Insights into identity and access from ASIS 2010

Last week at the 2010 ASIS International Seminars & Exhibits, I had a chance to hear from HID Global President Denis Hebert and their CTO Dr. Selva Selvaratnam, as they presented a joint discussion about the future of identity and access control. HID Global, as you probably know from our coverage on SecurityInfoWatch.com, is being positioned as a company that can provide physical access control and network/logical access control solutions. The presentation during ASIS -- which seemed to be attended by their key customers, HID staff members and trade magazine editors -- covered a number of trends, but I want to hit on two trends that were referenced. These trends affect the entire smart card and access control industry.

Smart cards are becoming more and more prevalent. While at the tradeshow, I learned that Schlage had launched its own smart card offering (called Aptiq – see product release). And unlike old mag cards that simply matched a unique numerical identifier in order to test for granting access, the very cool thing about smart cards is that they can use high levels of encryption to store data and identity credentials – things that you wouldn’t have found on their nearest brethren: proximity cards. Because they can be secured and offer more memory on the card than you found on prox, smart cards can become the host for an identity that is shared across multiple uses.

The classic example of a multi-use smart card is using the card for the building cafeteria payment system and also for door access control, and the second model is using the same card for door access control and logging into a secure website. The concept of the future for this is one of a “federated” identity that can be shared across potential use scenarios. Today, the cafeteria application on a smart card is almost always separate from the application that unlocks doors. The only commonality is that they are on the same card. But the future could mean a single identity for everything. “You can use that same federated identity across both domains – the logical access and the physical access,” said Hebert. “This has been talked about for a long time, but it hasn’t really been acted upon.” Maybe that will change. Part of the reason for the slowness in adoption of a federated identity model, I suppose, may have been that the U.S. market has been somewhat slow in its adoption of smart cards. We need stepping stones in our technology, and adoption of smart cards is one of those stones.

The second big trend I heard mentioned was the concept of the virtual credential. Today, we see the card itself as the credential, but it’s not. The smart card just happens to be a very convenient and accepted form factor for presenting an identity to unlock a door or sign-on to a computer. But the virtual credential concept means separating the credential from the physical medium (the card).

“We often confuse ‘identity’ with the technology or the card that carries it,” said Selvaratnam. “The identity can be taken away from the card.” If we do this, he said, then we can put that credential technology into a number of devices, but the most likely would be the cell phone. And with a mobile phone serving as the carrier of your identity, Selvaratnam says the industry can use a fourth dimension of authentication. Currently, we use the three forms of authentication:

  • Who you are: The oldest model of this is simply recognizing someone, but it can also be understood as biometrics and also role-based authentication (we let Joe in, but not Steve)
  • What you have: This is the classic access control model. You are granted access because you have something that earns access. It’s best represented by the door key, or the access control card, or the ID badge.
  • What you know: This model of authentication means that you have to know something to get in. Maybe it’s a PIN at the ATM, or an entry code or combination to open a physical lock. It might also be a username and password for a website or your computer.

Today, said Selvaratnam, we can introduce authentication based on “where you are”. If the phone becomes the carrier of the identity, and if the phone supports location-based positioning (GPS is in most phones), you start to get possibilities for high-security granting of access. “New credentials like phones will be able to transmit back securely where you are,” he said. “The mobile phone allows that fourth authentication requirement to come through.”

Don’t expect the jump to this location-based authentication model overnight. Transition technologies will be needed. Some of this has started with dual-technology card readers available from a number of companies. To get to the phone-as-credential model, it might mean creating a sticker form factor to stick the card on your phone until the credential is built into the phone. One thing is for sure: If you thought of the access control industry as a fairly staid part of our industry, think again. This part of the industry has a lot of room for technology growth and a lot of possibilities for ways that identity management and access control can be used in the future. The thing I hear from so many of the top access and ID firms is that we’re just beginning to scratch the surface.
