The new NFC and Apply Pay features of the iPhone 6 could be the lightning-rod to finally spark changes in the way that mobile credentials are used for access control.
For more than four years now, one of the most talked about trends has been field communication (NFC). NFC was supposed to change the face of the access control industry by eliminating the need for cards, subsequently reducing the administrative burden on organizations of all sizes all while increasing security. However this has not yet come to pass, with suppliers offering little more than pilot projects, with limited real-world installations.
NFC isn't a new concept. In 2006, Nokia released the first NFC phone, followed by Samsung in 2010 which released the first Android NFC phone. In 2011, Samsung announced its Secu-NFC technology. According to Samsung, the Secu-NFC chip combines a NFC controller and a secure element storing personal information and security keys with advanced encryption technologies. In 2013, Samsung and Visa announced a major partnership for mobile payments. The list of NFC enabled phones today is extensive. Examples include Alcatel, Asus, BlackBerry, Nexus, HTC, Kyocera and LG among many others.
Historically, most NFC installations were instigated by partnerships between handset manufacturers and financial institutions, producing closed systems with limited opportunity for developers to expand the concept to uses beyond mobile payment. IHS believes this has been one of the main barriers for implementing NFC in the access control industry.
On September 9th, Apple announced NFC would be a feature of the new iPhone 6. While Apple Pay is primarily a mechanism for secure mobile payments, there appears to be plenty of opportunity for other applications, since iOS 8 will also have an Apple Pay application programming interface (API) available for developers. Already, many retailers and restaurants have implemented Apple Pay into their own applications, allowing patrons to skip lines and pay/order directly from a mobile device. According to Apple, the mobile payment transaction occurs by assigning a unique device account number, which is encrypted and securely stored in the secure element, a dedicated chip in the iPhone. When a purchase is made, the device account number alongside a transaction-specific dynamic security code is used to process the payment. So the actual credit or debit card numbers are never shared with merchants or transmitted with payment.
The true benefit of this announcement for the access control industry is the potential use of the open API for developers. Although Samsung Galaxy has an embedded SE and countless other devices offer subscriber identification module (SIM)-based SE, there has been limited traction for access control.
So what exactly is the secure element?
There are many forms of secure element, including the universal integrated circuit card (UICC) - NFC SIM, embedded SE, external (sticker or sleeve) and microSD. The most used formats are UICC and embedded, with the new iPhone 6 featuring an embedded SE. According to the 2014 IHS report on NFC, globally 18.2 percent of cellular handsets shipped in 2013 were NFC-enabled (up from about 8% in 2012). IHS forecasts the number of phones that are NFC-enabled to reach about 1.17 billion by 2018. The report also estimates that about 70% of NFC secure element implementations into cellular handsets were embedded and 27% were on the SIM card in 2013.
What does this mean for the access control industry?
The announcement by Apple addresses one of the barriers the access control industry has faced with regards to NFC, i.e. loading an identifier onto the secure element. With the API mentioned by Apple, it is possible that access control manufacturers--among others in the supply chain–could load and command an identifier directly onto the secure element. Currently, most providers of NFC-based access control are using encryption methods which are located in the ‘sand box' (host operating system) of the handset only, not the SE. By using host card emulation (HCE), providers are able to offer NFC outside of the SE. Although this isn't deemed a ‘best practice' the only other means to provide mobile access control through NFC would be to partner with all the cellular carriers and providers, which can be an incredibly arduous process. By partnering, the access supplier is allowed access to the SE, which is typically either embedded or in the SIM card. One example of such a partnership is HID and Oberthur Technologies. In 2013, HID announced a partnership with Oberthur Technologies to carry Seos Digital Keys on NFC SIM Cards. As mentioned above, the Apple announcement could make it easier for access control suppliers to provide mobile credentials with the true security provided by the secure element.
Beyond the buzz, the market opportunity for access control remains unclear and only time will tell if Apple providing mobile payment will jumpstart NFC usage for access control. Some access control manufacturers speculate that the use of the secure element may not always be necessary and that the encryption provided for access control data on the handset is sufficient for most end-users.
So how quickly could this announcement impact access control? Today, data suggests that less than 3 percent of retailers, or 220,000 out of about 9 million, will be utilizing the mobile payments at the start. One of the main reasons for low adoption is the lack of infrastructure in stores. However, every credit card in the U.S. will be required to have EMV chip-and-pin technology by October 2015. As a result, merchants could decide to move forward with NFC capabilities since they will need to upgrade their system anyway.
Interestingly enough, Apple is only launching in the U.S., which has the lowest penetration rate of mobile payments compared with all other regions. There is tremendous upside though. Access control end-users already have the infrastructure in place to support NFC, e.g. the smart card reader (13.56 MHz). While some pieces of the system may need upgraded such as incompatible hardware and software, the system is mostly ready. So unlike the retail space which has to replace millions of terminals and retrain employees, access control is already primed for the transition.
Overall, Apple could instigate change for the access control industry; however, adoption will remain low due to the other barriers which have not been addressed, such as mobile phone issuance to colleagues and identifying which department in an organization will manage the mobile credentials, since in most cases, the phone would be managed by IT and the security credential would be managed by the security department. New policies and procedures will have to be created and many end-users will still be issued badges for identification purposes. Lastly, Bluetooth is becoming a viable alternative to NFC. Security suppliers have been working for the past several years to work with NFC and implement it beyond pilot projects to little avail. As a result, many are turning to Bluetooth, which is deemed by many to be a more robust option for security purposes such as access control since the read range can be modified, among other reasons. Additionally, Bluetooth has a longer history than NFC with smartphones, with Bluetooth being introduced in 2000, NFC in 2006. So while the Apple announcement gets the ball rolling for NFC in the physical security space by providing more outlets for app developers to create a unique user experience, other barriers still need to be overcome prior to reaching critical mass.