NFC For Access Control

By: Brian Rhodes, Published on Mar 06, 2012

Led by door access gorilla, Assa Abloy / HID, NFC is getting a lot of unwarranted hype as the next big thing in access control. They envision mobile phones using Near Field Communication (NFC) technology replacing today's proximity and magstripe cards as the preferred choice of accessing facilities.

Despite the hype and parroting from the industry press, we have not seen any detailed, critical analysis of whether NFC makes sense for physical access control. As such, this report digs into the operational details to examine the drivers and barriers to NFC adoption.

Overview

Near Field Communications is derived from RFID technology, except that NFC chips can be changed and updated repeatedly. This flexibility means NFC can be programmed to behave like a 'digital wallet' one moment and a door access credential the next. Running the function on a device like a networked mobile phone means that you'll have access to the right credential when you need it. Your phone can become your access credential, allowing you to throw away your physical access card.

Key Questions

In our analysis, we see 4 main questions shaping the viability of NFC for physical access:

  • Is NFC Truly More Convenient? Clearly, convenience is the main driver for NFC proponents. However, what operational or logistical issues are created when using NFC enabled devices, like phones, as a physical access credential?
  • Is NFC Secure Enough for Access Control? Using a phone as a credential to access secure facilities raises new issues of how secure NFC is and the devices it runs on.
  • What infrastructure Changes Are Required? Physical security is a conservative industry with deep infrastructure already in place. What changes will need to be made? How much will they cost? How can it be justified?
  • Will Security Managers Accept NFC? Switching from cards to phones raises new operational concerns. Will security managers find this operationally easier or more difficult?
    • NFC format has a short 'read' range of only 1.5 inches - significantly shorter than proximity card readers
    • NFC requires new technology compatible readers on all system doors
    • New software for provisioning credentials will have to be adopted
    • End users will require training on how to properly use the NFC platform
    • Picture IDs will still be a requirement in many facilities
    • Any phone service interruption will block users from accessing facilities

    Is NFC Truly More Convenient?

    The most obvious benefit is eliminating duplication. Mobile phones, carried by nearly everyone now, can eliminate the need for carrying a card for physical access control. Most users will likely find this to be more convenient as it is one less object to carry around.

    However, many organizations will still require using cards. A common practice is using the access credential card as a picture ID card. Even if NFC replaces proximity cards, they will still need to print ID cards. If employees are forced to carry ID badges anyway, would they even bother using a cellphone for access?  This circumstance could largely undermine any benefit of moving to NFC.

    Weather could be a big negative with using NFC enabled devices. Users will have to present their phones in a variety of weather conditions, including rain and extreme cold. Will people be willing to expose an expensive smartphone to all weather conditions in lieu of a cheap piece of plastic?

    Get Notified of Video Surveillance Breaking News
    Get Notified of Video Surveillance Breaking News

    Using an NFC device for access may actually be more cumbersome and time consuming. An application needs to be started on the phone in order for the NFC chip to work. This is a big difference compared to waiving a card over a reader and gaining quick access. The requirement of starting a phone app will slow the entry process down.

    The concern of losing credential availability when a phone battery dies is a thorny issue. A variety of 'work around' plans exist, including the adoption of keypads at certain doors. Other solutions are being discussed, such as designing a 'hot button' onto NFC phones that enable an emergency reserve of power [link no longer available] allowing a single entry operation. However, this is purely theoretical at this point.

    A nagging issue with no easy solution is 'What happens if the phone bill doesn't get paid?' If the service to a phone is disconnected, this also disables the phone from being used as an access credential. A matter of financial responsibility very quickly impacts operational capabilities once NFC enabled access controls are introduced.

    Is NFC secure enough for access control?

    NFC's security attributes are equivalent or stronger than current proximity technologies. Many factors influence this:

    • The format's short 'read' range of only 1.5 inches. This hinders the ability to intercept or jam communication between devices as well as greatly hinder attempts to clone the credential since the code cannot be passively read. 
    • NFC has base transmission encoding equivalent to other security credentials using the 13.56 MHz band, and supports more stringent encryption than standard Proximity credentials. The same design attributes that warrant confidence in Proximity card formats are also present in NFC. 
    • No aspect of encryption of encoding changes from the reader back in an NFC enabled access control system. Applying NFC technology at the reader does not change the previous security condition of the access control system.
    • If a phone or NFC sponsoring device is lost, then that particular chip can be immediately invalidated by software update. Local passwords or PIN numbers will also play an important role in keeping devices secure. If a lost phone is picked up, fraudulent use is discouraged by requiring a password to energize the onboard chip for use.

    What EAC infrastructure changes are required?

    Existing installations will need to swap existing readers to models that accept NFC. This will be costly for the vast majority of users. Street pricing for early models of NFC compatible readers are roughly priced at $300 USD each. This price can average up to $400 - $500 USD per reader once installation labor is added to the hardware cost. For an average sized system of eight or ten doors, just this cost alone can approach an expense of $4,000 to $5,000 USD.

    Beyond the new readers and credentials, most existing enterprise-class access control systems are expected to have the ability to use NFC technology will little modification. However, a new method of issuing NFC based credentials has to be added to the system. In most cases this will be accomplished via additional software.

    Due to the short read range of NFC, some existing Proximity applications will not update without substantial redesign. For example, operating a gate from a card scan inside an automobile will not fall within the 1.5" read range. This type of application values the long-range provided by Proximity cards.  It is very unlikely that Proximity based readers will ever be totally replaced by NFC for these types of circumstances. If Proximity credentials must be carried anyway, this greatly diminishes the value of an NFC enabled access control system.

    The reliability/ availability of the underlying NFC host device will require some additional hardware. If a phone battery dies or the phone is broken or lost, the device may not be able to queue up the proper credential. This circumstance will require an alternate method of credentialing, most likely a PIN entry. This is already an issue for card based systems (i.e.. What if I forget my card?), and facilities have responded by locating keypads on specific openings. NFC will require a similar process to remain in place for the 'dead battery' circumstance.

    Will security managers accept NFC?

    Security managers will be forced to change the manner in which they issue and manage credentials. In many cases, credential settings will have to be 'pushed' or flashed to a cell phone rather than written to a card. This will mean that employees must be trained on new software systems, and routine credential changes or processing revokations will be different. However, the net effect of reducing cost of issuing badges, maintaining multiple credential databases, and immediately pushing changes to credential holders will be seen by many security managers as worth the effort.

    On the other hand, mobile phone management will become a security manager concern. Because security managers will be forced to support access control functionality on cellphones, they will be asked to choose between:

  1. Standardizing phones to simplify management
  2. Supporting a wide variety of devices to facilitate user choice

Either outcome will result in a set of difficulties for the security manager to manage. Phone users chose devices based on personal preference and may not approve of having this decision made for them. Alternatively, the security manager faces a difficult task supporting access control functions on a wide selection of NFC enabled phones. 

On the positive side, using NFC enabled phones instead of proximity cards could reduce operational costs significantly. For example, if an installation has 400 cardholders and a common proximity card cost $6 - $8 to buy, activate, print, and distribute, this user could save ~$3,000 during the 'turn over' life of newly issued cards. Actual savings might be moderately less as some proximity cards may still need to be issued.

Conclusion

While NFC has a number of advantages, overall we expect limited uptake over the next 5 - 10 years. Here are the key challenges and timing issues we anticipate:

  • Product Availability: Now, in 2012, the number of readers and management systems actively supporting NFC is low. However, we anticipate that this will grow significantly over the next few years as manufacturers view NFC as a major growth driver. In the next few years, users will have many mainstream options for using NFC.
  • Migration: Since NFC is not backwards compatible with existing readers, this will require users to fund non trivial upgrades. We believe this will delay adoption due to the significant expense and limited benefit precipitated by an upgrade.
  • Market Segment Fit: The best market fit for the technology appears to be a wherever a young and technologically savvy demographic dominates.  University campuses, for example, where exceptional cell phone ownership and usage occurs, are expected to be a good fit for NFC technology.  On the other hand, most small/medium businesses and government or municipal entities should not be expected to spend money on non-essential functionality upgrades.
  • No Killer Application: Overall, the biggest challenge may be the lack of a 'killer' reason for physical access control systems to move to NFC. Eliminating cards and making it easier for users to access facilities are both 'nice to have' features but with so many entrenched in existing systems, we simply do not foresee widespread adoption of NFC when it does not represent a dramatic improvement over current technologies.

1 report cite this report:

HID's SE Readers Examined on Oct 13, 2014
The HID card readers you may have used in the past are changing.  As old stocks of standards like R10 and R40 readers dwindle, new part numbers and...
Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

Pelco CEO Out, Seeking New Industry CEO, New CEO Found on Oct 15, 2019
Just 2 months after Pelco was sold, Pelco's CEO is out, with Pelco bringing in an outside President and searching for a new CEO from the industry,...
Access Control Course Fall 2019 - Save $50 Last Chance on Oct 14, 2019
Register Now - Fall 2019 Access Control Course. Save $50 through October 10th. Thursday, October 17th is the last day to register. IPVM offers...
HID Fingerprint Reader Tested on Oct 09, 2019
HID has released their first access reader to use Lumidigm optical sensors, that touts it 'works with anyone, anytime, anywhere'. We bought and...
Fail Safe vs. Fail Secure Tutorial on Oct 02, 2019
Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these...
Access Control Mustering Guide on Sep 30, 2019
In emergencies, determining where employees are located can be critical for knowing whether they are in danger. Access systems can be used for...
Access Control Mantraps Guide on Sep 26, 2019
One of access's primary goals is keeping people out of places they should not be, but slipping through open doors (ie: Tailgating) is often...
Access Control Time & Attendance Guide on Sep 24, 2019
Access control systems can do more than lock doors. With little or no extra equipment, they can be used to track labor hours for employees...
Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...
Directory of 70 Video Surveillance Startups on Sep 18, 2019
This directory provides a list of video surveillance startups to help you see and research what companies are new or not yet broadly known. 2019...
Fingerprints for Access Control Guide on Sep 09, 2019
Users can lose badges, but they never misplace a finger, right? The most common biometric used in access are fingerprints, and it has become one...

Most Recent Industry Reports

Altronix Claims Tango 'Eliminates Electricians' on Oct 15, 2019
Power supply provider Altronix claims its new Tango power supply 'eliminates the need for an electrician, dedicated conduit and wire runs'. In...
Hikvision Dissolves North American Business Unit, Splits Canada and USA on Oct 15, 2019
Hikvision has dissolved its North American Business Unit, splitting up US and Canada operations as the PRC-government owned manufacturer faces...
Camera Focusing Tutorial on Oct 14, 2019
Camera focus is fundamental to quality imaging. Mistakes can significantly reduce details, making cameras less effective. In this guide, we...
"UL Has Blood On Their Hands" Alleges The Interceptor / Keith Jentoft on Oct 14, 2019
"UL has blood on their hands" alleges Keith Jentoft of "The Interceptor Project". We examined The Interceptor in-depth last year, see: The...
Access Control Course Fall 2019 - Save $50 Last Chance on Oct 14, 2019
Register Now - Fall 2019 Access Control Course. Save $50 through October 10th. Thursday, October 17th is the last day to register. IPVM offers...
Axis HD Analog Encoder Tested on Oct 11, 2019
Two years after declaring "Everything is IP", Axis has released their first HD analog encoder, the P7304, with support for AHD, CVI, TVI, and SD...
Dahua Celebrates PRC 70th Wearing Communist Party Hammer and Sickle on Oct 11, 2019
Dahua celebrated the PRC's 70th anniversary with a video of various Dahua employees wearing China Communist Party hammer and sickle pins as shown...
Last Chance - Register Now - October 2019 IP Networking Course on Oct 10, 2019
Last Chance - Register Now - Fall 2019 IP Networking Course. The course starts next week. This is the only networking course designed...
Network Optix NxWitness 4.0 Tested on Oct 10, 2019
Network Optix released Nx Witness 4.0, proclaiming new features like a deep learning analytics metadata SDK, increased H.265 support, and UX...
HID Fingerprint Reader Tested on Oct 09, 2019
HID has released their first access reader to use Lumidigm optical sensors, that touts it 'works with anyone, anytime, anywhere'. We bought and...