NFC Smartphones Replace Card Keys In Pilot Program
Secure identity provider HID Global announced Tuesday it has completed two pilot programs that enable employees to open doors using NFC-enabled smartphones. The pilots were conducted at the headquarters of Internet subscription service Netflix and enterprise mobility provider Good Technology.
Good partnered with HID Global on a pilot deployment of digital keys that were provisioned over-the-air to its employees' smartphones and used to open doors in the company's headquarters in Sunnyvale, Calif. The purpose of the pilot was to explore the benefits of mobile access control technology and its potential for enhancing security as compared to Good's use of low-frequency proximity-based photo ID badges, while improving user convenience.
Beginning in August, Good provided 10 employees, ranging from C-level executives on down, with Samsung Galaxy S III handsets that were equipped with a microSD card and a range extender from DeviceFidelity inside the device. The Galaxy S III and most Android phones have a slot for a microSD card to extend the storage capability of the phone, but "in this case we're using the secure SD card with a secure element to do the heavy lifting to get this to work," said Chris Webber, senior product marketing manager for secure mobile platforms at Good, who was a pilot participant. "We did it this way because U.S. versions of the [Galaxy] S III phones... don't have access to the secure element built into those phones and this was the easiest way to run the pilot with our credentials and make it operate like a regular phone."
The goal was to help HID determine whether there were any stumbling blocks to using mobile access control compared with photo ID badges. "The results were definitely positive," said Webber. "The only thing that needed to change was user behavior" to use the phone to get inside Good headquarters. "It did take a little bit of learning for people to unlock their phones." He said swiping a cell phone is more secure than using a badge because it requires two-factor authentication to get inside a building: a PIN to unlock the smartphone and then the HID Mobile Keys app to gain entry.
"Any of these folks [remember] the old paradigm with a plastic badge who have forgotten them and have had to turn around and go back and do the embarrassing walk of shame up to IT or tailgate up to someone else," he noted. Because most people are accustomed to carrying their mobile phones with them at all times, Webber said it's one fewer thing to have to remember.
Over 80% of the pilot users said the smartphone was more convenient to use than their current access card, and all said the look of the "door unlock" app on their phones was intuitive and easy to use. More than 83% of the participants said physical security at Good was improved by using a smartphone rather than a card to open unlocked doors; and 67% said other people who saw them using their smartphone to access the building expressed interest in learning more about how they could do it, too, according to Good.
Netflix offered employees the opportunity to affix HID's coin-shaped MicroProx Tags to their current mobile phone to gain entry to the building. The tag was held up to the reader in order to gain secure entry, HID said. During the mobile access pilot, 56% of the respondents were using ProxKeys and the other 44% were using MicroProx Tags. The mobile access pilot was conducted at a Netflix building that houses its data science and engineering facilities, finance, IT operations, and legal teams. As at Good, employee participants were given Samsung Galaxy S III handsets that were equipped with an NFC-enabled microSD card and a DeviceFidelity range extender to store and emulate user credentials.
"I love the idea of mutually authenticated reader-badges," said Bill Burns, director of Netflix IT networking and security, in a statement. "It reduces the threat of badge skimming and replay attacks." According to HID, more than 80% of the 16 participants found the application for unlocking a door to be "intuitive," and almost 90% described it as easy to use. About 75% said they would be willing to load the app onto their own smartphone, and about the same figure said they were questioned by other people who saw them using their device to enter the building and expressed an interest in it.
Good's Webber said they are planning to continue the mobile access pilot and are hoping to extend it for other use cases. "What we're working on is figuring out when to leverage this secure technology to provide deeper encryption for corporate data and to leverage that secure element to store credentials to do more things." That might include the ability to store credentials on a mobile device that would provide or deny access to a hotel room and that would deactivate the day someone checks out, he said.
"It boils down to providing a secure way to protect corporate data and applications," said Webber, and "through our partnership with HID, we see this as extending out to not just protecting data, but physical offices and physical entry."