Tyco Slaps Down HID

SSN has an interesting article: NFC Access Control: Cool and Coming, But Not Close. Here was my favorite part:

'“I’m still a naysayer,” said Jay Hauhn, chief technology officer at Tyco Integrated Security... "I’m not convinced NFC will be widely adopted,” Hauhn said. “It sounds cool, but it’s a challenge. NFC won’t be successful unless it’s convenient, secure and less complex. The end user won‘t buy it because it‘s cool. They will buy it because it solves a problem.”

Despite Hauhn’s reservations, the buzz for NFC access control is real, especially when it comes from industry insiders such as Debra Spitler, vice president of mobile access solutions at HID Global, based in Irvine, Calif."

'Industry insiders' ??? HID is a non stop sales campaign for NFC. What else do you expect them to say?

That said, I am impressed that Tyco came out so forcefully against NFC. It speaks volumes especially since people like him try very hard not to publicly criticize their 'partners'.

NFC, for physical access control, faces vast challenges.


I totally agree with this remark: "NFC won’t be successful unless it’s convenient, secure and less complex."

Let's look at the current state of these three:

  • Convenient: NFC is gaining traction here, but it is not the only new credential platform being pushed in "Mobile Access' credentials world. Apple will sidestep NFC for the near future, and Bluetooth Low Energy is a cheaper (license free) method of wireless proximity communication. Assa/HID pump NFC to no end because: surprise! They make profits from licensing NFC credentials. Most mobile phones support BLE (not just smartphones), and inexpensive fobs are already being introduced for those who want 'smart locks' but do not carry 'smart phones'.
  • Secure: It's not that NFC is less/more secure than existing credential types. It's just that those types are 'secure enough' that people aren't motivated to change. Prox/iClass may be vulnerable to snooping, but guess what? Security managers don't care.
  • Less Complex: NFC loses big time here. How will security offices manage credentials on NFC-enabled devices that they likely don't own? What about the demographic swaths that don't carry smartphones? What happens when phone batteries die? What happens when the employee's cell phone bill doesn't get paid? In the meantime, most will continue flashing their plastic ID badge while those alligators get wrestled.

One of the dissappointments I have found in the NFC world today is that no one can garantee the compliance to the NFC protocols. Samsung Galaxy S2 was able to read MiFare Classic from an AT&T phone running Android 2, when AT&T decided to update the firmware on the phone to 4.0.4 they decided to drop the NFC capability even though it was in the phone. Then when Samsung Galaxy S4 came out, Samsung decided to change from the NXP to the Broadcom NFC devices which changed the way it read credentials.

My point here is and I have seen the massive push by HID for SEOS is that they cannot garantee that the end point devices will work. So how do you expect the consumer to have a choice if the SEOS must rely on specific technology. And that is just the techonlogy side.

Apple may have more luck in this arena since they are traditionally built to just say, this is my product, if you want it do it our way. For the others Microsoft now owning Nokia and Google with the Android market, its unclear how this is going to pan out. Is HID big enough to influence the consumer market???

During the HID show cases, they have not been able to demonstrate the governance of using NFC as a security credential. Its too easy to come up with a piece of software and concept, how is it going to be managed and secured? I think on a small scale it can be a neat technology and ease of use for employees, but for large businesses it can be a nightmare to secure and manage.

One positive aspect is that the NFC device in card emulation mode (i.e., employee badge, student ID), is that the battery can be dead as the NFC reader is providing the "power" (see ISO 14443/ISO18092). In a fully integrated NFC deploymet the "access control" segement can also be remotely deleted from the user's phone (i.e., they quit or lose the phone). Of course, this doesn't offset the investment, interoperability issues, and updates to name a few things IT and Security will need to manage.