Japan airport staff dash to replace passcodes after security cock-up

Re: Epic fail

Notes containing passcodes are supposed to be stuck to the bottom of ones keyboard!

You have obviously never managed a helpdesk. Do you have any idea of the call volumes from people who have forgotten that their password cribsheet is underneath the keyboard after a bank holiday weekend? Best practice remains to stick the post-it to the monitor bezel. If security is critical, the post-it may be applied to a flat surface and obscured with a gonk.

The sheer number of keys you would have to produce, distribute and control?

Multiply this by the number of times you would have to re-issue them in the the event of a breach and the effort in changing all the physical locks.

"what's wrong with plain old keys?"

This is Japan we're talking about. If it doesn't operate by pressing a touchscreen, a keypad or falling out of a vending machine (sometimes AFTER pressing a touchscreen or keypad), it's simply not done.

"In this case, since it's physical access, what's wrong with plain old keys?"

Volume. And if you drop it someone can pick it up and use it. With a combination you can't drop something you know. Unless you have a half dozen to remember and have to write them down...

Seems the most appropriate solution is 2-factor security - a swipe/RFID card, which is your physical key and means person x can only access those areas they have authority for, in conjunction with a single individual PIN*, such that a dropped card on it's own is useless.

If someone loses their card you only have to disable that card, not reissue cards to everyone else as you would with a physical key (and change the physical locks). Presumably all the staff have ID cards anyway, to prevent someone just telling a mate the codes so they can pop in for a gander at Obama...

Of course someone could give their card to a 3rd party and divulge their PIN, but that's the same risk as them telling a 3rd party the codes or handing over a key/cutting unauthorised copies.

Next step up from that is a security guard checking the photo on the card against the bearer and the reference photo in the database on a terminal, but that'd be overkill for all bar the most sensitive areas.

*Or fingerprint/palm/Iris scanner if you want to go all Mission Impossible, but you could probably recover the fingerprint off a dropped card, so still a risk until the card is reported missing and privileges revoked.

Re: unit...

I was flashing back to the Wizard of ID:

Rodney, to guards: Tonight's password is "I Don't Know".

Next day:

King: Good grief! The courtyard is full of Huns. How did this happen?

Rodney: "I don't know"