You may have read about a recent pilot at Arizona State University, where 30+ students used their smartphones augmented with NFC (near field communication) to access facilities at the college. Instead of building access cards, the students used their smartphones.
The pilot has fueled an already intense industry interest regarding the use of NFC and smartphones. NFC-enabled smartphones are entering into the market, with Samsung, Blackberry, HTC (and others) introducing new models this year. The industry interest in NFC today is primarily focused on “tap to pay” at retail point-of-sale environments. I’ll be speaking more about Google Wallet and ISIS (competing payment systems) in a future blog post. The next logical application of NFC after payments will be authentication, including to physical access control systems (PACS).
Per review of available information, the pilot has some interesting technical details.
- First, the students were issued fully-personalized smartphones for the pilot. The phones already possessed the HID iClass credential stored in the NFC secure element (the smart card embedded in the NFC chipset).
- The smartphones (primarily Blackberry, but also iPhone) did not have native NFC capabilities. Instead ASU leveraged NFC chipsets from Device Fidelity. The Blackberry used the microSD card with an embedded NFC chipset (including antenna). The antenna from the chipset was extended to the exterior of the phone to better facilitate access to the PACS door reader. In the case of the iPhone—which does not have a microSD port—the pilot used an innovative phone case with embedded NFC capability.
- The users activated an app on the phone prior approaching the door. The application enabled the use of the iClass credential for 30 seconds. The students initially ran into some application usability problems because of the timeout period.
- The pilot did not require any modification the Lenel PACS because the smartphones emulated HID iClass cards.
The pilot is an important first step towards using NFC-enabled mobile devices for PACS access, but don’t expect this capability at work anytime soon. NFC smartphones are a rare breed. Gartner estimates that 50% of smartphones will have NFC capability by 2015, which improves the viability of opening doors with phones. Second, management needs to catch up with raw technology: consider the integration, scalable provisioning of credentials to employee-owned phones and binding those credentials to identity repositories in the enterprise.
I am expecting that the percentage of NFC-enabled phones will increase to a tipping point where their usage for broad scale authentication becomes viable. The mobile device management vendors will pick up the ability to manage and provision enterprise credentials to the secure element in a way that does not compromise the user’s payment credentials. Finally, those enterprise credentials will be both proprietary and standards-based, including HID iClass, X.509 certificate, OAuth, SecurID OTP, and OATH-based OTP. The credentials will enable access to both physical and logical systems.
I discuss NFC smartphones my “Mobility and Authentication” document, which will be published in the coming weeks. Two other documents—Let’s Get Logical: The Convergence of Physical Access Control and Identity Systems and Road Map: Replacing Passwords with Smart Card Authentication (subscription required)—discuss PACS systems and contactless authentication.