A Better Approach to Credentials?
NFC, as a technology, has much to offer marketeers, technology suppliers and the consumer sector. In essence, it allows a higher degree of interaction between devices, and allows sharing and exchange of data. The principle certainly seems to suit access control on paper, but does the appeal match up in the real world?
As a technology, near field communications has much to offer. One sector that has been quick to take advantage of that is electronic marketing. With a fair few smartphones being NFC-enabled, this means that businesses can interact with consumers via their smart devices. Some of the schemes that have already been introduced include the ability for users to follow businesses and organisations on Twitter, or to Like certain things on Facebook, simply by presenting their handset to a device. Another scheme involved customers loading an App onto their phones, and this was activated in different ways, depending upon which NFC device the phone was presented to.
Whilst these applications might seem irrelevant when considering solutions to risk-based problems in business, to the world of marketing – where interacting with the consumer to capture data via social networking sites represents true worth – the move is significant.
NFC also has business uses. In many countries, schemes have been trialled using NFC for ticketing on transportation systems, as well as other vending applications, and NFC-based payments are being trialled by several banks.
There is a growing number of smartphones which include an NFC chipset, but one of the leading handsets – Apple’s iPhone – doesn’t currently support NFC. There are cases and add-ons that can be purchased to make the unit NFC-enabled, and there seems little doubt amongst the technology-savvy that the introduction of NFC-equipped iPhones will come sooner rather than later.
As with any fledgling technology (NFC has been around for a good few years, but the technology has only recently become widely available to consumers), there is something of a rush to find applications for it. On paper, NFC does seem to have the ability to be used in access control applications. The standard is based on the RFID standard, the read range is low but suitable for access readers, and data can be encrypted. However, does this translate into a real-world proposition?
Firstly, any company utilising NFC as an access control tool would have to equip personnel with NFC-enabled phones. Whilst many companies do provide staff with smartphones, do they always offer them to all staff? If they don’t, and a hybrid solution is sought, it could be argued that utilising the same credentials across a business provides for a simpler solution.
There have been claims that NFC-enabled devices are more secure than access cards or tokens. In order to utilise a smartphone as an access credential, an unauthorised user has to know that the phone works as a key. A PIN will be needed to activate the phone, and an understanding of how the key is activated is also necessary.
Whilst this case can be argued, it also highlights that each user will need to input their PIN to activate the phone, then activate the credential element and present the device to a reader. This could lead to slow throughput in some sites. Additionally, as staff arrive in the morning, carrying bags and other items, the process could be seen as something of a hindrance. Think about an icy damp December morning, and the potential frustrations are obvious!
It has also been said that people rarely lend out their phones, which reduces the chances of the item falling into the hands of an unauthorised person. Again, this point could be argued, but in reality you have to question whether people are more careful with wallets or keys, which is where traditional cards or tokens are often stored.
You only need to walk around sites to see how often phones are left in situations that might be compromised. It’s rarer to see keys or wallets left in such vulnerable positions.
Whilst these negatives shouldn’t be seen as a reason to reject NFC as an access control technology out of hand, the opposite stance shouldn’t be accepted as proof positive that taking such an approach to credentials will immediately increase the security of any site.
In the field
HID Global recently completed two pilot schemes to assess access control using NFC-enabled smartphones. The trials were conducted at the headquarters of internet film and TV provider Netflix, and Good Technology, a secure solutions provider. The trials used HID’s iClass SE platform.
Both facilities were using existing proximity-based access control. The readers were replaced by MultiClass readers, which support a number of technologies. Personnel participating in the trial programme were also provided with Samsung Galaxy S III NFC-equipped smartphones, which had digital keys loaded. The digital keys emulated user credentials, and this allowed access to be gained via the doors protected by the access control system.
Previously, Netflix used keyfobs for access control, but decided to review the use of digital keys to see if they could streamline the access process. The company operates a ‘bring-your-own-device’ (BYOD) mobility environment. Of course, such a scheme allows staff to use their own technology, if they have preferred devices over those utilised by the company. Whilst the BYOD culture is being embraced by many businesses, especially in the technology sector, it also creates issues if preferred devices aren’t NFC-enabled!
At Netflix, a number of staff had already made use of proximity tags affixed to the back of their phones, rather than standard keyfobs. The switch to a mobile over-the-air system therefore only required an element of interaction with the device.
In addition to testing the access control capability, Good Technology also evaluated the use of an NFC-enabled Sargent SE LP10 lock. This was installed on the door of a manager’s office, which is used as a conference room when he is away. This set-up allowed the manager to control access to the office, permitting select members of staff to access it during specified times. There was also the capability to generate reports about who was using the office, and when.
Following the pilot scheme, a survey of participants was carried out. The results indicated that the majority of users felt the use of a smartphone as a credential was intuitive. Many preferred the solution as they felt they were less likely to forget their phone than an access card. Also, many participants stated they would be willing to load the Digital Key App onto their own phones.
It is unsurprising, given that both companies are involved in technologies associated with mobility, that there was support from participants for the use of NFC-enabled solutions across the board, over and above access control. Indeed, it could be argued that the additional uses of NFC chips will have more of an influence in its role as an access control enabling technology, than the development of NFC-compatible access solutions. If a company invests in the technology for the host of other applications, they will naturally want the greatest return on that investment.
One point of interest is that many participants stated that they would like an ‘always on’ NFC-based access control solution, meaning that the smartphones should be able to open doors without having a PIN entered or an App triggered. This is obviously at odds with statements that the requirement for interaction with the smartphone adds a desired layer of security, whilst also raising the issue that the process could impact on throughput; think about that icy December morning again!
Other issues highlighted were the need for a system that will continue to operate when a handset’s battery is drained, and that can be used without affecting other functionality of the smart device.
NFC, as a technology, does offer an option, but there are a number of areas that also need to be addressed with regard to secure use. As the utilisation of NFC-enabled devices increases, and as other applications embrace the technology, the biggest driver for the use of NFC-enabled smartphones in access control may come from outside of the security solutions sector.