Two corporations piloted NFC for physical access control with 80% to 90% of end users finding the system intuitive and easy to use. Netflix and Good Technology tested the solution from HID Global, replacing either cards or key fobs with microSD cards embedded into Samsung Galaxy S III handsets.
The phone has built-in, native NFC technology that can be used to share data between phones, read NFC tags and conduct payments. It does not, however, support the NFC standard’s card emulation mode which is needed for mobile access, says Debra Spitler, HID’s vice president for mobile access and project manager for the two pilots. Hence, a microSD card with range extender from Device Fidelity was added to enable the feature.
“To provide such support, either the handset manufacturer or the mobile network operator needs to provide communication access to the embedded secure element via a trusted service manager,” says Spitler. “The U.S. mobile network operators do not have active trusted service manager so there is currently no means by which to use card emulation.”
The pilots started in late summer and both companies continue to have individuals using their smart phones for mobile access, says Spitler. Good Technology, which provides mobile data security solutions for its customers, was using HID prox cards for door access prior to the start of the pilot. Netflix was using HID proximity key fobs.
HID Global’s multiCLASS SE readers replaced the proximity readers at select locations in both the Netflix and Good facilities. The Samsung phones were equipped with HID digital keys that store and emulate user credentials.
When a microSD is used for the HID Seos applet–as opposed to the applet being stored in a SIM or embedded secure element–HID can communicate over-the-air with the microSD and Mobile Keys app on the handset via the ASSA ABLOY Mobile Keys ID Service Provider Trusted Service Manager. “This allows us to provision and de-provision HID digital keys over-the-air to the handsets,” Spitler says.
If the NFC capability were housed in the SIM or embedded in the handset’s secure element, the network operator or handset manufacturer would control access and provisioning.
In the future, this process will take place via the HID Security Identity Services portal. Using the portal, a customer will purchase digital keys from their access control system provider just like they purchase cards today, Spitler explains. Rather than delivering programmed cards, HID will deliver the digital keys to the customer via a secure Web portal. The customer will then access the portal to register the handset to a specific user and then assign a digital key from their key vault to the handset. Once this is complete, that digital key will be entered into the access control database and assigned access privileges.
As mobile network operators and handset manufacturers put Trusted Service Managers in place, HID will have connectivity to them such that the Seos applet, mobile keys applet and digital keys could be delivered over-the-air from HID to the Trusted Service Manager and ultimately to the handset, Spitler says.
Netflix was motivated to participate in the pilot because it wanted to make access control more secure and more convenient, explained Bill Burns, director, Netflix IT Networking & Security, during an HID strategy briefing at the 2012 ASIS International conference. “We didn’t want people to have the burden of a separate token and we knew that they were using their phones,” says Burns.
The move from less secure prox technology to contactless smart cards was a benefit too. “The implementation of mutually authenticated cards and readers was really appealing to us,” Burns says.
To get employees ready for the NFC test, Netflix first gave them the option to affix microprox tags–coin-sized proximity stickers–to the back of their phones. “They could wave their phone in front of the reader to access the building,” says Burns. “They thought this was pretty cool.” The microprox tag was used because Netflix had proximity readers already on site.
At the time of the mobile access pilot, about 44% of Netflix employees had moved to the prox tag. Sixteen were then chosen to participate in the NFC pilot and provided the Samsung phone.
Feedback from Netflix employees has been excellent, says Burns. “They love the technology.”
However, employees also wanted more choices when it comes to the handset. The Netflix test involved “one particular phone, one particular operating system and the feedback we got is that they really wanted a choice,” Burns adds. “They wanted to use different mobile operating systems and different handsets.”
At Good Technology, ten employees were initially involved but by the pilot’s end, 25 were on board, says Chris Webber, senior product marketing manager for Mobile Security Platforms at the company.
The use of NFC-enabled phones for access control worked for the company, says Webber, who spoke at the same HID-sponsored ASIS conference. “We live and breathe mobility every day, so having this as a natural extension of the mobile device made a lot of sense,” he says. “For that reason it wasn’t surprising to me that people took to it very naturally.”
Webber admitted to forgetting his work badge from time to time. “But I never forget my phone at home or at my desk,” he says. “Being able to use my phone, rather than a badge, to open doors really simplifies my daily routine.”
Pilot participants didn’t require any training. “What was interesting was that folks that weren’t in the pilot were pulling their own phones out and giving it a try. That’s how natural this technology just seems to folks.” He later had to put up signs explaining the pilot so employees wouldn’t keep trying to open doors with their phones.
An additional aspect of the physical access technology was tested at Good Technology. The company extended the pilot to evaluate the use of an NFC-enabled Sargent SE LP10 lock on an interior room door to an executive’s office. The office was used as a temporary conference room when the executive was away. The executive was able to select the individual employees and specific times when access would be granted to the office.
According to HID’s third-party survey, more than 80% of Netflix respondents felt that the application for unlocking a door was intuitive, and nearly 90% described it as easy to use. This was echoed at Good Technology, where more than 80% felt the smart phone was more convenient to use than their current access card, primarily because they never forget their phones like they do their badges.
More than 83% of Good Technology participants felt that the company’s physical security was improved using a smart phone rather than a card. Among Netflix participants, 87% say they would want to use a smart phone to open all locked doors at the company.
The pilots highlighted a number of opportunities to improve the mobile access control experience as the industry moves closer to deployment. These include bringing more mobile network operators and handset manufacturers into the ecosystem so that users have more service and product choices.
Webber sees Good continuing to utilize the technology. “We want to leave what we have in place, because the readers work with our plastic cards as well,” he says.
He also intends to test new uses for NFC. “How cool would it be if an email sent to my phone could grant me access, for example, to the Dallas office for Wednesday through Friday?” asks Webber.
HID is continuing its work to encourage implementation of the technology. “We’re happy to see that we’re getting more people involved,” says Spitler. “HID remains committed to working with the handset manufacturers and mobile network operators to complete the ecosystem that will support the use of natively-enabled NFC smart phones for physical access control.”
There are also possibilities for NFC applications besides physical access, Spitler says. “In talking with HID customers, we found there was certainly interest in being able to use an NFC phone for other applications, just as customers do with their plastic HID cards,” she says.
“They’re looking to us to work with third parties to enable hardware to work with the mobile phone,” she says. She highlights multi-function printer control, time and attendance and vending payments as just a few of the possibilities. “I see a parallel with using the phone like you would use a card today,” she concludes.