13 February 2016
Electronic grid cards are often used for implementing strong or two-factor authentication. Although they offer less security than, e.g., physical grid cards or authenticator apps, they are very popular because the rollout is easy: just assign the grid card to the user in the authentication system, email the PDF document with the grid card, and off you go.
That sounds good, but without training in proper handling of the grid card this may end in a security nightmare. Besides processes for, e.g., blocking the grid card in the case of loss or theft, rules for proper handling need to be defined and communicated to all users:
- Print the grid card and store the printout in a safe place.
- If required for convenient access, store the grid card on a secured mobile device.
- Delete the email after printing and empty the mail program's waste bin.
- Delete the PDF document after printing; make sure it is not cached and does not remain in the computer's waste bin.
- Do not note down passwords on the back of the grid card.
Please note that this list should not be considered complete.
In particular, copies on any kind of online storage may pose a risk to a company. A cyber attacker who has hijacked a computer may find the online copy and use it when prompted for a grid card response, e.g., for secure logon to the company's web access portal.