Will Smart Card Trump Prox?
Smart cards, like other steps along technology’s ever-evolving pathway (biometrics and megapixel cameras, to name two others), share ingrained challenges.
New stuff is often more expensive than existing stuff. Bring something new in and, often, you have to upgrade other gear that is part of the total system to make it all work together. Then there are design, installation, maintenance and training costs as something new comes through the door.
Still, smart cards are knocking hard at security’s doors, networks and other transactional applications. But are they really welcome?
Obviously, when it comes to card access controls, proximity technology is prevalent with an enormous installed base. But the future for many could be smart cards. Why? Like every next step, there are numerous reasons: Costs are coming down to make it more affordable. Enterprises are using cards, badges and tags for diverse purposes with availability of multiple technology readers. There is a push for more secure credentials. Government and military uses, spurred by homeland security mandates, are seeping into corporate applications.
And, sooner or later, cards, badges and credentials used for networking and financial transactions will greatly impact that corporate door. Speaking of impact, there is also the anticipated influence of smartphones, enabled with near field communications (NFC) chips, as a substitute for or complement to cards for everything from opening a door, accessing a bank account to buying a drink and finding a friend while shopping.
Pilot Tests Step Up
There have been a number of pilots using NFC-enabled smartphones for secured door access control, including an HID Global project at Arizona State University.
In another case, featured at this year’s ISC West, Ingersoll Rand Security Technologies and The CBORD Group, a provider of campus card and integrated security solutions to colleges and universities, conducted an NFC trial at Villanova University where students and staff used a Web-based service from IR along with NFC and their own personal smartphones as their credential to access dormitories, academic buildings and administration offices.
“Using smartphones as badges saves time that can be better spent on other issues,” emphasizes John Bonass, Villanova systems manager. “Assigning the credential to the student’s phone takes less work than printing and delivering a badge, and since students are very protective of their phones, this should lead to a greatly reduced replacement rate. If a phone is lost or broken, a new ID can be reissued to the new phone without even having the students come to our office.”
Manufacturers and systems integrators today see varied levels of interest and sales in smart cards, ranging from government agencies that buy mostly smart cards to facilities that mostly use proximity. But virtually all agree that smart cards are a future and it is best to be prepared. Many of the higher-level integrators serving a sophisticated base report that a growing segment of what they install is smart card systems.
However, that by no means indicates that enterprise security leaders and their integrators are planning on totally abandoning proximity soon. Obviously, smaller and mid-sized access control systems don’t justify the benefits of smart cards.
But don’t use the word “hesitancy” to the Smart Card Alliance.
Just a few months ago, for example, the Smart Card Alliance Identity Council and Access Control Council pushed out two new resources for individuals and organizations looking for more education on Personal Identity Verification (PIV), PIV-Interoperable (PIV-I), and Commercial Identity Verification (CIV) credentials. Its white paper, “PIV-Interoperable Credential Case Studies,” and the brief, “A Comparison of PIV, PIV-I and CIV Credentials,” are available for free download to Security magazine readers on the Smart Card Alliance website, www.smartcardalliance.org.
Homeland Security’s Smart Card Impact
The trickle down of such alphabet soup abbreviations to enterprises started on the federal level in a reaction to the September 11th tragedy with Homeland Security Presidential Directive 12 (HSPD-12), which mandates a standard for a secure and reliable form of identification by all federal employees and contractors. It initiated development of a set of technical standards and issuance policies – Federal Information Processing Standard 201 (FIPS 201) – to deploy and support an identity credential across all federal agencies for physical and logical access.
PIV is the thing for federal agencies. Two additional credentials have been defined – PIV-I and CIV – with the goal of taking advantage of the infrastructure, including smart cards and readers, created by the government’s PIV program.
A variety of organizations, including large corporations, consulting firms and state and local governments, are all beginning to deploy PIV-I and CIV solutions, according to Randy Vanderhoof, executive director of the Alliance.
Still, smart cards are not migrating down yet to the small and mid-sized day-in and day-out access control application. At the government level, when a single card works across multiple organizations or agencies, that is a smart card benefit. For commercial organizations, that benefit is less apparent as compared to higher level security and multiple applications beyond security, say for healthcare and higher education.
A healthcare case in point is Blue Cross & Blue Shield of Rhode Island (BCBSRI), which needed to upgrade its workplace to a more efficient, secure, effective and sustainable environment. To meet both Health Insurance Portability and Accountability Act (HIPAA) requirements and to create a streamlined work environment, the company looked for a multifunction, high security and user friendly solution. A unique aspect: to install multi-function printers (MFPs), something BCBSRI had been considering for 10 years.
The company also wanted a one-card solution that allowed it to do more than open a door. It wanted the same card to be enabled for use with services such as cashless vending in the cafeteria, as well as for access control in the company gym and parking structures. In addition, BCBSRI wanted an elevated level of security in restricted areas, so a system enabling biometrics was also desirable.
Facility Embraces Multifunction Uses
The solution: readers and smart cards.
In moving to a new building, BCBSRI downsized from 600 units for printing, faxing and copying to 100 MFPs. In doing so, the company saved paper and ink, reduced carbon production by using fewer devices and increased document security using “secure print.” In the past, BCBSRI managed document security by having locally dedicated desktop printers, accessible only by staff near to the printer. Since the new MFPs were centrally located among groups of employees, multifunction secure access cards provided the security, and at a much higher level. Now, when an employee sends a job to print, it sits in the cloud until they arrive at the printer, scan their multipurpose smart card and request their specific job to output.
“If we didn’t have the cards, we couldn’t have had the multifunction devices,” says Tom Bovis, assistant vice president, corporate real estate/administrative services. As required by HIPAA, the cards also display the employee’s photo. For those needing access to restricted areas, including the data center and cash processing, their cards also contain biometrics. Following the card swipe these employees also enter a PIN to gain access to the most secure areas. “People are happy with the system,” says Bovis. “They’re impressed with how easy it is to use while still providing state-of-art security.”
Besides a smart card’s computing and memory capabilities as compared to proximity cards, other factors help make a migration case more than just in the government segment. One factor, for example: smart cards have the ability to verify that there is an exchange between the card and reader. And the “digital signature” is really an ultimate goal to provide personal identification and eliminate the problem of identity theft.
As with the shift from analog to digital IP video, migration from prox to smart card is not necessarily a rip out and total new install proposition. Migrate at a pace that is appropriate for your level of security as well as budgetary needs, according to knowledgeable integrators. Consider implementing multi-tech readers, for instance.
What about MiFare?
MiFare technology is a 13.56 MHz contactless technology and often considered to be a “smart card” technology. This is based on the ability to read and write to the card. In reality, MiFare is simply a memory card (as opposed to a processor card).
The MiFare contactless smart card and MIFARE card reader/writer were originally developed to handle payment transactions for public transportation systems. With a short read-range, MiFare is uniquely suited to perform increment/decrement functions. Although contact smart cards could also do the job, contactless readers are faster and easier to use, and there is virtually no maintenance on the readers, or wear and tear on the cards.
To date, use for contactless access control applications has been limited. This is due to the short read range when compared to the options available with proximity.
One exception: Louis Boulgarides, senior vice president of Universal Protection Security Systems, providing solutions to multi-tenant facilities, says he uses MiFare Ultralight paper cards which cost about 50 cents compared to much more expensive smart cards for visitor access control.
Like all technology, newer systems tend to be more secure and sophisticated, according to Dave Adams, senior product marketing manager at HID Global.
For 15 or 20 years, low-frequency (125 kHz) cards, often known as proximity cards, or just prox cards, were the standard in the security industry, offering efficient and effective access control. At their simplest, these cards allowed a person access to a building. Whoever had a company-issued card in their possession could enter the building; this could be an employee who was issued a card or a perpetrator who gained access using a lost or stolen card. Over time, companies began adding visual security, such as a photograph on the card, to provide a basic form of authentication. Best security practices would require that employees wear their photo ID/access cards and that security staff be trained to challenge anyone without proper identification.
These low-frequency cards are now subject to cloning. There are devices available that allow someone to make a duplicate card, giving them unfettered access to a building. Unless the building also has security cameras or someone witnesses this person entering the building, there would be no way to know an unauthorized person had access. In contrast, high-frequency cards provide a higher level of security than traditional proximity cards. This is accomplished by using diversified keys and mutual authentication to deter anyone from gaining unauthorized access to the card or reader, and encrypted data storage to add an incremental level of protection to the information on the card. In addition, some vendors may be able to provide a proprietary format to large organizations, including monitored card numbers to provide an additional level of security.
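The contrast described above, as an added example that is not part of the original article and is not any vendor's actual card protocol: a simplified model of a static-number prox check beside a diversified-key, mutual challenge-response exchange. The HMAC-SHA256 construction, the class and function names, the master key and the card UIDs are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key

def prox_accepts(presented_id, enrolled_ids):
    return presented_id in enrolled_ids  # static number only: a copy is identical

def diversify(master_key, uid):
    # Per-card key from master key + UID: one recovered card key exposes one card.
    return hmac.new(master_key, b"card-key" + uid, hashlib.sha256).digest()

def _mac(key, *parts):
    # Length-prefix each field so different field splits cannot collide.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

class Card:
    def __init__(self, uid, key):
        self.uid, self._key, self._nonce = uid, key, b""

    def respond(self, reader_nonce):
        self._nonce = os.urandom(16)
        return self._nonce, _mac(self._key, b"card", self.uid, reader_nonce, self._nonce)

    def verify_reader(self, reader_nonce, proof):
        want = _mac(self._key, b"reader", self.uid, self._nonce, reader_nonce)
        return hmac.compare_digest(proof, want)

class Reader:
    def __init__(self, master_key):
        self._master, self.nonce = master_key, b""

    def challenge(self):
        self.nonce = os.urandom(16)  # fresh per attempt, so old answers are useless
        return self.nonce

    def verify_card(self, uid, card_nonce, proof):
        key = diversify(self._master, uid)
        if not hmac.compare_digest(proof, _mac(key, b"card", uid, self.nonce, card_nonce)):
            return None  # card did not prove knowledge of its key
        return _mac(key, b"reader", uid, card_nonce, self.nonce)

def authenticate(reader, card):
    rn = reader.challenge()
    cn, proof = card.respond(rn)
    reader_proof = reader.verify_card(card.uid, cn, proof)
    return reader_proof is not None and card.verify_reader(rn, reader_proof)
```

In this model a card that presents the right UID without the diversified key fails, and a response recorded in one session is rejected once the reader issues a new challenge, whereas the prox check has nothing but the number to go on.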
An investment is required to migrate but there is also a return on that budget commitment. The ROI may be tangible, such as through improved insurance premiums due to better risk management. It could also be intangible, such as the cost savings associated with not having a disaster – something that could impact the organization’s workforce or customers and present long-term legal and reputational issues that would take years to overcome.
Today, high frequency cards are the standard in access control. Often known as contactless smart cards, this new technology has multiple layers of security embedded in the chip.
Secure Identity Object technology, honored at this year’s ISC West’s New Product Showcase, has three key benefits: portability, security and extensibility. Following are a few of the more common applications that can be added to a smart card:
• Biometrics – biometric templates such as fingerprints, iris or hand geometry, or vein patterns are securely stored on the card.
• Building automation – lights and climate-control systems are turned off and on as needed based on when employees are present.
• Cashless payment – provides a range of benefits from a simple cash replacement at point-of-sale to full management of employee benefits such as discounts, free entitlements, and hospitality or loyalty accounts.
• Secure print authentication – eliminates waste and manages printer use by printing documents only when an employee has presented their access control card to the print device.
• Time and attendance – enables quick throughput of employees during shift changes by eliminating time-consuming manual interactions.
• Medical records management – a multi-function credential including this function can be issued to students at a university or employees in high-risk jobs to provide immediate access to their medical records. Hospitals also issue cards to serve as a record during a patient’s stay.
Also, multiple physical and logical access applications can now be embedded into NFC-enabled smartphones and other mobile access platforms for improved convenience and security.
A more fully featured discussion by Adams is accessible on the Security magazine website, www.securitymagazine.com.