How Often Should Credentials Be Rotated?

Brian Rhodes
Oct 16, 2013
IPVMU Certified

In my experience, most access credentials (whether it is cards, fob, or even PIN codes) are issued once - on the first day the holder is permitted access - and then not addressed unless the holder loses or destroys the credential, or has access revoked.

The intervening period can be years, even decades. I have a family member who still uses an access card issued in 1998. Needless to say, it is old, worn, and the picture printed on it is faded. (It wouldn't look much like the 2013 version of the holder, anyway.) Many access control users see the reissuance and rotation of credentials to be pure cost - "If it isn't broken, don't fix it" seems to be the common opinion.

I've not seen a 'best practice' widely adopted for this policy. So what do you think?

Do you rotate, or recommend a rotation (reissuance) interval for access credentials? What cons can you think of by NOT rotating them?

CW
Caleb Weir
Oct 16, 2013
JAARS Inc. • IPVMU Certified

Our company is a relatively new user of EAC. However, we recently went through a companywide badge reprint to remove the logos from the badges (security through obscurity, etc.). It was not cheap. However, it was considered worth it by C-level because we have had multiple instances of unknown persons trying badges at the doors because they knew what company it was for.

Considering the typical access threats that we face (curiosity seekers, homeless, consumers seeking refunds, etc.), I personally do not see a reason to rotate credentials. Damage, loss, and wear come frequently enough anyway!


Caleb

CE
Cynthia Ezell
Oct 16, 2013

I do not have a rotation schedule except for the reasons you have already given. There are exceptions: Name change, gender change, weight loss (people usually don't want to change their photo when they gain weight).

The ones that use their cards the most are our students. They wash and dry, bite, punch holes in their cards, cards fade out on dashboards so there is a constant stream of people rotating their cards. As for faculty and staff, most don't use their cards for building access, so they keep them for a number of years. Most of them don't bear any resemblance to their ID photo after a time.

This is the main reason I would think rotation is necessary, at least for credentials used as ID cards: ten years and 20 pounds later, at least the photo should be updated; but here again, vanity rules. Most want to keep the younger photo ID. Some cards do lose their ability to work for access purposes after so many years, but this has not been much of an issue. Mag stripes wear out long before the prox components in most cases but that is not a credential used for access here.

Since we are a 4-year institution, we like to see the cards last for (at least) that many years, but I believe they are only warrantied (prox) for 2 years. If I had to come up with a rotation schedule, it would probably be a 4-year. Of course, given our resources it would be difficult to enforce.

MT
Matt Theby
Oct 16, 2013

Given that we occasionally perform installs on customer sites where they still have keys from 50+ years ago, we haven't always seen aggressive rotation schedules. Sure, we think it is an excellent idea. But, like the Owner's key system, which often is neglected, only some of the market will be willing to keep themselves organized and enforce rotation periods; we think most of the market ends up getting complacent with the state and age of their credentials, just as they would if they had physical keys. Is that the right thing to do? No! We always try to counsel that sometimes applying common sense can provide a security lift.

One feature of access control systems that does seem to give Owners the feeling of security is the notion that if anything happens to a credential, I can remove it from the system instantly. This may lead to the relaxed approach to rotations.

To argue against regular rotation here for a brief moment... if the Owner is unwilling/incapable of properly removing the cards from the database, they could accidentally end up with a box of "old" cards that are actually perfectly good and alive in the system, and should somebody get their hands on them, it could lead to unauthorized access. I know it's a stretch, but we have all seen Owners not see a process all the way through, and I wouldn't be surprised if there were some out there who rotated credentials but then failed to remove all the old credentials.

TB
Tony Burrow
Oct 16, 2013

We really don't rotate actual 'keys' to buildings around here until a problem occurs. One con might be that the longer a credential with the same value/code stays in a person's possession, the higher the chances are of it being compromised by someone with wrong intentions... well, that's really not a good answer, but I'm trying to participate...

I really do appreciate Caleb's comment on not having logos printed on the card. I've never thought of that before and it's a great point to remember.

Brian Rhodes
Oct 16, 2013
IPVMU Certified

These are interesting answers. The most aggressive rotation schedule I have experienced in the field was a research organization that used fingerprint readers.

They would simply not use other credential forms. However, in order to lower the rate of bad reads, they found that re-enrolling everyone's prints yearly was needed. (The manufacturer recommended this.)

All told, the facility re-enrolled two employees every day to work through their ~500 employees in a year's time. Quite the undertaking!

JH
John Honovich
Oct 17, 2013
IPVM

Re-enrolling fingerprints yearly? Is that typical? Recommended by manufacturer?

Brian Rhodes
Oct 17, 2013
IPVMU Certified

No, that's not typical. The 'one year' shelf life was the recommendation given after troubles with poor accuracy in the field.

KL
Kok Long Pang
Oct 17, 2013

No, we never advise customers to re-enroll the fingerprints periodically. Re-enrollment is only required if:

1. A newly deployed device does not have any communication cabling to link up to the software for data transfer. However, this is resolved by using USB flash disk transfer.

2. Users upgrade the old devices to new devices which are running on a new fingerprint matching algorithm. Due to the change of algorithm, the new algorithm cannot recognise the templates from the older system.

3. Users find it difficult to scan their finger, or verification is inconsistent.

Even my own fingerprints were enrolled 4 years ago and I am still using them to access everywhere inside my office. So do all my colleagues in the same office.

May I know which brand you were referring to, who recommended yearly fingerprint re-enrollment?

Brian Rhodes
Oct 17, 2013
IPVMU Certified

Hello Henry:

I do not remember the manufacturer of the readers. They were in use before I was involved with the system.

I do know they were conductive, not optical, reader types.

UI
Undisclosed Integrator #1
Oct 17, 2013

I think every 6 months, just to keep everything up to date so you don't have credentials sitting around from previous people using them.

DH
Dave Hains
Oct 17, 2013
IPVMU Certified

I believe rotation is not a bad concept in theory... When you get to thousands, or even just hundreds of cards, it gets almost impossible, definitely not practical. All the coordination required, time and effort. We tend to recommend adding a second authentication factor instead if the client is concerned, such as a PIN; this way the PIN can easily be changed once in a while and older cards out there become obsolete without the PIN.

This research center example is out there, that's for sure. I have never seen this before; it is quite an undertaking. Most people do not realize how much work (man hours) can be involved in this until they have to do it themselves or pay up...

On smaller systems that are getting on in age, we do encourage rotation, but that usually does not get approved before several years. Brian is right with the comment: "'If it isn't broken, don't fix it' seems to be the common opinion."

We are all about best practices, but this is a hard pill to swallow for most clients.

TN
Tue Nguyen
Oct 17, 2013

I agree with Dave, as secondary authentication like a PIN makes rotation a bad concept. The only issue with changing PINs is to not allow a user to reuse a small list of PINs.

Brian Rhodes
Oct 17, 2013
IPVMU Certified

Hello Tue!

I could be misunderstanding you, but I disagree on both accounts. Rotation/reissue of credentials seems a necessary step to ensure credentials do not become stale, misused, and mismanaged.

If I issue once, then forget about them, there is an increasing likelihood I do not manage them at all from that point forward. In this case, is there any advantage to having (more expensive) electronic access compared to 'traditional' mechanical keys?

Also, reusing PINs seems a shortsighted practice as well. Can't I just use someone else's PIN if mine is reassigned? Maybe I am misunderstanding this, so your clarification is appreciated!

TB
Tom Bragg
Oct 17, 2013

What should be done and what ends up being done are two different things. I have seen several installations where credential rotation does not exist. The only time new cards get issued is for a new employee or a lost card, as you mentioned. With tight budgets, managers are tending to what is bleeding the most; being proactive is not part of the plan.

JC
Joe Cunetta
Oct 17, 2013

Agreed with above. 9 times out of 10, access control in general is at the bottom of the list when it comes to budget, unless either something happens at the building or the system just dies. We still try and promote being proactive and even offer things like yearly maintenance, etc., but a lot of times it's just not put into the budget.

TC
Tim Coon
Oct 17, 2013

In my opinion they should be rotated/replaced as required. I would recommend that every year an audit of the cardholder database be conducted and an inspection of badges be conducted; exactly how this is done depends on the company size.

U
Undisclosed
Oct 17, 2013

I think that only the most secure facilities will have the budgets to rotate the users credentials. In the real world, most are on tight budgets and rotating credentials wouldn't be funded.

JP
Jatin Patel
Oct 17, 2013

I would say that rotation of cards is a good way of keeping your site secure, but really I wouldn't know how often. Maybe instead you do a quarterly audit of cardholders in your system with HR or whatever department controls the system. We have sites that have fewer than 60 people and sites that have 1000 people. So I would say that it depends on the site and what is feasible for the site to do. So I do think it's a good idea but couldn't really tell you how often you would rotate credentials.

Brian Rhodes
Oct 17, 2013
IPVMU Certified

My state requires a new driver's license every four years. That seems to be a reasonable interval for most.

Agree/Disagree?

AM
Andrew Montgomery
Oct 17, 2013
IPVMU Certified

The feasibility of rotating credentials is a big reason why the schedule our end users use is so broad. It is basically "when it needs to be done" or if an employee's card stops working. Our customer with the biggest security budget is only updating their cards next year to move to iClass.

Joe Mirolli
Oct 17, 2013
IPVMU Certified

I don't understand the rotating of credentials. Perhaps we are using the wrong terminology here and we really mean "Expiring" credentials. My point is how will a rotated credential, which sounds to me like a credential once assigned to Paul then gets rotated to Scott help keep my facility secure? I certainly see the point of updated credential holder information with regard to name, address, photo, etc. But if the point of changing credentials is to limit access to the building because the credentials information has somehow been compromised, a "rotated" credential with compromised credential id information will still allow access.

Brian Rhodes
Oct 17, 2013
IPVMU Certified

Hello Joe:

By 'rotating', I mean 'turning over' or 'reissuing' credentials.

Some facilities indeed swap credentials between users, often reassigning numbers to different people, etc. The point is that once issued, credentials allowed to stagnate become a risk: picture IDs don't age, PIN codes get shared, users share credential cards, and so on.

Rotating does not mean 'hand your card over to employee X' without also reconfiguring the access levels, schedules, and permissions of that credential.

DH
Dave Hains
Oct 17, 2013
IPVMU Certified

I think when we say rotated, we mean issuing new ones, but either way. Doing a rotation will ensure that old, possibly lost or cloned credentials are discontinued or caught. Now that you have possibly switched Paul's and Scott's, one could see an irregularity in the pattern. E.g., Paul is in IT and Scott is in accounting. Scott's newly issued credential was tried a few times on the server room... we have a cloned card... then cameras can be checked, etc.

CJ
Chris Johnson
Oct 17, 2013
IPVMU Certified

At this point I have only been involved with a small number of access installs, and the majority have been for convenience rather than security. In saying that, they have all just rotated on a need basis. We are the same within our own company as well.

JB
Jeff Barton
Oct 17, 2013

We do not rotate our cards. In a perfect world that would be awesome but with costs we just don't do it.

CS
Claudia Synnatzschke
Oct 17, 2013
IPVMU Certified

I agree with Joe; I am not quite sure what the meaning is of rotating credentials. I am a facility manager and we do not issue new credentials to existing employees on a schedule, only on an as-needed basis (card stopped working, lost, picture not recognizable, etc.). We do have a system tied to the new hire process that sends out requests for new employees to receive a badge and to remove badge access for employees who leave the company, the day that they leave. We also track whether or not we were able to retrieve the badge from someone who left. And we change access rights if the employee changes positions and may no longer need access to a certain area. I can't really see how rotating badges would improve security in my case.

DC
Daniel Cerone
Oct 17, 2013

A rotation is great because it will save money in the long run. Think about it- what costs more? A break-in where expensive or confidential items are stolen or reissuing cards?

RG
Reed Galli
Oct 17, 2013
IPVMU Certified

It is a good idea to evaluate the entire access control system every 5 years, looking for cost savings, efficiency, flexibility and more user-friendly software. After 5 years it may be time to look at going from Prox to iClass or start using some sort of biometric readers after a cost-benefit analysis. After 5 years a threat assessment needs to be done on the current credentials. Perhaps the vulnerabilities can justify rotating the credentials.

WL
Wael Lahoud
Oct 17, 2013

If the credentials were badges/cards, I would recommend a rotation every two years:

1. Updates photo IDs

2. Verifies credentials

3. Maintains the ACS DB

For fobs, one year, as they are more prone to being lost. It's easier to challenge a person with a badge/card that doesn't match his picture than a person holding a fob.

PP
Prasanth Padmanabhan
Oct 17, 2013

It's true that people care the least about rotating the credentials. If we are using multiple credentials, we should rotate one of those at least once in 6 months; for example, if we use card plus PIN, let the PIN be rotated.

Brian Rhodes
Oct 17, 2013
IPVMU Certified

I agree with this idea. If multiple factors are used (PIN and card), simply refreshing one of the factors can enhance the security of both. Changing PINs is less expensive than reissuing cards and is easier to administrate.

However, information like Photo IDs can still become dated.

U
Undisclosed
Oct 17, 2013

We do not rotate cards and our customers have not inquired about it either. I do believe that salesmen have a chance to upsell the service. Until someone's system is breached, I don't think people really think about it.

SW
Staci Wiley
Oct 18, 2013

My own experience would tell me that rotation is not the norm with companies due to the resources it would take to manage as well as the cost associated with the ongoing effort.

JC
Jeffrey Choi
Oct 18, 2013
IPVMU Certified

Personally, I had an experience at my apartment entrance. They tried to change the PIN code every year and it has always been a great hassle. Even though they allowed a 1-month period after the announcement, there were many people who were away for this period and could not be informed properly, etc. So there was always big disorder after changing the PIN code.

But without this change the number became so widely known to anyone who lives nearby that it is almost useless as a credential. So I think at least a once-per-year rotation sounds good.

Joe Mirolli
Oct 18, 2013
IPVMU Certified

Jeff, PIN code only in an apartment complex may as well have a sign posted on the door saying "use this code".

DH
Dave Hains
Oct 18, 2013
IPVMU Certified

Totally agree with Joe here.

François Brouillet
Oct 18, 2013

Although using a credential as an ID with a picture does have some benefits, I think the best solution still remains to use a non-printed card, to make sure that a lost card can't be associated with the facility or area it gives access to, as it may take time before the card is reported as lost and is deactivated. There are several ways to ensure credentials are validated on a regular basis and that "unused cards" are deactivated. We have many clients that generate a report every 30 days or more to see which cards haven't been used during that period, and they deactivate those cards. This doesn't mean you can't deactivate a card that has been reported as lost immediately, but it helps to avoid having unreported lost cards in circulation.

For badges with printed information, I haven't seen a specific standard; some don't have any rotation procedure, while others rotate every 2 or 4 years. However, I think the bottom line is how the information printed on the card is being used. If it is just to get something personalized and to look good, then the cycle could be longer; if the badge must be used for visual authentication, then as soon as it is worn or starting to fade it should be replaced, and the cycle would depend on how the card is protected (in a transparent sleeve or not).
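As an added example, not code from this discussion or from any access control product, here is a minimal version of the 30-day inactive-card report described above, run over a constructed cardholder roster and a constructed access log. The card ids, door names, log format and the `AS_OF` date are all invented for illustration; a real report would read these from the ACS database and event export.

```python
"""Inactive-credential report: flag active cards not presented at any reader
in the review window, skipping cards too new to have a usage history."""
from datetime import date, datetime, timedelta

# Constructed roster: card id -> (holder, issue date, status)
ROSTER = {
    "1001": ("Paul",            date(2012, 3, 1),   "active"),
    "1002": ("Scott",           date(2012, 3, 1),   "active"),
    "1003": ("Former employee", date(2011, 6, 15),  "active"),    # left; badge never retrieved
    "1004": ("New hire",        date(2013, 10, 10), "active"),    # issued inside the window
    "1005": ("Lost card",       date(2012, 1, 5),   "inactive"),  # already deactivated
}

# Constructed access events, one per line: timestamp,card,door,result
EVENTS = """\
2013-10-15T08:02:11,1001,LOBBY,GRANTED
2013-10-16T08:05:40,1002,LOBBY,GRANTED
2013-09-02T17:44:09,1003,LOBBY,GRANTED
2013-10-17T12:30:00,9999,LOBBY,DENIED
"""

AS_OF = date(2013, 10, 18)  # constructed date the report is run

def parse_events(text):
    """Return a list of (timestamp, card, door, result) tuples from the log."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, card, door, result = line.split(",")
            rows.append((datetime.fromisoformat(ts), card, door, result))
    return rows

def last_use(events):
    """Most recent time each card was presented, whether granted or denied."""
    seen = {}
    for ts, card, _door, _result in events:
        if card not in seen or ts > seen[card]:
            seen[card] = ts
    return seen

def stale_cards(roster, events, as_of, window_days=30):
    """Card ids that are active, were issued before the window opened, and
    were not presented at any reader during the window."""
    cutoff = as_of - timedelta(days=window_days)
    seen = last_use(events)
    stale = [card for card, (_holder, issued, status) in roster.items()
             if status == "active" and issued <= cutoff
             and (card not in seen or seen[card].date() <= cutoff)]
    return sorted(stale)

def unknown_cards(roster, events):
    """Card ids seen in the log that are not in the roster at all."""
    return sorted({card for _ts, card, _door, _result in events} - set(roster))

if __name__ == "__main__":
    events = parse_events(EVENTS)
    print("Candidates for deactivation:", stale_cards(ROSTER, events, AS_OF))
    print("Cards not in roster:", unknown_cards(ROSTER, events))
```

Cards flagged by `stale_cards` should be reviewed with HR before deactivation, since a legitimately absent employee looks the same in the log as an unreported lost card.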

LM
Lowell Mattox
Oct 21, 2013

No rotation here. Cons on no rotation would be having the picture become out of date; also, if the card isn't taken out of service, any clones will still work, even for years.

CZ
Cliff Ziegler
Oct 22, 2013

I think this is a good theory that should be used; we have suggested it to customers in the past, but like any install, it's left unless a user has damaged or lost their card. In theory it would work well for customers that have 100-ish cards, and a batch load could be used, but we have customers that have in excess of 30,000 users and it would be quite unmanageable. Given that larger sites usually have a large geographical separation between all the sites, it would be quite difficult to get the credentials from and to each individual.
