I subscribe to a clipping service which delivers pointers to web documents to my inbox for items I’m interested in (described by keywords). Just last week, it pulled in a document about “The Changing role of the Access Control credential.” Well, access control is one of my favorite topics, so I jumped right into it. Only later did I discover that the article in question had actually been published almost a year ago. (The clipping service is always adding new sources, and scans all of the available documents on the new source so – from time to time – I did get somewhat outdated links.)
Still, it was interesting, especially when I read: “The next generation of access control credentials are expected to do more than provide door access.” I chuckled, because I’d written something very similar a decade ago when, after that year’s RSA Conference, I commented on the fact that all the security vendors wanted to talk about was converging physical and logical access (that is, building and computer access) via smartcards and proximity cards. The work did start back then, but it evidently hasn’t progressed very far.
Back then, RFID (Radio Frequency Identification) was seen as the technology that would make it all happen. Some were touting it as the final nail in the coffin of passwords. You may have noticed that that didn’t actually happen.
I closely followed one experiment with the RFID-enabled proximity cards for both physical and logical access. The HMO (Health Maintenance Organization) I belonged to issued cards to their doctors and other practitioners. When I visited my doctor he only had to sit down at the keyboard in the examining room and was automatically logged in to the system and able to pull up my records with no further authentication needed. The same card, when in the vicinity of a locked door that the doctor was authorized to use, would open the lock so he could go through. Initially, it seemed like a very good system.
That is, until the day I noticed that the computer in the examining room in which I was waiting kept jumping from the “please log in” screen to one which appeared to give me access to patient records! There was obviously no shielding in the walls, and a doctor accessing the computer in the next room was also activating the one in the room I was in. I pointed this out to my doctor when he arrived and, I was pleased to notice, the next time I visited the office that system was gone.
RFID technology can be read from 1 meter to 100 meters away depending on the frequency used. One meter is far too short for something to be used for continuous logical access (one of the best uses of proximity cards for computers – authorization happens when the card is read and the session is ended when the card is removed from proximity) – imagine if your screen went blank whenever you leaned back! Longer ranges, though, bring up the image of all the PCs in your office responding (and logging you in, then out) as you walk down the hallway.
Using such a card as a single-factor authentication device also presents the problem of lost or stolen cards – there’s no check on what someone else can do if they’re holding your credentials.
Over the years, Near Field Communication (NFC) technology has gained popularity, especially as compared to RFID. The major benefit is that NFC allows two-way communication (RFID is limited to one-way). The NFC device can also store data (such as authorizations). Given the two-way nature, whenever the card is used – either for physical or logical access – that data can be updated, modified or removed, or even have new authorizations added. Still, having possession of the device is all that’s necessary for the authorization to work.
The answer there, of course, is two-factor authentication (2FA) which is gaining ground through the NFC-enablement of smartphones. It’s estimated that 2.3 percent of cellular handsets, or 35.4 million, shipped in 2011 were NFC-enabled. In 2014, the NFC attach rate is projected to reach around 20 percent and in 2016, 44 percent. This equates to shipments of 377 million NFC-enabled handsets in 2014, and 918 million in 2016. And those are conservative estimates.
Having to authenticate to the device, either through the use of a PIN or with the ever increasing number of phones that read fingerprints, faceprints and even voiceprints, before using it as a proximity device overcomes most of the problems of a misplaced device. A stolen one, of course, could be immediately de-provisioned as soon as it was reported and wiped the first time it was used after that.
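The proximity-session behaviour and the device-unlock and de-provisioning checks described above can be sketched as one small policy. This is an added example, not code from the article or from any vendor; the signal-strength thresholds, the grace period, the reader and credential names and the `deny+wipe` event are all assumptions made for illustration.

```python
from dataclasses import dataclass

LOGIN_RSSI = -50   # assumed: signal must be at least this strong to log in
LOGOUT_RSSI = -65  # assumed: weaker than this counts as "out of proximity"
GRACE = 5.0        # assumed: seconds out of proximity tolerated before logout

@dataclass
class Reading:
    t: float        # seconds since start
    reader: str     # workstation whose reader saw the credential
    cred: str       # credential id
    rssi: int       # received signal strength in dBm
    unlocked: bool  # holder authenticated to the device (PIN/biometric)

def run(readings, revoked):
    """Replay readings; return (time, workstation, event, credential) tuples."""
    sessions = {}   # workstation -> [credential, time last seen in proximity]
    events = []
    for r in sorted(readings, key=lambda x: x.t):
        # End any session whose credential has been out of range too long.
        for ws, (cred, seen) in list(sessions.items()):
            if r.t - seen > GRACE:
                del sessions[ws]
                events.append((r.t, ws, "logout", cred))
        if r.cred in revoked:
            # Reported lost/stolen: refuse, end its sessions, ask for a wipe.
            for ws, (cred, _) in list(sessions.items()):
                if cred == r.cred:
                    del sessions[ws]
                    events.append((r.t, ws, "logout", cred))
            events.append((r.t, r.reader, "deny+wipe", r.cred))
        elif r.reader in sessions:
            if sessions[r.reader][0] == r.cred and r.rssi >= LOGOUT_RSSI:
                sessions[r.reader][1] = r.t   # still in proximity
        elif r.rssi >= LOGIN_RSSI and r.unlocked:
            sessions[r.reader] = [r.cred, r.t]
            events.append((r.t, r.reader, "login", r.cred))
    return events

# Constructed sample: doctor in room A, reader in room B hears through the wall.
SAMPLE = [
    Reading(0, "room-A", "dr-1", -42, True),
    Reading(0.1, "room-B", "dr-1", -60, True),   # next room: too weak to log in
    Reading(3, "room-A", "dr-1", -62, True),     # leaning back: session kept
    Reading(8, "room-A", "dr-1", -80, True),     # walking away
    Reading(14, "room-B", "dr-1", -80, True),    # 11 s out of range: logout
    Reading(20, "room-A", "lost-7", -40, True),  # revoked credential presented
    Reading(25, "room-A", "dr-2", -40, False),   # device not unlocked: ignored
]
```

Calling `run(SAMPLE, {"lost-7"})` yields one login and one logout in room A and a refusal for the revoked credential; the separate login and logout thresholds are what keep the next-room reader and the lean-back case from changing the session state.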
It isn’t too farfetched to believe that the NFC-enabled smartphone will become the cornerstone of the Life Management Platform of the future.
Register now for my upcoming webinar “Authorization as a Calculated Risk” coming up on September 26 where we’ll explore the future world of access control. I’ll be joined by some surprise guests from the industry who can deliver unique insights on current developments in the field.