New report says card or handset, smart card tech plays critical role
Smart cards have long played a key role in securing physical and logical access, but now smart cards embedded in mobile devices are emerging as a new, more robust identity credential. The Smart Card Alliance released a white paper on this global trend toward using mobile identity credentials and the role that smart card technology plays in securing those credentials.
Mobile devices don’t require individuals to carry around multiple pieces of plastic. Payment cards, driver licenses, health care insurance cards could all be securely stored on the mobile device, the paper posits. “A digital identity credential in a phone could be used to both access a building and digitally sign e-mail messages being sent from the phone,” the paper states.
The processing and memory capabilities of a smart phone can enhance or extend the functionality of identity credentials. For example, key codes delivered through text messages can be used as an additional authentication factor and location-based services can add more security to a transaction by confirming the location of the individual.
Companies incur costs to maintain the infrastructure that supports employee identity credentials and to equip facilities, computers and employees with the readers that enable their use. An NFC-enabled mobile device can act as both the credential and the reader for physical and logical access.
The report illustrates three different approaches for mobile device authentication in enterprise settings:
- Using the mobile device as an out-of-band solution to determine whether an employee is the right employee;
- Leveraging the NFC capabilities of a mobile device to read and transmit the details of a company ID credential;
- Using the mobile device as the credential, leveraging the secure element to securely store credentials and authenticate the employee.
To use a phone as an out-of-band authentication device requires that it be provisioned with an application that, when requested, either produces a one-time password or prompts the person for confirmation. Once a preregistered user ID–password combination is entered, the phone can be used as an additional factor to authenticate the employee.
For example, when an employee tries to gain access to a secure site, the network initiates a dialogue with the phone. The application on the phone is activated either through a text message or an Internet-based request or push. The phone then displays a company Web site or prompt and asks the employee to confirm the access attempt. The accepted or rejected response from the employee determines whether access is granted.
With an NFC-enabled devices additional identity applications are possible, the paper states. An employee with an NFC phone may be able to tap a contactless smart card credential against the phone and use the information on the card to authenticate the employee.
In this instance, the phone would be associated with the individual’s employee ID. Once a preregistered user ID–password combination is entered, the phone could be used to capture data from the ID card.
In this use case, as with out-of-band authentication, the company site would initiate a dialogue with the phone through a text message or an Internet-based request. The phone would then display the company Web site and prompt the employee to tap the company-issued ID card against the phone and enable the employee to access necessary data or resources.
A company-issued credential can also be stored in the secure of a phone. Storage of the credential in the element would require the company to work with the secure element’s owner – the phone manufacturer or mobile network operator – to pay for memory space and provision the credential. In addition, the phone is associated with the employee ID. Once the employee uses preregistered logon credentials, the company can communicate with the credential on the phone.
NFC-enabled smart phones can also provide opportunities for in-person security and authentication of people carrying contactless ID cards. One potential solution is for security personnel to confirm a person’s identity by having that person tap an ID card against the guard’s NFC-enabled phone.
The security guard would start an application on the phone, which prompts for a card to be tapped. The data on the card would be communicated to the phone using NFC and then transferred to the secure element. The credential would then be validated or denied based on permissions.
Using the reading capability of NFC-enabled phones can offer a few benefits to organizations. First, the number of cards used fraudulently in the market can be greatly reduced and instead of relying on the image on a card, security guards would potentially be able to access a digital image of the cardholder and electronically verify an identity.
Second, phones can represent a low cost terminal for deployment to security guards or first responders. Traditionally, hardware costs have been a barrier to reading cards in the field.
Adding the ability to read contactless cards and NFC to laptops also has identity implications, the paper states. In January 2012, Intel announced plans to embed contactless card-reading capabilities in the Ultrabook product suite, with other product lines to follow.
The implication is that soon all communication devices will be able to read contactless smart ID cards or NFC-enabled mobile devices and use the credentials from the card or the mobile device to authenticate users for access to online services and transactions.