The physical access control system used to be a metal box in a riser room. Today it is enterprise software: a server on the corporate domain, a browser console, administrators with email addresses and calendar invites. Which means the oldest attack on the internet now opens doors. Phish the PACS administrator, and the badge database, the door schedules and the alarm masking rules are yours without touching a fence.
Your door controllers trust a directory your helpdesk will reset over the phone.
Why codes and prompts stopped working
One-time codes and push prompts were designed against password reuse, not against patient adversaries. Real-time phishing kits proxy the code as fast as the victim types it; prompt bombing turns fatigue into consent; helpdesk impersonation skips the technology entirely. The industry’s answer is phishing-resistant authentication: FIDO2 security keys and passkeys, where the credential is bound to the origin and cannot be relayed to a look-alike site, no matter how convincing the email was.
Where to spend it first
- PACS and video administrators: the accounts that open doors and blind cameras go on hardware keys before anyone else.
- Domain and identity admins: the tier that can mint access to everything, including the systems above.
- Remote access into OT and building systems: no vendor tunnel authenticates with anything a website can steal.
- The helpdesk itself: reset procedures with verification that survives a good voice actor, because that call is coming.
This is the cheapest defense in this series: a few hundred keys, a rollout plan, and a policy sentence. The convergence attack it removes is the one we would run against you first.
We have rolled phishing-resistant keys out to PACS teams. It is a smaller project than it sounds.