HID says future of door access might not be cards

Sept. 19, 2011 – An HID-led pilot project at Arizona State University wants to know if we can ditch the ID card and instead use our phones to unlock our doors. This proof-of-concept project, which was the subject matter for an HID thought leadership luncheon held at the 2011 ASIS tradeshow, seems to have answered that question: Yes, phones just may be a good substitute for ID cards.

Here is how it worked: The pilot project put NFC-enabled phones (near field communications) in the hands of 32 students, who then could use the phone as their access control card at certain university residence doors. They provided a mix of phones to the students, all using Verizon's network. There were iPhones, Android OS phones and even some RIM Blackberry phones.

The phones were authenticated and the NFC technology replicated the signal of an HID iClass card because NFC operates in the same 13.56 MHz frequency used by contactless cards. A mobile app installed on the phones was used by the students to initiate the NFC radio communications that would talk to the reader. The launched app gave the students a select amount of time to open a door (or multiple doors) as it offered the signal that would work with the readers.

An integrator on the project (Henry Brothers Electronics/Kratos) upgraded some of the door readers, and the system piggy-backed on a Lenel access control system.

Along the way, there were hiccups (a mobile app that crashed more than they expected; having to relaunch the app for each door; students who traded phones), but the overall answer of whether this was viable seemed to be “yes”. Students generally liked it (proving that new technology is always attractive), and 79% of the students said it was as convenient or more more convenient than the ASU ID access card they were previously using.

Of course, the one thing that using the phone as the card has going for it is simply our attachment to our phones, especially to smart phones. Presenters at the HID luncheon reminded the attendees that we may not realize we've lost our cards or keys for a day or more, but most people realize almost instantly that they have lost their phone. As Andrew Bocking, vice president of handheld software product management for Blackberry maker Research in Motion, told the attendees, “Devices are an extension of our mobile identity.”

But besides learning that, yes, the proof of concept works, the pilot project that HID Global performed at Arizona State University raised a number of questions and concerns that our industry will need to address before we can take this from pilot project to everyday project. Let's run through those concerns:

#1. The variables: In this kind of project, you no longer have one type of card. Instead you have multiple brands of phones, multiple models, multiple operating systems and even multiple networks. “How do you deal with those different variables?,” asked HID Global's Denis Hebert while presenting the pilot project. “How do you make it a seamless experience for the end-user?” The answer seems to be like the punchline to a joke: “Very carefully.” The reality is that you're going to face more complexities than ever before if/when you ever do this kind of project as a security director or as an end-user.

#2: The virtual reader: One of the things that Hebert likes to discuss is separating identity from credentials and credentials from cards. That was the subject of his last industry update address, provided at the ISC West show. On the reader front the same thing can happen. If a phone captures your biometric (or even your PIN) and relays that to the access system, it is in fact operating as a virtual reader.

#3: Mobile isn't for everyone. “Not all circumstances will permit mobile devices to serve as the credential,” Hebert said to the audience of his ASIS seminar. “This might work on a campus where students are accessing residence halls with the phone in their palm, but it might not work in airport where there is visual security value of producing an actual credential.” Even on a university campus, Hebert said there is real value to having the visual security of an ID card, and while it may not be a technology card, he said he doesn't see the card going entirely away.

#4: Who owns the client? This is a big question. If the phone is the connection to access your building, then it's Verizon, AT&T and rest of the telephony firms that have the direct connection with your customers. The thing about all those cell phone companies is that they all have a systems integration business on the side, and you can bet they want to take on more business. Some of the integrators in attendance said this was number one concern for them.

#5: If the integrator isn't selling the phones, and isn't making profit on cards and card printers any more (if it replaces the card, which is the threat), then what do they do for the project? Until Verizon and the others learn how to manage physical access control systems, they can do the integration for the databases and they can certainly hang readers on doors. But if Verizon takes over the database work and the authentication of the phones as credentials, the integrator could becomes little more than a high-tech locksmith, mounting electronic access equipment at doors. As one integrator asked during the Q&A, “We make a good living selling cards and printers, so what's going to happen when companies don't want to buy cards and printers?”

#6: What does it cost to have near-field communications on the phone? Verizon's Humphrey Chen answered this one for us. Apparently the cost is around $10-15 per device. That's cost at the manufacturer's levels. What does it cost the consumer? That's harder to answer. They might pass it along at the base price, but it's not implausible to think the cell phone firms might also just hit the customers with a monthly specialty service fee, just as today's cellular customers pay for services like text message, data access, and tethering in addition to their voice calls base fee.

#7: What happens when you want to change phones or if you forget to pay your bill? There's something to be said for a card. It's an elegant little piece of plastic. You don't have to charge it. You can fit it in your wallet. You can take it into the workout room with you (try taking that iPhone with its megapixel camera into a men's gym room and see what happens to you...), you can abuse it quite a bit before it stops working. Yes, I know people love their phones. I love my Motorola Droid, but if my phone is dead or if I left it at home, I still want to get into my office.

#8: Would this work for residential? Yes, clearly so. In fact, HID is already testing out a residential locking system that uses the phone to grant access.

#9: Is this realistic for access in the commercial world? Again, the answer is yes. HID Global already has the system in place in two of its own facilities and Hebert said he uses it regularly for access at those locations. Thanasis Molokotos, president and CEO of Assa Abloy in the Americas, said there was also a pilot project in a Stockholm hotel that allowed visitors to used phones for room access, even allowing them to by-pass the registration desk.

#10: Does NFC emulation of card technology work beyond the world of physical access? Yet again, the answer is yes. Hebert said the technology had been used in Japan for years for payment cards, so that users could pay for a coffee or buy items in the store by presenting their smart phone as the payment method, allowing readers at the retailers to register the payment information.

#11: What about adoption? The Pew Internet Project announced in June 2011 reports that 35 percent of U.S. adults own a smart phone of some kind. But that means 65 percent don't have a smart phone. The technology presupposes near 100% adoption of smart phones before it could be the de facto way a facility grants door access. And of those 35 percent of U.S. Adults who actually do have some form of smart phone, what percentage of those have NFC-capable phones? ABI Research said in a 2011 report that it expects 85 percent of Point-of-sale terminals will offer NFC capabilities by 2016, but that's just the readers, which don't need to feature nearly as much technology in a small physical form factor as the modern smart phone. Clearly, NFC adoption in smart phones is going to take longer. But there are signs NFC adoption in phones for the North American market could be picking up steam. NFCRumors.com reported earlier this month that T-Mobile is set to launch five new NFC-enabled phones by the end of the year.

Clearly the access control industry faces a lot of hurdles to overcome before NFC-ready door access is as common as iClass. The project begs even more questions than we have time for here (such as who handles the phone credential provisioning), but no emerging technology starts with all the questions answered. With the force of an industry giants like HID Global, RIM and Verizon, it's likely that this proof-of-concept project one day will become surprisingly common. And in that case, maybe we won't “badge in” to get to our desks at the office or into our dorm rooms, we'll just “app and go”.