Access Control & Identity: Climb Aboard the NFC Credentials ‘Train’

June 11, 2013
Integrators need to learn about this system solution

Since November 2011, Villanova University and the University of San Francisco (USF) students and staff have been using the aptiQmobile web-based service from Ingersoll Rand Security Technologies along with NFC (near field communications) and their own personal smartphones as their credential to access dormitories, academic buildings and administration offices. The NFC credential seamlessly integrates with Villanova’s CS Gold campus card system from CBORD. To enter buildings, students simply open the aptiQmobile app and tap their phone to the smart reader on the wall in the same way that they would present their Wildcard campus identification (ID) badge.

What is behind this most comprehensive access control Near Field Communications (NFC) trial in the North American marketplace to date and is it a harbinger of things to come?

Today, the great majority of colleges still deploy picture ID cards, magnetic stripe cards, mechanical keys and barcodes for access control on campus versus newer, more secure technologies such as proximity and, especially, biometrics and smart cards.

What do students want? Convenience is the ultimate student goal. Students want safety and security on campus to be as unobtrusive and transparent as possible. They do not want campus safety measures to interfere in normal activity. Tools that support this goal must enable without intruding. Technology should make their lives more convenient. If technology only “connects” them with the school, they don’t find it very valuable.

Their One Card systems are perceived as convenient and an enabling connection to accomplish their goals. Access to buildings, identification, cafeteria/food courts, library, bookstore purchases, printing and vending, in that order, are the leading applications American college students use their school-issued cards for.

How about leveraging, as a credential, something students already have? Nearly half of all students identify their cell phones as their favorite personal electronic device. It, too, is their “everything.” Some 91 percent of all mobile users keep their phone within arm’s length day and night. Already, nearly half of all students are using cell phone apps provided by their universities.

And, when it comes to credentials, two-thirds are interested in using their phone in place of an ID card. Why? They feel that they are less likely to lose their phone than an ID card.

That day is not far off, as students' desire to use a cell phone as a credential ties in nicely with the budding discussion of NFC (near field communication), which will inevitably end up on cell phones. No Visa card, no MasterCard… only their cell phone will be needed for cashless payments or to show their identity.

The smart card, as used in today’s One Card smart card system, would be in the cell phone, allowing students—or anyone else—to carry out, in a more convenient way, all the benefits of a One Card system.

Smart credentials: every organization’s future

With the price of smart credentials being comparable to proximity today, there is no reason not to deploy smart credentials immediately, even if the only application will be physical access control. A smart credential, for the same price, provides a higher level of security, more convenience, and far greater functionality than a proximity card. One credential has the ability to manage access, payments and many other functions.

In addition to their increased security capabilities, smart credentials can host multiple applications, letting organizations consolidate many services on one card, producing cost savings and increased efficiencies. Smart credentials also have clear advantages over other types of cards as a public key infrastructure (PKI) solution. Storing a private key on a smart credential makes it far less vulnerable than storing it on a desktop PC, and the card is portable for its users. That means only the holder can make the key available. It's not accessible until the holder makes it accessible. In addition, smart card solutions typically involve less systems integration than a full public key infrastructure (PKI).

The secure access solutions available with open system smart credentials have several ROI implications in themselves. For example, when a smart card program is introduced, it immediately solves the problem of (forgotten) passwords, a nemesis for both users and administrators. Schools and businesses will reduce overhead costs simply by not having to administer passwords.

By introducing smart credential-based authentication, an organization can immediately reduce the number of staff members needed to manage and control access to residence halls, recreation centers, laboratories and other buildings that only authorized students and staff should enter. Go beyond the campus and into a multi-tenant building. As they are using mobile applications in the rest of their lives, tenants will expect their buildings and services to be mobile-friendly too. They won't want to remember and manage multiple cards, items and ID credentials when they could simply use their smartphones to do it all.

Likewise, the enhanced convenience of using smartphones instead of badges extends to the administrators whom building owners put in charge of their access control systems. Rather than having to print physical ID badges for each tenant when they enroll, a mobile 'key' gets issued online by your administrator directly to the tenant's phone at any time, saving staff time, administrative costs and the expense of printers, ink, card inventory and other needed supplies. While improving the service they provide their tenants, it also extends their revenue sources to vending machines, pay-by-use systems such as copiers, and other services that can add to the bottom line.

Preparing your customers

Look for a contactless smart solution that is armed with mutual authentication and encrypted with AES 128-bit diversified keys. With such a capability, the card and reader verify that they are authorized to communicate bi-directionally. This saves on infrastructure. Additionally, 128-bit keys virtually ensure no one can read or access credential information without authorization. The technology behind AES has been approved by the NSA (National Security Agency) for classified information. A message authentication code (MAC) further protects each transaction between the credential and the reader. This security feature ensures complete and unmodified transfer of information, helping to protect data integrity and prevent outside attacks.

Those not willing to upgrade today to open architecture smart credential solutions should at least incorporate multi-technology readers that read magnetic stripe and proximity cards as well as the aforementioned smart cards so that, when the switch to smart credentials comes about, they will not have to tear out and re-install readers.

Near field communication, or NFC, provides simplified transactions, data exchange and wireless connections between two devices that are in close proximity to each other, usually by no more than a few centimeters. It is expected to become a widely used system for making payments in North America. Many smartphones currently on the market already contain embedded NFC chips that can send encrypted data a short distance ("near field") to a reader located, for instance, next to a retail cash register. Shoppers who have their credit card information stored in their NFC smartphones can pay for purchases by waving their smartphones near or tapping them on the reader, rather than bothering with their actual credit card.

A smartphone or tablet with an NFC chip could also serve as keycard or ID card. NFC devices can read NFC tags on a museum or retail display to get more information or an audio or video presentation. NFC can also share a contact, photo, song, application, or video or pair Bluetooth devices.

To turn a smartphone into an access control credential, one simply downloads the application, such as the aptiQmobile app, to the smartphone and uses it to retrieve the secure mobile key that was set up by the access control site administrator. Once the mobile key is downloaded, the user opens the app and taps the phone to the reader just like using a smart card. It's very secure and extremely easy to use.

In some cases, there is not even any equipment to retrofit when adding the smartphone as the access control credential. If smart-enabled Schlage AD-Series locks or XceedID smart readers are already installed, it's simply a matter of downloading the credentials to the students' phones and they are ready to go.