Register Interest
IP EXPOCyber SecurityDeveloperAI and AnalyticsIoTBlockchain

Most cost-effective and secure credential enterprise-wide?

Monday 15 October 2018

Hybrid smartcards - one ID for all identity & access applications.

Making it possible for each staff member to use just one credential for all identity and access applications not only makes life easier for them (which aids productivity), but also strengthens security across the organisation by enforcing behaviours that ensure protective measures are not circumvented (such as users leaving unattended workstations unlocked, or allowing other people access using ‘loaned’ IDs).

Furthermore, having just one user identity database for all applications, enterprise-wide, avoids wasteful resource duplication and significantly reduces overall costs

Talk to Dot Origin, the experts in identity driven security, on stand D16 at IPEXPO 2018.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Contact smartcard chips are ideally suited to PKI-based applications, providing the ‘gold-standard’ in security by utilising private keys which are generated and stored securely in the chip, protected against external access, and never shared. The chip hardware from established manufacturers includes design features that prevent keys from being extracted, even if probed by an electron microscope, and so achieve certification to the highest international standards, such as EAL 5+ and FIPS 140-2.

‘Hybrid’ smartcards combine a separate contactless RFID interface chip with a contact PKI chip in the same card body. This enables the best choice of standards-based contact and contactless technologies to be selected for an organisation’s specific requirements

Smartcards ‘v Mobile device based credentials


Mobile device based credentials appear to offer a convenient alternative to having to issue each staff member with smartcards, they do however introduce the burden of managing and maintaining multiple apps and device platforms; a task that becomes even more complex as these proliferate over time.

Issuing employees with smartcards commonly supports wider site security requirements, as they can be printed on for use as an easily recognisable company ID, bearing a photo of the user and worn on a lanyard.

The actual security of any digital credential ultimately depends on how well its encryption keys are protected. As mentioned already, contact smartcard chips have been certified to the highest security standards. Mobile devices support 2FA by hosting various app and cloud-based implementations of cryptographic algorithms; such software-based solutions are at greater risk from malware attack and the security of encryption keys depends very much on the particular mobile device and OS in question.

While mobile credentials solutions have become increasingly available, across an ever widening range of identity and access applications, their adoption is currently limited by their far greater cost in comparison to well-established and reliable smartcard solutions.

Security benefits of converged credentials:


Combining the identifications required for both logical access and physical access in to a single ‘converged credential’ facilitates the streamlining of steps in staff on-boarding and off-boarding, helping avoiding the very common process breakdown that leaves former employees with access to an organisation’s systems and data.


Staff always tend to find the most expedient ways of getting their work done, even if short-cuts may result in security vulnerabilities. For example, the benefits of two-factor authentication for securing IT access can be negated by users leaving PCs logged-on while they’re away from their desks.

Issuing each staff member with a single card for IT-access as well as opening doors (amongst other uses) naturally compels them to always carry their ID-cards with them at all times. Microsoft Windows can be configured, using a standard Group Policy, to lock a workstation when a user’s smartcard is removed from an attached reader. IT access is then automatically secured when the user goes elsewhere – to pick-up a coffee or collect a document from a printer perhaps.

The greater the number of applications that the converged credential is used for, the more indispensable it becomes to personnel; resulting in credentials with photo-ID being consistently worn by staff moving around a site, and quashing the practise of lending colleagues IDs to allow them unauthorised access to controlled areas or resources.


Because hybrid smartcards combine separate chips within a single card form factor, it’s possible to configure the solutions to an organisation’s specific needs; using established technology standards that provide the flexibility to integrate with an extensive range of identity and access applications.

Contactless applications, including building access, can make use of up-to-date technologies, such as DESFire, iCLASS and SEOS, which support mutual authentication with card readers before transferring encrypted identification information. Older RFID chip technologies rely on a simple manufacturer chip serial number (or a programmed identification number) which is not protected from being read by any reader, making them vulnerable to card cloning attacks. Multiple RFID chips can also be incorporated, to support migration from legacy to modern physical access controls, and/or multiple systems.

Talk to Dot Origin, the experts in identity driven security, on stand D16 at IPEXPO 2018, or find out more:


Digital Transformation Europe EXPO 9-10 October 2019

Register Interest

IP EXPO takes place on 9-10 October 2019 at ExCeL London. This unmissable event is your one stop shop for digital transformation and covers every vertical you need to consider for successful implementation. Including network and hardware, cybersecurity, developer community, AI and analytics, IoT and Blockchain.