Operators Might Inadvertently Self-Enroll Non-Nymi NFC Devices to Evidian


Creation Date: 2024/03/06

Last Update: 2024/03/06

Nymi Risk Assessment Identifier: EVD-81494

Overview

An operator can inadvertently enroll a non-Nymi NFC device to Evidian.  The impact differs depending on the authentication mode: 

  • In RFID-only mode, the user can use the non-Nymi NFC device to complete authentication tasks. 

  • In Wearable mode, the user cannot use the non-Nymi NFC device to complete authentication tasks. 

Problem Description

By default, the Evidian software allows operators to self-enroll RFID devices, which associates the device with the user credentials. Many devices, like smart watches and bar code scanners, are NFC-enabled and Evidian can recognize them as devices that are eligible for enrollment. When a non-Nymi device comes in close proximity to the NFC reader (typically inadvertently, when the operator is performing their regular task), Evidian may detect this device, recognize that the device has an NFC UID (unique identifier) that is not currently associated with an operator, and prompt the operator to provide their Active Directory username and password to self-enroll the device. 

If the operator completes the device self-enrollment and Evidian is in RFID-only mode, the operator can tap the device on an NFC reader and perform logins and electronic signatures. However, these devices do not have the biometric verification capability of the Nymi Band, which prevents other users from obtaining the device and performing logins and e-signatures as the user that performed the self-enrollment.

Furthermore, the NFC UID of some of these non-Nymi devices is not unique. The device manufacturer may assign the same NFC UID to all devices of the same model or related models. As a result, one operator can inadvertently self-enroll a non-Nymi device, and another operator in possession of a device with the same NFC UID may inadvertently bring that device in proximity to an NFC reader and perform a login or an electronic signature with the credentials of the operator that performed the self-enrollment.

Security Impact

An operator can successfully perform an application login or an electronic signature with a non-Nymi device under the identity of the operator who performed the self-enrollment of the non-Nymi device, which negatively affects the data integrity of the electronic signature process. 

If the Nymi with Evidian solution uses Evidian Authentication Manager to perform Windows logon and desktop unlock, an operator can successfully log into Windows or unlock the desktop with a non-Nymi device under the identity of the operator who performed the self-enrollment on the device.  

Mitigating Factors

The Evidian software detects non-Nymi NFC devices and triggers self-enrollment only if the device has an Answer-to-Reset (ATR) value that is recognized by Evidian. The ATR value is the first piece of data that Evidian retrieves from an NFC-capable device, before the NFC UID is read.

Recommendation

Nymi recommends that all customers who use the Nymi with Evidian solution disable the self-enrollment feature in Evidian, as described in the Nymi Support Knowledge Base.  Contact Nymi Support to assess your environment and determine if your data zone has experienced a self-enrollment event for a non-Nymi device. 

After you disable self-enrollment, bringing a non-Nymi NFC device in close proximity to an NFC reader no longer triggers the self-enrollment prompt; however, the Evidian window still displays the device identifier for the non-Nymi device. The Nymi Support Knowledge Base provides more information. For an improved user experience, instruct operators to avoid bringing non-Nymi NFC devices in close proximity to the NFC readers.
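The following is an added illustration, not Evidian or Nymi code, of the enrollment and authentication behaviour described in the Problem Description, Mitigating Factors and Recommendation sections above. It models a UID-keyed enrollment store so that the three outcomes the advisory states can be checked side by side: in RFID-only mode with self-enrollment enabled, a second device that shares the first device's NFC UID authenticates as the enrolling operator; with self-enrollment disabled, the device is only displayed and never bound; in Wearable mode, a bound non-Nymi device is rejected because it carries no biometric wearer verification. All UIDs, ATR byte strings, usernames and the set of "recognized" ATRs are constructed placeholders; the real ATR values Evidian recognizes are not stated on this page.

```python
# Constructed model (not Evidian or Nymi code) of RFID self-enrollment and the
# NFC UID collision described in this advisory. All values are made up.
from dataclasses import dataclass, field
from typing import Optional

# Placeholder ATRs: Evidian only acts on ATRs it recognises, but the real
# values are not documented here, so these stand in for them.
ATR_NYMI_BAND = b"ATR-PLACEHOLDER-NYMI"
ATR_SMARTWATCH = b"ATR-PLACEHOLDER-WATCH"      # assumed recognised (see advisory)
ATR_UNKNOWN_TAG = b"ATR-PLACEHOLDER-UNKNOWN"   # assumed NOT recognised
RECOGNIZED_ATRS = {ATR_NYMI_BAND, ATR_SMARTWATCH}


@dataclass(frozen=True)
class NfcDevice:
    uid: str                      # NFC UID the reader obtains after the ATR
    atr: bytes                    # Answer-to-Reset, the first data read
    is_nymi_band: bool = False
    wearer: Optional[str] = None  # identity the band's biometric check vouches for


@dataclass
class EvidianModel:
    """Minimal model of the enrollment store and the authentication decision."""
    self_enroll_enabled: bool = True
    mode: str = "rfid"            # "rfid" (RFID-only) or "wearable"
    # uid -> (bound username, ATR at enrollment, whether the device was a Nymi Band)
    bindings: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def tap(self, device: NfcDevice, operator_login: Optional[str] = None) -> Optional[str]:
        """A device comes within range of a reader. operator_login is the AD
        username the operator would type if prompted to self-enroll.
        Returns the identity the model authenticates as, or None."""
        if device.atr not in RECOGNIZED_ATRS:
            self.events.append(f"ignored uid={device.uid}: ATR not recognised")
            return None
        binding = self.bindings.get(device.uid)
        if binding is None:
            if not (self.self_enroll_enabled and operator_login):
                # Self-enrollment disabled: UID is displayed, nothing is bound.
                self.events.append(f"displayed unenrolled uid={device.uid}")
                return None
            self.bindings[device.uid] = (operator_login, device.atr, device.is_nymi_band)
            self.events.append(f"self-enrolled uid={device.uid} as {operator_login}")
            binding = self.bindings[device.uid]
        user = binding[0]
        if self.mode == "wearable":
            # Wearable mode needs the band's biometric assurance of who wears it;
            # a plain NFC device has no such verification and is rejected.
            if not device.is_nymi_band or device.wearer != user:
                self.events.append(f"rejected uid={device.uid}: no wearer verification")
                return None
        return user

    def non_nymi_enrollments(self) -> list:
        """UIDs bound from devices that were not Nymi Bands: the self-enrollment
        events the advisory recommends checking for."""
        return sorted(uid for uid, (_, _, nymi) in self.bindings.items() if not nymi)


def uid_collision_rfid_mode() -> Optional[str]:
    """Two watches of one model share an NFC UID. Alice self-enrolls hers;
    Bob's watch then authenticates as Alice. Returns who Bob's tap logs in as."""
    evidian = EvidianModel(self_enroll_enabled=True, mode="rfid")
    alice_watch = NfcDevice(uid="04AABBCC", atr=ATR_SMARTWATCH)
    bob_watch = NfcDevice(uid="04AABBCC", atr=ATR_SMARTWATCH)  # same UID, same model
    evidian.tap(alice_watch, operator_login="alice")  # prompted, self-enrolls
    return evidian.tap(bob_watch)                     # no prompt: UID already bound


def collision_blocked_when_self_enroll_disabled() -> Optional[str]:
    """Same scenario with the recommended setting: the watch is never bound."""
    evidian = EvidianModel(self_enroll_enabled=False, mode="rfid")
    alice_watch = NfcDevice(uid="04AABBCC", atr=ATR_SMARTWATCH)
    bob_watch = NfcDevice(uid="04AABBCC", atr=ATR_SMARTWATCH)
    evidian.tap(alice_watch, operator_login="alice")  # prompt never appears
    return evidian.tap(bob_watch)


def wearable_mode_rejects_non_nymi() -> tuple:
    """In Wearable mode a self-enrolled watch is bound but cannot authenticate,
    while a Nymi Band worn by its enrolled user can."""
    evidian = EvidianModel(self_enroll_enabled=True, mode="wearable")
    watch = NfcDevice(uid="04AABBCC", atr=ATR_SMARTWATCH)
    band = NfcDevice(uid="04DDEEFF", atr=ATR_NYMI_BAND, is_nymi_band=True, wearer="carol")
    watch_result = evidian.tap(watch, operator_login="alice")
    band_result = evidian.tap(band, operator_login="carol")
    return watch_result, band_result, evidian.non_nymi_enrollments()


if __name__ == "__main__":
    print("RFID-only, self-enroll on :", uid_collision_rfid_mode())
    print("RFID-only, self-enroll off:", collision_blocked_when_self_enroll_disabled())
    print("Wearable mode             :", wearable_mode_rejects_non_nymi())
```

The `non_nymi_enrollments` helper shows why an enrollment record should keep the ATR and device type alongside the UID: that is what lets an administrator answer the advisory's question of whether a non-Nymi self-enrollment has already happened, which the UID alone cannot reveal once two devices share it.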
