Introduction: In the past few years, we have seen the rapid rise of the security industry. As one field within security, will access control develop differently? NFC standards, biometrics, wireless, etc. will become the focus of our attention. Although the current application of NFC technology is concentrated in electronic payment, in the future NFC technology will be further integrated into access control solutions, thus bringing new development opportunities to the security market.
In the past few decades, we have used plastic cards to verify identity and other card applications, but with the popularity of smartphones, users expect to complete these applications in a more convenient way. The emergence of NFC technology just meets this demand. NFC technology can achieve data exchange within a close distance of a few centimeters, thereby enabling a variety of contactless applications and transactions for NFC-enabled mobile phones, including payment and bus tickets, keys (access cards), data transmission (including e-commerce cards) and browsing network data.
At present, the application of NFC technology is concentrated in electronic payment, but in the future, NFC technology will be further integrated into access control solutions, thus bringing new development opportunities to the security market. Users only need to configure the virtual credential card into the NFC mobile phone to open the access control. This not only saves users from the trouble of carrying other access control credential cards, but also allows security managers to easily monitor the entry and exit of people at the entrance. At the same time, the NFC-based access control system will create a more convenient and secure transaction platform. Security managers can remotely send, change and cancel virtual credential cards. In addition, the platform is built on a standard identity authentication system, which allows various identity authentication nodes (including card readers, cards, mobile phones equipped with NFC, etc.) to register as "trusted nodes" so that they can be configured securely anywhere in the world.
Global application and development of NFC technology in access control field
As users' demand for mobility grows, NFC technology is being widely used in many fields, including mobile payment and transactions, transportation payment, customer loyalty programs, and network information access. More and more mobile device manufacturers, such as Nokia, Samsung (Google), Research in Motion (RIM), LG, and ZTE, are launching NFC-enabled mobile phones, which will further promote the application and development of NFC technology in the field of mobile access control.
Clarion Hotel in Stockholm, Sweden, has tried NFC technology for the first time, replacing hotel room cards with NFC-enabled mobile phones. Clarion Hotel cooperated with HID Global's parent company ASSA ABLOY, Choice Hotels Scandinavia, TeliaSonera, VingCard Elsafe and Giesecke & Devrient to select some Clarion Hotel guests as participants and provide them with Samsung mobile phones with NFC functions and related software. Guests can use their mobile phones to check in before arriving at the hotel, and digital room cards will be sent to their mobile phones at the same time. After arrival, guests can check in directly without queuing up to register, and can open the door by placing their mobile phones close to the door lock. When leaving the room, the door will automatically lock, and guests can check out directly through their mobile phones.
In addition, HID Global successfully conducted mobile access control trials in enterprises, verifying that employees can open doors with NFC-enabled smartphones without compromising enterprise security. The mobile access control experiment conducted at Netflix's US headquarters proved that using smartphones to open doors has many advantages and improves security. The double verification of the card reader and the credential card reduces the threat of credential card information being stolen and repeatedly misused. Only the user knows that the phone can be used as a key, has the password to unlock the phone, and knows how to activate the virtual key in it, and most people will not lend out their phones, all of which can prevent the virtual credential card from being abused.
At present, the application of NFC technology at home and abroad is still under development, and popularizing the technology requires extensive cooperation across the industry. HID Global has actively cooperated with NFC device manufacturers. For example, it jointly launched with Sony of Japan an NFC-enabled contactless smart card reader platform intended specifically for laptops and mobile devices. The platform protects the reliability and integrity of identity information storage by storing keys in its security components. By embedding access control functions and near-field communication (NFC) functions into laptops and other mobile devices, it enables mobile-based access control, secure computer login, car and ship ticket fare payment, point-of-sale charges and loyalty programs.
HID Global and NXP Semiconductors have jointly launched a global NFC mobile access control solution. The functions of contactless smart cards used by employees to enter company buildings and garages can now be applied to mobile phones that support NFC and store virtual access control credentials. These virtual credentials are stored in the NXP embedded Secure Element (eSE) component in the mobile phone and are compatible with the currently widely used access control readers and systems. HID Global's iCLASS SE reader combined with NXP's MIFARE DESFire and NFC technology can ensure higher interoperability in access control management and enable enterprises to accelerate the application of NFC technology.
Authentication ecosystem ensures the security of NFC technology applications
The only way to ensure the security of NFC technology applications is to provide a complete chain of custody to ensure the secure exchange of identity information between terminals, and to verify all endpoints in the system or network.
HID's Trusted Identity Platform (TIP) is an authentication system that provides an authentication transport framework to enable the delivery of secure products and services. It transforms card readers, laptops, NFC-enabled phones and other products into trusted authentication nodes that can exchange information securely regardless of their location or connection method. In simple terms, the infrastructure is a central security repository that delivers services to known endpoints (such as credentials, readers and printers) over a secure network connection and based on public encryption key management security policies.
Only after the TIP node protocol is implemented will the endpoint be enabled, recognized by the "Secure Vault" and registered as a reliable network member. The endpoint can then communicate with the "Secure Vault". Endpoints such as credential cards, card readers and printers communicate with the "Secure Vault" through software workflows, and their access and processing rules are strictly controlled by HID Global's "Key Management Policies and Specifications". Only authenticated devices can join the network (unlike the Internet, where any computer can access any website), thus forming an implicit and strict authentication mechanism.
TIP messages between endpoints are encrypted using industry-standard cryptographic methods to allow secure messaging that complies with public security policies. These TIP message packets are protected by two nested symmetric keys and contain Secure Identity Object (SIO) information. Multiple SIOs can be nested in a TIP message to provide multiple instructions to a variety of different devices, such as access cards, smartphones, and computers. If necessary, each device can have different access control characteristics. For example, the simplest SIO emulates the credential program data on an iCLASS card.
Once the authentication between the "Secure Vault" and the endpoint device is successful, the device is considered "trusted" in the network. Trusted devices no longer need to communicate with the secure vault and can work independently. In this way, the information transmission between endpoints (such as credential cards and card readers) is "trusted", and the resulting information transmission (such as opening a door or logging into a computer) is also considered "trusted".
NFC mobile devices can be supported as TIP endpoints and can be programmed with different SIOs to emulate cards or more complex applications, which can not only be authorized to pass through the access control system but also implement complex access control rules interpreted by the device itself.
The trend of mobility and integration in the access control market is beginning to emerge
Portable authentication credentials will make it easy for users to obtain, provide, share and modify personal electronic keys stored in electronic wallets. With access control information and records stored in NFC-enabled phones instead of door locks, users can more easily secure places and things. The system can remotely cancel virtual credentials stored in smartphones, reissue credentials, and change who can use the virtual credential and when.
As more and more users seek an "unconstrained" security experience, solutions for applying credentials to mobile devices that are interoperable, flexible, and based on open standards will become popular. All the identity information users need to open the office door or log into the corporate computer is securely embedded in the phone, not stored on a plastic card that may be copied or stolen, and users do not need to remember passwords (or write them on sticky notes and then stick them on the computer monitor).
To support this trend, virtual credential cards will be embedded in NFC-enabled mobile phones, and identity information management will be transferred to the cloud. Users can freely log in to Software as a Service and internal enterprise applications through their own terminals (Bring Your Own Device), and use their own NFC mobile phones to implement access control applications. At the same time, mobile access control solutions support open standards, provide interoperable products, and effectively respond to future changes in access control infrastructure, thereby ensuring that companies can still use today's technology investments in the future, reduce investment costs, and improve the convenience and efficiency of access control system management.
On the other hand, access control systems will continue to converge at the card and NFC-enabled mobile device levels. Users increasingly want to open building doors, log into the network, access applications and other systems, and securely access the network remotely with a single credential card without the need for a one-time dynamic password (One-time Password Token) or key card. Using a single credential card is more convenient and can perform strong authentication for key systems and applications throughout the IT infrastructure, thus greatly improving security. This approach enables enterprises to leverage existing credential card investments, increase computer desktop network logins, and establish a fully interoperable, multi-layer security solution across corporate networks, systems and facilities, reducing deployment and operating expenses. Converged solutions also help enterprises meet regulatory requirements, enforce consistent policies, achieve consistent audit records across the enterprise, and cut costs by consolidating tasks.
Mobile access solutions are the ideal platform for convergence. With the adoption of NFC, there will be greater interest in extending the use of contactless card technology beyond building access to identity authentication in the IT space. Access security teams will begin to work more closely with information security teams. Mobile apps will generate one-time dynamic passwords or receive them via SMS, and various other access keys and virtual credentials will be sent to mobile phones over the air through a convenient, cloud-based provisioning model that eliminates the risk of credential duplication and can issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when needed. This trend will also help improve the economic benefits of biometric models by turning smartphones into portable databases for storing templates, simplifying system startup, supporting an unlimited number of user groups across multiple locations, and eliminating the redundant wiring requirements required for template management. However, this trend will also lead to the need for sufficient cloud-based security data so that smartphones can be used to log into networks and applications. As for the migration of data to the cloud, the most effective way may be federated identity information management, in which users can access multiple applications after being authenticated at a central portal.
Given the current level of adoption of NFC technology and the need to improve the relevant industry chain, it is impossible for NFC-enabled smartphones to completely replace smart cards in the next few years. Mobile access control virtual credential cards in NFC smartphones will coexist with smart cards and identity cards so that companies can choose to use smart cards, mobile devices, or both in their access control systems.