One of my volunteer activities is with my local fire department. As I was looking at my ID card recently, I marveled at its simplicity. It has what you’d expect on an ID card of this type: a logo, photo, name, title and a barcode. The barcode is associated with my level of training and the fire department. The barcode is there so when I scan in at a multiple agency response, the incident commander receives a list of who is there and what they are capable of doing. We also scan out when we are finished working, and thus the necessary records are produced for insurance billing and FEMA documentation. It’s a simple method of authentication and the barcode is very easily duplicated, but the card itself would be difficult to duplicate due to the security laminate, plus I’m wearing firefighter gear and arriving in a large fire engine. The majority of us in the enterprise need a bit more security in our credential solutions than that.

Most of us use some second form of verification and it’s typically an electronic solution. A common and popular solution is a card embedded with an RF proximity chip. There are thousands of devices that can read these cards, ranging from key cabinets to full-featured electronic card access systems. Once the proximity card and associated hardware are installed at an enterprise-level facility, the expansion of usage and the number of applications becomes viral. Card readers are mounted near doors, standalone access devices are mounted on doors, and entrances to parking ramps have card readers. This typically gets the attention of area businesses, and they begin offering discounts and incentives verified by an inexpensive prox reader. They’re everywhere! Some large corporations will partner with you and provide your card stock and printers and more incentives. It finds its way into standard construction documents and point-of-sale contracts... Viral! This is all great, right? Well, there are a couple of problems presented in this scenario.

Does any single entity or database track every location that is relying on that prox technology? Is there an audit trail of who paid for what device and why?

Take this scenario: a CFO has to reduce funding to the security department due to unforeseen economic conditions. The badging station manager informs the security manager that the organization is about to exceed the number of badges/IDs that can be issued with a current facility code. The facility code is one of the two pieces of information embedded in the prox credential; the other is the badge number. When a prox credential is presented at an electronic access control reader, for example, the system checks to see if the facility code is valid for the facility and if that badge number has access to the door in question. It’s another security feature of the credential. The security manager contacts the system administrator for the access control system and inquires as to how many facility codes the system can manage.

The only devices that a security manager may know to be in existence that rely on their prox ID cards are those that he/she can literally see on the software that manages the system and generates the credentials. They may not be aware of standalone security devices that were installed without consulting them, nor of the numerous contracts that the CFO has entered into as a value-added income stream. The system administrator advises the security manager that the system can handle 255 different facility codes at the same time. The security manager directs the badging station manager to order new cards with a different facility code and to advise the system administrator of the code on order so that the additional code can be programmed into the system. Problem solved.

A bit later, as the new credentials are being issued in fairly large quantities, the security manager receives a call from the CEO that her card isn’t working in a downtown parking ramp located next to her favorite restaurant. The card doesn’t validate her discount at the restaurant, either. The security manager asks the CEO if she has recently gotten a new company ID card – she has. He asks: what parking ramp and discount at a restaurant? It’s now a cascading effect of incompatible hardware that cannot accept the new facility code. The CEO is not happy and the CFO is busy fielding calls from angry partners in that wonderful revenue stream.
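The scenario above can be caught before the new cards ship by running the planned facility code against an inventory of every device that trusts the credential. The following is an added example, not part of the original column: the device names, owners, facility codes 101 and 102, and the per-device capacities other than the 255 quoted by the system administrator are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Reader:
    """One device that trusts the prox credential (constructed inventory entry)."""
    name: str
    owner: str                 # who paid for and manages the device
    facility_codes: set        # codes the device is currently programmed to accept
    max_facility_codes: int    # how many codes the device can hold at once
    allowed_badges: set = field(default_factory=set)  # empty = any badge with a valid code

    def grants(self, facility_code, badge_number):
        # Two-step check described in the column: is the facility code valid
        # here, and is this badge number authorized for this device?
        if facility_code not in self.facility_codes:
            return False
        return not self.allowed_badges or badge_number in self.allowed_badges

def audit_new_facility_code(readers, new_code):
    """Classify every known reader before cards carrying new_code are issued."""
    report = {"ready": [], "needs_programming": [], "cannot_accept": []}
    for r in readers:
        if new_code in r.facility_codes:
            report["ready"].append(r.name)
        elif len(r.facility_codes) < r.max_facility_codes:
            report["needs_programming"].append((r.name, r.owner))
        else:
            # Device is full: it would have to drop the old code or be replaced.
            report["cannot_accept"].append((r.name, r.owner))
    return report

# Constructed inventory. Only the first entry is visible in the access control
# software; the rest are the standalone and partner devices nobody tracked.
INVENTORY = [
    Reader("HQ lobby door", "Security", {101, 102}, 255),
    Reader("Key cabinet 3", "Facilities", {101}, 4),
    Reader("Downtown parking ramp", "Ramp operator (contract)", {101}, 1),
    Reader("Restaurant discount reader", "Restaurant (contract)", {101}, 1),
]

if __name__ == "__main__":
    for status, devices in audit_new_facility_code(INVENTORY, 102).items():
        print(f"{status}: {devices}")
```

The audit is only as good as the inventory, which is the column's point: the partner devices have to be listed, with an owner, before anyone can ask whether they will accept the new code.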

The maximum number of credentials that can utilize one facility code, and the number of facility codes a device can handle, is such a granular piece of information that it may only be known by your card stock supplier, and it was included as boilerplate language in numerous construction documents and contracts. No one really needed to know what that meant; it was just a question that came up once a long time ago.

Perhaps someone in your organization is aware of the limitations and parameters surrounding facility codes embedded in your credentials, but that person isn’t likely to be in the loop on the decisions that were made regarding the expansion of their usage. The viral expansion of the use of the technology resulted in numerous security enhancements, process efficiencies and even produced income! Yet, one tiny detail can turn that into a series of unexpected expenses.

Put a few of the questions that this column may have raised to people within and outside of your organization. Would you want to be the security manager discussed here? I’d prefer to be the “hero” that caught this before it became a nightmare for my entire organization and, of course, for me.