Using Multifactor Authentication to Protect Physical Keys

If you’re familiar with cybersecurity at all, you know how valuable user credentials are — and how catastrophic it is when criminals use them to access or steal sensitive information. According to the 2021 Verizon Data Breach Investigations Report, 61% of breaches involved stolen credentials.

Protecting sensitive information requires multiple layers of defense. Even if a criminal breaches one layer of security, they’ll have to circumvent a couple more to get what they’re after. That’s the strategy behind multifactor authentication (MFA). This technology requires a user to verify their identity by providing at least two different types of credentials before they can access certain information, devices, or physical areas.

You can find examples of MFA in everyday life. When you check your phone, you might scan your fingerprint and then enter a passcode to unlock it. To access online banking, you enter a username and password, followed by a unique code sent to your phone or email address. Perhaps you log in to your work computer with a unique username and password, then log onto a VPN using a randomly generated code.

Just as you use MFA to protect your organization’s digital assets, you should use a tiered approach to protect your physical keys and fobs. Here’s how to do that.

Digitize Your Key Management

Before you can implement an MFA-inspired approach to key control, you must first digitize your key management. Keeping keys on a pegboard, in a drawer, or any other easily accessible place is like posting sensitive personal data on a public blog platform. Sure, you don’t share the link and you exclude the page from search engines. However, if anyone knows how to find that site, your sensitive data is there for anyone to swipe.

Likewise, anyone who knows how to find and access your keys can take them and use them to access your assets, whether they’re vehicles, sensitive data, or private rooms.

Protect your keys or key fobs by storing them in an electronic key control system that can automatically authenticate users.

Set up Your User Authentication Methods

Once you’ve secured your keys in a key management system, you’ll set up user login credentials. MFA involves login options from at least two of the following categories:

• Time
• Something you have
• Something you are
• Something you know
• Location

Using these principles, you could combine several of the below authentication methods for your key control system:

To give you an idea of how you could implement these methods at your organization, take a look at the example scenarios below.

Example Scenarios

• Scenario 1 — Auto Dealership: To prevent salespeople from accessing vehicles keys after hours, you set up your system to prevent user access after your office closes. During working hours, employees reserve keys using a key control app on their phones. When they’re ready to check out the key, they unlock their phone with their fingerprint or passcode, then use the key control app to generate a unique QR code. They scan the QR code at the key system to unlock the system and retrieve the keys they need.
  
  
• Scenario 2 — Higher Education Institution: Employees of a sprawling university campus should only have access to the keys or fobs they need to do their jobs. To make that possible, you set up user profiles with specific access privileges. When setting up each user, you assign a user profile to the employee so they’ll automatically have access to the keys they need and no others. To log in to the system, they scan a fob with a fob reader, then scan their fingerprint with a fingerprint reader.
   

• Scenario 3 — Apartment Community: When a leasing agent or a maintenance tech needs a key or door fob, you have them use a fingerprint reader to scan their fingerprint, then enter a unique passcode.
  
  
• Scenario 4 — Commercial Fleet: To check out the keys for a company fleet vehicle, employees scan a proximity card with a prox card reader, then enter a unique password. Only specific users are authorized to access the system. Each users is only able to check out certain vehicle keys. For example, delivery drivers can only check out van keys, and salespeople can only check out car keys.
  
  
• Scenario 5 — Government Facility: To access the system to remove a key or fob for a government facility, users are required to scan a key fob with a fob reader and then have a fingerprint reader verify their fingerprint. If an employee needs a high-security key, an authorized person must also log in to the system to authorize the key being checked out.

This isn’t an exhaustive list, of course. Every situation is unique, and these examples don’t apply to everyone. To find the best methods for authenticating your key system users, consider the types of keys you manage, the employees who use them, the physical location of your keys, employee schedules, and any other factors that affect key use.

Create a Culture of Security

After you’ve put in the effort to digitize your key control and set up multifactor authentication, it’s important to develop a culture of security throughout your organization. Security isn’t just the IT department’s responsibility. It belongs to everyone.  Set up regular employee training on key security best practices. If you already have regular cybersecurity training, consider rolling your key management training into that. Also check with your key control technology vendor to see what system training is available to you.

Once employees know what’s expected of them, hold them accountable. If someone isn’t following your key control policy, address the issue immediately. On the flip side, reinforce good behaviors by acknowledging when employees follow security best practices.