HID 'Twist and Go' Access Control
By Brian Rhodes, Published on Sep 30, 2014
Credential giant HID Global is making it easier to use cell phones as credentials. Instead of pushing buttons to turn on an app, users need only to raise and tilt their phones in a concept HID calls 'Twist & Go'.
We examine how HID has implemented gesture controls in their mobile credential, the limitations on deploying this with existing systems and what competitive impact this may have.
"Twist & Go"
Implementing an idea patented a year ago, HID uses smartphone movements to activate access credentials. The process is easier to demonstrate than describe:
The user raises their phone upward to the reader, then rotates it 90 degrees clockwise to enact a credential read from the phone to the reader.
Gesturing is available as part of HID's Mobile Access platform, usable with Android- and iOS-based smartphones. However, an enabled phone is only one of the components required from HID to make it work, a point the datasheet describes as:
"(Twist & Go) is sold only as part of a complete solution that requires the following components:
- New, mobile-enabled readers (iCLASS SE or multiCLASS SE with factory-installed components)
- HID Mobile Access Service Bundle, with Mobile IDs, HID Secure Identity Services portal (a hosted service), and HID Mobile Access App"
To adopt Twist & Go, a whole new credential management platform, credential type, and reader upgrade are likely required.
NFC or BLE
Twist & Go works with most smartphones. Rather than being reserved only as an NFC credential, Twist & Go uses Bluetooth Low Energy as well. Not only are more phones equipped with BLE vs NFC, but the potential transmit range with BLE is much longer; up to 100 feet vs 2" - 4". Special access applications, like parking lot gates, benefit from this longer range.
Phone Accelerometer Based
Rather than relying on inexpensive MEMS accelerometers, Twist & Go uses the onboard units integrated into smartphones. These are generally higher-quality and more dependable than unpowered, semi-disposable circuitry.
No Backward Compatibility
Adopting Twist & Go takes more than just adding mobile credentials to a system; it also requires upgrading to HID's latest readers (iCLASS SE / multiCLASS SE) that recognize gesture credentials.
This means that essentially all access systems will need a reader upgrade, with only those installed in the last six months potentially having the right models. The cost of this upgrade alone will be several hundred to thousands of dollars for most systems.
Credential Problems Solved
Gesturing mitigates 'spoofing' risk by essentially keeping the credential turned off until deliberately activated. Unlike a card that can be passively energized and read without the user being aware, a gesture-activated credential requires physical possession of the smartphone first, greatly reducing the risk.
From a usability standpoint, Twist & Go means users will not need to call up an app and press buttons on the phone at a reader. With the credential app running in the background, users will only need to gesture the phone to activate a credential.
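The gating idea described above, keeping the credential off until a deliberate upright-then-90-degrees-clockwise twist, can be expressed as a small state machine over accelerometer samples. This is an added illustration, not HID's implementation: the axis convention, thresholds, arming window, sample data and all names (`TwistGate`, `trace`, `ever_armed`) are assumptions.

```python
import math

G = 9.81                   # m/s^2
ROLL_TARGET_DEG = 90.0     # from the article: rotate 90 degrees clockwise
ROLL_TOLERANCE_DEG = 20.0  # assumed
MAX_TWIST_SECONDS = 1.0    # assumed: upright -> rotated must be one quick motion
ARM_SECONDS = 3.0          # assumed: how long the credential stays readable


def roll_deg(ax, ay):
    """Clockwise roll about the screen normal; 0 = upright portrait.
    Assumed axes: x to the screen's right, y to its top, +g on the axis facing up."""
    return math.degrees(math.atan2(-ax, ay))


class TwistGate:
    """Keeps the credential off until an upright -> 90 deg clockwise twist is seen."""

    def __init__(self):
        self.upright_at = None   # time of the last upright sample
        self.armed_until = 0.0

    def armed(self, t):
        return t < self.armed_until

    def feed(self, t, ax, ay, az):
        g = math.sqrt(ax * ax + ay * ay + az * az)
        # Skip samples where roll is meaningless: phone shaken hard or lying flat.
        if abs(g - G) > 2.0 or math.hypot(ax, ay) < 0.5 * g:
            return self.armed(t)
        roll = roll_deg(ax, ay)
        if abs(roll) <= ROLL_TOLERANCE_DEG:
            self.upright_at = t
        elif (abs(roll - ROLL_TARGET_DEG) <= ROLL_TOLERANCE_DEG
              and self.upright_at is not None
              and t - self.upright_at <= MAX_TWIST_SECONDS):
            self.armed_until = t + ARM_SECONDS   # transmit only inside this window
            self.upright_at = None               # one gesture arms once
        return self.armed(t)


def trace(rolls, dt=0.1):
    """Constructed samples: phone held vertically, passing through these roll angles."""
    return [(i * dt, -G * math.sin(math.radians(r)), G * math.cos(math.radians(r)), 0.0)
            for i, r in enumerate(rolls)]


def ever_armed(samples):
    gate = TwistGate()
    return any([gate.feed(*s) for s in samples])
```

A phone that sits sideways in a pocket, is rotated the wrong way, or drifts slowly to 90 degrees never arms the credential, which is the property that distinguishes it from a passively readable card.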
As we first examined in HID's Gesture Credentials Patents, "Twist & Go" is just one possible implementation described in the patents. With low-energy MEMS accelerometers, it is possible to produce unpowered contactless-style credentials like iCLASS cards or fobs that use gesturing.
Also, while "Twist & Go" is a simple movement, it is not the only gesture pattern described by the patent documents.
Indeed, "Twist & Go" may be the first of several 'standard' gestures that activate different features or reference different credentials for a range of systems.
While 'Twist & Go' makes smartphone credentialing easier to use, HID still has a big uphill battle before widespread commercial adoption of Mobile Credentials is a reality. For many security and IT departments, the prospect of using employee phones (BYOD) is still a policy issue. Combined with the credential redundancy required anyway for lost or dead phones, unpaid service bills, and photo ID badges, mobile-phone-based credentials create more problems than they solve.