The Next Generation of Access Control: Virtual Credentials

For decades, we have carried our identities around on magnetic stripe (magstripe) and smart cards, but in today’s mobile world, we now have the opportunity to embed them on a variety of portable devices. This will enable us to use products like smart...

The latest 13.56 MHz read/write contactless solutions enhance security through data encryption and mutual authentication, and also support multiple applications such as biometric authentication, cashless vending and PC log-on security. Contactless solutions have provided reliable service for nearly a decade while becoming the standard for efficient, secure and effective access control.

Now, the industry is developing a new access control architecture for a new era of advanced applications, mobility and heightened security threats. This architecture will enable a new class of portable identity credentials that can be securely provisioned and safely embedded into both fixed and mobile devices. This will improve security while enabling the migration of physical access control technology beyond cards and readers into a new world of configurable credentials and virtualized contactless solutions.

Managing the coming generation of portable, virtualized credentials involves a number of complex steps. In one typical example, a server would first send a person’s virtualized credential over a wireless carrier’s connection to the person’s mobile phone. To “present” the person’s virtualized credentials at a facility entry point, the phone is held close to an NFC-enabled secure access control reader.

Throughout the process, there must be a way to ensure that the credential is valid. Both endpoints, plus all of the systems in between, must be able to trust each other. In other words, there needs to be a transparently managed chain of trust extending from one end to the other. This chain of trust requires the creation of a trusted boundary within which all cryptographic keys governing system security can be delivered with end-to-end confidentiality and integrity. Only then can every network endpoint, or node (credentials, printers, readers and NFC phones), be validated, and every subsequent transaction between nodes be trusted.

One of the first such bounded environments is HID Global’s Trusted Identity Platform (TIP). At the heart of the TIP framework is the Secure Vault, which serves known nodes within a published security policy. TIP establishes a scalable framework and delivery infrastructure for three core capabilities: plug-and-play secure channels between hardware and software; key management and secure provisioning processes; and integration with information technology infrastructures. The environment can also support multiple usage models, such as cloud-based applications that require service delivery across the Internet without compromising security.

With the establishment of a trusted boundary, it now becomes possible to deploy a new generation of readers and credentials that enable the use of portable virtual credentials on mobile devices, while also providing advanced security and performance functionality. This next-generation platform must go beyond the traditional smart card model to introduce a new, portable credential methodology based on a secure, standards-based, technology-independent and flexible identity data structure. HID Global calls this data structure the Secure Identity Object (SIO), which can exist on any number of identity devices and works with a companion SIO interpreter on the reader side.

Device-independent data objects and their companion interpreters behave like traditional cards and readers, but use a significantly more secure, flexible and extensible data structure. They offer three key benefits. First, because they are portable, they can reside on traditional contactless credentials and on many different mobile formats, ensuring interoperability and easy migration. Second, their device independence enhances trusted security by letting them act as a data wrapper that adds key diversification, authentication and encryption, protecting the credential data against tampering and cloning. Third, since they use open standards, these device-independent identity objects improve flexibility and can grow in security capabilities, while traditional architectures remain stuck in a fixed definition.
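The provisioning flow described above (issuer sends an object to a phone; the phone presents it to a reader that must verify it) and the "data wrapper" properties of a device-independent identity object (key diversification, authentication, encryption) can be made concrete with a small model. The following Python is an added illustration, not HID Global's SIO format or TIP code, and every name, layout and key in it is an assumption for the example: a master key shared by the issuer and the reader's secure element, per-device keys diversified from the device UID with HMAC-SHA256, an encrypt-then-MAC wrapper (the stream cipher is a toy HMAC-in-counter-mode construction chosen only to keep the example standard-library; a deployment would use a standard AEAD such as AES-GCM), and a reader-side interpreter that verifies before it decrypts. The walkthrough shows a genuine object being accepted, and a tampered object and a copy on a different device being rejected.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed master key, assumed to live in the issuer's key server and in the
# reader's secure element; in the model it never leaves that trusted boundary.
MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                           "101112131415161718191a1b1c1d1e1f")

# Constructed device identifiers and identity payload for the walkthrough.
PHONE_UID = bytes.fromhex("04a1b2c3d4e5f6")
OTHER_UID = bytes.fromhex("04ffeeddccbbaa")
PAYLOAD = b'{"format":"H10301","facility":42,"card":1001}'

NONCE_LEN = 16
TAG_LEN = 32


def diversify(master: bytes, uid: bytes, label: bytes) -> bytes:
    """Per-device, per-purpose key: HMAC-SHA256(master, label || uid).
    A key recovered from one device is useless against every other device."""
    return hmac.new(master, label + uid, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 driven in counter mode, used here as a toy stream cipher so
    the example needs no third-party library (illustrative, not a standard AEAD)."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def wrap(master: bytes, uid: bytes, payload: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Issuer side: bind a payload to one device and seal it.
    Hypothetical object layout: nonce(16) || ciphertext || tag(32).
    The tag also covers the device UID, so the object is valid on that device only."""
    enc_key = diversify(master, uid, b"SIO-ENC")
    mac_key = diversify(master, uid, b"SIO-MAC")
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(payload, keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, uid + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(master: bytes, presented_uid: bytes, obj: bytes) -> bytes:
    """Reader-side interpreter: re-derive the device keys from the UID the device
    presented over the air, check the tag in constant time before touching the
    ciphertext, then decrypt. Raises ValueError on a forged, altered or copied object."""
    if len(obj) < NONCE_LEN + TAG_LEN:
        raise ValueError("object too short")
    nonce, ct, tag = obj[:NONCE_LEN], obj[NONCE_LEN:-TAG_LEN], obj[-TAG_LEN:]
    mac_key = diversify(master, presented_uid, b"SIO-MAC")
    expected = hmac.new(mac_key, presented_uid + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    enc_key = diversify(master, presented_uid, b"SIO-ENC")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def present(master: bytes, presented_uid: bytes, obj: bytes) -> Optional[bytes]:
    """What the reader does at the door: return the identity payload, or None to deny."""
    try:
        return unwrap(master, presented_uid, obj)
    except ValueError:
        return None


def walkthrough() -> dict:
    """Provision one object to PHONE_UID, then present it three ways."""
    obj = wrap(MASTER_KEY, PHONE_UID, PAYLOAD)
    # Flip one ciphertext byte: the tag no longer matches.
    i = NONCE_LEN + 3
    tampered = obj[:i] + bytes([obj[i] ^ 0x01]) + obj[i + 1:]
    return {
        "genuine": present(MASTER_KEY, PHONE_UID, obj),
        "tampered": present(MASTER_KEY, PHONE_UID, tampered),
        # Same bytes copied onto another device: its diversified keys differ.
        "cloned": present(MASTER_KEY, OTHER_UID, obj),
    }


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case:9s} -> {'ACCEPT ' + result.decode() if result else 'DENY'}")
```

The point the model makes is that the reader never needs the credential to carry its own key: the UID it already learns from the contactless protocol, plus the master key inside its secure element, is enough to reconstruct the per-device keys, and a single compromised device does not expose any other device's keys. Verifying the tag before decrypting is what keeps a tampered or cloned object from ever being interpreted as identity data.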


Interoperability and Migration

Next-generation readers using standards-based, device-independent data structures will enable access control solutions that can operate on multiple device types with varying security capabilities. It will be possible for an identity object stored on one device to be ported to — and interoperate with — another device, with ease and without strict constraints.
