As Access Control Credentials Evolve, So Do Its Users
Access control credentials today are so much more than just cards. As form factors evolve, so do the expectations, needs and desires of the end user.
That is an access control credential? That used to be a simple question to answer, but today, not so much. Modern credentials can be anything and everything from an old magnetic stripe card to a smart card to a phone, wearable or biometric.
“Looking at the past few years, the biggest change has been the addition of the mobile device as a credential,” says Peter Boriskin, vice president of commercial product management for ASSA ABLOY, New Haven, Conn. We recognize that the credential is actually the identity itself, which could be stored on a variety of devices, whether that’s a plastic card or fob, a handheld tablet or mobile phone.
Scott Lindley, president of Farpointe Data, Sunnyvale, Calif., says it is useful to look back in order to describe today’s credentials. “Over the past decades we’ve seen the RFID-based credential’s evolution from tuned resonant analog circuits to 125 kHz digital proximity to today’s encrypted 13.56 MHz contactless smart cards. Evolution has been at work on the form factor, too. Originating from the familiar shape of the clamshell credential, we now find credentials packaged in a wide variety of form factors. This includes fobs that can be carried on a keyring, cards as thick as credit cards that can be customized by the end user, and wearables — such as wrist bands, often used in gyms and waterparks. Further, today credentials can have a transmitter that offers read ranges of up to 200 feet and beyond.”
Modern credentials also do much more than just open doors, adds Kurt Takahashi, president, AMAG Technology Inc., Torrance, Calif. “I think everybody always views a credential as a card, but that is changing quite a bit with the increased focus around identity. A card is only a representation of the person. From our perspective, rather than managing cards, we are more focused on managing identity. The more we know about a person, the easier it is to understand who they are and why they need to be there.”
This “credential” could be a card, Takahashi says. But it could just as easily be a mobile credential, or biometric template. “The key to understanding the importance of the credential is to have a better understanding about the person from a risk or security perspective.”
The evolution of credentials for access control has been a slow one, but that is beginning to change, adds Robert Lydic, global vice president of sales, ISONAS Inc., Boulder, Colo. “The evolution of technology from magnetic stripe cards to proximity to advanced security cards have migrated over the past few years, with proximity still being the largest segment of the market. [But] the next generation of access control credentials has arrived with mobile credential technologies due to the proliferation of smartphones and their ubiquitous utilization by all segments of society. As our society moves their credit cards and all other cards to their mobile devices, this trend is taking over in access control as well.”
Yet for many users, they are still perfectly happy with their proximity cards and see no particular reason to change. The move to new credentials is very much a cost versus convenience versus security consideration.
TRANSITIONING FROM PROX TO SMART
Due to the popularity, installed base and maturity of the technology, proximity technology — or 125kHz — has had a seeming stronghold on the credential market for several years now. While that position hasn’t changed, there is evidence things are shifting more in the direction of smart, or even mobile credentials as the next step after prox.
According to Bob Holland, product marketing manager for DigiOn24, Camarillo, Calif., “It is estimated that contactless smart cards have taken 20 to 30 percent of the access control market from proximity,” he says.
“There is no question that [prox] is losing ground to more modern technologies in new installations,” says Brandon Arcement, director, product marketing, HID Global, Austin, Texas. “Education on its vulnerabilities and limitations is at an all-time high, coupled with the proliferation of off-the-shelf devices and services that make it easier than ever to clone or spoof, which has driven demand for more capable solutions.”
Indeed, proximity has proven vulnerabilities that make it a known security risk. In an age where cyber threats are fast becoming the new crime wave, this is beginning to matter with some customers. (See related story, “Mobile Credential Security,” page 70.) Others, however, are happy with the price and convenience of proximity and not as concerned about the security risks.
Many customers feel they don’t need the high security level of protection smart cards offer, Lydic says. “The majority of access control applications are for small to medium businesses. In these markets they are looking for a cost-effective scenario to replace keys and their budget plays a large role in their decision-making. The larger implementations… and those businesses governed by security sensitivities are moving to the 13.56 smart technologies and these are being budgeted for.”
Rajeev Dubey, senior product manager, Tyco Security Products, Westford, Mass., predicts that if smart card technologies haven’t overtaken prox in new sales yet, they are likely to do so soon — in large part because of their greater capabilities. “Smart card technology is definitely gaining adoption from customers because it provides several advantages over prox,” he says. “Smart cards… cannot be easily hacked…. Smart card technology also provides more memory, which extends the usefulness of the card to other applications.”
The problem with the transition at the enterprise level, Takahashi says, is sheer scale. “Proximity is still the most widely used technology, simply because of the deployment of so many proximity readers. The enterprises in general are outfitted with technology to read that. But the smart card technology is rising because there is more security in it and there are more things you can do with it. It gives you the flexibility to do more than just security-related tasks, which you don’t have with a proximity card…. We do see a lot of the larger enterprises moving to smart cards to do other things.”
THE MOBILE MARCH
Lydic agrees, but with a caveat. “We see that the market will move more to the 13.56 MHz; however, we are seeing more customers jump from proximity to a secure Bluetooth credential.” One of the reasons for this, Lydic says, is the predominance of mobile technology in general and smartphones in particular. “Today’s consumers have everything right in the palm of their hand via their smartphone,” he says. “They continue to expect more and more functionality and integration with their mobile devices. This expectation is driving the demand and expectation of mobile credentials in the access control market.”
However, Lydic concedes — as do most others — that cards will make up the larger part of the market for the foreseeable future. “Cards are a reliable source for access that will continue to be a viable option in the future, but mobile gives users ease of use and choice in how they deploy their credentials,” Lydic explains.
Not only do mobile credentials offer the convenience of the phone (both for the user and the issuer), but they also incorporate some of the best features of smart cards, such as the ability to do more than just access control. “If implemented correctly, organizations can deliver a better building occupant experience and greater convenience, improved security administration efficiency and higher security,” Arcement says.
While HID was one of the first to offer both NFC and BLE mobile solutions, many others have followed suit with their own solutions. Because there is no “card” required, more manufacturers can offer customized solutions to security integrators and their customers.
Brivo, for example, introduced a mobile solution last year designed to introduce its users to the concept at no or low cost, says Steve Van Till, president and CEO of Brivo, Bethesda, Md. “We have an introductory structure built in with our solution. There are five free mobile credentials built into every account. The idea is to let people try it and see if they like it without commitment. We try to encourage our dealers to put a 100-pack in with every order so it becomes the new norm, but that is a long, slow argument. At least they can do five to let them try before they buy.”
AMAG just released its own mobile solution, in addition to continuing to support the HID solution, giving customers a choice. Takahashi, too, sees mobile as the wave of the future.
“Look at mobility in general. Look at the progression of mobility in our daily lives. How many people have a smartphone? How many people mobile bank? How many use a mobile boarding pass? As our lifestyle moves more mobile, it is natural to assume companies and executives will want to use their phones as key management.”
Takahashi acknowledges, however, it is still a push. “We are trying to create demand. As I see it today there are still not a lot of people adopting it. We are early in the market. We are getting the innovative buyer that wants to do that. It is typical of the technology evolution curve.”
Two things potentially holding back mobile access control right now are the bring your own device (BYOD) factor, and convenience, Holland speculates. “Currently mobile credentials make sense in smaller systems and high-tech environments, where logistics problems with issuance, management, device compatibility, support and security are not overwhelming…. Managing ID issuance for hundreds of thousands of smartphones would be a logistical nightmare and users will require technical support.
“Also, some mobile apps require the user to navigate through menus to launch the app and select and unlock a door, which could be inconvenient and time consuming,” Holland says.
Manufacturers are starting to address the latter issue. From a simple stick-on tag that can be affixed to a phone, to new and developing enhancements that will allow for secure reads without opening an app, these objections may be overcome sooner than later.
“We launched late last year a managed service portal that enables partners to create a recurring revenue service model [around mobile],” Arcement says. “Small business customers can take full advantage of the full value of mobile…. We’ve also taken advantage of recent enhancements in the mobile operating systems to enhance the door-opening experience, making it more consistent and reliable.”
One thing mobile has going for it is a younger generation that has grown up with mobile phones and feels very comfortable using them for everything. “There are two new access control companies I have become aware of that both lead with mobile,” Van Till says. “One of them doesn’t even offer cards. Both are being started by 20-somethings. When 24-year-olds are starting a company and not even bothering with cards, what does that say?”
BIOMETRICS & BEYOND
One credential technology that has experienced a renaissance in recent years is biometrics. Reasons for this include greater reliability in the technology, newer touch-free options such as facial recognition, and — importantly — cost.
“Biometrics work better and they are less expensive,” Van Till says. “They are working better for the same reasons a lot of things are: There are faster microprocessors.”
However, despite a growing number of options that seem to offer a frictionless experience and faster throughput, biometric solutions are generally considered to still be a “boutique” offering and a complementary technology to cards or mobile credentials — often in higher security areas, Takahashi says.
“It works, and works well in restricted areas. One reason to have a biometric is for verification of the person. Any card technology or mobile credential is still lacking that multi-factor authentication validating that ‘Kurt is Kurt.’ That is where biometrics becomes critical…. We are seeing a big rise in frictionless access, in-motion identity where you don’t have to touch anything.”
By partnering with biometric companies such as FST (a facial recognition and body motion biometric solution), MorphoTrak (contact and contactless biometrics), ZKAccess (fingerprint and facial recognition) and Stonelock (facial recognition), AMAG has sought to bring several biometric choices to customers in recent years. Its most recent partnership with BioConnect combines both biometrics and mobile in an interesting way, Takahashi says. “We saw a great opportunity to enhance the mobile credential by developing a biometric app that fits in front of the credential for dual-factor authentication,” he says.
Larry Reed, CEO of ZKAccess, Fairfield, N.J., credits mobile phones with the resurgence in biometric acceptance. “Biometrics have experienced phenomenal growth in recent years. The primary reason is smartphone makers including fingerprint readers with mobile phones and the remarkable improvement in biometric speed and accuracy.”
Any access credential has to blend security and convenience in the best possible way for the user. “Security has never been about convenience, but the more convenient we make it, the easier it is to get people to participate in it, as long as we can secure it,” Takahashi says. “It comes back to how we want to manage identities. The more we know about you, the more we can manage the risk level and be able to figure out if you are behaving differently. At the end of the day, if you don’t manage identity well, it doesn’t matter what credential you are using.”
Arcement concludes, “Access control today is generally a single credential presented to a single reader. But behavioral analytics and new biometric technologies are enabling a method of authentication that uses many sensors to authenticate a user. So a simple, unique ID card may be replaced by a series of behavioral and biometric attributes that are continuously authenticated.”
Credentials of Tomorrow
Credential technology may be slow moving, but as with technology in general, there have been several new and exciting offerings recently. What is potentially next on the horizon?
DigiOn24 recently introduced NFC apps for Android that allow the user to tap on the smart card credential to display personal data or information that is stored on it, says Bob Holland. “The user can program the card using a Windows application and USB desktop reader/writer.
HID’s Brandon Arcement points to the concept of “data on card” as a near future advancement. “These certainly have the potential to disrupt the security industry. Simply put, a PACS credential today is typically nothing more than a unique number by which the card holder is identified. Behind the reader is a large, expensive, hardwired on-premise infrastructure that decides whether or not to unlock the door. The overall acceptance of wireless, mobile access and cloud solutions may enable an architectural shift whereby the traditional credential is replaced by a more intelligent set of rules traditionally provided by the … head end.”
Arcement also mentions new beacon systems as a logical expansion of credentials. “We recently announced our new location services that provide organizations with visibility into the location of their workforce in a facility, making it possible to analyze room usage for better building management and increased operational efficiency. It includes a cloud service, portals and Bluetooth beacons in the form of HID smart cards, providing a one-card solution for both indoor positioning and physical access control.”
Wearables are another form factor that could take hold, says Peter Boriskin of ASSA ABLOY. “The next generation of credentials we now see coming to market is wearables. Even as an individual, we are seeing the impact of IoT. It is now possible for the device on your wrist to communicate with your phone and your phone can communicate with your car. Ultimately all these devices are now aware of each other. We are going to see a shift from individuals authenticating devices to the devices authenticating one another as part of an ecosystem.”
Brivo’s Steve Van Till thinks artificial intelligence has possibilities. “Machine learning is showing up in a lot of places you wouldn’t know about. A lot of people are talking about combining three or four different factors and being able to make a more well-rounded decision. Five years from now we will be seeing it in quite a few products.”
Another potential, particularly for mobile credentials, is the ability to incorporate messaging, says Kurt Takahashi of AMAG Technology. “We see that today with beacon technology to understand where people are for mustering, etc. Mobile devices become important as communication devices, but also as a security device. ‘How do I make sure I know who is where and how do I help them?’”
Mobile Credential Security
When it comes to issuing mobile credentials, one of the questions that often comes up is how secure are mobile credentials?
“Security of credentials is very important and it is something that users ask about quite a bit, especially around the security of mobile credentials,” says Robert Lydic of ISONAS. “A case could be made that mobile credentials are as or more secure than a badge or fob credential. The unique, encrypted session keys for each transaction and smartphones utilizing a password or fingerprint to access the credential add additional layers of security.”
HID’s Brandon Arcement also makes the case the mobile might actually be more secure. “Assuming a reputable supplier is following security, privacy and data best practices, its mobile credentials can certainly be more secure than traditional smart cards for the following reasons: 1. Mobile devices are more closely guarded by the user than cards; 2. A missing mobile device is reported almost immediately; 3. Mobile IDs and devices can be revoked over the air; 4. Applications can be protected with a biometric and/or passcode; and 5. Security updates can be instantly deployed remotely.”
Kurt Takahashi of AMAG Technology says security around mobile credentials is often a policy and procedure issue. “As they adopt that or issue their own devices, you need to have your own IT security policies that get adopted by the phone in order to use it. We at G4S and AMAG have our own mobile security policies so it is protected. If the phone is already protected in that way, why wouldn’t applications be protected as well?”