Outstanding!: October 2010 Archives


October 15, 2010

In a previous post, I trashed the stick-on badges that companies like to issue visitors. This doesn't mean I'm any more fond of the plastic RFID badges that get issued to employees. For those of you who haven't had a chance to see these, your typical employee ID is a plastic card with your picture, your name, and an embedded RFID device. For instance, this. In many (most?) companies, the door locks don't use keys but rather are RFID receivers activated by your badge.

I don't mean to give you the impression that I'm inherently against proximity-card activated locks. On the contrary, if you've ever tried to lean a 20 pound box against the door while you figured out which of the four near-identical Schlage-style keys on your key ring matches your office door, you can easily appreciate the virtues of remote door lock activation (side note: one of the coolest features about the Prius when it first came out). However, the actual implementation leaves something to be desired.

Let's start with the combination of the proximity key (a good idea) with the photo badge (a less good idea). As with visitor badges, the security offered by a plastic card with your name and photo on it is relatively minimal. First, my experience is that employees don't do a very good job of checking badges, ever. As I said before, I routinely float around other people's companies without any badge at all and nobody ever stops me. Even if employees did check badges, at most this would be a cursory visual inspection, and it's trivial to make a plastic badge that looks like that of any random company you choose, as long as you know what it looks like. Sure enough, a little image searching quickly turned up images of badges for Google, Cisco, and Apple. So, badges are next to useless for verifying people inside the security perimeter. (One exception: if you see someone doing something suspicious, you might ask for their badge and they might have been lame enough not to have forged one.)

Badges are potentially of some use at the security perimeter, where they can be processed by machines rather than fallible humans. Potentially, that is, except for two problems. First, RFID proximity cards are laughably easy to clone. The common low-frequency (125 kHz) cards simply emit a fixed identifier whenever a reader powers them up; there is no secret on the card and no challenge from the reader, so anything that can read the identifier can reproduce it. As I understand it, you can even do this remotely, so you just hang out somewhere that employees go by and you can make as many cloned badges as you want. Second, it's trivial to enter the building without being badged in: despite corporate policies prohibiting it, at nearly every company I've ever visited people with legitimate badges (or at least ones that the reader accepted!) have let me follow them into the building, even though I wasn't displaying any ID at all. Think how easy it would be if I were wearing a plausible-looking but nonfunctional piece of plastic.

This isn't to say you couldn't make a badge system work: you'd need a system where the badges really couldn't be copied, meaning the card proves possession of a key it never transmits (a challenge-response with the reader) rather than just broadcasting an identifier, and where there was strong enforcement against any kind of tailgating. That's not impossible, but it's very different from the current environment in many if not most organizations.
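To make the two points above concrete (why a fixed-identifier card is copyable, and what a card that "really couldn't be copied" has to do differently), here is an added example that is not part of the original post. The first half models the common 26-bit Wiegand credential used by 125 kHz proximity cards (a facility code and card number framed by two parity bits) and a door controller that trusts whatever frame the reader decodes; a clone is just the same bits. The second half models a challenge-response card that answers a fresh reader nonce with an HMAC over a per-card key, so a recorded exchange is useless on the next attempt. The facility code, card number, key and card identifier are constructed for the example, and the reader/controller classes are my own illustration, not any vendor's protocol.

```python
"""Static-ID proximity credential vs. challenge-response credential (added example)."""
import hashlib
import hmac
import os


# ---- Part 1: a static credential (26-bit Wiegand, as emitted by 125 kHz prox cards) ----

def wiegand26_encode(facility: int, card: int) -> str:
    """Return the 26-bit frame as a '0'/'1' string.

    Layout: [even parity][8-bit facility][16-bit card][odd parity].
    The even bit covers the first 12 data bits, the odd bit the last 12.
    """
    if not 0 <= facility < 256 or not 0 <= card < 65536:
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # makes the first half even
    odd = str((data[12:].count("1") + 1) % 2)   # makes the second half odd
    return even + data + odd


def wiegand26_decode(frame: str) -> tuple:
    """Check both parity bits and return (facility, card); raise on a bad frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    data = frame[1:25]
    if (frame[0] + data[:12]).count("1") % 2 != 0:
        raise ValueError("even parity error")
    if (data[12:] + frame[25]).count("1") % 2 != 1:
        raise ValueError("odd parity error")
    return int(data[:8], 2), int(data[8:], 2)


ALLOWED = {(123, 4567)}  # constructed allowlist of (facility, card)


def static_door_accepts(frame: str) -> bool:
    """Door controller that opens for any well-formed frame on the allowlist."""
    try:
        return wiegand26_decode(frame) in ALLOWED
    except ValueError:
        return False


def clone_card(sniffed_frame: str) -> str:
    """A cloner needs nothing but the bits; the copy is bit-for-bit identical."""
    return sniffed_frame


def demo_static_clone() -> bool:
    """True if a copy of a sniffed frame opens the door (it does)."""
    genuine = wiegand26_encode(123, 4567)
    return static_door_accepts(clone_card(genuine))


# ---- Part 2: a challenge-response credential (key never leaves the card) ----

class CRCard:
    def __init__(self, card_id: bytes, key: bytes):
        self.card_id = card_id
        self._key = key  # stays on the card; only HMAC outputs are transmitted

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce + self.card_id, hashlib.sha256).digest()


class CRReader:
    def __init__(self, keys: dict):
        self.keys = keys          # card_id -> key, held by the access-control system
        self.last_nonce = None

    def challenge(self) -> bytes:
        self.last_nonce = os.urandom(16)  # fresh per attempt
        return self.last_nonce

    def verify(self, card_id: bytes, response: bytes) -> bool:
        key = self.keys.get(card_id)
        if key is None or self.last_nonce is None:
            return False
        expected = hmac.new(key, self.last_nonce + card_id, hashlib.sha256).digest()
        self.last_nonce = None  # a nonce is good for exactly one response
        return hmac.compare_digest(expected, response)


def demo_replay() -> tuple:
    """(genuine_ok, replay_ok): a recorded response fails against a new challenge."""
    card_id = bytes.fromhex("007b11d7")                       # constructed id
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed key
    card = CRCard(card_id, key)
    reader = CRReader({card_id: key})
    nonce = reader.challenge()
    response = card.respond(nonce)          # an eavesdropper records this exchange
    genuine_ok = reader.verify(card_id, response)
    reader.challenge()                      # next attempt: different nonce
    replay_ok = reader.verify(card_id, response)
    return genuine_ok, replay_ok


if __name__ == "__main__":
    print("static clone opens door:", demo_static_clone())
    print("(genuine, replay) for challenge-response:", demo_replay())
```

The contrast is the whole point: in Part 1 the card's only secret is the identifier it shouts at every reader, so the controller cannot tell original from copy, and parity only catches transmission errors, not forgery. In Part 2 the card-side key is what makes the credential non-copyable, and that only holds if the key cannot be read out of the card and the reader never accepts a response to an old nonce.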