RFID: The 'Almost Everything' Tool
RFID seems to be able to do everything, including access control, ID management and asset protection.
What do the lowly ant, a Denver Broncos wide receiver, a pallet of clock radios and a graphic designer coming late for work at her advertising agency all have in common? Radio frequency identification technology, that’s what.
For enterprise security professionals, RFID is at the heart of many electronic access control systems, opening doors upon presentation of a card, keyfob, credential or tag. RFID seems to be able to do everything beyond door access, too: solutions that are essential in transportation and logistics, a secure twist on passports, identifying a lost dog, protecting Italian-designed leather jackets at a Fifth Avenue boutique, and identifying the whole shebang from healthcare items and school equipment to library books and vehicles on a toll road.
There’s no doubt, RFID is ubiquitous. Take those ants. University researchers have successfully glued RFID micro-transponders to live ants in order to study their behavior. This trend towards increasingly miniaturized RFIDs continues.
Shouldering Radio Signals
National Football League players have RFID tags in their shoulder pads that actively send out radio signals. In 2014, according to reports in Sports Illustrated, the league partnered with Zebra Technologies to install its radio frequency identification system, called MotionWorks, in 18 stadiums, including Wembley in London. Though a major motivator for using the technology is to improve the TV experience for football fans by identifying and showing various players in action, at least three teams – the 49ers, Lions and Saints – use RFID in practice, too.
When it comes to tollways, longer range RFID transponder-based services (branded as E-ZPass, SunPass or FasTrak) make it easy for drivers to pay tolls. Some private parking lots and garages now piggyback on the tech approach. And cities such as New York use the tollway technology to monitor traffic to adjust to congestion.
Retailers and agencies along the supply chain have widely embraced RFID technology. As examples, Walmart and the United States Department of Defense both have published requirements that their vendors place RFID tags on shipments to improve supply chain management. The application has moved from containers to pallets to item-level tagging, when it makes business sense. As a way to multi-task, Walmart, which uses RFID for inventory purposes, also uses it as anti-employee-theft and anti-shoplifting technology. If a product with an active RFID tag passes exit-scanners at Walmart outlets, not only does it set off an alarm, but it also tells security personnel exactly what product to look for in the shopper’s cart.
RFID tags for animals represent one of the oldest uses. Originally meant only for ranches and animals roaming in rough terrain, RFID has become crucial in animal identification management including the identification of lost and then found home-bound pets. Some companies have even tried, without much success, to market RFID chips injected into children and adults. The U.S. Food and Drug Administration, by the way, has approved the use of RFID chips in humans.
Not for injection as yet, runners at various marathons now wear RFID chips with readers placed along the track or on mats over which the runners pass.
Passports Go RFID
Touching travelers more personally, the United States and other countries have rolled out RFID-enabled passports. In the U.S., so-called ePassports store the same information that is printed within the passport, and include a digital picture of the owner. On the security side, basic access control (BAC) is now more common as part of the passport experience. BAC is a mechanism specified to ensure only authorized parties can wirelessly read personal information from passports with an RFID chip. It uses data such as the passport number, date of birth and expiration date to negotiate a session key. This key can then be used to encrypt the communication between the passport’s chip and a reading device.
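The BAC key derivation described above, as an added example that is not part of the original article: it follows the derivation published in ICAO Doc 9303 (SHA-1 over the document number, date of birth and expiry date with their check digits) and uses that document's specimen passport values as sample input. The function names and the ranges in the entropy estimate are assumptions made for illustration.

```python
import hashlib
import math

WEIGHTS = (7, 3, 1)  # ICAO 9303 check-digit weights, repeated over the field


def check_digit(field):
    """Digits keep their value, A-Z map to 10-35, the filler '<' counts as 0."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        else:
            value = ord(ch) - ord("A") + 10
        total += value * WEIGHTS[i % 3]
    return str(total % 10)


def mrz_information(doc_number, birth, expiry):
    """Document number, birth date, expiry date, each followed by its check digit."""
    fields = (doc_number.ljust(9, "<"), birth, expiry)
    return "".join(f + check_digit(f) for f in fields)


def odd_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES key format)."""
    return bytes((b & 0xFE) | (0 if bin(b >> 1).count("1") % 2 else 1) for b in key)


def derive_bac_keys(mrz_info):
    """Return (K_seed, K_enc, K_mac); the two keys are 2-key 3DES keys."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def kdf(counter):
        digest = hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()
        return odd_parity(digest[:16])

    return k_seed, kdf(1), kdf(2)


def mrz_entropy_bits(doc_alphabet=36, doc_len=9, birth_years=100, valid_years=10):
    """Upper bound on key entropy: every input is printed on the data page.
    The default ranges are illustrative assumptions, not figures from the article."""
    return (doc_len * math.log2(doc_alphabet)
            + math.log2(365 * birth_years)
            + math.log2(365 * valid_years))


if __name__ == "__main__":
    # Specimen values from the ICAO Doc 9303 worked example, not a real passport.
    info = mrz_information("L898902C", "690806", "940623")
    k_seed, k_enc, k_mac = derive_bac_keys(info)
    print(info, k_seed.hex(), k_enc.hex(), k_mac.hex())
    print(f"entropy upper bound: {mrz_entropy_bits():.1f} bits")
```

The derived 3DES keys are 112 bits long, but their effective strength is capped by the entropy of the three printed fields, which is why the estimate matters when assessing how much protection BAC provides.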
In healthcare, RFID-based solutions such as WaveID leverage existing building access badges to provide secure two-factor authentication, easily switch users in shared workstation environments and comply with privacy-focused Health Insurance Portability and Accountability Act (HIPAA) requirements.
Still, for physical security professionals, RFID most often pulls door control duty. RFID systems can be classified by the type of card or tag and reader. Specific to enterprise and government access control, RFID is most often packaged as proximity cards and prox readers. There are active [battery within], battery-assisted passive and passive short- and long-range read-only, read-write once and read-write multiple contactless approaches. That’s a lot of potential choices.
Still, a bare-bones RFID system comprises a tag with an integrated circuit (IC) for storing and processing information, modulating and demodulating a radio frequency signal, and collecting DC power from a reader signal; an antenna for receiving and transmitting the signal; and a reader that sends an interrogating signal.
Typically for access control, fixed RFID readers create a specific interrogation zone, which can be controlled. The RFID tag then responds with its identification and other information. This may be only a unique serial number for identifying a person authorized for access into a building or room; or it may be product-related information such as a stock number, lot or batch number, production date or other specific information for object-based RFID applications. In other applications, mobile readers may be hand-held or mounted on carts or vehicles.
Range and Data Vary
Range and the amount of data transmitted can show the differences among RFID choices. Common proximity cards often are based on mature 125 kHz devices as distinct to newer 13.56 MHz contactless smartcards. The former are inexpensive per card, limited to short distances to and from a reader, are read-only and transmit a small amount of data – building and personal ID, for example. The latter have the ability, at somewhat longer distances, to transmit more data that can be, to one degree or another, written to the IC chip for transaction updating.
Then there are emerging RFID subsets such as near field communication (NFC), which uses prox-matching 13.56 MHz, and Bluetooth, especially Bluetooth low energy (Bluetooth LE), which is frequently marketed as Bluetooth Smart and uses 2.4 GHz frequencies. Both NFC and Bluetooth Smart fit into designs aimed at end users and their smartphones, tablets and laptop computers. Currently, NFC has some growing appeal for door controls while Bluetooth Smart’s advantages center on its longer-range capabilities and growing applications in healthcare, beacons and security.
Yet another RFID-enabled strategy, according to integrator Bill Hapner, regional sales manager at G4S Secure Integration, is real-time locating systems (RTLS) to automatically identify and track the location of objects or people, usually within a building or other contained area. Similar to vanilla RFID, wireless RTLS tags are attached to objects or worn by people while fixed reference points receive wireless signals from tags to determine location.
Nowadays, RTLS focuses on object tracking – automobiles through an assembly line, pallets of merchandise in a warehouse or medical equipment in a hospital. Emerging are people tracking applications – another step beyond plain RFID. No matter the use, however, the physical layer of RTLS technology is usually some form of radio frequency identification communications.
With so much to choose from with door access RFID and RTLS, “keep your eye on return on investment and know who the players are” and their technology strengths and weaknesses, says Hapner. He contends that – sooner or later – typical access cards will go away, as everyone has a smartphone. Of course, facing an investment in legacy RFID solutions that get the job done and increasing concern over privacy and transmitted data security, a tradeoff to smartphones seems yet to come for many.
But Hapner and some other integrators see eventual growth in beacons. “Instead of a $300 reader, use a $50 beacon,” he contends.
Often used interchangeably, the terms “iBeacons” (Apple’s copyright confection) and generic “beacons” allow mobile apps (running on iOS and Android devices) to listen for signals from the beacons (similar to but different from readers in RFID card apps) and react.
What about Beacons?
Beacons, about the circumference of a large apple in the early days, can now be mere stickers affixed to walls or objects. In retail situations, these beacons, using Bluetooth Smart technology, can normally recognize the nearest people and then deliver prearranged messages to the person’s mobile devices. Originally developed for retail use to enhance a shopper’s experience, the technology can apply, suggests Hapner, to security and conventional access control uses. Starwood Hotels and Resorts has a pilot program to replace hotel room keys with beacons. Major League Baseball is using them to reach securely out to fans in stadiums to offer them seat upgrades.
Beacons can make ROI sense as they emerge beyond retail. The hardware is low in terms of cost of investment and power required, while such proximity detection devices support a range up to 230 feet although, with door control applications, the range is more typically eight to 10 feet.
Of course, there are other innovative retail solutions that still embrace contactless tech. For instance, a new mobile-enabled self-checkout concept from Diebold combines core capabilities of the automated teller machine (ATM) with the convenience of contactless mobile payments and self-checkout. Consumers scan items they want to purchase while shopping in-store via their smartphone or other mobile device. Once ready to pay, they simply tap their phone at the self-checkout unit to pay for the items when exiting. Payment is made via preloaded card information found in the consumers’ mobile wallet, within the retailer’s mobile app or cash inserted into the terminal. Cash-back can also be offered through the checkout terminal, which can function as an ATM.
As compared to cards and readers that mandate insertion of a card, swipe or reading of a barcode, there are credentials that are read by being passed along the exterior of the reader or within a set range of the reader.
Types include low frequency (LF) and high frequency (HF) proximity cards, often implemented as a read-only technology for building access. The LF cards and tags function with a very limited memory and communicate at 125 MHz. On the other hand, HF RFID cards and tags communicate at 13.56 MHz (conforming to the ISO 14443 standard). These cards are often protected memory types.
Another type is the Gen 2 UHF (ultra high frequency) card that operates at 860 MHz to 960 MHz. The read range of passive UHF systems can be as long as 39 feet, and UHF RFID has a faster data transfer rate but can be sensitive to interference. Product manufacturers have found ways of designing tags, antennas and readers to keep performance high even in difficult environments, however.
Multi-mode communication cards – These cards have multiple methods of communications, including hybrid or dual interface. At times, contactless cards can also include magnetic stripe or barcode, depending upon the card’s multi-tasking needs.
Hybrid cards – These have multiple ICs typically attached to separate interfaces, such as a Mifare chip (from Eindhoven, Netherlands-based NXP Semiconductors), which is widely used in contactless smartcards and proximity cards, especially for transit applications.
Dual interface cards – These cards have one chip controlling more than one communication interface.
Multi-component cards – These types are for a specific market solution such as fingerprint sensors, one-time password that displays data for online banking or so-called vault cards.
Near field communication (NFC) is a set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone or tablet, to establish communication by bringing them within four inches.
NFC devices can work in any of three modes:
- NFC card emulation enables NFC-enabled devices such as smartphones to act like smartcards for access control among applications;
- NFC reader/writer enables NFC-enabled devices to read information stored on inexpensive tags embedded in labels or smart posters; and
- NFC peer-to-peer, which enables two NFC-enabled devices to communicate with each other to exchange information in an ad hoc fashion.
With Bluetooth, almost all smartphones have the wireless technology built in without the NFC fuss and boast read range of up to 328 feet, depending on whether it is longer range vanilla Bluetooth or shorter range Bluetooth Smart. The technology is especially geared to small and mid-sized businesses.
Whether typical proximity, RFID smartcard/smart tag, NFC or Bluetooth, expect more use of RFID as various makers integrate their technology solutions as objects handled with building information modeling (BIM) apps.
Netflix, the world’s leading Internet subscription service for movies and TV shows, has a corporate culture which focuses on providing a high performance environment that allows its employees the freedom to innovate. In addition, Netflix’s workforce is highly mobile and has recently experimented with multiple ways to use mobile devices as physical and logical access devices.
One of these pilot deployments, mobile access, was implemented with HID Global and uses smartphones enabled with digital keys to open doors by presenting the smartphone to access control readers, just like existing low frequency proximity keyfobs and tags. The pilot is at Netflix headquarters in Los Gatos, California. “Only having to carry one device for so many daily tasks is excellent,” says Alison Brown, facilities, operations and events manager at Netflix. Additionally, Netflix is a big advocate of smartphones and other mobile platforms, as well as the bring-your-own-device mobility deployment model for its employees. An access control solution that combines improved security with the convenience of opening doors with a smartphone is obviously attractive.
To begin the process of “socializing” the use of a mobile phone for physical access control, Netflix offered employees the opportunity to use small, coin-shaped RFID disks affixed to the back of an employee’s current mobile phone.
The mobile access pilot focused on one of the company’s buildings that houses its data science and engineering facilities, finance, IT operations and legal teams. To implement the solution, integrator Howell Electric upgraded five existing card readers on the exterior of the building and two existing card readers on interior doors, replacing them with readers that handle a broad continuum of application requirements, using smartcards, NFC-enabled mobile devices or both. The readers communicate with an access control platform.
Netflix launched the pilot by providing 16 employee participants with Samsung Galaxy S III handsets operating on a Verizon or AT&T network. The phones were equipped with a microSD card and a range extender. The microSD cards support near field communications in card emulation mode, adding the capability to securely store and emulate user credentials.
The secure element of the microSD card was provisioned with the Seos applet. Then, the HID Mobile Keys app, which provides the user interface and user access to the digital keys, was installed on the smartphone. A Corporate 1000 Program iCLASS Elite credential format with its custom authentication key was then provisioned over-the-air as digital keys to each of the individual smartphones used in the pilot.
“I love the idea of mutually authenticated reader-badges,” says Bill Burns, director, Netflix IT networking and security. “It reduces the threat of badge skimming and replay attacks.” Other participants cited improved security, as well.
“Technically, physical security is better since it requires that a person know the phone can be used as a key, know the passcode to get into the phone and know how to activate the key,” adds Netflix desktop analyst David Tsai.
Concerning worldwide public transit, RFID in the form of contactless cards, NFC-enabled smartphones and even emerging wearables such as wristwatches brings convenience to transit riders. However, such a step forward can prove perplexing to transit systems facing interoperability and security challenges, among others.
That spotlights organizations such as the Open Standard for Public Transport (OSPT) Alliance and its Cipurse open, vendor-neutral standard. It provides an advanced foundation for developing highly secure, interoperable and flexible transit fare collection solutions, observes Laurent Cremer, executive director of the alliance with headquarters in Munich, Germany.
According to Cremer, many public transit systems currently collect fares using closed-loop applications and contactless smartcards. “The majority of these collection systems rely on legacy technology that provides only a basic level of security and can cost more to license, acquire, deploy and maintain,” he points out. With newer payment technologies, multi-application cards and near field communication, there is a compelling need for a more secure fare collection such as Cipurse. “It is stimulating innovation and market opportunities” for transit executives and developers that work with transit agencies, adds Cremer.
The alliance brings together an assortment of vendors that translates into more product choices and capabilities than with proprietary systems. Cipurse includes a unique cryptographic protocol as well as guards against counterfeiting, cloning, eavesdropping, man-in-the-middle attacks and other security threats.