The number of computer applications used by large corporations has increased significantly over the past twenty years. For example, companies may employ separate applications for electronic mail, document control, financial applications, inventory management, manufacturing control and engineering functions, in addition to overall network access. Each application often requires a separate login procedure, including some form of known personal identification such as a user ID, a password or a key sequence, or the validation of some inherent trait of the user, such as biometric authentication. The increase in the number of applications requiring user authentication demands significant effort on the part of both users and systems administrators to create, remember, and secure these various forms of authentication data. Furthermore, from a management perspective, the proliferation of computer applications with varying security and sign-on procedures adds significant cost to the ongoing maintenance of a secure information technology infrastructure.
In a similar fashion, physical security of the workplace has also become a primary concern. It is now common practice to require workers to present physical access cards in order to be granted access to a building, room or other location. Typically, a physical access control system (PACS) manages access privileges to site locations by associating a person or group of people with one or more badge IDs that can be read, for example, by a card reader placed in close proximity to a locked door. One common implementation of a PACS uses Wiegand control signals to carry data from card readers placed about the controlled area to one or more control panels that determine whether to grant or deny access in accordance with various access policies. Based on these policies, the system generates electrical pulses, again using the Wiegand protocol, that in turn control the door lock.
The physical access cards rely on the uniqueness of the card and its physical possession by a user who either swipes it through a stripe reader or brings it into proximity to a wireless reader. The reader reads the card and transmits its unique badge identifier to a control panel that maintains a set of rules (or a general policy) for granting or denying access to the cardholder. Thus, various zones within a building can be controlled by placing readers at the entry points and doors that lead to protected zones. This creates a “transitive trust model” by granting the cardholder access privileges for a specific location based on the known relationship between the cardholder and the card, the rules dictating that cardholder's access rights to zones within a building, and the placement of readers at the entry points to those zones. Many companies have invested significant resources in implementing the physical and procedural infrastructure that supports such access-control systems.
Authentication criteria used to access secure computer resources generally involve something individuals know (e.g., a password), something they have (e.g., a key or token), and/or an identifying trait of the individual (e.g., a fingerprint or iris image). Authentication systems that control access to physical locations (e.g., a building or a room) generally require the person requesting access to present an authentication device associated with that person, such as an RFID card, magnetic swipe card, or other physical object.
Conventional attempts at integrating logical access systems (e.g., access to computing systems or networks) and physical access systems (e.g., access to buildings, rooms, etc.) use USB and/or serial-port based readers that read badge information from the cards and present that information to a centralized server for authentication. The drawback of integrating PACS and logical access control systems using this approach is the need for all the systems to use a common protocol so information can be exchanged among the various components. Such an approach, in other words, requires that all the components be able to communicate with and understand each other, and any subsequent changes to the environment (e.g., addition of new systems, upgrades, etc.) require additional programming and implementation efforts.
Many companies employ authentication systems for granting access to their computer systems and card-based systems for granting access to physical locations as described above, but these systems are separate and do not interact. Furthermore, many individuals are associated with multiple entities, each of which may use one or more authentication systems. However, the ability to leverage the data and infrastructure of the physical access-control system for authentication and access to secure computer systems (either by replacing the need for password and/or biometric-based authentication or by implementing multi-factor authentication that combines data from multiple systems) remains elusive. This is especially difficult where the multiple systems are managed as separate physical and/or logical entities. What is needed is a system that can establish links between disparate user authentication systems, such as a system used to control access to a physical location, authentication systems used to govern access to the computer systems that operate within a physical location, and other systems for authentication/identification. Such a system would provide higher levels of access control by facilitating multi-factor authentication based on multiple forms of challenge that can incorporate authentication credentials from external systems, while simultaneously streamlining the authentication process for individuals within the organization.
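The transitive trust model described above (badge to cardholder, cardholder to zone rights, reader to zone) and the physical-to-logical linkage this section calls for, modelled as an added Python example that is not part of the patent text. Badge IDs, cardholders, zones, reader placement and the presence window are all constructed sample values; the Wiegand signalling itself is abstracted away as a (reader_id, badge_id) event.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not from the patent text).
BADGE_TO_HOLDER = {"0x1A2B3C": "alice", "0x4D5E6F": "bob"}      # card -> cardholder
HOLDER_ZONES = {"alice": {"lobby", "lab"}, "bob": {"lobby"}}    # cardholder -> permitted zones
READER_ZONE = {"reader-01": "lobby", "reader-02": "lab"}        # reader placement -> zone it guards

PRESENCE_WINDOW = 8 * 3600  # seconds a physical entry stays valid as a login factor (assumed)


@dataclass
class ControlPanel:
    """Models the PACS control panel: it resolves a badge read from a reader
    through the transitive trust chain and records successful entries so a
    logical access system can use physical presence as a second factor."""
    presence: dict = field(default_factory=dict)  # holder -> (zone, time of last granted entry)

    def decide(self, reader_id: str, badge_id: str, now: int) -> bool:
        """Grant/deny decision for one badge read (time is epoch seconds)."""
        zone = READER_ZONE.get(reader_id)          # which zone does this reader protect?
        holder = BADGE_TO_HOLDER.get(badge_id)     # who is bound to this card?
        if zone is None or holder is None:         # unknown reader or unknown card: deny
            return False
        if zone not in HOLDER_ZONES.get(holder, set()):  # policy: holder lacks rights to zone
            return False
        self.presence[holder] = (zone, now)        # remember the granted entry
        return True

    def logical_access(self, holder: str, workstation_zone: str, now: int) -> bool:
        """Second factor for a computer login: the holder must have badged into
        the zone where the workstation sits within PRESENCE_WINDOW seconds."""
        rec = self.presence.get(holder)
        if rec is None:
            return False
        zone, entered_at = rec
        return zone == workstation_zone and 0 <= now - entered_at <= PRESENCE_WINDOW
```

A real deployment would also invalidate presence on a badge-out event and treat unknown readers as an alert condition rather than a silent deny.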