printer friendly version

The future of physical access control

For roughly 4000 years since the invention of the lock, the mechanical key has provided an inexpensive method for opening doors and gaining access to properties, vehicles and other assets. Many applications for the mechanical key have gradually been eliminated with the advent of more secure and manageable plastic access-control cards that, over the years, have become increasingly more capable and intelligent. Now, a quantum leap in access-control technology may do away with mechanical keys – and even cards – by ushering in a new era of digital keys and portable digital identity credentials that can be securely provisioned and safely embedded into smartphones and other devices.

Over time, the access control card has become increasingly sophisticated and intelligent as exemplified by today’s 13,56 MHz contactless smartcards, which include a tamper-proof RFID device connected to a multi-turn antenna. These cards are personalised to the cardholder, and a mutual authentication process occurs when they are presented to a reader. Additionally, they can be used for multiple applications such as biometric authentication, cashless vending and secure PC log on using the inherent secure storage capability of this technology. Until now, this card was required for securely carrying our identity, and the decision to allow or deny access was made between the reader and a central panel (or server) that stores the access rules and decides if a particular person should be allowed to open a door.

In reality, our identity information and the procedural chain of encrypted communications and data processing events that occur between the reader and server or panel can be virtualised just like any other IT procedure and moved onto new platforms, including mobile phones. In other words, the intelligence contained in today’s smartcards, along with the user’s identity information, can reside on any suitably secure electronic device. In order to seamlessly integrate with existing physical access control systems, there are two prerequisites for such a virtualised system to coexist:

1) a way for the data to be communicated to an access-control reader (the equivalent of swiping or presenting a physical card), and

2) a mechanism for securely managing the identity and authentication information that is carried on the device (ie, from the time of provisioning and throughout its life cycle). With these two pieces in place, the same basic access-control methodology proven for decades can be embedded into smartphones and other mobile devices.

Enter NFC

An ideal technology for this is near field communications (NFC), a short-range wireless communication standard that enables data to be exchanged between devices over a distance of several centimetres. NFC is also fully compliant with the ISO standards governing contactless smartcards, an obvious feature that makes this an ideal platform. A mobile phone equipped with NFC technology can be used to carry a portable identity credential and then wirelessly present it to a reader. The phone is simply waved in front of the reader and the user can open the door. According to the research firm IHS iSuppli, manufacturers will ship approximately 550 million NFC enabled phones in 2015.

The most simplistic model for NFC digital keys and portable identity credentials is to simply replicate existing card-based access-control principles. The phone communicates identity information to a reader which passes the identity to the existing access control system which then opens the door. This eliminates the need for keys or smart cards while providing a safer and more convenient way to provision, monitor and modify credential security parameters, eliminate credential copying, temporarily issue credentials as needed, and cancel credentials when they are lost or stolen.

An early example of this type of application was recently tested at the Clarion Hotel Stockholm in Sweden during a pilot that concluded in June 2011. The hotel worked with HID Global parent Assa Abloy, Choice Hotels Scandinavia, TeliaSonera, VingCard Elsafe and Giesecke & Devrient (G&D), to replace the hotel’s room keys with digital keys that are sent to guests’ NFC-enabled mobile phones.

During the Clarion Hotel pilot, guests were given the opportunity to use their mobile phones to access their rooms. Participating guests received a Samsung NFC mobile phone with Assa Abloy’s Mobile Keys software installed. Before arriving at the hotel, guests received a text message with a link to where they could check in, and the hotel sent an electronic room key to their phones. Guests then were able to skip the check-in line and go directly to their room, where they opened the door by holding the mobile phone in front of the door lock. When checking out, guests simply touched their phones to a kiosk in the lobby, again saving time by skipping the front desk.

In a survey conducted after the Clarion Hotel trial, sixty percent of respondents said they saved more than 10 minutes by using the digital key solution, and 80% said they would use the solution if it were available today. The hotel also benefitted in several ways (apart from the expenditure on plastic cards) by re-focusing the staffing resources required to check in those guests to other more valuable customer service issues. It was also much easier to replace lost keys when needed.

Paradigm shift

There are other opportunities to harness a smartphone’s power to significantly reduce the cost of deploying access control applications. Modern smartphones have on-board intelligence that is comparable to today’s typical access control system, and can be used to perform most of the tasks that otherwise would be jointly executed by reader and server or panel. Does this mean that NFC smartphones can replace the functional duties carried out by access control panels and servers?

The simple answer is yes. Readers (and locks) can be built without any significant intelligence or connectivity capabilities. NFC-based phones will verify a person’s identity and any other relevant rules (such as whether the access request is within the permitted time period during the day, or that they are standing at the door using the phones’ GPS capability), and then send a trusted message to the door that it should open, using cryptographically secure communications. All the reader must do is interpret the encrypted command to open the door – the readers (or locks) become encrypted door switches, that are not connected to a panel or server, reducing the cost of these products.

Moreover, NFC smartphones will be capable of storing the necessary access control rules and processing, and providing trusted commands to these lower cost, disconnected NFC readers, in order to unlock the door. We contend that this will make it possible to deploy inexpensive, yet equally robust access systems for applications like interior doors, filing cabinets and storage units for valuable or controlled materials (eg, pain-relieving drugs) where it previously would have been prohibitively expensive to install a traditional wired access-control infrastructure.

In addition to cutting access control costs and creating new market opportunities, digital keys and portable identity credentials will also be more secure. At a minimum, users will be far more likely to notice and report a lost phone carrying a portable identity credential than they would a missing card. Additionally, these NFC-based phones with embedded keys and credentials will make it easier to quickly and efficiently modify security parameters.

For instance, in a traditional application such as accessing a federal building, two pieces of evidence, or authentication factors, are required to prove identity. The same is true of bank ATMs, where the plastic card is the first piece of evidence, and a PIN code is the second. With an NFC phone, two-factor authentication could be dynamically turned on when necessary, such as when intelligence leads to an elevated threat level. With an NFC-based mobile phone carrying digital keys or credentials, an application can easily be pushed to the phone that, for instance, requires the user to enter a 4-digit pin on the phone before it sends the message to open the door, making multi-factor authentication a real-time managed service.

Future applications

There are many future applications for NFC-based mobile phones carrying these embedded keys and identity credentials. Although today airlines use QR barcode technology, travellers have already shown their interest in using cellphones as mobile boarding passes, which further validates the growing popularity of using today’s handsets for a variety of transactions.

In Japan, NFC payment systems are already installed in fast-food restaurants, subways, taxis and vending machines. University campuses will also be ideal candidates for this technology. Students will be able to use NFC mobile phones to enter buildings, pay for parking, make purchases, use campus transit systems, check out library materials, identify themselves before taking tests, and access computer resources.

Digital keys and identity credentials also will provide an ideal platform for emerging applications such as electric vehicle charging stations. Drivers will be able to pull up to a charging meter and use their NFC-based mobile phone to access and pay for the service. NFC phones also could be used to provide access to personal health history. One could present his or her phone at a hospital rather than filling out forms, and have the same information available to paramedics with the proper access credentials during a medical emergency. Another emerging application is micro marketing using intelligent posters. Consumers can use their NFC phone to read a tag on the poster which takes them to a special Web page on their phone with more information.

Access control technology can actually be used in reverse, to prevent access to your phone based on certain rules and authentication factors. The notion of access filters could become more important as we become inundated with electronic data vying for our attention.

With the access-control decision-making and record-keeping now residing on the NFC phone rather than each individual lock, it becomes significantly easier to secure locations and items with disconnected locks, and then acquire new keys, remotely deliver keys to other people, and change the rules for who can use each digital key, and when.

Share this article:

Further reading: