
Use of virtual credentials to manage identity is opening the access control industry to new solutions
Today's mobile phones are so much more than communication devices - they have become an indispensable consumer appliance for numerous personal, professional and entertainment applications. With the advent of Near Field Communications (NFC) technology, these mobile phones can now also hold your identity keys and be used to carry out numerous secure transactions. Dr. Tam Hulusi, senior vice president at HID Global, delves into the issues involved with trusting identities on NFC and other virtualized credential platforms.

Near Field Communication technology - Explained

A short-range wireless communication technology standard, NFC enables the exchange of data between devices over short distances such as a few centimetres. NFC is one of several new platforms that can be used to hold virtualized credentials that previously were stored on contactless smart cards and used to open doors. The same contactless credentials that are programmed to provide various levels of facility access can now be loaded onto a mobile handset and used with NFC for secure access. Users benefit immensely as it eliminates the need to carry any other access credentials, while making it easier for security managers to track who is entering and exiting monitored access points.

Benefits of Near Field Communication

NFC enables physical access, cashless payment and other exciting capabilities, but the only way to make them secure is by establishing an identity methodology. This methodology must be based on a comprehensive chain of custody in which all system end points can be validated. Only in this way can identity transactions between the end points be trusted at any time.

Contactless payments and contactless access control go hand-in-hand with NFC


NFC-enabled phones can make several contactless transactions, including cashless payment and transit ticketing, data transfers such as electronic business cards, and access to online digital content. This makes it easy to combine multiple virtual credentials on a single device for things like secure facility access and the ability to make cashless payments at the facility's canteen. Cashless payment is rapidly growing in popularity, and contactless payments are becoming increasingly popular in Canada. According to an August 2010 study by Technology Strategies International, an Oakville, Ontario-based tech market research firm, a significant chunk of transactions in Canadian stores will be carried out using cashless payment systems by 2014. The value of contactless transactions is expected to reach $5.6 billion, and there is also strong interest in mobile payments.

The changing face of "identity" and identity management

We often think about identity in terms of the card that carries it. Clearly, though, "identity" can now take the shape of a mobile phone, a USB stick or some other medium. These and other virtualized credentials expand the concept of identity beyond traditional I.D. cards to include many different credential form factors.

This new way of thinking is driving fundamental changes in how we deliver and manage secure identity. Today's new form factors for credentials improve user convenience and flexibility. But they also raise questions about how to ensure that all identities can be trusted. For instance, if a user's identity resides on a mobile phone, how can one be sure that the device is trusted and secure? Or if a user loses a USB stick that houses his/her identity, how does one disable that device without affecting the user's identity/credential residing on another device?

Factors involved in virtualized credentials' authentication and management

Managing virtualized credentials can be a complex process. In one typical example, a server would first send a person's virtualized credential over a wireless carrier's connection to the person's mobile phone. To "present" the person's virtualized credentials at a facility entry point, the phone is held close to an IP-based access controller connected to another server. Throughout the process, there must be a way to ensure that the credential is valid. Both endpoints, plus all of the systems in between, must be able to trust each other. There needs to be a transparently-managed chain of trust going from one end to the other.

The basis for modern transactional systems has been the ability to trust the identification of a person, computer, web site, check, or a credit card. Unfortunately, the effort required to authenticate them has grown exponentially. There is, however, an aspect of secure identity systems that simplifies the problem: like mobile networks, secure identity systems are closed systems. To use them, you generally must complete a background check and sign a legal document to construct the basic blocks describing your identity. It's this strong authentication and binding that endows a secure identity system's basic blocks with inherent trust.

To even have a current and valid set of identity blocks usually means that one has passed this bar and is a member in good standing of the closed system. It also means that the blocks and the systems supporting them can be simpler and constructed so that they use industry standards. This is the approach taken with TIP [Trusted Identity Platform], which enables the validation of all endpoints, or nodes (such as credentials, printers, readers and NFC phones) in the network so that transactions between the nodes can be trusted.


Benefits of the Trusted Identity Platform [TIP]

TIP is a framework for creating, delivering and managing secure identities in a virtualized credential environment. At the heart of the TIP framework is the Secure Vault, which serves known nodes within a published security policy. TIP delivers three critical capabilities: plug-and-play secure channels between hardware and software; best-in-class key management and secure provisioning processes; and seamless integration with information technology infrastructures.

Data security, privacy and reliability are ensured in the TIP environment using symmetric-key cryptography, so that all nodes can execute trustworthy transactions. Once a "handshake" is accomplished between the Secure Vault and a node device, then the device is deemed to be "trusted" in the network. Trusted devices no longer must communicate with the Vault and may operate independently. In this way, the transaction between nodes, such as a credential and a reader, is trusted and the resulting transaction, such as opening a door or logging onto a computer, can also be deemed trusted.
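The model described above, and the earlier question of disabling one lost device without touching the same identity on another, can be sketched as an added example; this is not HID's or TIP's protocol. It assumes HMAC-SHA256 key diversification, and the `Vault`, `Reader` and `Credential` classes and all identifiers are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_key(master: bytes, identity: str, device_id: str) -> bytes:
    # Per-device key: one identity on two devices gets two unrelated keys.
    return mac(master, f"{identity}|{device_id}".encode())

class Credential:
    """Virtual credential held on a phone, card or USB token."""
    def __init__(self, identity: str, device_id: str, key: bytes):
        self.identity, self.device_id, self._key = identity, device_id, key
    def respond(self, challenge: bytes) -> bytes:
        return mac(self._key, challenge)

class Reader:
    """Door reader; after the vault handshake it verifies credentials offline."""
    def __init__(self, master: bytes, revoked: set):
        self._master, self.revoked = master, set(revoked)  # snapshot, not a live view
    def grant(self, cred: Credential) -> bool:
        if (cred.identity, cred.device_id) in self.revoked:
            return False
        challenge = secrets.token_bytes(16)  # fresh nonce, so replays fail
        key = derive_key(self._master, cred.identity, cred.device_id)
        return hmac.compare_digest(mac(key, challenge), cred.respond(challenge))

class Vault:
    """Stand-in for the key-holding back end (hypothetical, not TIP's Secure Vault API)."""
    def __init__(self):
        self._master, self.revoked = secrets.token_bytes(32), set()
    def provision(self, identity: str, device_id: str) -> Credential:
        return Credential(identity, device_id, derive_key(self._master, identity, device_id))
    def handshake(self) -> Reader:
        # Assumption: the reader keeps the master key in tamper-resistant hardware.
        return Reader(self._master, self.revoked)

def demo():
    vault = Vault()
    phone, usb = vault.provision("alice", "phone-1"), vault.provision("alice", "usb-1")
    reader = vault.handshake()
    before = (reader.grant(phone), reader.grant(usb))
    vault.revoked.add(("alice", "usb-1"))     # the USB stick is reported lost
    stale = reader.grant(usb)                 # reader has not synced yet
    reader.revoked = set(vault.revoked)       # next sync with the vault
    after = (reader.grant(phone), reader.grant(usb))
    return before, stale, after
```

The `stale` result is the operational cost of nodes that work without contacting the vault: a revoked device keeps opening doors until each reader next synchronises its revocation data.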

NFC-based access systems and other virtualized credentials will enable a new era of more convenient and secure transactions. Delivering on this promise will require a simple but protected, fully scalable and standards-based identity delivery system. These systems will need to support a wide variety of identity nodes - ranging from readers and cards to NFC-equipped mobile phones - that each can be registered as a "trusted node" so that it can be securely provisioned anywhere in the world.

Dr. Tam Hulusi, Senior vice president, HID Global
