NFC Meets BYOD

Aug. 24, 2012
How to apply the “Bring Your Own Device” model to access control

As we enter the next era of physical and logical access control, identity no longer must be carried on a plastic card, but is transportable and media-independent, and can be securely embedded into smartphones and other mobile devices that feature Near Field Communications (NFC) capabilities.

Within this environment, companies are increasingly allowing employees to use their personal smartphones for work, also known as the Bring Your Own Device (BYOD) mobility deployment model.

Moving physical and logical access control to BYOD smartphones and other mobile devices offers tremendous advantages and will be an important addition to the existing access control infrastructure.

The coming generation of mobile access control solutions will improve convenience and management flexibility while ensuring the security of all transactions; however, using BYOD smartphones for a growing range of access control applications requires planning and a rigorous security assessment, along with an infrastructure that supports cloud-based provisioning of digital keys and credentials. The co-existence of physical and logical access control on a BYOD smartphone also creates the need for adequate cloud-based security data so these devices can be used for network and application logon.

How Smartphones Work for Access Control
Today’s NFC-enabled smartphones can be used to access computers, networks and information assets, as well as to open doors and enter secured areas. As they become deployed for these applications, they must seamlessly coexist with current access control systems and traditional plastic access cards. NFC technology provides the short-range communications link that enables users to open doors by “presenting” the digital key or card inside their phone to the access-control card reader. Non-NFC-enabled devices may be securely upgraded to this communication capability by using an NFC-enabled add-on device such as a microSD card.

A number of pilot programs have validated the benefits of this mobile access control model, including the value of the smartphone platform for protecting credentials. Studies show that users react within minutes when they have lost their phone, but may go a full day or more before realizing they have lost a plastic card.

Using smartphones to open doors requires a new identity premise. This premise consists of interoperable, encrypted data models that represent many types of secure identity information, and it enables multiple data models for multiple applications to exist on a single device. Additionally, the new identity system has to operate within a trusted boundary so that BYOD smartphones and their transactions with readers can be trusted within the access-control managed network.

Adapting the Model to BYOD Smartphones
The technology used to confer trust to a BYOD requires the use of the phone’s secure element, which is usually an embedded tamper-proof integrated circuit or a plug-in module version, often called the subscriber identity module (SIM). The trusted boundary, combined with the proven reliability of smartphone technology, provides the foundation for an extremely secure mobile identity environment, including a secure communications channel for transferring information between validated phones, SIM cards and other secure media and devices.

Using this mobile access model, organizations can issue digital cards and keys to BYOD smartphones and other mobile devices via an internet portal, similar to the traditional model for purchasing plastic credentials — but instead connecting the mobile device via a USB or Wi-Fi- enabled connector.

Alternatively, digital credentials can be acquired over-the-air from a service provider, in much the same way that today’s smartphone users download apps and songs. The NFC-enabled smartphone communicates with a Trusted Service Manager (TSM), which interfaces either directly to the mobile network operator (MNO) or to its TSM so that a key can be delivered to the smartphone’s SIM card. Digital cards and keys can also be shared with authorized users via NFC “tap-n-give” provisioning, if this complies with security policies established by the organization.

With mobile provisioning, there is no risk of cloning. It is also significantly easier to issue temporary credentials, revoke or cancel credentials at will, or when they are lost or stolen, and monitor and modify security parameters when a security area’s threat level increases. The systems administrator can either de-provision a digital key over-the-air or via a managed service portal, or remove access rights in the access control system database.

Organizations also can support variable security levels and use additional data elements. They can perform dynamic, context-based role-setting, such as invoking two-factor authentication during an elevated threat level. For instance, an application could be pushed to the phone that requires the user to enter a 4-digit pin or perform a gesture swipe before the phone can send the message to open the door.

There are many types of keys and credentials that can reside simultaneously on NFC-enabled smartphones. This includes credentials for purchasing items at the company cafeteria, and for using secure printing equipment. Smartphones can also generate One Time Password (OTP) soft tokens for securely logging on to another mobile device or desktop computers in order to access a network. With all these physical and logical access capabilities on BYOD smartphones, IT departments know they must develop solutions to protect their systems, data and facilities.

IT Security Concerns
First, to preserve personal privacy for BYOD users while protecting the enterprise from compromised personal apps, all applications and other ID credentials must be containerized between personal and enterprise use. Applications must be enabled for use with digital keys and cards, including applications that enable smartphones to support PIN entry to “unlock” key usage for authentication or signing. Also, middleware application programming interface (API) technology must be standardized so that ID credential functionality can be exposed to the application.

Smartphones used for access control may also need to support derived credentials and support Public Key Infrastructure (PKI), including personal identity verification (PIV) credentials, as used by U.S. federal workers. The combination of containerization and derived credentials will also create the need for hierarchical lifecycle management. This will enable organizations to, for instance, revoke all credentials when a phone is lost, or to only revoke “work” credentials in the case of phones carrying PIV credentials. This is a multi-dimensional mobile ID management challenge that the industry must address as the BYOD model proliferates.

There also must be adequate cloud storage security so that BYOD smartphones can be used for network and application logon. There are four possible approaches. While an open access model on the public internet is easy to implement using a software as a service (SaaS) provider that manages usernames and passwords, this approach offers the weakest data protection.

An alternative is a virtual private network (VPN), and have remote users first authenticate to the VPN before entering username and password. However, this does not scale well to BYOD since VPN clients must be installed on many different devices alongside personal applications, and doesn’t provide additional protection against internal threats. Another option is native strong authentication, but this is inconvenient since each application requires its own, specific security solution.

The best option is federated identity management, in which the user authenticates to a central portal to access multiple applications. Federated management supports different authentication methods and meets compliance requirements by providing a centralized audit record. It also is more convenient than alternatives because nothing must be installed on end-user devices, and it offers good protection against Advanced Persistent Threats (APTs), along with internal threats such as employee fraud.

Federated ID will also ensure that identity can be effectively managed on both plastic cards and smartphones. Plastic cards are not going away anytime soon, and the mobile access control infrastructure will augment what already exists. Many organizations will still want their employees to carry cards because they are used as a means of photo identification. Printer systems will also support both plastic and mobile credentials, as well. 

Dr. Tam Hulusi is Senior Vice President of Strategic Innovation and Intellectual Property for HID Global (www.securityinfowatch.com/10213866).