Why implantable RFID chips are not the next frontier in access control

July 28, 2017
Industry experts discuss the technology's feasibility and potential drawbacks

A Wisconsin-based company recently made headlines when it announced that it would soon begin offering implantable RFID chips to its employees as a way for them to make cashless payments for snack purchases in their break room, open doors around the office and log-in to their computers. The company, Three Square Market (32M), which provides technology for micro markets, says the program is voluntary; however, they expect about 50 of their workers to take part in it.

The chip, which uses near field communications (NFC), is about the size of a grain of rice and is implanted underneath the skin between the thumb and forefinger. While some people may write the move off as simply a publicity stunt, this is not the first time that a company has offered its employees the convenience of using an implantable RFID chip around the office. Earlier this year, Swedish start-up Epicenter announced that it too would implant employees with the chips upon their request. Both 32M and Epicenter are working with Jowan Osterlund, CEO of BioHax International, to get these programs off the ground. 

Although it would seem unlikely that such a technology could ever gain widespread adoption for access control applications, RFID implants do address some of the issues that manufacturers have sought to tackle for years. For example, as carrying a physical ID badge would no longer be required, it would eliminate the potential for lost or stolen credentials. Primarily though it would substantially increase the convenience factor for users, which is really what the aforementioned companies are trying to demonstrate through their implementations.

The Potential Pitfalls of Implantable Technology

However, according to Peter Boriskin, vice president of commercial product management for Assa Abloy, while there is certainly increasing demand in the marketplace for convenient, unique and secure identification of individuals for both access control and cashless payments, the pace of technology advancement may leave some people actually regretting having such a chip implanted in their bodies, especially if something better comes down the pike in the near future.      

“I’m not sure you would want to sign up for an RFID technology, implant it and hope that it is going to be available for the rest of your life,” Boriskin says. “Given how quickly technology changes, I see some challenges there.”

Robert Martens, futurist and vice president of strategy and partnerships at Allegion, believes the evolution of biometrics will render the need for a solution like an implantable RFID chip unnecessary and thus eliminate any mass market potential for the technology.

“The biometric solutions coming forward will provide similar experiences without having to implant anything,” Martens says. “The variety of solutions is quite diverse: facial recognition, eye retina, iris scanning, heart beat analysis, hand writing analysis, etc. Having to implant a foreign object isn’t appealing and won’t be necessary.”

Michael Patterson, CEO of network security firm Plixer, says that there will also be opportunities for cyber criminals to steal data from these chips if they are not secured properly.

“These implants will be hacked like all other computer chips and personal information will be compromised. If software updates are not part of these implants' future, consumers should avoid them,” Patterson advises. “Regardless, extortion attempts are sure to be directed toward the victims. I can read the headline now: ‘Personal health of microchip carriers threatened if they don’t pay up with bitcoin.’”

In addition, Martens says incremental capabilities would need to be added over time to make the chip a “persistent” credential. This could involve incorporating something unique, such as person’s heart rate, or perhaps two-factor authentication leveraging a PIN code or something along those lines.

However, Martens says the downsides of such a solution still outweigh the benefits. “To me, the benefit of an implant is very limited and unnecessarily invasive,” he says.

Cybersecurity Concerns

Although 32M says the data on the chips it will be implanting in its employees is encrypted, Patterson believes there is still the potential that personal information could be stolen.

“I think personally identifiable information can likely be compromised despite any encryption claims,” he says. “The information could then be used to gain access to certain resources.  I admit that the risk here could be minimal if it is restricted to a specific company.  However, if the device can be recoded wirelessly, this could have other implications.”

Patterson advises anyone thinking of having one of these chips implanted in their bodies ask their employers about what insurance policies they have related to these devices as well what they cover.

“Employees should ask about insurance and request a copy of the policy to cover any medical expenses should they be hurt in any way by the device,” he says. “Also, employees should find out who is responsible for removing the device and if it is compromised, who is responsible for any of those charges as well. What happens when the employee leaves or is fired from the company?”

Opportunities for Mobile and Wearables

For those organizations that want to take a more forward-thinking approach to deploying access control technology, Boriskin recommends they look into mobile solutions, which have now been tried and tested for some time and offer a number of different advantages.

“If we take a look, not necessarily from the implantable side, but at what the commercial world is looking for – something that you do take with you everywhere, that can be secure and is pretty unique – a lot of the move to mobile is sort of a parallel path here for the commercial and institutional-type customer. You’ve got a very secure computing platform in that phone in your pocket. We can create Secure Elements onto that phone, we’ve got a lot of data about where it is from geo-fencing, and we have the opportunity to do multi-modal authentication on that mobile device,” he says. “I think the nice thing about that versus something you might have to carry around with you forever is it allows you to use multiple different technologies. Whereas you might have NFC supported in certain areas and maybe Bluetooth or Wi-Fi direct supported in others – because phones have all of these different radios on board – you don’t have to pick just one, so it allows you to transition across multiple different applications that might support multiple different technologies with relative ease.”

Martens says the industry has been increasingly focused on improving the user experience in access control and that the “less friction” an end-user encounters with a product the better.         

“Access control is about layered security, but it is also more and more heavily focused on the user experience as they leverage it,” he says. “Delivery of that enhanced experience is what is core to next generation access control solutions.”

Both Boriskin and Martens believe there are opportunities for wearable technology in the industry as it presents a happy medium between mobile access control solutions and something on extreme end of the spectrum like an implantable chip.

“I think if there is a middle ground between a phone or a tablet and an implantable, maybe it is something like a wearable,” Boriskin says. “We see just a tremendous number of wearables now, everything from training and fitness-types of bands all the way through to very inexpensive watches or bands that are really only RFID. Sometimes you see that in something like a waterpark where it is very inconvenient to try and carry credit cards, phones or cash. I think we’re going to see more and more people targeting this area because it is something that consumers want and we’re also seeing that in the commercial and institutional space.”     

Martens believes that efforts to implant employees or others with RFID chips are done solely for “shock value” and says that the industry is working hard to deliver real solutions that offer the same levels of flexibility and convenience.

“The next generation of access control is about allowing users more freedom and flexibility in the most natural ways, not embedding them with chips that warrant fears about Big Brother-like monitoring,” he concludes.  “It is clear that the more transparent and intuitive the interface, the better adoption it will drive in the market.”

About the Author: 

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].