In the latest Research Note issued by IHS, Blake Kozak – the company’s senior analyst in the sphere of security and building technologies – discusses how the new NFC and Apple Pay features of the iPhone 6 could be the “lightning rod” to finally spark changes in the way that mobile credentials are used for access control.
For more than four years now, one of the most talked about trends has been Near Field Communication (NFC). NFC was supposed to change the face of the access control world by eliminating the need for cards, subsequently reducing the administrative burden on organisations of all sizes while at the same time increasing security.
However, this scenario has not yet come to pass, with suppliers to date offering little more than pilot projects and limited real world installations.
Of course, NFC isn’t a new concept. In 2006, Nokia released the first NFC phone. Four years later, Samsung issued the first Android NFC phone before announcing its inaugural Secu-NFC technology a year later. According to Samsung, the Secu-NFC chip combines an NFC controller and a secure element storing personal information and security keys with advanced encryption technologies.
Then, last year, Samsung and Visa announced a major partnership for mobile payments.
Today, the list of NFC-enabled phones is extensive. Examples include Alcatel, Asus, BlackBerry, Nexus, HTC, Kyocera and LG (among many others).
Barriers to NFC’s implementation in access control
Historically, most NFC installations were instigated by partnerships between handset manufacturers and financial institutions, in turn producing closed systems with limited opportunity for developers to expand the concept to uses beyond mobile payment.
IHS believes this has been one of the main barriers to the implementation of NFC in the access control sector.
On Tuesday of this week, Apple announced that NFC would be a feature of the new iPhone 6. While Apple Pay is primarily a mechanism for secure mobile payments, there appears to be plenty of opportunity for other applications since iOS 8 will also have an Apple Pay application programming interface (API) available for developers.
Already, many retailers and restaurants have implemented Apple Pay within their own applications, allowing patrons to skip lines and pay/order directly from a mobile device. According to Apple, the mobile payment transaction occurs by assigning a unique device account number which is encrypted and securely stored in the secure element (a dedicated chip inside the iPhone). When a purchase is made, the device account number alongside a transaction-specific dynamic security code is used to process the payment. On that basis, the actual credit or debit card numbers are never shared with merchants or transmitted with payment.
The true benefit of this announcement for the access control sector is the potential use of the open API for developers. Although Samsung Galaxy has an embedded secure element (SE) and countless other devices offer a subscriber identification module (SIM)-based SE, there has been limited traction for access control.
There are many forms of secure element, including the universal integrated circuit card (UICC), NFC SIM, embedded SE, external (sticker or sleeve) and microSD. The most used formats are UICC and embedded, with the new iPhone 6 featuring an embedded SE.
According to the 2014 IHS report on NFC, 18.2% of cellular handsets shipped in 2013 were NFC-enabled (up from about 8% in 2012). IHS forecasts the number of phones that are NFC-enabled to reach about 1.17 billion by 2018.
The report also estimates that, in 2013, around 70% of NFC secure element implementations within cellular handsets were embedded while 27% resided on the SIM card.
What does this mean for the access control sector?
Apple’s announcement addresses one of the barriers the access control sector has faced with regard to NFC (ie loading an identifier onto the secure element). With the API mentioned by Apple, it’s possible that access control manufacturers – among others in the supply chain – could load and command an identifier directly onto the secure element. Currently, most providers of NFC-based access control are using encryption methods located only in the sandbox (host operating system) of the handset rather than in the SE.
By using host card emulation (HCE), providers are able to offer NFC outside of the SE. Although this isn’t deemed a Best Practice method, the only other means to provide mobile access control through NFC would be to partner with all the cellular carriers and providers which can be an incredibly arduous process. By partnering, the access supplier is allowed access to the SE, which is typically either embedded or in the SIM card.
One example of such a partnership is HID and Oberthur Technologies. In 2013, HID announced a partnership with Oberthur Technologies to carry Seos digital keys on NFC SIM cards.
As mentioned above, the Apple announcement could make it easier for access control suppliers to provide mobile credentials with the true security afforded by the secure element.
Beyond the buzz, the market opportunity for access control remains unclear. Only time will tell if Apple providing mobile payment will ‘jump start’ NFC usage for access control. Some access control manufacturers speculate that the use of the secure element may not always be necessary and that the encryption provided for access control data on the handset is sufficient for most end users.
Impact on the access control sector
How quickly could this announcement impact access control? Today, data suggests that less than 3% of retailers (or 220,000 out of about nine million) will be using mobile payments at the start. One of the main reasons for low adoption is the lack of infrastructure in stores.
However, every credit card in the US, for example, will be required to have EMV Chip and PIN technology by October 2015. As a result, merchants could decide to move forward with NFC capabilities since they will need to upgrade their system in any case.
Interestingly enough, Apple is initially only launching in the US which has the lowest penetration rate of mobile payments compared with all other regions. There is a tremendous upside though. Access control end users already have the infrastructure in place to support NFC (eg the smart card reader, 13.56 MHz). While some pieces of the system (such as incompatible hardware and software) may need upgrading, the system is mostly ready.
Unlike the retail space, which has to replace millions of terminals and retrain employees, access control is already primed for the transition.
Overall, Apple could instigate change for the access control sector. However, adoption will remain low due to the other barriers which have not been addressed, such as mobile phone issuance to colleagues and identifying which department in an organisation will manage the mobile credentials. In most cases, the phone would be managed by IT and the security credential would be managed by the Security Department.
New policies and procedures will have to be created and many end users will still be issued with badges for identification purposes.
Bluetooth: a viable alternative to NFC
Bluetooth is becoming a viable alternative to NFC. Security suppliers have been working for the past several years to partner with NFC and implement it beyond pilot projects but to little avail.
As a result, many are turning to Bluetooth, which is deemed by many to be a more robust option for security purposes such as access control since, for instance, the read range can be modified.
Additionally, Bluetooth has a longer history with smart phones than NFC. Bluetooth was introduced in 2000 and NFC in 2006.
While the Apple announcement sets the ball rolling for NFC in the physical security space by providing more outlets for app developers to create a unique user experience, other barriers still need to be overcome before a state of critical mass is attained.