An early example of this type of application was recently tested at the Clarion Hotel Stockholm in Sweden during a pilot that concluded in June 2011. The hotel worked with HID Global parent ASSA ABLOY, Choice Hotels Scandinavia, TeliaSonera, VingCard Elsafe and Giesecke & Devrient (G&D), to replace the hotel’s room keys with digital keys that are sent to guests’ NFC-enabled mobile phones.
During the Clarion Hotel pilot, guests were given the opportunity to use their mobile phones to access their rooms. Participating guests received a Samsung NFC mobile phone with Assa Abloy’s Mobile Keys software installed. Before arriving at the hotel, guests received a text message with a link to where they could check in, and the hotel sent an electronic room key to their phones. Guests then were able to skip the check-in line and go directly to their room, where they opened the door by holding the mobile phone in front of the door lock. When checking out, guests simply touched their phones to a kiosk in the lobby, again saving time by skipping the front desk.
In a survey conducted after the Clarion Hotel trial, sixty percent of respondents said they saved more than 10 minutes by using the digital key solution, and 80 percent said they would use the solution if it were available today. The hotel also benefitted in several ways (apart from the expenditure on plastic cards) by re-focusing the staffing resources required to check in those guests to other more valuable customer service issues. It was also much easier to replace lost keys when needed.
Replacing Panels and Servers
There are other opportunities to harness a smartphone’s power to significantly reduce the cost of deploying access-control applications. Modern smartphones have on-board intelligence that is comparable to today’s typical access-control system, and can be used to perform most of the tasks that otherwise would be jointly executed by reader and server or panel. Can this mean that NFC smartphones can replace the functional duties carried out by access control panels and servers? The simple answer is yes. What this question (and its answer) really means to the access control industry is a paradigm shift in the interaction between the card, the reader (or lock) and the access control panel.
Readers (and locks) can be built without any significant intelligence or connectivity capabilities. NFC-based phones will verify a person’s identity and any other relevant rules (such as whether the access request is within the permitted time period during the day, or that they are standing at the door using the phones’ GPS capability), and then send a trusted message to the door that it should open, using cryptographically secure communications. All the reader must do is interpret the encrypted command to open the door — the readers (or locks) become encrypted door switches, that are not connected to a panel or server, potentially reducing the cost of these products.
Moreover, NFC smart phones will be capable of storing the necessary access control rules and processing, and providing trusted commands to these lower-cost, disconnected NFC readers, in order to unlock the door. This will make it possible to deploy inexpensive, yet equally robust access systems for applications like interior doors, filing cabinets and storage units for valuable or controlled materials (e.g., pain-relieving drugs) where it previously would have been prohibitively expensive to install a traditional wired access-control infrastructure.
In addition to cutting access control costs and creating new market opportunities, digital keys and portable identity credentials will also be more secure. At a minimum, users will be far more likely to notice and report a lost phone carrying a portable identity credential than they would a missing card.
Additionally, these NFC-based phones with embedded keys and credentials will make it easier to quickly and efficiently modify security parameters. For instance, in a traditional application such as accessing a federal building, two pieces of evidence — or authentication factors — are required to prove identity. The same is true of bank ATMs, where the plastic card is the first piece of evidence, and a PIN code is the second. With an NFC phone, two-factor authentication could be dynamically turned on when necessary, such as when intelligence leads to an elevated threat level. With an NFC-based mobile phone carrying digital keys or credentials, an application can easily be pushed to the phone that, for instance, requires the user to enter a 4-digit PIN on the phone before it sends the message to open the door, making multi-factor authentication a real-time managed service.