Smart phones carrying digital keys and portable identity credentials may render traditional keys obsolete
For roughly 4,000 years since the invention of the lock, the mechanical key has provided an inexpensive method for opening doors and gaining access to properties, vehicles and other assets. Many applications for the mechanical key have gradually been eliminated with the advent of more secure and manageable plastic access-control cards that, over the years, have become increasingly more capable and intelligent. Now, a quantum leap in access-control technology may do away with mechanical keys — and even cards — by ushering in a new era of digital keys and portable digital identity credentials that can be securely provisioned and safely embedded into smart phones and other devices.
Over time, the access-control card has become increasingly sophisticated and intelligent as exemplified by today’s 13.56 MHz contactless smart cards, which include a tamper-proof RFID device connected to a multi-turn antenna. These cards are personalized to the cardholder, and a mutual authentication process occurs when they are presented to a reader. Additionally, they can be used for multiple applications such as biometric authentication, cashless vending and secure PC logon using the inherent secure storage capability of this technology. Until now, this card was required for securely carrying our identity, and the decision to allow or deny access was made between the reader and a central panel (or server) that stores the access rules and decides if a particular person should be allowed to open a door.
In reality, our identity information and the procedural chain of encrypted communications and data processing events that occur between the reader and server or panel can be virtualized just like any other IT procedure and moved onto new platforms, including mobile phones. In other words, the intelligence contained in today’s smart cards, along with the user’s identity information, can reside on any suitably secure electronic device.
In order to seamlessly integrate with existing physical access control systems, there are two prerequisites for such a “virtualized” system to coexist:
1. A way for the data to be communicated to an access-control reader (the equivalent of swiping or presenting a physical card), and
2. A mechanism for securely managing the identity and authentication information that is carried on the device (i.e., from the time of provisioning and throughout its life cycle).
With these two pieces in place, the same basic access-control methodology proven for decades in businesses, healthcare, government and other applications can be embedded into smartphones and other mobile devices, and we can do away with keys and cards virtually anywhere we need to unlock a gate, door, or drawer.
Near Field Communications
An ideal technology for this methodology is Near Field Communications (NFC), a short-range wireless communication standard that enables data to be exchanged between devices over a distance of several centimeters. Moreover, NFC is also fully compliant with the ISO standards governing contactless smart cards, an obvious feature that makes this an ideal platform.
A mobile phone equipped with NFC technology can be used to carry a portable identity credential and then wirelessly present it to a door reader — just like the current plastic smart cards. The phone is simply waved in front of the reader and the user can open the door. Key or card access functionality becomes another application alongside the device’s other voice, data, memo, music, navigation, camera and game functionality. According to the research firm IHS iSuppli, manufacturers will ship approximately 550 million NFC-enabled phones in 2015.
The most simplistic model for NFC digital keys and portable identity credentials is to simply replicate existing card-based access-control principles. The phone communicates identity information to a reader, which passes the identity to the existing access control system, which then opens the door. This eliminates the need for keys or smart cards while providing a safer and more convenient way to provision, monitor and modify credential security parameters, eliminate credential copying, temporarily issue credentials as needed, and cancel credentials when they are lost or stolen.
An early example of this type of application was recently tested at the Clarion Hotel Stockholm in Sweden during a pilot that concluded in June 2011. The hotel worked with HID Global parent ASSA ABLOY, Choice Hotels Scandinavia, TeliaSonera, VingCard Elsafe and Giesecke & Devrient (G&D), to replace the hotel’s room keys with digital keys that are sent to guests’ NFC-enabled mobile phones.
During the Clarion Hotel pilot, guests were given the opportunity to use their mobile phones to access their rooms. Participating guests received a Samsung NFC mobile phone with Assa Abloy’s Mobile Keys software installed. Before arriving at the hotel, guests received a text message with a link to where they could check in, and the hotel sent an electronic room key to their phones. Guests then were able to skip the check-in line and go directly to their room, where they opened the door by holding the mobile phone in front of the door lock. When checking out, guests simply touched their phones to a kiosk in the lobby, again saving time by skipping the front desk.
In a survey conducted after the Clarion Hotel trial, sixty percent of respondents said they saved more than 10 minutes by using the digital key solution, and 80 percent said they would use the solution if it were available today. The hotel also benefitted in several ways (apart from the expenditure on plastic cards) by re-focusing the staffing resources required to check in those guests to other more valuable customer service issues. It was also much easier to replace lost keys when needed.
Replacing Panels and Servers
There are other opportunities to harness a smartphone’s power to significantly reduce the cost of deploying access-control applications. Modern smartphones have on-board intelligence that is comparable to today’s typical access-control system, and can be used to perform most of the tasks that otherwise would be jointly executed by reader and server or panel. Can this mean that NFC smartphones can replace the functional duties carried out by access control panels and servers? The simple answer is yes. What this question (and its answer) really means to the access control industry is a paradigm shift in the interaction between the card, the reader (or lock) and the access control panel.
Readers (and locks) can be built without any significant intelligence or connectivity capabilities. NFC-based phones will verify a person’s identity and any other relevant rules (such as whether the access request is within the permitted time period during the day, or that they are standing at the door using the phones’ GPS capability), and then send a trusted message to the door that it should open, using cryptographically secure communications. All the reader must do is interpret the encrypted command to open the door — the readers (or locks) become encrypted door switches, that are not connected to a panel or server, potentially reducing the cost of these products.
Moreover, NFC smart phones will be capable of storing the necessary access control rules and processing, and providing trusted commands to these lower-cost, disconnected NFC readers, in order to unlock the door. This will make it possible to deploy inexpensive, yet equally robust access systems for applications like interior doors, filing cabinets and storage units for valuable or controlled materials (e.g., pain-relieving drugs) where it previously would have been prohibitively expensive to install a traditional wired access-control infrastructure.
Bookmark this page for “digital keys” and check back regularly as these articles update on a very frequent basis. The view is set to “news”. Try clicking on “video” and “2” for more articles.