When it comes to access control cards and credentials it is difficult to have a discussion about technology without considering some of the seemingly contradictory trends in the marketplace. For example, the largest installed base of cards is proximity — a 20-year-old technology with known security issues. Yet in an industry that often seems to move at a glacial pace, the credential space is filled with some of the hottest buzzwords inside and out of the security industry, including Near Field Communications (NFC), Bluetooth, biometrics and even wearables such as the Apple Watch.
Within the access control market, the state of the credential can be broadly categorized like this: First- and second-generation smart cards are standard on new projects; proximity is king of the retrofit and still used even on some new projects; biometrics is often a mostly niche technology; and many card holders want to know when they can use their phone as a credential.
“Some of the resistance to clients’ fully jumping on board [with] new technologies is card readers last forever,” says integrator Matt Vellek, vice president of business operations, Security Equipment Inc., Omaha, Neb. “Trying to get the budgets for something that still works can be tough. It is mostly discussion at this point. It boils down to user experience.”
What can the integrator do to help end users move forward, get more secure and move beyond budgetary concerns to get a better credential solution? Talking to customers about two key points is a good place to start. The first is the security of the credential, particularly in an age when it is rare to go a week without reading about a security breach or hack; the second is the convenience factor, which is predicted to be a driver for adoption of newer “virtual” credentials. And marrying the two together just may be the winning strategy.
How Secure is That Credential?
Target. Home Depot. The IRS. Sony. These are just a few of the high-profile organizations that have experienced cyber attacks involving credit cards, passwords or ID numbers in the past few years. Is it a leap for end users to think about their own card and credential security?
Well, yes and no. Some security integrators report their end user customers are absolutely coming to them asking about this. Others say their customers are aware of it, but are not concerned about their own facilities.
“They are concerned about security,” says Rick Allan, chief technology officer, VTI Security, Minneapolis. “They hear the stories and keep up with the information out there as far as the vulnerabilities. They look to us to guide them about what to do next.”
Despite talking extensively to their customers about card security Shaun Castillo, president, Preferred Technologies Inc., Houston, says they are not budging. “I know they understand the risk, because we have educated them. They have not had incidents and don’t see it as a grave concern. Proximity is cheap. It is a quick interrogation of the card, whereas some of the newer options take a little longer. Despite them understanding the issues, I haven’t witnessed many of them moving on.”
Even if a customer is “stuck” on proximity for whatever reason, that doesn’t mean there aren’t things to make them less vulnerable.
“One of the biggest mistakes end users and integrators tend to make is the over use of the standard 26-bit proximity cards,” says Christopher Sincock, vice president of security business, DAQ Electronics LLC, Piscataway, N.J. “It is the de facto standard in the industry and you can walk into any distributor and buy cards off the shelf; but it is a woefully insecure format. I have literally seen people walking around with duplicate cards in the same facility.”
Integrator Rick Zimmerman, director of physical security, Netech Corp., Grand Rapids, Mich., chalks it up to familiarity. “Many integrators provide [125 KHz proximity] to their customers in almost a vanilla flavor using off-the-shelf standard 26 bit format. There are only 255 facility codes available for that entire product set, globally.”
Zimmerman says there is a better option that costs only a fraction more, but keeps the technology and convenience in place. “The integrator should register their card formats. It is almost like in the mechanical key days where you had a patented key. This is the same idea, electronically.
“If you are a security contractor, you should be doing business in a secure way. Customers may save 10 cents on a generic card, but they are compromising their security because they don’t understand the vulnerability they are embracing.” Card format registration can be done for smart cards as well as proximity, he adds.
In some cases, the customer assumes they have addressed security issues by using encrypted smart cards — but they may be wrong.
“If you look at the smart card market, there has been a move from first- to second-generation cards,” says Rick Focke, senior product manager, Tyco Security Products, Westford, Mass. “Generation one was basic Mifare and iClass, which were touted as safe and secure and a good move from proximity. Those first-generation cards are all hacked now. Now we have HID Seos instead of iClass and EV1 instead of Mifare. Both of those formats offer stronger encryption, better physical security and a lot more built in to make the card a fortress.”
But telling the customer that their “secure” smart card may not be can be a tough sell.
“The truth is most customers haven’t even brought up card security. It has never even been discussed. The assumption is that encryption [smart cards] should be more than sufficient,” says Joseph Riotto, president, Advanced Video Surveillance Inc. (AVS Technology), Totowa, N.J.
“A smart card will have both a ‘secure’ number that is protected behind one or multiple layers of encryption and a card serial number (CSN) that can be read freely; these two numbers are different,” explains Aaron Barbe, product manager, Honeywell Security, Louisville, Ky. “A reader will only read the secure number if it knows the keys to unlock the encryption. Any reader capable of reading the ISO14443 standard format can read the serial number, including from NFC-enabled smartphones. It is because of this that using CSN-based authentication can actually be less secure than low-frequency prox. Tell that to an end user that spent more money on what they thought was a more secure card and reader solution.”
The key to talking to customers about card security is not to scare, but to educate, Focke suggests. “I think it is a great opportunity to educate customers, not just sell them something. Keep them informed of the latest technology and give them the path forward.”
Sometimes that means discussing factors that have less to do with technology on the card and more to do with the physical attributes of the card itself.
“It is ridiculously easy to counterfeit a credential — any credential,” Sincock says. On a standard card, a little Internet research and a color printer will produce a reasonable facsimile of the ‘real’ card. “Most 10-year-olds can do it,” he says. “And you know what? We all know that access control cards don’t work all the time. As long as that card looks like it belongs and the person who has the card looks like the person on the card, all they have to say to another employee is that their card isn’t working and show it to them.”
This is called “social engineering” your way in, and has more to do with policies and procedures than technology, Sincock says. It can be an excellent talking point for the integrator and an entry to the discussion about card security and a great way to position the integrator in that “trusted advisor” role that makes for a sticky customer.
There are technology solutions to be discussed around social engineering as well.
“We have seen an increase in our badge products side where we are selling the total package including [difficult-to-reproduce] hologram images,” says Rick Caruthers, executive vice president, Galaxy Control Systems, Walkersville, Md.
“Statistically speaking, more than 90 percent of ID inspections are undertaken visually and in the field, making visual security features more important than any electronically stored information on the card or in the associated database,” adds Josh Nippoldt Sr., product marketing manager-consumables, secure issuance, HID Global, Austin, Texas. HID’s new vanGO patch offers optical security media for counterfeit resistance and is designed to be an affordable option.”
The Convenience Factor & ‘New’ Technologies
What many integrators are seeing in the field regarding card security demonstrates that often convenience trumps security, except in cases in which extra security is needed or mandated. (See “A World About Government Credentials” online at SDMmag.com.)
The newest credential formats are beginning to capitalize on that desire, from virtual credentials that can be used on a phone, tablet or wearable to no-credential-at-all biometrics. Virtual credentials are still very new, and most integrators haven’t done many actual installations using these technologies — but there is a lot of planning and discussion around them. Some also report biometrics ramping up for convenience, not just security (see related sidebar, page 80). The question remains whether this will tempt users to upgrade more quickly than in the past.
In the world of new credentials, by far the most buzz is around virtual credentialing. But it is in its early days yet, and these technologies have plenty of bumps in the road to conquer before they go full mainstream.
From the social engineering standpoint, it is hard to argue that phones are far more likely to be both noticed and reported missing or stolen than an access control badge. “If I lose my badge on a Friday night I may not notice it is gone until Monday morning,” says Brian Sherman, product manager, readers and reader technology, Allegion, Carmel, Ind. “If I lose my phone I will be much more likely to notice that. In addition, anyone who has a phone, at a minimum has a PIN or even a fingerprint available to secure that phone.”
One of the factors potentially slowing down the virtual credential is the two competing technologies themselves, each with their own benefits and challenges. NFC was the early front runner, but until Apple gets on board with opening up their Apple Pay, functionality to other applications is mostly limited to the Android platform. Bluetooth, however, is widely available even outside of phones, but faces an image problem: Is it too broad range for security purposes?
“Mobile is a very interesting technology but the competing technologies have bifurcated the market,” says Adam Shane, senior systems design architect, AMAG Technology Inc., Torrance, Calif. “It is not at all clear who the winner will be. Both are viable.”
Integrators are definitely gearing up for virtual credentialing. “We are looking heavily into Bluetooth credentialing,” says Josh Cummings, director of engineering services, VTI Security. “I really see Bluetooth as the winner in the race with NFC. It is device-agnostic and you can use it anywhere. It doesn’t have to even be a cellular device. It opens up a whole realm of possibilities.”
Cummings says his company is getting regular requests about virtual credentials. “There have been a dozen or more that have at least talked about it over the last six to 12 months.”
Integrator Bassam Al-Khalidi, co-CEO and co-founder of Axiad IDS, Santa Clara, Calif., says Bluetooth suffers from an image problem, however.
“There is a perception issue with Bluetooth,” he says. “Today, consumers’ interaction with it is that it gives them freedom of range and the longest range possible. When we talk about using it for door access it is imperative that it be deployed correctly. Bluetooth virtual credentials today can be configured for use in different modes, to require a specific gesture, turn on an app first or be within a foot of the reader.”
Security concerns can also plague virtual credentials. Riotto says he has had clients back away from virtual credentials as a result of hacking incidents in the news. “Just recently some guy supposedly hacked the flight deck on a plane using the entertainment system. Two years ago we wouldn’t have thought to discuss that. That is the problem. You hear about phones being hacked, getting banking information off of phones. Customers are less concerned about proximity security, but they are wary of digital technology, whether that perception is accurate or not.”
Sherman says security levels are different for virtual than they are for the card. “There are elements of the phone that are more secure, or as secure as a credential, but they are not as available in today’s marketplace. Getting access to that secure element is great for payment companies, but it doesn’t make sense for access control.”
The virtual credential market does have a unique upside, though. It may be the first technology in a long while that the end user — and their employees — are actively asking for.
“As more young people become part of the workforce they are saying ‘I don’t want to carry a card,’” says Keith Kranz, technical sales, Low Voltage Contractors Inc., Minneapolis. “One of the best comments I have personally heard in the field was ‘I can pay for my coffee with my phone, but I can’t get in the door with it.’ Once they see it, they will start expecting it.”
Vellek agrees. “I think mobile credentials will have a speedier adoption rate. With typical security, employees aren’t asking for it. It is not top of mind for them. But the phone has become a lifestyle outside of work. As they start to see coworkers or friends who have a gym membership use their phone for access, they will start to ask their employers. For the first time there is more of a personal connection to the employees. Security has never been at the tech forefront or at the top of the budget pile. But this outer influence reaches a lot more people.”
Vellek says his company is actively pursuing this with clients. “We have started to put this out there when we are visiting with clients. They are asking us, ‘What’s next?’ We want to be viewed as a technology leader in the market so it is our job to educate our customer base.”
At the end of the day that is what it is all about, whether you are talking about virtual credentials, smart cards, biometrics, proximity or social engineering.
“We see a lot of clients asking us the question, ‘How secure am I?’ Al-Khalidi says. “They want to understand where they are on the security spectrum. What have they done so far and is it enough?
“But it comes down to budgeting and how fast they can move. It isn’t a lack of understanding that is important. It is a matter of finding the right time and budget to move forward. Mobile will move faster not just because the younger generation will mandate it. But if we step back and look at why a lot of companies have a hard time rebadging, it is the cost of the redeployment of the credential. With mobile access it is as simple as sending an activation code to a user. It takes that complexity out completely,” Al-Khalidi says. “I personally believe that within the next 12 months we will see a big uptick in the virtual arena. Organizations will start trying it out with a few hundred users or executives to see the user experience. Once they see that convenience and security, we will see more deployment.”
SIDEBAR: Are Biometrics Convenient, or Just Secure?
Biometrics are an interesting case. Around in the market for as long as smart cards, they have yet to find widespread acceptance — most often being used as an extra security measure (and step). But that is starting to change with the newest generation of the technology.
Customers concerned about security are starting to look into biometrics more seriously as more mature and convenient formats hit the market, AVS Technology’s Joe Riotto says. “Rightly or wrongly there was always this fear regarding, for example, iris scans. I have heard it a billion times, ‘I am not putting my eye by that.’ But now the new readers are a lot more advanced; you just have to glance in that direction for it to identify you. Suddenly we have end users saying, ‘I want better security and I have heard the card isn’t that secure. What about biometrics?’”
Matt Vellek, Security Equipment Inc., is finding that the past issues with the convenience of biometrics are starting to go away. “There has been a lot of unrest in that technology, a lot of consolidation in the marketplace. We have customers that like the biometrics but they aren’t happy with the throughput. They are starting to look at other types like retinal. A lot of corporate clients need to get people through in a hurry.”
Lack of convenience, a glut of choices, turnover in the marketplace, and sometimes having to keep separate databases from the cards all have conspired to keep biometrics a niche market to date. But Netech’s Rick Zimmerman points out we have only to look at the time and attendance space to see what’s possible.
“For some reason they have figured out how to manage that technology better than security. What is changing in the credential space now is that it is becoming more about identity management than credential management. That is where I think biometrics might get some new life to it. Cards can be compromised or spoofed.”
SIDEBAR: Leading Edge Versus Bleeding Edge
SDM asked integrators which of the newer credential technologies they consider leading edge and which are bleeding edge:
“Some biometrics I would consider bleeding edge. I would consider Bluetooth leading edge. NFC has been around for a while but not performed as the market expected. I would consider that more bleeding edge.” — Josh Cummings, VTI Security
“I would say biometrics is leading edge.”
— Joseph Riotto, AVS Technology
“Mobile apps and high-speed biometrics are leading edge.”
— Keith Kranz, Low Voltage Contractors
“Leading edge I would say smart cards, just from the numbers we sell today. NFC and Bluetooth are bleeding edge.”
— Shaun Castillo, Preferred Technologies Inc.
“Bluetooth isn’t quite bleeding edge, but the uses cases and logistics for deploying it are. Biometrics has been bleeding edge since its inception.” — Rick Zimmerman, Netech Corp.