For roughly 4,000 years since the invention of the lock, the mechanical key has provided an inexpensive method for opening doors and gaining access to properties, vehicles and other assets. Many applications for the mechanical key have gradually been eliminated with the advent of more secure and manageable plastic access-control cards that, over the years, have become increasingly more capable and intelligent. Now, a quantum leap in access-control technology may do away with mechanical keys — and even cards — by ushering in a new era of digital keys and portable digital identity credentials that can be securely provisioned and safely embedded into smart phones and other devices.
Over time, the access-control card has become increasingly sophisticated and intelligent as exemplified by today’s 13.56 MHz contactless smart cards, which include a tamper-proof RFID device connected to a multi-turn antenna. These cards are personalized to the cardholder, and a mutual authentication process occurs when they are presented to a reader. Additionally, they can be used for multiple applications such as biometric authentication, cashless vending and secure PC logon using the inherent secure storage capability of this technology. Until now, this card was required for securely carrying our identity, and the decision to allow or deny access was made between the reader and a central panel (or server) that stores the access rules and decides if a particular person should be allowed to open a door.
In reality, our identity information and the procedural chain of encrypted communications and data processing events that occur between the reader and server or panel can be virtualized just like any other IT procedure and moved onto new platforms, including mobile phones. In other words, the intelligence contained in today’s smart cards, along with the user’s identity information, can reside on any suitably secure electronic device.
In order to seamlessly integrate with existing physical access control systems, there are two prerequisites for such a “virtualized” system to coexist:
1. A way for the data to be communicated to an access-control reader (the equivalent of swiping or presenting a physical card), and
2. A mechanism for securely managing the identity and authentication information that is carried on the device (i.e., from the time of provisioning and throughout its life cycle).
With these two pieces in place, the same basic access-control methodology proven for decades in businesses, healthcare, government and other applications can be embedded into smartphones and other mobile devices, and we can do away with keys and cards virtually anywhere we need to unlock a gate, door, or drawer.
Near Field Communications
An ideal technology for this methodology is Near Field Communications (NFC), a short-range wireless communication standard that enables data to be exchanged between devices over a distance of several centimeters. Moreover, NFC is also fully compliant with the ISO standards governing contactless smart cards, an obvious feature that makes this an ideal platform.
A mobile phone equipped with NFC technology can be used to carry a portable identity credential and then wirelessly present it to a door reader — just like the current plastic smart cards. The phone is simply waved in front of the reader and the user can open the door. Key or card access functionality becomes another application alongside the device’s other voice, data, memo, music, navigation, camera and game functionality. According to the research firm IHS iSuppli, manufacturers will ship approximately 550 million NFC-enabled phones in 2015.
The most simplistic model for NFC digital keys and portable identity credentials is to simply replicate existing card-based access-control principles. The phone communicates identity information to a reader, which passes the identity to the existing access control system, which then opens the door. This eliminates the need for keys or smart cards while providing a safer and more convenient way to provision, monitor and modify credential security parameters, eliminate credential copying, temporarily issue credentials as needed, and cancel credentials when they are lost or stolen.