Anyone using RFID tokens for 2FA?

Hi experts.

The reason I ask: we are looking for info on 2-factor authentication. Whether we will finally use it is not yet clear. The first step should be to see if what we already have can be used somehow. We have RFID tokens that are used to unlock the doors.

Anyone here use RFID for
- Windows/Linux logon?
- logon to a webserver/share/cryptocontainer?
- remote access authentication (like RDP)?

If so, what software do you run to make it usable and what is your impression?

Remember: I am not asking what the most secure 2FA method is. I am looking for experience with RFID, no matter if it is state of the art or not.
McKnife Asked:
btan (Exec Consultant) Commented:
We looks at RFID card and 2FA ONE but not impress on the higher mgmt side as smartcard mutual authentication with card's embedded crypto chip still win over. The use case however fits the lower risk appetite users in use of shared workstation
The common workflow for RFID device authentication requires the user to present their device to a connected reader (USB, embedded, PCMCIA, PC Express), 2FA ONE then identifies the user’s information (the user does not have to enter a username) and requests the user to enter their PIN associated with the device; the user then enters their PIN and 2FA ONE validates the two components. Once validated the user is permitted access to the operating system or application.
The bolts and nuts were not drilled deep, though there was interest in the past... http://2fa.com/all-service-list/proximity-card/
Rich Rumble (Security Samurai) Commented:
We had a hospital client use proximity as 2FA; the nurses and doctors had the RFID in their badges and had to be within 5 feet of the computer to log on. If they got too far away, 60 seconds later the workstation locked. They were not fans of that actually, and relaxed the timeout, but they wanted the range extended (5 feet was pushing it, but 16 feet is supposed to be possible with Gen 2 UHF). Each reader was like $30 (2 years ago). Trouble too was having more than one person within range of the reader: it wouldn't allow the person at the terminal to log in until others were out of the reader's range. So the long range could be a double-edged sword if you are using them for proximity. Gen 1 though has like a 1 ft max range.
-rich
McKnife (Author) Commented:
@btan: "We looks at RFID card and 2FA ONE but not impress on the higher mgmt side as smartcard mutual authentication with card's embedded crypto chip still win over. The use case however fits the lower risk appetite users in use of shared workstation" - please try to rephrase that, I have problems understanding it, sorry.
@richrumble: interesting. What info would you need to decide if we have gen1 or 2 here?
btan (Exec Consultant) Commented:
Apologies. The senior mgmt. folks are not impressed by the RFID card as they still deem the smartcard more secure. They use that for login into their machine and already treat it as their 2FA. They are used to it. The wireless card gives them the creeps even though it is short distance. Probably their risk appetite is lower, and they would need an extra USB-connected RFID reader sticking out of their machine. They construe the RFID card more as a door access or physical entry driven use case instead of an end user authentication means for using their daily computing machine.
McKnife (Author) Commented:
Understood, thanks.
Rich Rumble (Security Samurai) Commented:
You'd need one reader per workstation, and that will add up quickly unless you get Gov't write-offs or some grant that helps pay for it. Perhaps use it only for highly sensitive areas, and only allow access to the sensitive data via the small handful of boxes that use the 2FA RFID cards. Again, the hospital client had one in each room for each computer terminal essentially. For a small practice or dentistry, for example, the cost wouldn't be much, but this client had hundreds of terminals, all with 2FA readers.

I was there to do a job; if I could have made a recommendation to the client, I'd also skip the RFID route. Even though proximity was cool, having a short timeout on inactivity -> lock screen would be fine. When we walked around making sure things were working well, we noticed most folks knew Windows+L locked the screen and they were really good about it already. I think this negated most of what proximity was asked for, and the 2nd factor was just an added bonus in compliance. The proximity was not mandated by law, but was on their list of must-haves.

I'd sooner issue tokens to their phones (one that works in airplane mode) or in key fob form; it would have saved them a lot of $$. After attending all the security cons I have, I never trust RFID for anything myself, but clients want it and I have to educate them, and still press on, as they don't think it can happen to them. RFID is easily and cheaply cloned, esp. Gen 1.
-rich
McKnife (Author) Commented:
Thanks Rich. Again my question: how do I recognize what generation we have? So far, I know only the manufacturer, no model type. Is there a list somewhere showing which models are gen2? Just in case this is easy to answer.
Rich Rumble (Security Samurai) Commented:
We use this in our audits, cannot be beat if you can't find any identifying numbers on the card:
https://github.com/Proxmark/proxmark3
http://proxmark3.com/products/new-proxmark3-kit 
http://www.xfpga.com/html_products/proxmark3-20.html (I've not used this one)
You get some info, but not really the maker or brand, just the bitness of the card, serial number/UID, frequency (which tells you a lot about the card).
-rich
btan (Exec Consultant) Commented:
Another use of RFID we did plan for is timesheet tracking of employees reporting for work, and we did think of using 2FA RFID but would not figure that out, and biometrics is the next in line to better identify the staff so as to deter bypass by (or cheating via) logging on behalf of other peers. The budgeting is still optimal as it is isolated to a small group on trial... As for tools, this may be useful -
EPC Encoder/Decoder — Translate between different forms of the Electronic Product Code (EPC)
User Memory Encoder — Encode supplementary data into the user memory of a Gen 2 RFID tag.
User Memory Decoder — Decode supplementary data stored in the user memory of a Gen 2 RFID tag.
TID Decoder — Decode the Tag Identification (TID) memory bank of a Gen 2 RFID tag, which carries information about the tag itself
http://www.kentraub.com/tools.html
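As an added example (not part of the thread, and not code from the tools linked above): a small decoder for the 32-bit TID header that the TID Decoder entry refers to, which tells you whether a tag reports itself as Gen 2 and which chip designer and model it carries. The field layout assumes the current GS1 EPC Tag Data Standard; the names `TidHeader` and `decode_tid` are made up here, and any TID value you feed it in a test should come from your own reader.

```python
# Added example: decode the first 32 bits of a Gen 2 TID memory bank.
# Layout assumed from the GS1 EPC Tag Data Standard; names are hypothetical.
from dataclasses import dataclass

GEN2_CLASS_ID = 0xE2  # allocation class identifier reported by Gen 2 tags


@dataclass(frozen=True)
class TidHeader:
    xtid: bool          # bit 08h: extended TID words follow the header
    security: bool      # bit 09h: security (S) indicator
    file: bool          # bit 0Ah: file (F) indicator
    mask_designer: int  # bits 0Bh-13h: 9-bit Mask Designer ID (chip vendor)
    model: int          # bits 14h-1Fh: 12-bit vendor-defined model number


def decode_tid(tid_hex: str) -> TidHeader:
    """Parse the TID header from a hex string as printed by a reader."""
    cleaned = "".join(tid_hex.split()).replace("-", "").replace(":", "")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"TID is not valid hex: {tid_hex!r}") from exc
    if len(raw) < 4:
        raise ValueError("TID bank must contain at least 32 bits")
    if raw[0] != GEN2_CLASS_ID:
        # Anything else is not a Gen 2 TID; do not guess at its layout.
        raise ValueError(f"class identifier {raw[0]:#04x} is not 0xE2")
    word = int.from_bytes(raw[:4], "big")  # bit 00h is the most significant
    return TidHeader(
        xtid=bool(word >> 23 & 1),
        security=bool(word >> 22 & 1),
        file=bool(word >> 21 & 1),
        mask_designer=word >> 12 & 0x1FF,
        model=word & 0xFFF,
    )


if __name__ == "__main__":
    # Constructed sample value, not read from a real card.
    print(decode_tid("E2 80 11 05"))
```

The Mask Designer ID and model number can then be looked up in the GS1 mask designer list and the chip vendor's datasheets to identify the card family when the card itself has no markings.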
McKnife (Author) Commented:
Thanks, will return to this question with my own experience story when we have started the test phase.