Phishing-resistant multifactor authentication (MFA) is the new gold standard in modern cybersecurity. IT professionals can help their organizations improve network and information security and meet emerging industry standards by migrating to passwordless login with Radio-Frequency Identification (RFID) or Near-Field Communication (NFC) and a user PIN. The Cybersecurity & Infrastructure Security Agency (CISA) names FIDO/WebAuthn and PKI-based (smart-card) authentication as the phishing-resistant forms of MFA; RFID/NFC+PIN qualifies when the card or phone carries such a cryptographic credential, and it is easy to implement with the ID card or smartphone employees already carry.
Why move to RFID/NFC+PIN?
RFID/NFC+PIN is a simple and effective way to implement phishing-resistant MFA. Instead of typing in a username and password, users simply log into their devices (e.g., computers), networks and applications using an RFID card (such as their existing employee badge) or a mobile credential on their smartphone. A user PIN (or biometric authentication on smartphones) acts as the second authentication factor.
This is faster, easier and much more secure than MFA methods such as one-time codes and push notifications, which can be defeated by phishing pages that relay the code, by push fatigue and other social engineering, or by interception in transit. With RFID/NFC+PIN the secret that proves the user's identity lives on the card or phone and is never known to the user, so there is nothing a phishing page can ask them to type; when the credential is cryptographic, each login answers a fresh challenge from the system being logged into, so a captured exchange cannot be replayed elsewhere. The PIN, even if compromised, is useless without the corresponding physical card or phone, virtually eliminating the possibility of a fraudulent remote login. At the same time, if the card or phone is lost or stolen, it can't be used without the PIN, and a card that limits PIN attempts cannot be brute-forced at leisure. RFID/NFC+PIN can be used to unlock computers and workstations (and, potentially, printers) and combined with single sign-on (SSO) software for a total information security solution.
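The following added example (not code from this page or from any reader or credential vendor) models the exchange described above in Python so the claims can be checked one by one. It assumes a cryptographic credential on the card or phone, as in a PIV or FIDO2 deployment, and stands in for the card's cryptography with HMAC-SHA256 over a key shared at enrollment; the relying-party name corp.example, the badge ID, the PIN, the three-attempt lockout and the look-alike hostname are all assumptions made for the example. It also contrasts this with a legacy badge that only emits a fixed identifier, which anyone who reads it once can replay.

```python
"""Toy model of RFID/NFC+PIN challenge-response login (not a real card protocol):
the key never leaves the card, is usable only after the PIN, and each login answers
a fresh single-use challenge bound to the relying-party name. HMAC-SHA256 with a
shared enrollment key stands in for the card's cryptography (a real PIV/FIDO2
credential would enroll a public key instead)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set

MAX_PIN_ATTEMPTS = 3    # assumed lockout policy
RP_ID = "corp.example"  # assumed relying-party (server) identity


class Card:
    """The credential on the badge or phone."""
    def __init__(self, card_id: str, pin: str):
        self.card_id = card_id
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._key = secrets.token_bytes(32)
        self._unlocked = False
        self._failures = 0

    def verify_pin(self, pin: str) -> bool:
        if self._failures >= MAX_PIN_ATTEMPTS:
            return False  # locked: needs an admin reset
        if hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest()):
            self._unlocked, self._failures = True, 0
            return True
        self._failures += 1
        return False

    def remove(self) -> None:
        self._unlocked = False  # lifting the card off the reader re-locks it

    def respond(self, rp_id: str, challenge: bytes) -> Optional[bytes]:
        """Answer a challenge for the origin the reader is actually talking to."""
        if not self._unlocked:
            return None
        return hmac.new(self._key, rp_id.encode() + b"|" + challenge, hashlib.sha256).digest()

    def enroll_key(self) -> bytes:
        return self._key  # exported once at enrollment, never at login


class Server:
    """Relying party: issues single-use challenges and checks the card's answers."""
    def __init__(self):
        self._keys: Dict[str, bytes] = {}
        self._pending: Set[bytes] = set()

    def enroll(self, card: Card) -> None:
        self._keys[card.card_id] = card.enroll_key()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._pending.add(c)
        return c

    def verify(self, card_id: str, challenge: bytes, response: Optional[bytes]) -> bool:
        if response is None or card_id not in self._keys or challenge not in self._pending:
            return False
        self._pending.discard(challenge)  # single use: replaying this challenge fails
        expected = hmac.new(self._keys[card_id], RP_ID.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def static_uid_login(known_uids: Set[str], presented_uid: str) -> bool:
    """Contrast: a legacy badge that only emits a fixed ID. Anyone who reads the
    UID once can replay it, so UID lookup alone is not phishing-resistant."""
    return presented_uid in known_uids


def demo() -> Dict[str, bool]:
    """Scenarios from the text; each value is True where the login was accepted."""
    server, card = Server(), Card("badge-0042", pin="4711")  # constructed sample
    server.enroll(card)
    out = {}
    # 1. Legitimate login: the PIN unlocks the card, which answers the fresh challenge.
    card.verify_pin("4711")
    c1 = server.challenge()
    r1 = card.respond(RP_ID, c1)
    out["legit"] = server.verify(card.card_id, c1, r1)
    # 2. Attacker captured (c1, r1) in transit and replays it.
    out["replay_captured"] = server.verify(card.card_id, c1, r1)
    # 3. Attacker phished the PIN but holds no card, hence no key.
    c3 = server.challenge()
    forged = hmac.new(b"guess", RP_ID.encode() + b"|" + c3, hashlib.sha256).digest()
    out["pin_without_card"] = server.verify(card.card_id, c3, forged)
    # 4. Adversary-in-the-middle: a look-alike site relays the real challenge, but the
    #    reader binds the answer to the origin it sees, so the real server rejects it.
    c4 = server.challenge()
    out["aitm_relay"] = server.verify(card.card_id, c4, card.respond("corp-example.com", c4))
    # 5. Stolen card, PIN unknown: guesses lock the card, and the right PIN no longer helps.
    card.remove()
    for guess in ("0000", "1234", "1111"):
        card.verify_pin(guess)
    c5 = server.challenge()
    out["stolen_card_no_pin"] = server.verify(card.card_id, c5, card.respond(RP_ID, c5))
    out["correct_pin_after_lockout"] = card.verify_pin("4711")
    # 6. Legacy static-UID badge: one sniffed read is enough.
    out["static_uid_replay"] = static_uid_login({"0A1B2C3D"}, "0A1B2C3D")
    return out
```

Calling demo() returns True only for the legitimate login and for the static-UID replay; the captured exchange, the phished PIN, the relayed challenge and the stolen locked card are all rejected. In a real deployment the card holds a private key and the server a public key, and the origin bound into the response comes from the reader or browser software rather than from a string the card is handed, but the shape of the check is the same.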
Here's how RFID/NFC+PIN helps organizations:
- Simplify device login: Instead of typing a long password and then checking their phone for a push notification or short-lived login code, users simply present their card or phone to a reader embedded in or plugged into the computer and enter a simple PIN. This substantially speeds up the login process for users.
- Improve device security and compliance: RFID/NFC+PIN removes the password from the login flow, so there is no password for an attacker to phish, and a cryptographic card or mobile credential answers only the system it is presented to. Implemented this way, it meets CISA's definition of phishing-resistant MFA and the verifier-impersonation-resistance requirements of NIST SP 800-63B, and can help organizations comply with ISO/IEC 27001 and emerging data security requirements for defense contractors, healthcare, finance and critical industries such as utilities.
- Cost savings: RFID/NFC+PIN improves productivity for users, who may have to log into devices and applications many times a day. It also substantially reduces IT department time spent managing forgotten passwords and lockouts. These productivity increases can add up to substantial cost savings.
- Unify information security: A unified information security architecture is simpler for both users and IT to manage. The same combination of card/smartphone and PIN can be used for both logical access (to business systems and networks) and physical device access (to computers and, potentially, printers).
How to Implement RFID/NFC+PIN in Three Easy Steps
RFID/NFC+PIN is a simple MFA solution to implement. Here are a few steps and considerations.
1. Decide on your primary authentication technology: Authentication can be achieved with an RFID card, a mobile credential on a smartphone, or a physical security token. In most organizations, employees already carry an ID badge that is used for building entry and physical access control for parking areas, elevators and secure locations. The same badge can be leveraged for device and network login.
This eliminates the need for additional token provisioning by IT and lessens the burden on employees. Alternatively, a mobile credential stored on the employee's smartphone can be used to log in. With the right reader, it is possible to set up a system that uses both forms of authentication; for example, ID badges for full-time employees who carry them and mobile credentials for remote workers, contractors or visitors.
2. Choose the right reader + authentication software solution: The RFID reader is attached to (or embedded in) a computer, printer, machine or other networked device for authentication. If you are planning to leverage existing employee badges, it is essential to choose a reader that works with the transponder technology already in place. Check what the badge actually proves, too: many legacy low-frequency proximity badges only emit a fixed identifier, which a reader can look up but cannot verify cryptographically and which can be copied to another card, so for phishing-resistant login pair the reader with a credential that supports challenge-response authentication (for example, a PIV applet or FIDO2 credential on the card or phone) rather than relying on UID lookup alone.
There are more than 60 major transponder technologies used globally; companies operating in multiple locations may have multiple technologies in use. For maximum flexibility, choose a multi-technology reader that supports a wide range of high-frequency (HF) and low-frequency (LF) RFID tags along with mobile credentials using NFC or Bluetooth Low Energy (BLE). This lets organizations support multiple credential types with the same reader and respond to changing needs in the future.
3. Roll out the solution with users: User acceptance for RFID/NFC+PIN is usually very high: virtually no one misses cumbersome passwords and one-time codes. Acceptance for card-based solutions may be higher in organizations where users already carry an employee badge and do not have employer-issued phones, as some users can be hesitant to add a work-related mobile credential to their personal phones. Make sure users know how to attach the RFID reader to the computer (if they will be doing this themselves), how to set up their user PIN, how to reset their PIN if necessary, and whom to notify if a card or phone is lost so the credential can be revoked promptly.
Working with a full-service RFID solution provider will further simplify implementation for IT staff. Look for a knowledgeable solution provider with the right software partnerships in place who can work with you every step of the way, from initial planning to post-installation support. By implementing phishing-resistant MFA with RFID/NFC+PIN now, IT professionals can ensure that their organizations are prepared to face emerging cybersecurity threats.