Editor’s Note: We have received several requests to post the full version of the paper without requiring a download. If you prefer to read that version (it includes the analysis and supporting concepts), it can be found here. Alternatively, it can be downloaded as a PDF by clicking the box at the bottom.
While organizations are realizing they need to get away from passwords, some are concluding that they want the simplicity of their building access cards at the cost of leveraging an existing investment. On the surface this seems reasonably logical, but if the intent is to improve security, it is a big step backward.
I am increasingly seeing organizations that do not understand the underpinnings of their RFID cards or how those underpinnings relate to the objective at hand. Unfortunately, vendors are far too complicit most of the time and either forego the deeper discussion that should take place, or advocate the approach vigorously. My own experience is that even vendors don’t understand the implications of an RFID implementation in an IT environment as well as they should, but that does not excuse or justify the lack of disclosure or the flawed advice.
In particular, this is gaining scale in healthcare provider settings, and in the vast majority of cases the organization did not properly investigate or consider the facts surrounding how this “upgrade” would impact its perceived security benefits. While I don’t think that organizations need to come to the same conclusion as I do about what they will implement, I do (strongly) believe that all decisions should be weighed based on fact, risk and carefully considered acceptance. Therefore, I feel compelled to speak out on this topic: to debunk the common perceptions, to show how RFID compares with the existing password environment, and to set out what should realistically be expected from a future-state “upgrade”.
The main thing to realize is that underneath, RFID authenticates with a static binary string of data: basically a password. Unfortunately, these cards are not designed to be managed post-issuance, which means they cannot even conform to the password management policies most organizations already had in place before the “upgrade”. Essentially, a password program is being replaced by a weaker password program that “looks” like a card. Note that I am not talking about smart cards that use a contact chip and PKI for authentication (this is good), as that is an entirely different technology and deployment. While RFID and PKI can be combined on the same card, they are quite separate and merely co-exist in the same “wallet”. In such cases, RFID isn’t used to carry the PKI credential (PKI over RF isn’t quite there yet) but is only used for the existing building access system.
So how does RFID stack up, and where does a seemingly good idea turn into something worse than what was previously in place? Below is a chart that outlines basic password management principles that are commonly accepted in information security. It contrasts capabilities and conformance in important areas between a typical password environment before migrating to proximity cards and the environment afterward.
Not to mention that RFID is currently not capable of supporting any of the industry mandates and incentives starting to hit healthcare. I know that vendors tout that RFID helps organizations comply with HIPAA, but this is a myth. HIPAA doesn’t mandate RFID, or really any other method for that matter. It comes down to each organization making its own rules in this area and signing off on them. However, a best practice under HIPAA is to encrypt data (the next best thing for keeping PHI private when data is lost), and RFID can’t do that.
Outside of HIPAA there are a slew of other mandates. Some call for PKI, federated and anchored trust models, and processes in which RFID plays no part. Some are less defined, but when you match the intent of the mandate to where it will likely develop, it points in a different direction from current RFID technology. This means that aside from building out an authentication environment that decreases security, a dead end is being built, since other systems will need to be implemented for other uses, at minimum, to comply. It becomes a wasted investment, even if it was cheaper in the beginning.
You can get the full 5-page white paper that breaks it all down. It digs into what is going on in the authentication process with RFID, some of the technical gaps when held to commonly accepted IT security principles, and how it can be broken and subverted. Yes, we even get into debunking common assumptions and take on the more secure forms of RFID, such as high-frequency cards with encryption keys (because, in the context of how they are used, they represent the same lack of security as low-frequency cards). It also considers current and future mandates and incentives in healthcare to understand how viable this path is as an investment over time. We don’t have sales people call you, and you won’t be added to a mailing list.