As we enter the next era of physical and logical access control, identity no longer has to be carried on a plastic card: it becomes transportable and media-independent, and can be securely embedded in smartphones and other mobile devices that feature Near Field Communication (NFC) capability.
Within this environment, companies are increasingly allowing employees to use their personal smartphones for work, also known as the Bring Your Own Device (BYOD) mobility deployment model.
Moving physical and logical access control to BYOD smartphones and other mobile devices offers tremendous advantages and will be an important addition to the existing access control infrastructure.
The coming generation of mobile access control solutions will improve convenience and management flexibility while ensuring the security of all transactions; however, using BYOD smartphones for a growing range of access control applications requires planning and a rigorous security assessment, along with an infrastructure that supports cloud-based provisioning of digital keys and credentials. The co-existence of physical and logical access control on a BYOD smartphone also creates the need for adequate cloud-based security data so these devices can be used for network and application logon.
How Smartphones Work for Access Control
Today’s NFC-enabled smartphones can be used to access computers, networks and information assets, as well as to open doors and enter secured areas. As they are deployed for these applications, they must coexist seamlessly with current access control systems and traditional plastic access cards. NFC provides the short-range communications link that lets users open doors by “presenting” the digital key or card held inside their phone to the access-control reader. Devices without built-in NFC can be given this capability with an NFC-enabled add-on such as a microSD card.
A number of pilot programs have validated the benefits of this mobile access control model, including the value of the smartphone platform for protecting credentials. Studies show that users react within minutes when they have lost their phone, but may go a full day or more before realizing they have lost a plastic card.
Using smartphones to open doors requires a new identity model. It consists of interoperable, encrypted data objects that can represent many types of secure identity information, so that data objects for multiple applications can coexist on a single device. The identity system also has to operate within a trusted boundary, so that BYOD smartphones and their transactions with readers can be trusted within the access-control network.
Adapting the Model to BYOD Smartphones
Conferring trust on a BYOD smartphone relies on the phone’s secure element, which is usually either an embedded tamper-resistant integrated circuit or a removable module such as the subscriber identity module (SIM). This trusted boundary, combined with the reliability of the smartphone platform, provides the foundation for a secure mobile identity environment, including a secure communications channel for transferring information between validated phones, SIM cards and other secure media and devices.
Using this mobile access model, organizations can issue digital cards and keys to BYOD smartphones and other mobile devices via an internet portal, similar to the traditional model for purchasing plastic credentials, but with the mobile device connected via a USB or Wi-Fi-enabled connector instead.
Alternatively, digital credentials can be acquired over the air from a service provider, in much the same way that smartphone users download apps and songs. The NFC-enabled smartphone communicates with a Trusted Service Manager (TSM), which interfaces either directly with the mobile network operator (MNO) or with the MNO’s own TSM, so that a key can be delivered to the smartphone’s SIM card. Digital cards and keys can also be shared with authorized users via NFC “tap-n-give” provisioning, where the organization’s security policy permits it.
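The following is an added example, not code from the article or from any access-control vendor, that models the roles described above: a Trusted Service Manager that delivers a key to the phone's secure element, and a door reader the phone is presented to. The article does not specify how the reader and the credential actually talk; the HMAC-based challenge-response used here, the key and nonce sizes, and every class and function name are this example's own assumptions. What it shows beyond the text is why the trusted boundary matters: the key never leaves the simulated secure element, a sniffed NFC exchange cannot be replayed, a phone that skipped provisioning cannot answer, and revoking a lost phone at the TSM takes effect at the reader.

```python
import hmac
import hashlib
import secrets

# Added example (not from the original article, not any vendor's code).
# The challenge-response protocol, key sizes and names below are assumptions.


class SecureElement:
    """Simulated tamper-resistant secure element (embedded chip or SIM).

    Keys go in and never come out; the only operation offered to the rest of
    the phone is "answer this challenge for credential X".
    """

    def __init__(self):
        self._keys = {}  # credential id -> 32-byte key, private to the SE

    def install(self, cred_id, key):
        self._keys[cred_id] = key

    def respond(self, cred_id, challenge):
        key = self._keys.get(cred_id)
        if key is None:
            return None  # this phone was never provisioned for the credential
        return hmac.new(key, challenge, hashlib.sha256).digest()


class TSM:
    """Simulated Trusted Service Manager.

    Generates a fresh key per digital credential, delivers it to the secure
    element (over-the-air delivery is modeled as a direct call) and records it
    so the access control system can verify taps and revoke lost phones.
    """

    def __init__(self):
        self.issued = {}    # credential id -> key shared with the access control system
        self.revoked = set()

    def provision(self, se, cred_id):
        key = secrets.token_bytes(32)
        self.issued[cred_id] = key
        se.install(cred_id, key)
        return cred_id

    def revoke(self, cred_id):
        self.revoked.add(cred_id)


class Reader:
    """Door reader: issues a fresh random challenge per tap and accepts a
    response only for a challenge it issued and has not yet consumed."""

    def __init__(self, tsm):
        self.tsm = tsm
        self.outstanding = set()

    def challenge(self):
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def verify(self, cred_id, challenge, response):
        if challenge not in self.outstanding:
            return False  # not a live challenge: replayed or forged
        self.outstanding.discard(challenge)  # single use
        if cred_id in self.tsm.revoked or response is None:
            return False
        key = self.tsm.issued.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def tap(reader, se, cred_id):
    """One NFC presentation: reader -> challenge -> SE -> response -> reader.
    Returns (door_opened, challenge, response) so the exchange can be reused."""
    c = reader.challenge()
    r = se.respond(cred_id, c)
    return reader.verify(cred_id, c, r), c, r


def scenario():
    """Provisioning, a normal tap, a replayed tap, an unprovisioned phone and a
    revoked credential (all constructed for this example). Returns each outcome."""
    tsm = TSM()
    reader = Reader(tsm)
    alice_phone = SecureElement()
    tsm.provision(alice_phone, "alice-door-A")

    opened, c, r = tap(reader, alice_phone, "alice-door-A")

    # An eavesdropper captured the NFC exchange and replays it verbatim.
    replayed = reader.verify("alice-door-A", c, r)

    # A phone that never went through the TSM knows the credential id, not the key.
    stranger_phone = SecureElement()
    stranger_opened, _, _ = tap(reader, stranger_phone, "alice-door-A")

    # Alice reports the phone lost; the TSM revokes the credential.
    tsm.revoke("alice-door-A")
    after_revoke, _, _ = tap(reader, alice_phone, "alice-door-A")

    return {
        "provisioned_tap": opened,
        "replay": replayed,
        "unprovisioned_phone": stranger_opened,
        "after_revoke": after_revoke,
    }


if __name__ == "__main__":
    print(scenario())
```

In a real deployment the reader would not hold the TSM's key table directly; the point of the model is only that verification keys live on the managed side of the trusted boundary while the phone side answers through the secure element alone.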