What will it take to use NFC for physical access?
Say “mobile wallet” and most people think payment–tapping your phone against a reader instead of swiping a card. But the phrase may soon come to encompass not just your credit card, but your entire wallet: loyalty cards, work ID, access credentials and all–and potentially even the keys jingling in your pocket.
Since NFC uses the same standard as contactless smart cards, the technology could enable employers to take the existing smart ID cards that are used to get into the office and transfer them over to the phone–a process called “card emulation.” Making this a reality, however, is not as easy as it sounds, explains Jeff Fonseca, director of business development and sales at NXP Semiconductors.
“It’s not like you can just take somebody’s badge and put it on a phone and have it just work everywhere,” says Fonseca. “It doesn’t work that way.”
The market is split with different companies providing different “flavors” of contactless technologies in different parts of the world. According to Fonseca, this makes interoperability a big hurdle.
Agreements need to be in place to replicate card types, cryptography and unique IDs to NFC devices. Credential vendors such as NXP, HID Global, LEGIC and Sony will need to authorize one or more parts of the mobile chain–the NFC chip, the handset, the mobile operator–to enable card emulation.
“You can’t just copy the credentials and (use) a different unique ID … it won’t work,” Fonseca says. “You have to have a commercial agreement with the enterprise to replicate and make those credentials virtual onto the phone.”
These obstacles, though relevant, are less daunting for real-world physical access systems than for a future globally interoperable vision. Most organizations select a single type of contactless credential to issue to employees. There may also be a preferred mobile operator and handset. Thus a working solution does not require that every flavor of contactless credential be approved for every handset.
Making all this work together will not fall to the issuing organizations. Rather, contactless providers will work with the mobile chain to offer solutions to issuers. In the near term, it is likely that the contactless provider will have one or more approved handsets and/or mobile operators that issuers can opt to deploy. It is likely that the current network of system integrators that provides hardware and cards to issuers will offer these new emulated NFC cards as a future option.
To be clear, this work is ongoing and it is true that there are very few NFC-enabled handsets on the market today. But these limitations are temporary, according to Fonseca. “The industry is moving in this direction,” he says, adding that there are significant benefits to justify the switch to mobile.
Unlike plastic cards, which are static, a mobile phone can be constantly updated with new permissions and apps for changing needs. Because NFC-equipped handsets can be updated dynamically over the air, new credentials can be provisioned without requiring the employee to physically visit company security or human resources.
Another benefit is that the phone itself acts as another layer of security, explains Fonseca. For starters, each phone comes with an International Mobile Equipment Identity number. Since the IMEI is unique, it can be used to provide another identity aspect to the credential.
The secure element in the phone that stores the credential adds yet another level of security. “You get the added benefits of those two aspects from the phone where you do have more real-time security,” he says. “And more real-time ability to re-commission cards to the phone over the air.”
This dynamic nature of the mobile device will enable security postures to change in real time, says Tam Hulusi, senior vice president of strategic innovation and intellectual property for HID Global.
“You can create a lot more powerful use cases of your access control scenario,” Hulusi says. “Dynamically you will be able to add one, two or three factor identification. If the threat level goes up or the context changes, you can change the number of factors accordingly in real time.”
HID Global’s iCLASS contactless cards are widely used in physical access and other applications. This fall the company will launch its first iCLASS emulation, enabling contactless credentials to be loaded onto NFC phones, Hulusi says.
HID will provide applications to enhance its mobile security offerings, adds Hulusi, including a virtual PIN pad on the phone in lieu of traditional wall-mounted devices. This will enable companies to provide two-factor authentication and eliminate the need for added hardware.
Hulusi says the company is working on a future architecture in which the NFC chip is embedded in the door lock itself and the handset acts as a reader. In this mode, the standard key/lock relationship is essentially inverted; the key is already in the lock, it just needs the right phone to “turn” it.
According to Hulusi, it is similar to accessing information from NFC tags and posters, only in this case the tag is encrypted to ensure only authorized handsets can access the information.
So there seem to be plenty of projects on the horizon, but what will we have in the meantime? Fonseca says to expect a transition period during which we’ll be carrying both our phones and smart cards as access devices.
“From an enterprise security standpoint, most (issuers) do not yet accept a virtual security credential as the only ID,” Fonseca explains. “There are ways on the phone to tie a photo to the credential, but that part hasn’t been (completely) solved yet, so in the interim you’ll likely have physical cards that are carrying the employee’s credential and photo in case they don’t have a phone. And then eventually the phone becomes the redemption vehicle for everything.”