NFC For Access Control

Author: Brian Rhodes, Published on Mar 06, 2012

Led by door access gorilla, Assa Abloy / HID, NFC is getting a lot of unwarranted hype as the next big thing in access control. They envision mobile phones using Near Field Communication (NFC) technology replacing today's proximity and magstripe cards as the preferred choice of accessing facilities.

Despite the hype and parroting from the industry press, we have not seen any detailed, critical analysis of whether NFC makes sense for physical access control. As such, this report digs into the operational details to examine the drivers and barriers to NFC adoption.

Overview

Near Field Communications is derived from RFID technology, except that NFC chips can be changed and updated repeatedly. This flexibility means NFC can be programmed to behave like a 'digital wallet' one moment and a door access credential the next. Running the function on a device like a networked mobile phone means that you'll have access to the right credential when you need it. Your phone can become your access credential, allowing you to throw away your physical access card.

Key Questions

In our analysis, we see 4 main questions shaping the viability of NFC for physical access:

  • Is NFC Truly More Convenient? Clearly, convenience is the main driver for NFC proponents. However, what operational or logistical issues are created when using NFC enabled devices, like phones, as a physical access credential?
  • Is NFC Secure Enough for Access Control? Using a phone as a credential to access secure facilities raises new issues of how secure NFC is and the devices it runs on.
  • What infrastructure Changes Are Required? Physical security is a conservative industry with deep infrastructure already in place. What changes will need to be made? How much will they cost? How can it be justified?
  • Will Security Managers Accept NFC? Switching from cards to phones raises new operational concerns. Will security managers find this operationally easier or more difficult?
    • NFC format has a short 'read' range of only 1.5 inches - significantly shorter than proximity card readers
    • NFC requires new technology compatible readers on all system doors
    • New software for provisioning credentials will have to be adopted
    • End users will require training on how to properly use the NFC platform
    • Picture IDs will still be a requirement in many facilities
    • Any phone service interruption will block users from accessing facilities

    Is NFC Truly More Convenient?

    The most obvious benefit is eliminating duplication. Mobile phones, carried by nearly everyone now, can eliminate the need for carrying a card for physical access control. Most users will likely find this to be more convenient as it is one less object to carry around.

    However, many organizations will still require using cards. A common practice is using the access credential card as a picture ID card. Even if NFC replaces proximity cards, they will still need to print ID cards. If employees are forced to carry ID badges anyway, would they even bother using a cellphone for access?  This circumstance could largely undermine any benefit of moving to NFC.

    Weather could be a big negative with using NFC enabled devices. Users will have to present their phones in a variety of weather conditions, including rain and extreme cold. Will people be willing to expose an expensive smartphone to all weather conditions in lieu of a cheap piece of plastic?

    Get Video Surveillance News In Your Inbox
    Get Video Surveillance News In Your Inbox

    Using an NFC device for access may actually be more cumbersome and time consuming. An application needs to be started on the phone in order for the NFC chip to work. This is a big difference compared to waiving a card over a reader and gaining quick access. The requirement of starting a phone app will slow the entry process down.

    The concern of losing credential availability when a phone battery dies is a thorny issue. A variety of 'work around' plans exist, including the adoption of keypads at certain doors. Other solutions are being discussed, such as designing a 'hot button' onto NFC phones that enable an emergency reserve of power allowing a single entry operation. However, this is purely theoretical at this point.

    A nagging issue with no easy solution is 'What happens if the phone bill doesn't get paid?' If the service to a phone is disconnected, this also disables the phone from being used as an access credential. A matter of financial responsibility very quickly impacts operational capabilities once NFC enabled access controls are introduced.

    Is NFC secure enough for access control?

    NFC's security attributes are equivalent or stronger than current proximity technologies. Many factors influence this:

    • The format's short 'read' range of only 1.5 inches. This hinders the ability to intercept or jam communication between devices as well as greatly hinder attempts to clone the credential since the code cannot be passively read. 
    • NFC has base transmission encoding equivalent to other security credentials using the 13.56 MHz band, and supports more stringent encryption than standard Proximity credentials. The same design attributes that warrant confidence in Proximity card formats are also present in NFC. 
    • No aspect of encryption of encoding changes from the reader back in an NFC enabled access control system. Applying NFC technology at the reader does not change the previous security condition of the access control system.
    • If a phone or NFC sponsoring device is lost, then that particular chip can be immediately invalidated by software update. Local passwords or PIN numbers will also play an important role in keeping devices secure. If a lost phone is picked up, fraudulent use is discouraged by requiring a password to energize the onboard chip for use.

    What EAC infrastructure changes are required?

    Existing installations will need to swap existing readers to models that accept NFC. This will be costly for the vast majority of users. Street pricing for early models of NFC compatible readers are roughly priced at $300 USD each. This price can average up to $400 - $500 USD per reader once installation labor is added to the hardware cost. For an average sized system of eight or ten doors, just this cost alone can approach an expense of $4,000 to $5,000 USD.

    Beyond the new readers and credentials, most existing enterprise-class access control systems are expected to have the ability to use NFC technology will little modification. However, a new method of issuing NFC based credentials has to be added to the system. In most cases this will be accomplished via additional software.

    Due to the short read range of NFC, some existing Proximity applications will not update without substantial redesign. For example, operating a gate from a card scan inside an automobile will not fall within the 1.5" read range. This type of application values the long-range provided by Proximity cards.  It is very unlikely that Proximity based readers will ever be totally replaced by NFC for these types of circumstances. If Proximity credentials must be carried anyway, this greatly diminishes the value of an NFC enabled access control system.

    The reliability/ availability of the underlying NFC host device will require some additional hardware. If a phone battery dies or the phone is broken or lost, the device may not be able to queue up the proper credential. This circumstance will require an alternate method of credentialing, most likely a PIN entry. This is already an issue for card based systems (i.e.. What if I forget my card?), and facilities have responded by locating keypads on specific openings. NFC will require a similar process to remain in place for the 'dead battery' circumstance.

    Will security managers accept NFC?

    Security managers will be forced to change the manner in which they issue and manage credentials. In many cases, credential settings will have to be 'pushed' or flashed to a cell phone rather than written to a card. This will mean that employees must be trained on new software systems, and routine credential changes or processing revokations will be different. However, the net effect of reducing cost of issuing badges, maintaining multiple credential databases, and immediately pushing changes to credential holders will be seen by many security managers as worth the effort.

    On the other hand, mobile phone management will become a security manager concern. Because security managers will be forced to support access control functionality on cellphones, they will be asked to choose between:

  1. Standardizing phones to simplify management
  2. Supporting a wide variety of devices to facilitate user choice

Either outcome will result in a set of difficulties for the security manager to manage. Phone users chose devices based on personal preference and may not approve of having this decision made for them. Alternatively, the security manager faces a difficult task supporting access control functions on a wide selection of NFC enabled phones. 

On the positive side, using NFC enabled phones instead of proximity cards could reduce operational costs significantly. For example, if an installation has 400 cardholders and a common proximity card cost $6 - $8 to buy, activate, print, and distribute, this user could save ~$3,000 during the 'turn over' life of newly issued cards. Actual savings might be moderately less as some proximity cards may still need to be issued.

Conclusion

While NFC has a number of advantages, overall we expect limited uptake over the next 5 - 10 years. Here are the key challenges and timing issues we anticipate:

  • Product Availability: Now, in 2012, the number of readers and management systems actively supporting NFC is low. However, we anticipate that this will grow significantly over the next few years as manufacturers view NFC as a major growth driver. In the next few years, users will have many mainstream options for using NFC.
  • Migration: Since NFC is not backwards compatible with existing readers, this will require users to fund non trivial upgrades. We believe this will delay adoption due to the significant expense and limited benefit precipitated by an upgrade.
  • Market Segment Fit: The best market fit for the technology appears to be a wherever a young and technologically savvy demographic dominates.  University campuses, for example, where exceptional cell phone ownership and usage occurs, are expected to be a good fit for NFC technology.  On the other hand, most small/medium businesses and government or municipal entities should not be expected to spend money on non-essential functionality upgrades.
  • No Killer Application: Overall, the biggest challenge may be the lack of a 'killer' reason for physical access control systems to move to NFC. Eliminating cards and making it easier for users to access facilities are both 'nice to have' features but with so many entrenched in existing systems, we simply do not foresee widespread adoption of NFC when it does not represent a dramatic improvement over current technologies.

1 report cite this report:

HID's SE Readers Examined on Oct 13, 2014
The HID card readers you may have used in the past are changing.  As old stocks of standards like R10 and R40 readers dwindle, new part numbers and...
Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

Ex-Integrator Now Growth Strategist Interviewed on Apr 24, 2019
For more than a decade, Scot MacTaggart was a security integrator (at PA-based PSX). In late 2018, he left the industry. He is now a Growth...
19 Facial Recognition Providers Profiled on Apr 23, 2019
IPVM interviewed 19 facial recognition providers at ISC West to understand their claimed accuracy, success and positioning. 9 from China, where...
ACRE Acquires RS2, Explains Acquisition Strategy on Apr 19, 2019
ACRE continues to buy, now acquiring RS2, just 5 months after buying Open Options. One is a small access control manufacturer from Texas, the...
Access Control Course Spring 2019 - Last Chance on Apr 19, 2019
 Register for the Spring 2019 Access Control Course----Closed IPVM offers the most comprehensive access control course in the industry. Unlike...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Alarm.com Favorability Results 2019 on Apr 15, 2019
The once dot com startup has evolved to become a core provider for home security and is now expanding into commercial. In their first entry in...
ISC West 2019 Report on Apr 12, 2019
The IPVM team has finished at the Sands looking at what companies are offering and how they are changing their positioning. See below for 50+...
Spring 2019 50+ New Products Directory on Apr 08, 2019
We are compiling a list of new products for Spring 2019 and have over 50 already. Contrast to Fall 2018 New Products Directory and Spring 2018...
Startup GateKeeper Aims For Unified Physical / Logical Access Token on Apr 04, 2019
This startup's product claims to 'Kill the Password' you use to keep your computers safe.  They have already released their Gatekeeper Halberd...
Airship VMS Profile on Apr 03, 2019
Airship has been developing VMS software for over 10 years, however, with no outside investment, and minimal marketing, the company is not well...

Most Recent Industry Reports

Verkada Salesman: IPVM "Stuck In A The Stone Age" on Apr 25, 2019
Verkada is 'tackling dinosaurs' and battling those, like IPVM, who are 'stuck in a the stone age'. Verkada's recent sales recruiting promotion...
The HIVIDEO $31 Face Detection DVR Tested on Apr 25, 2019
Face detection in a $31 DVR? That is what "HIVIDEO" (not to be confused with Hikvision, even if the company intends to do that) was promoting at...
Amazon Marketing Pro Installs of Amazon Security Systems on Apr 25, 2019
Is Amazon a threat to conventional providers like ADT, Vivint and Brinks Home Security? Many say no. Now, Amazon is advertising free in-home...
Ex-Integrator Now Growth Strategist Interviewed on Apr 24, 2019
For more than a decade, Scot MacTaggart was a security integrator (at PA-based PSX). In late 2018, he left the industry. He is now a Growth...
19 Facial Recognition Providers Profiled on Apr 23, 2019
IPVM interviewed 19 facial recognition providers at ISC West to understand their claimed accuracy, success and positioning. 9 from China, where...
Locking Down Network Connections Guide on Apr 23, 2019
Accidents and inside attacks are risks when network connections are not locked down. Security and video surveillance systems should be protected...
Hikvision Admits USA Sales Falling on Apr 22, 2019
Hikvision, in a new Chinese financial filing, has admitted that its USA sales are now falling. Less than a year after the US government passed a...
Speco Ultra Intensifier Tested on Apr 22, 2019
While ISC West 2019 named Speco's Ultra Intensifier the best new "Video Surveillance Cameras IP", IPVM testing shows the camera suffers from...
Arecont Favorability Results 2019 on Apr 22, 2019
Arecont's net negativity remained the same in IPVM's 2019 integrator study, though integrator's feeling became relatively more neutral compared to...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact