The Door to the Future of Access Control is Open

March 11, 2020
Apple’s full embrace of NFC is paving the way for a true mobile revolution in access control (Security Business March 2020 Cover Story)
This article originally appeared in the March 2020 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag!

It has been nearly a decade since HID Global launched a pilot program to validate how mobile access control using Near Field Communication (NFC)-enabled smartphones can enable employees to open doors using a mobile device without compromising an enterprise’s physical security.

But progress – as it often is in the security industry – creeped along at a decidedly measured pace among manufacturers, mainly because only one major smartphone providers truly supported NFC in the first place.

More than eight years after HID’s first pilot programs were completed, the pace of innovation is poised to be turbo-charged, as Apple has announced it will finally support NFC natively with the release of the new iPhone 11. Additionally, HID and ASSA ABLOY have begun piloting a new technology that may bring access control to Star Trek-like levels in the near future. Will cards become the analog cameras of the access control industry? Perhaps, but at this point, it all depends on the end-user and integrator’s preferences.

“For the innovative organizations who have embraced building special and unique experiences, there are little to no barriers remaining,” says Brandon Arcement, HID’s Senior Director of Product Marketing. “For example, HID has worked with some end-customer organizations to deploy mobile credentials to tens of thousands of users and mobile-enabled readers at thousands of locations across several use cases, including physical access control. These connected environments have truly become mobile-first and are on the path to mobile-only very quickly. To these organizations, the barriers have been addressed.

“Conversely, there is a large swath of the market that has yet to take advantage of the power of mobile,” Arcement adds. “Thus, adoption of mobile access still requires education through sharing the successes, value-adds and lessons learned from organizations who are pioneering mobile-first environments.”

The Evolution of NFC

Nearly six years ago, industry experts hailed Apple’s decision to incorporate an NFC antenna for Apple Pay into its iPhone 6 models as the beginning of what would be widespread adoption of NFC for mobile access control deployments. Despite advancements in other technologies, such as Bluetooth Low Energy (BLE), NFC has long been the preferred modality among the industry’s manufacturers for delivering mobile credentials, given the vast amounts of R&D resources that have already been poured into it for nearly a decade.

“NFC – specifically ‘Card Emulation mode’ – has been coveted technology for use in access control since HID’s initial pilots about a decade ago,” Arcement says. “By design and as the name suggests, this mode emulates the contactless card experience.”

Vendors began rolling out bring your own device (BYOD), mobile access pilot projects powered by NFC technology at places like college and corporate business campuses in the early 2010s to much fanfare. However, the problem was these deployments almost exclusively leveraged cellphones with Android operating systems at the time, as they were unable to offer the same capability via the iPhone. According to recent projections, iPhones held as much as a 13% market share of the global smartphone market as of Q3 2019 and more than 45% of the U.S. market – which meant that expanding mobile access via NFC would be a non-starter until iOS could also be used en masse.

“For mobile access adoption to succeed, our broad insights from customers and partners point towards the need for consistent and secure experiences across (all) mobile device platforms,” Arcement says.

Apple has supported NFC Card Emulation mode since the iPhone 6; however, NFC on Apple devices was initially limited to only the Apple Pay payment card use case. It wasn’t until the recent release of iOS 13 that the tech giant fully embraced NFC for access and identity solutions.

“Probably the biggest news for the (access control) market overall is the launch of the iPhone 11 and iOS 13, (because) Apple has really fully embraced all aspects of NFC,” Steve Humphreys, CEO of Identiv, recently told the company’s investors on a conference call. “Since (Apple) is always a bellwether, and partly as a result, we are really starting to see the pipeline of NFC-based RFID applications expand more than ever.”

According to Humphreys, the expansion of NFC capabilities on the iPhone will truly start to enable frictionless mobile access for end-users.

“With (some) technology, you have to open an app and then click to open a door – that is not very frictionless,” Humphreys said. “With NFC, of course, you can just use the device and tap it right to an NFC reader. That is certainly one of the areas we are going to leverage.”

Vincent Dupart, CEO of STid, says the industry is quickly evolving towards the “dematerialization” of access, and Apple’s adoption of NFC presents a golden opportunity to accelerate the use of mobile credentials throughout the market.

“In companies now, safety and IT departments aim to validate the operation between the brand of smartphone and the access control system,” Dupart explains. “People are more likely to adopt easy solutions to welcome visitors or provide access to a virtual workstation. In this way, the constraints of access control are done away with so that every single employee willingly adheres to the company’s security policy.”

Additionally, Dupart says that being able to use NFC for mobile access on the iPhone will also provide end-users the added benefit of enhanced protection of their digital identities and credentials.

“Apple is known for its security requirements, and these new identification solutions have to be more flexible and guarantee that data is protected,” Dupart adds. “With our mobile ID solutions, for example, the smartphone, when switched on – and even during phone calls – becomes a means of identification that uses several different modes. Users can tap their smartphone twice, move their hand over the reader or enter a room directly without taking any specific action. Access to buildings is controlled by the user’s profile and access rights can be granted or cancelled from anywhere in the world.”

Manufacturers have wasted little time in tapping into the opportunities presented by NFC on the iPhone. Last summer, HID announced support for its Seos-enabled student IDs in Apple Wallet with Clemson University, which began allowing its students and faculty members to use iPhones and Apple Watches to access buildings, purchase meals and more last fall. The company demonstrated this new capability last year at GSX 2020 in Chicago, shortly after the announcement was made.

“Apple’s adoption of NFC (in iOS 13) has really signaled to the industry that the time for wide adoption is now,” Humphreys said.

The BLE Alternative

Apple’s delay in fully adopting NFC led many vendors to seek alternate methodologies for mobile access, which predominantly centered around the aforementioned BLE technology; however “BLE, in its currently deployed manner, does not offer as much speed and consistency as a contactless card, and thus does not exactly emulate that traditional cardholder experience,” Arcement says.

BLE’s range – up to 100 meters – provides for longer-distance authentication use cases, but requires additional effort to offer similar levels of security as NFC. “Since BLE’s range is quite far and no one wants to simply open a door just because the device is within connection range, use of Bluetooth as a transport technology requires the incorporation (by the developer) of an intent trigger that signals when the user actually intends to gain access,” Arcement explains.

“NFC offers a security and a framework of use close to a classic badge,” STid’s Dupart adds. “BLE, with its increased reading distances, offers new opportunities of identification – such as for an outside gate. To me, the secret is combining NFC, BLE and RFID solutions.” 

A New Player: Ultra-Wideband (UWB)  

Ultra-Wideband (UWB) is a newer, emerging technology that HID and Arcement expect will become ubiquitous on mobile devices in a few years. UWB provides the unique ability to deliver accuracy and security when measuring the distance or determining the relative position of a target.

“UWB will not replace NFC or Bluetooth; rather, we believe UWB will work as a supplement to provide the assurance, reliability, and granularity of device position to enable truly seamless access experiences,” Arcement explains.

Still, the combination of technologies offers the potential to dramatically transform the access control experience into a completely seamless one. Think Star Trek, when Captain Kirk approaches a door and it opens automatically – no action needed.

“Between NFC and UWB, there are going to be lots of capabilities we can bring to market,” Humphreys said.

“Almost all fictional settings about the future – e.g. StarTrek – suggest an access experience that is truly seamless: Somehow doors open and other entitlements are simply granted when appropriate without intentional gesture or request from the user,” Arcement says. “UWB, given its technical properties and anticipated increased adoption by smartphone manufacturers, has the potential to enable those experiences.”

Arcement demonstrated the capabilities of UWB recently at CES 2020, which we caught on video at www.securityinfowatch.com/21120731.

“Many mobile device manufacturers appear to be committed to UWB, with a handful of the leading device manufacturers having already joined the FiRa Consortium,” Arcement says. “Given the trajectory of UWB and regular refresh rate of mobile devices, HID anticipates that a majority of smartphones will contain UWB technology in only a few years. We predict early adopters in the next couple of years, with the technology going through the familiar lifecycle adoption curve, where maturity needed for the majority will likely take years.”

Initial use cases for the technology in phones will likely focus on consumer experiences, such as digital car keys with seamless access. Once successful, this will prime the user population to demand a similar experience from their traditional enterprise access control systems.

“Partners and end-customers are encouraged to prepare their installed base, infrastructure and technology platforms to be able to embrace the technology once it becomes practical at scale,” Arcement recommends.

Will Traditional Cards Become Obsolete?

With the advancement of NFC, BLE and now UWB, and the proliferation of smartphone use in the United States, it is not difficult to imagine a world with no access control cards.

According to a recent report from IHS Markit, mobile credentials are the fastest-growing product in access control, with a nearly 150% growth rate between 2017 and 2018. The research firm predicts that more than 120 million mobile credentials will be downloaded in 2023, representing nearly 15% of all new credentials entering the market that year.

“Access control systems have been among the last to embrace the capabilities of mobile technologies,” Bryan Montany, an analyst for IHS, wrote in a research note. “By 2023, mobile credentials will grow from 1% of all credentials issued annually to 14% and will be introduced as a prominent alternative to physical credentials across the globe.”

Through 2023, Montany predicts the private commercial sector – which includes hotels and office buildings – will continue to dominate the market for mobile credentials, with better than 90% market share. Despite their anticipated growth, however, Montany is not predicting that mobile credentials will supplant their physical counterparts anytime soon.

“Most commercial building owners have viewed mobile credentials as a supplemental technology that can provide occupants alternatives to carrying a physical badge, but few facility owners have expressed a willingness to transition away from physical credentials entirely,” he writes.

“It is difficult and would be highly speculative to suggest an exact timeline for such a transition, but the market will decide when cards are no longer a top choice for access control,” Arcement adds.

“Unlike with traditional cards, mobile credentials are at the mercy of the mobile device market, which evolves very rapidly. Moving forward, leadership in the mobile credentials will require platform agility, a need to always ‘expect the unexpected,’ a reputation for future-proofing installed bases, and close relationships with the mobile device manufacturers, who have significant influence on the overall experience.”

Joel Griffin is Editor-in-Chief of SecurityInfoWatch.com; Paul Rothman is Editor-in-Chief of Security Business magazine.