NFC Changing Identity Management
Hayden Hsu | Date:
Identity is often thought about in terms of the card that carries it. Clearly, identity can now take the shape of a mobile phone, a USB thumb drive or some other medium. These and other virtualized credentials expand the concept of identity beyond traditional ID cards to include many different credential form factors. “This new way of thinking is driving fundamental changes in how we deliver and manage secured identities,” said Tam Hulusi, Senior VP of Strategic Innovation and Intellectual Property, HID Global (an Assa Abloy company). “Today's new form factors for credentials improve user convenience and flexibility, but they also raise questions about how to ensure that all identities can be trusted.” If a user's identity resides on a mobile phone, how can one be sure that the device is trusted and secured?
Or, if a user loses a USB stick or a handset that houses his/her identity, how does one disable that device without affecting the user's identity/ credential residing on another device?
Peace of Mind
There are several important areas for near-field communication (NFC) data security: eavesdropping, corruption, modification, insertion and man-in-the- middle attack, according to NXP Semiconductors researchers.
As it is difficult to prevent signals from being compromised, several industry initiatives, including embedding encryption in secured chips, may effectively enhance security for users, said Jacek Debowski, Research Analyst at Frost & Sullivan. “ARM introduced an authentication technology called TrustZone, which aims to set a new level of transaction experience and security for consumers. Sequent Software launched a neutral NFC platform developed on proprietary ‘Secure Element Management' method that facilitates management of data instead of merely storing it. It is a step toward improving data transfers through NFC.”
Solution providers are also drafting or implementing frameworks for creating, delivering and managing secured identities in virtualized credential environments. “For example, at the heart of our trusted indentify platform, the secured ‘vault' serves only known nodes within a published security policy, delivering three critical capabilities: plug-and-play secured channels between hardware and software; secured key management and provisioning processes; and integration with IT infrastructure,” Hulusi said. Data security, privacy and reliability are ensured using symmetric-key cryptography, so that all nodes can execute trustworthy transactions. “Once a ‘handshake' is accomplished between the vault and a node device, then the device is deemed ‘trusted' in the network. Trusted devices may operate independently, and resulting transactions, such as opening a door or logging onto a computer, can also be deemed trusted. Access control can actually be used in reverse, to prevent access to your NFC phone based on certain rules and authentication factors. The notion of access filters could become more important as we become inundated with electronic data vying for our attention.”
Other applications could also harness a smartphone's power to significantly reduce deployment cost. “Modern smartphones have onboard intelligence that is comparable to today's typical physical access control system, and can be used to perform most of the tasks that would otherwise be jointly executed by a reader and server or panel,” Hulusi said.
Readers (and locks) can be built without any significant intelligence or connectivity capabilities. “NFC-based phones will verify personal identities and any other relevant rules (such as whether the access request is within the permitted time frame), and then send a trusted message to the door that it should open, using cryptographically secured communication,” Hulusi continued. What the reader must do is to interpret the encrypted command to open the door; readers (or locks) become encrypted door switches that are not connected to a panel or server, reducing overall deployment cost. “This will make it possible to deploy inexpensive yet robust access systems for applications like interior doors, filing cabinets and storage units for valuable or controlled materials.”
In addition to cutting cost and creating new opportunities, digital keys and portable identity credentials will also be more secured. “At a minimum, users will be far more likely to notice and report a lost phone carrying a portable identity credential than they would a missing card,” Hulusi said, giving a frequent, real-life occurrence. “Additionally, NFC phones with embedded keys and credentials will make it easier to efficiently modify security parameters.” In a traditional application such as accessing a federal building, two pieces of ID or authentication factors are required. The same is true of financial ATMs, with the plastic card and PIN. “With an NFC phone, two-factor authentication can be dynamically turned on when necessary, such as during elevated threat levels. A command can easily be pushed to the phone to require the user to enter a PIN on the phone before it sends the message to open the door, making multifactor authentication a real-time, managed service that was not possible with plastics.”
Ready, Set, Go!
There are many possible applications for NFC-based mobile phones carrying such embedded keys and identity credentials. Although airlines today use barcode technology, travelers have already shown interest in using smartphones as mobile boarding passes, which further validates the growing popularity of using handsets for a variety of transactions. “NFC phones could also be used to provide access to personal health history. One could present his or her phone at a hospital rather than filling out forms, and have the same information available to paramedics with proper access credentials during a medical emergency,” Hulusi said. Another emerging application is “micro marketing” using intelligent posters. NFC-based access systems and other virtualized credentials will enable a new era of more convenient and secured transactions. “Delivering on this promise will require a simple but protected, scalable and standards-based identity delivery system,” Hulusi said. “These systems will need to support a wide variety of identity nodes — ranging from readers and cards to NFC-equipped mobile phones — and that each can be registered as a trusted node so that it can be securely provisioned anywhere, anytime.” With more decision making and record keeping of access control residing on NFC phones rather than individual readers or locks, it becomes significantly easier, Hulusi added, to secure locations and items with disconnected locks or lost/ compromised keys, and then acquire new keys, remotely deliver keys to other people, and change the rules for who or what can use each digital key where and when.