Access Without Borders
Hayden Hsu
As the number of mobile-payment users grows to surpass 375 million by 2015, demand for devices with near-field communication (NFC) grows as well. Recent research from In-Stat forecasts that adoption of this technology will push global annual shipments of NFC chips to more than 1.2 billion units by 2015.
Fast, contactless communication, reliable data transfer and ease of use are some of the factors that make NFC attractive, a technology that is disrupting the mobile payment and physical access control markets. Access control, file sharing, ticketing and loyalty programs are emerging, according to Frost & Sullivan, as potential applications that will further boost NFC market share. Transitioning from the development phase to the growth stage of its product life cycle, NFC is actively implemented in some key verticals, with retail, banking and consumer electronics gaining traction quickly.
It is not without flaws, though. Despite being a short-range technology, NFC faces issues such as identity theft, a lack of layered protection, and malware and viruses, which restrict its faster and wider adoption. Standardization bodies such as GlobalPlatform and Smart Card Alliance are actively developing NFC standards. These efforts, according to Frost & Sullivan, are playing a key role in addressing security and privacy challenges. The initiatives are being complemented by several key players in the NFC ecosystem who are providing secured communication solutions and NFC-compliant tags that can address security concerns via chip-level encryption.
By enabling access control and payment management across the full spectrum of mobile keys and credentials, readers and locks, and over-the-air provisioning and deprovisioning services, companies are creating game-changing solutions, as well as opportunities, designed to address end-user needs for security, convenience and privacy.
“Smartphones are key to our world today, never leaving our hands or sides. They are so much more than communication devices and have become indispensable consumer appliances for numerous personal, professional and entertainment applications,” said Tam Hulusi, Senior VP of Strategic Innovation and Intellectual Property, HID Global (an Assa Abloy company). “With the advent of near-field communication (NFC) technology, mobile phones can now also be used to hold your identity keys and carry out numerous secured transactions.”
A short-range wireless communication standard, NFC enables the exchange of data between devices over short distances such as a few centimeters/inches. NFC is one of several new platforms that can be used to hold virtualized credentials that previously were stored on contactless smart cards and used to open doors. The same contactless credentials that are programmed to provide various levels of facility access can now be loaded onto a mobile handset and used with NFC for secured access. “Users benefit as it eliminates the need to carry any other access credentials, while making it easier for security managers to track who is entering and exiting monitored access points,” Hulusi added. This is the way that RFID cards, smart tags and card readers work, and the capability is now extended to smartphones.
How It All Started
Over time, access control cards have become increasingly sophisticated and intelligent, as exemplified by today's 13.56-MHz contactless smart cards, which include a tamper-proof RFID device connected to a multiturn antenna. These cards are personalized to the cardholder, and a mutual authentication process occurs when they are presented to a reader. Additionally, they can be used for multiple applications, such as biometric authentication, cashless vending and secured PC log-ons using the inherent secured storage capability of this technology. “Until now, cards were required for securely carrying our identity, and the decision to allow or deny access was made between the reader and a central panel (or server) that stores the access rules and decides if a particular person should be allowed to open a door,” Hulusi explained.
In reality, our identity information and the procedural chain of encrypted communication and data-processing events that occur between the reader and server or panel can be virtualized just like any other IT procedure and moved onto new platforms, including mobile phones. “In other words, the intelligence contained in today's smart cards, along with the user's identity information, can reside on any suitably secured electronic device,” Hulusi said.
Nevertheless, two prerequisites must be met for such a virtualized system to work: a way for the data to be communicated to an access control reader (the equivalent of swiping or presenting a physical card); and a mechanism for securely managing the identity and authentication information carried on the device (from the time of provisioning and throughout its life cycle). With these two pieces in place, the same access control methodology used by billions of people worldwide for decades can be embedded into smartphones and other mobile devices, Hulusi said. “This methodology must be based on a comprehensive chain of custody in which all system end points can be validated; only in this way can identity transactions between the end points be trusted at any time.”
Managing virtualized credentials can be a complex process. “In one typical example, a server would first send a person's virtualized credential over a wireless carrier's connection to the person's mobile phone. To ‘present’ the person's virtualized credential at a facility entry point, the phone is held close to an IP-based access controller connected to another server. Throughout the process, there must be a way to ensure that the credential is valid. Both end points, plus all of the systems in between, must be able to trust each other,” Hulusi said.
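The flow Hulusi describes (a server provisions a credential to the phone, the phone presents it to a reader, and the controller must be able to tell a valid credential from a copied, altered, expired or deprovisioned one) can be sketched in a few functions. The following is an added illustration, not HID Global's or any vendor's code, and it simplifies deliberately: it uses a symmetric HMAC key shared between the issuing server and the controller where a real deployment would use keys held in a secure element or HSM, and the key value, user names and door names are constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Constructed demo secret: in a deployment this key sits in the issuing
# server's HSM and the controller's secure hardware, never in source code.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def derive_device_key(issuer_key, cid):
    """Per-credential key the controller can re-derive from the credential id."""
    return hmac.new(issuer_key, b"device:" + cid.encode(), hashlib.sha256).digest()


def issue_credential(issuer_key, user_id, doors, not_after):
    """Provisioning server: build a virtualized credential and bind it with an HMAC tag.
    Returns the credential (sent over the carrier network to the phone) and the
    per-credential device key the phone keeps in its secure storage."""
    body = {
        "sub": user_id,
        "doors": sorted(doors),
        "exp": not_after,            # UNIX time after which the credential is dead
        "cid": os.urandom(8).hex(),  # credential id, used for deprovisioning
    }
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(issuer_key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}, derive_device_key(issuer_key, body["cid"])


def phone_present(credential, device_key, reader_nonce):
    """Phone side: answer the reader's fresh challenge, proving it holds the device
    key provisioned with this credential and not merely a copy of the bytes."""
    msg = reader_nonce + credential["tag"].encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_credential(issuer_key, credential, door, now, revoked):
    """Controller side checks: integrity, revocation, expiry, door rights."""
    expected = hmac.new(issuer_key, credential["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["tag"]):
        return False, "integrity check failed"
    body = json.loads(credential["payload"])
    if body["cid"] in revoked:
        return False, "credential revoked"
    if now > body["exp"]:
        return False, "credential expired"
    if door not in body["doors"]:
        return False, "no right for this door"
    return True, body["sub"]


def reader_decide(issuer_key, credential, response, reader_nonce, door, now, revoked):
    """Reader/controller: validate the credential, then the challenge response."""
    ok, info = verify_credential(issuer_key, credential, door, now, revoked)
    if not ok:
        return False, info
    cid = json.loads(credential["payload"])["cid"]
    expected = hmac.new(derive_device_key(issuer_key, cid),
                        reader_nonce + credential["tag"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response):
        return False, "challenge response failed (replay or wrong device)"
    return True, info


def demo():
    """Walk the full flow plus three failure cases; returns the list of outcomes."""
    now = 1_700_000_000
    revoked = set()
    cred, dev_key = issue_credential(ISSUER_KEY, "alice", ["lobby", "lab-3"], now + 86_400)

    # 1. Normal presentation at the lab door.
    nonce = os.urandom(16)
    resp = phone_present(cred, dev_key, nonce)
    results = [reader_decide(ISSUER_KEY, cred, resp, nonce, "lab-3", now, revoked)]

    # 2. Replay: same credential and response, but the reader issued a new nonce.
    results.append(reader_decide(ISSUER_KEY, cred, resp, os.urandom(16), "lab-3", now, revoked))

    # 3. Tampering: the door list is edited without the issuer key, so the tag no longer matches.
    body = json.loads(cred["payload"])
    body["doors"].append("vault")
    forged = {"payload": json.dumps(body, sort_keys=True).encode(), "tag": cred["tag"]}
    nonce2 = os.urandom(16)
    results.append(reader_decide(ISSUER_KEY, forged, phone_present(forged, dev_key, nonce2),
                                 nonce2, "vault", now, revoked))

    # 4. Deprovisioning: the server pushes the credential id onto the controller's revocation list.
    revoked.add(body["cid"])
    nonce3 = os.urandom(16)
    results.append(reader_decide(ISSUER_KEY, cred, phone_present(cred, dev_key, nonce3),
                                 nonce3, "lab-3", now, revoked))
    return results


if __name__ == "__main__":
    for ok, info in demo():
        print("GRANT" if ok else "DENY ", info)
```

The two-layer check is the point: the HMAC tag lets the controller trust what the issuing server put in the credential, and the per-presentation challenge ties that credential to the device that was provisioned, which is what lets "both end points" trust each other in the sense the article describes. The revocation set stands in for the over-the-air deprovisioning service mentioned earlier in the piece.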
The basis for modern transactional systems has been the ability to trust the identification of a person, computer, website, check or a credit card. “Unfortunately, the effort required to authenticate them has grown exponentially,” Hulusi continued. “There is, however, an aspect of secured identity systems that simplifies the problem: like mobile networks, secured identity systems are closed systems. To use them, you must complete a background check and sign a legal document to construct the basic blocks describing your identity.”
To have a current and valid set of identity blocks usually means that one has passed this bar and is a member in good standing of the closed system. It also means that the blocks and the systems supporting them can be simpler and constructed so that they use industry standards. “This is the approach taken with the trusted identity platform, which enables the validation of all end points, or nodes such as credentials, printers, readers and NFC phones, in the network, so that transactions between the nodes can be trusted,” Hulusi said.