Access control trends for 2013

A number of developing technologies are ready to surface in the access control market throughout the course of 2013, all of which will bring new levels of security and efficiency to Australian companies.

One term that will become common is ‘frictionless’.  More than ever, users are seeking a frictionless security experience, with solutions built on open standards to ensure interoperability, adaptability and easy credential portability to mobile devices.

The term ‘frictionless’ is used to describe security solutions that do not slow users down. Rather than make people carry separate cards, keys and tokens, the coming generation of frictionless solutions will embed these and other credentials inside near field communications (NFC)-enabled smartphones and other mobile devices. Users will find this convenient as they will no longer need to carry tags or cards, while organisations will benefit from cost reductions.

Smartphones for access control

An individual’s credentials will be embedded in an NFC-enabled phone and identity management will move to the cloud in a way that provides easy user log-in, often from the person’s personal device using a bring your own device (BYOD) deployment model. For a company, this requires lots of planning and rigorous security assessment, as well as an infrastructure that supports the cloud-based application of digital keys and credentials.

Cloud security will become a critical element in planning and developing an access control platform. The most effective approach for addressing data moving to the cloud is likely to be federated identity management, which allows users to access multiple applications by authenticating to a central portal.

The trend towards using mobile devices for access control will accelerate and evolve throughout 2013, dramatically changing the face of the industry. To fuel broad adoption, NFC-enabled handsets with secure elements must become widely available and be supported by all primary operating systems.

Inside the NFC-enabled device, all keys and cryptographic operations must be protected by the smartphone’s ‘secure element’. This is usually an embedded, tamper-proof circuit or a plug-in called a subscriber identity module (SIM), and is there to provide a safe channel for transferring information between NFC-enabled phones, their secure elements and other secure media and devices. The ‘ecosystem’ must also include readers, locks and other hardware that can read digital keys carried on a mobile handset.

The smartphone technology is ready to go right now, but how quickly it is adopted into mainstream security practices will depend on the development of the ecosystem, from mobile payment through to transport ticketing and access control.

The most simple mobile access control model currently is card emulation, where a phone performs the same task as the card once did, sending a message to the reader or rules engine to grant access. As technology progresses throughout 2013, however, there is the chance we will see access control performed directly by a smartphone’s onboard intelligence communicating with each individual electronic lock.

Currently, around 5% of all doors in a facility have some sort of electronic access control, while the remaining doors are either secured by a mechanical lock and key or are unsecured. If we let NFC-enabled smartphones serve as both the key and the rules engine that makes the access control decision, we can secure far more doors electronically. We simply install ‘dumb’ electronic locks and allow the smartphone to make the decision to grant or deny access, according to policy. For each door that is electronically secure today, we could see more than five times that number being secured in the future using this mobile access control model.

Another benefit of mobile access control is that all identity information the user requires for opening office doors and logging on to enterprise computers is safely embedded in a phone, rather than on a plastic card that can be copied or stolen. It also allows users to go about their business without having to remember passwords.

Despite all the good points, it is unlikely that NFC-enabled smartphones will replace physical smart cards completely in the coming years. Instead, mobile access credentials inside NFC-enabled smartphones will coexist with cards and badges, so that organisations can implement a choice of smart cards, mobile devices or both within their physical access control system (PACS). Many organisations will still require their employees to carry traditional cards because these are used as a means of photo identification. It will be important for users to plan ahead to support both types of credentials in their PACS.

NFC adoption will lead to physical and IT security teams working together more closely. Phone apps will begin to generate one time password (OTP) soft tokens or receive them via SMS, and a variety of other access control keys and credentials will be sent over the air to the phone using a convenient, cloud-based provisioning model that eliminates credential copying and makes it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required.

Additionally, mobile access control is accelerating identity management’s move to the cloud, supported by new managed services. Already companies have begun outsourcing their traditional badging projects to cloud-based service providers.

Multifactor authentication will become a real-time managed service, with encrypted keys and credentials being sent over the company’s ethernet or via a mobile network operator using a link such as 4G. The credentials will then be stored on the smartphone’s SIM, microSD or secure element.

This trend also improves the economic model for biometrics by turning the smartphone into a portable database for template storage. The device can be used to simplify system start-up; it supports unlimited user populations across multiple sites and eliminates redundant wiring requirements for template management.

Physical cards evolving

Moving away from mobile smartphones, 2013 will also see physical card technology continue to evolve, with an increasing number of users migrating from prox (proximity) to magstripe and on to even smarter smart cards with additional, multilayered security.

Today’s gold standard for access control applications is contactless smart cards based on open standards, and featuring a universal card edge. Also known as a card command interface, the universal edge improves the card’s ability to interact with a broad variety of products within a trusted boundary. The latest versions improve security, privacy and portability to mobile credentials, and users are increasingly enhancing their cards and badges with more layers of visual and digital security.

Visual elements developing in 2013 will include higher-resolution images, holographic card over-laminates and permanent, unalterable laser-engraved personalisation attributes. Cards will also start to incorporate expanded digital storage capacity so they can include biometric and other multifactor authentication information to enhance identity validation. Printing technology continues to advance in support of these trends, simplifying how cards are produced and distributed as well as making them more secure.

Additionally, smart cards are moving into new market segments like retail point-of-sale such as payWave, based on chip card technology. Migrating to smart cards offers stronger security and the benefit of combining multiple applications and both physical and logical access control into a single solution. These same layers of technology can also reside on NFC-enabled smartphones.

Advances in the physical supply of security cards are simplifying production and distribution, while making the cards more secure with added layers of credential management.

Additionally, the range of printer/encoders will continue to expand, offering viable options to all sizes of business. Small businesses will focus on a printer/encoder’s ease of use, mid-size organisations typically will need intuitive solutions that are not only easy to use but also scalable, while large organisations will focus on high card throughput to support growing requirements for staff, contractors and visitors, as well as the ability to deploy a wide variety of risk-appropriate solutions.

NFC tags for protection

The next trend to develop in 2013 will see trusted NFC tags change the way we secure assets and protect consumers.

As the ‘Internet of things’ becomes more of a reality, new NFC tracking, auditing and origination services will emerge for conferring trust on to documents, protecting consumers from counterfeit goods and enabling a host of other applications that involve our interaction with physical items.

Holders of government certificates, legal agreements, warranties and other important documents have traditionally protected them from fraud by having them physically signed or notarised by a person acting in a trusted role. However, such documents are at risk of forgery and duplication. There has been no easy way to authenticate the value or ownership of physical items including luxury products or the warranty status of purchased equipment.

Now, authentication tags can be attached to a document with an electronically signed and cryptographically secure digital certificate of authenticity from the owner or trusted certification entity. Impossible to clone or duplicate, these NFC tags can be embedded in a product or incorporated in tamper-resistant stickers that can be attached to products and equipment. Identity certificates that have been electronically signed and cryptographically secured can be provisioned to the tags using a cloud-based service, and users can verify authenticity with complete confidence at any time in the product or document’s lifetime. With NFC-enabled smartphones, this authentication process can be performed anywhere, at any time, using a smartphone application.

Last on the list of developing trends, visitor management technology will be integrated increasingly with access control systems to improve security and efficiency. Paper-based systems will continue to phase out as temporary proximity credentials are provided to guests and visitors instead.

The integration of a visitor management system with an existing access control system enables front-desk attendants to provide guests with temporary proximity credentials. The information entered into the visitor management system during check-in is passed to the access control system so that a proximity card for the visitor can be activated. When the visitor leaves and is checked out by the visitor lobby system, the card is automatically deactivated.

Integrating visitor management with access control also eliminates the problem of having a supply of live cards at the reception desk for those who have forgotten their employee badges. Such a system  has a record of all visitors who have been provided an access card, so there is a complete audit trail, including information about the dates and times when cards were active.