The Future of Credentials

July 13, 2018
Combining security layers is the key to creating the elusive “truthful identity”

In 2017, a Wisconsin-based company specializing in “micro” markets – think small-scale grocery stores – made the news by announcing it was offering to implant its own employees with RFID chips. A microchip the size of a grain of rice inserted under the skin would allow employees to make purchases at their on-site micro market, open doors, login to computers, and access other IT infrastructure.

It is bold thinking, to be sure. But is it the future? Unlikely.

The sentiment itself is excellent: provide individuals with a convenient, unique and secure credential that is uniquely specific to them. But given how quickly technology changes, it’s a stretch to begin implanting individuals with a technology that may not have a long-term shelf life.

All that said, the question the company raised by offering the implant is also excellent: what does the future of access control look like? The latest and greatest technologies, such as mobile access solutions and intelligent keys, are being integrated in facilities today. But are they truly the future? The reality is that we are on the precipice of defining what could be described as “truthful identity”.

Single Solutions are no Longer Enough

Another news-making incident in 2017 was a massive data breach at one of the country’s leading credit check providers. Over 100 million individuals now have sensitive data – personally identifying data – out in the wild.

In a world where social security numbers and passwords are made available online, how do we really prove identity? Consider a hybrid solution that combines three different components:

Credential – The credential is still a critical component of verifying access control. It might not identify the individual per se, but with advancements in technology it does allow administrators to manage, provide and revoke access to individual accounts. The reality of today’s tech-savvy society is that nearly every individual now carries with them a cellular phone or connected wearable device. Using these devices – which tend to be very personal – the security market can now more closely tie a credential to an individual.

Biometric – Adding a biometric component to the solution helps further confirm identity when it comes to access on doors, computers, or even for payment. Traditional biometrics have relied on hand geometry readers and iris scanners at physical checkpoints. Those will still exist at sensitive locations such as data centers or critical facilities. However, for day-to-day use, the simplicity of having phones and wearables with fingerprint readers and facial recognition will be key to implementing an additional check in the system. By adding this layer of security to a phone, credentials can be authorized and activated – be it for door control or credit card payment – only if the correct user is physically in control of the device.

Inherent information – This is where things get a bit more unique. The credential of the future will likely add a component of inherent information or knowledge that is kept only by the person with access. This is information that doesn’t live with the bank nor with credit reports. There isn’t a database that keeps this information aside from the access control system. This could look something like a passphrase – think of a unique sentence that you wouldn’t forget. It could be something else we have yet to implement before.

A Holistic Approach

Combining these three areas provides a more holistic approach to identity. While there is unlikely to be a far-reaching solution to completely thwart the most motivated hackers, this is likely to keep individuals beyond the reach of a standard attempt at identity theft.

By outlining an aggregate approach such as this, we start to see how we can make it much more difficult for malicious individuals to breach a future credential. The next steps for us are to find a way to get there.

The new Truthful Identity

If we agree that the desire is to move to a consolidated identity of this type, and that identity is comprised of a number of different aspects, then as an industry we need to focus on two things:

First, we need to be the very best at what it is that we create. Be it smart cards, mobile devices, biometrics, anomaly detection, or access control readers, we need to guarantee that we are providing not only the best physical product but also a digitally secure product.

Second, we need to ensure that we coexist peacefully with technologies that aren’t necessarily in our standard lane of expertise. Working together to blend technologies makes for a better security solution for the integrator and the end user.

For integrators and end users, it is important to find companies that work toward those two ideals and develop a partnership with them. Seek out manufacturers who are willing to talk about the next steps, can provide technology that will future-proof your installation, and have a history of both quality and interoperability.

The goal for all of us should be to provide users with simplicity while using the most advanced credential in the most secure and interoperable environment. We'll get there by planning ahead and working together.

Peter Boriskin is VP of Commercial Product Management for ASSA ABLOY Americas. Request more info about the company at