NFC For Access Control

Author: Brian Rhodes, Published on Mar 06, 2012

Led by door access gorilla, Assa Abloy / HID, NFC is getting a lot of unwarranted hype as the next big thing in access control. They envision mobile phones using Near Field Communication (NFC) technology replacing today's proximity and magstripe cards as the preferred choice of accessing facilities.

Despite the hype and parroting from the industry press, we have not seen any detailed, critical analysis of whether NFC makes sense for physical access control. As such, this report digs into the operational details to examine the drivers and barriers to NFC adoption.

Overview

Near Field Communications is derived from RFID technology, except that NFC chips can be changed and updated repeatedly. This flexibility means NFC can be programmed to behave like a 'digital wallet' one moment and a door access credential the next. Running the function on a device like a networked mobile phone means that you'll have access to the right credential when you need it. Your phone can become your access credential, allowing you to throw away your physical access card.

Key Questions

In our analysis, we see 4 main questions shaping the viability of NFC for physical access:

  • Is NFC Truly More Convenient? Clearly, convenience is the main driver for NFC proponents. However, what operational or logistical issues are created when using NFC enabled devices, like phones, as a physical access credential?
  • Is NFC Secure Enough for Access Control? Using a phone as a credential to access secure facilities raises new issues of how secure NFC is and the devices it runs on.
  • What infrastructure Changes Are Required? Physical security is a conservative industry with deep infrastructure already in place. What changes will need to be made? How much will they cost? How can it be justified?
  • Will Security Managers Accept NFC? Switching from cards to phones raises new operational concerns. Will security managers find this operationally easier or more difficult?

Important technical details will impact adoption. These include:

  • NFC format has a short 'read' range of only 1.5 inches - significantly shorter than proximity card readers
  • NFC requires new technology compatible readers on all system doors
  • New software for provisioning credentials will have to be adopted
  • End users will require training on how to properly use the NFC platform
  • Picture IDs will still be a requirement in many facilities
  • Any phone service interruption will block users from accessing facilities

Is NFC Truly More Convenient?

The most obvious benefit is eliminating duplication. Mobile phones, carried by nearly everyone now, can eliminate the need for carrying a card for physical access control. Most users will likely find this to be more convenient as it is one less object to carry around.

However, many organizations will still require using cards. A common practice is using the access credential card as a picture ID card. Even if NFC replaces proximity cards, they will still need to print ID cards. If employees are forced to carry ID badges anyway, would they even bother using a cellphone for access?  This circumstance could largely undermine any benefit of moving to NFC.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

Weather could be a big negative with using NFC enabled devices. Users will have to present their phones in a variety of weather conditions, including rain and extreme cold. Will people be willing to expose an expensive smartphone to all weather conditions in lieu of a cheap piece of plastic?

Using an NFC device for access may actually be more cumbersome and time consuming. An application needs to be started on the phone in order for the NFC chip to work. This is a big difference compared to waiving a card over a reader and gaining quick access. The requirement of starting a phone app will slow the entry process down.

The concern of losing credential availability when a phone battery dies is a thorny issue. A variety of 'work around' plans exist, including the adoption of keypads at certain doors. Other solutions are being discussed, such as designing a 'hot button' onto NFC phones that enable an emergency reserve of power allowing a single entry operation. However, this is purely theoretical at this point.

A nagging issue with no easy solution is 'What happens if the phone bill doesn't get paid?' If the service to a phone is disconnected, this also disables the phone from being used as an access credential. A matter of financial responsibility very quickly impacts operational capabilities once NFC enabled access controls are introduced.

Is NFC secure enough for access control?

NFC's security attributes are equivalent or stronger than current proximity technologies. Many factors influence this:

  • The format's short 'read' range of only 1.5 inches. This hinders the ability to intercept or jam communication between devices as well as greatly hinder attempts to clone the credential since the code cannot be passively read. 
  • NFC has base transmission encoding equivalent to other security credentials using the 13.56 MHz band, and supports more stringent encryption than standard Proximity credentials. The same design attributes that warrant confidence in Proximity card formats are also present in NFC. 
  • No aspect of encryption of encoding changes from the reader back in an NFC enabled access control system. Applying NFC technology at the reader does not change the previous security condition of the access control system.
  • If a phone or NFC sponsoring device is lost, then that particular chip can be immediately invalidated by software update. Local passwords or PIN numbers will also play an important role in keeping devices secure. If a lost phone is picked up, fraudulent use is discouraged by requiring a password to energize the onboard chip for use.

What EAC infrastructure changes are required?

Existing installations will need to swap existing readers to models that accept NFC. This will be costly for the vast majority of users. Street pricing for early models of NFC compatible readers are roughly priced at $300 USD each. This price can average up to $400 - $500 USD per reader once installation labor is added to the hardware cost. For an average sized system of eight or ten doors, just this cost alone can approach an expense of $4,000 to $5,000 USD.

Beyond the new readers and credentials, most existing enterprise-class access control systems are expected to have the ability to use NFC technology will little modification. However, a new method of issuing NFC based credentials has to be added to the system. In most cases this will be accomplished via additional software.

Due to the short read range of NFC, some existing Proximity applications will not update without substantial redesign. For example, operating a gate from a card scan inside an automobile will not fall within the 1.5" read range. This type of application values the long-range provided by Proximity cards.  It is very unlikely that Proximity based readers will ever be totally replaced by NFC for these types of circumstances. If Proximity credentials must be carried anyway, this greatly diminishes the value of an NFC enabled access control system.

The reliability/ availability of the underlying NFC host device will require some additional hardware. If a phone battery dies or the phone is broken or lost, the device may not be able to queue up the proper credential. This circumstance will require an alternate method of credentialing, most likely a PIN entry. This is already an issue for card based systems (i.e.. What if I forget my card?), and facilities have responded by locating keypads on specific openings. NFC will require a similar process to remain in place for the 'dead battery' circumstance.

Will security managers accept NFC?

Security managers will be forced to change the manner in which they issue and manage credentials. In many cases, credential settings will have to be 'pushed' or flashed to a cell phone rather than written to a card. This will mean that employees must be trained on new software systems, and routine credential changes or processing revokations will be different. However, the net effect of reducing cost of issuing badges, maintaining multiple credential databases, and immediately pushing changes to credential holders will be seen by many security managers as worth the effort.

On the other hand, mobile phone management will become a security manager concern. Because security managers will be forced to support access control functionality on cellphones, they will be asked to choose between:

  1. Standardizing phones to simplify management
  2. Supporting a wide variety of devices to facilitate user choice

Either outcome will result in a set of difficulties for the security manager to manage. Phone users chose devices based on personal preference and may not approve of having this decision made for them. Alternatively, the security manager faces a difficult task supporting access control functions on a wide selection of NFC enabled phones. 

On the positive side, using NFC enabled phones instead of proximity cards could reduce operational costs significantly. For example, if an installation has 400 cardholders and a common proximity card cost $6 - $8 to buy, activate, print, and distribute, this user could save ~$3,000 during the 'turn over' life of newly issued cards. Actual savings might be moderately less as some proximity cards may still need to be issued.

Conclusion

While NFC has a number of advantages, overall we expect limited uptake over the next 5 - 10 years. Here are the key challenges and timing issues we anticipate:

  • Product Availability: Now, in 2012, the number of readers and management systems actively supporting NFC is low. However, we anticipate that this will grow significantly over the next few years as manufacturers view NFC as a major growth driver. In the next few years, users will have many mainstream options for using NFC.
  • Migration: Since NFC is not backwards compatible with existing readers, this will require users to fund non trivial upgrades. We believe this will delay adoption due to the significant expense and limited benefit precipitated by an upgrade.
  • Market Segment Fit: The best market fit for the technology appears to be a wherever a young and technologically savvy demographic dominates.  University campuses, for example, where exceptional cell phone ownership and usage occurs, are expected to be a good fit for NFC technology.  On the other hand, most small/medium businesses and government or municipal entities should not be expected to spend money on non-essential functionality upgrades.
  • No Killer Application: Overall, the biggest challenge may be the lack of a 'killer' reason for physical access control systems to move to NFC. Eliminating cards and making it easier for users to access facilities are both 'nice to have' features but with so many entrenched in existing systems, we simply do not foresee widespread adoption of NFC when it does not represent a dramatic improvement over current technologies.

1 report cite this report:

HID's SE Readers Examined on Oct 13, 2014
The HID card readers you may have used in the past are changing.  As old stocks of standards like R10 and R40 readers dwindle, new part numbers and...
Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...
Axis 2N Intercom Tested on Nov 08, 2018
Axis expanded its video intercom business buying Czech-based 2N in 2016. Despite competing against owner Axis' intercoms, 2N recently registered as...
Haven Targets School Security with Lockdown Lineup on Nov 08, 2018
Haven, a US startup founded in 2014 as a residential-focused company, has now raised funding and is offering a lineup of commercial grade locks for...
Directory Of Video Doorbells on Nov 06, 2018
Video doorbells are one of the fastest growing categories in video surveillance, especially among residences. The optimal placement of these...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on...
Worst Products on Nov 03, 2018
Security integrators periodically report on their favorite and worst products to IPVM. These are known integrators who IPVM pays to answer surveys....
Solar-Powered, Smart-Phone-Based Access Kit (VIZPin) Examined on Nov 02, 2018
Cloud-based access control company VIZPin is releasing a solar-powered and smart phone based access control system for gates and other remote...
Building Occupancy Codes and Access Control Tutorial on Nov 01, 2018
A building or room's classification can greatly impact which building codes must be followed. In terms of access control, these 'occupancy codes'...
Resideo IPOs, Then Plunges on Oct 31, 2018
ADI and Honeywell Homes management have been touting their spinout and IPO for months, including appearing on Wall Street as they widely shared on...

Most Recent Industry Reports

'Sticker' Surveillance Camera Developed (CSEM Witness) on Nov 16, 2018
The Swiss Center for Electronics and Microtechnology (CSEM) has announced what it calls the: world’s first fully autonomous camera that can be...
ISC East 2018 Mini-Show Final Report on Nov 16, 2018
This is our second (updated) and final show report from ISC East. ISC East, by its own admission, is not a national or international show, billed...
Facial Detection Tested on Nov 16, 2018
Facial detection and recognition are increasingly offered by video surveillance manufacturers. Facial detection detects faces in an image/video...
Throughtek P2P/Cloud Solution Profile on Nov 15, 2018
Many IoT manufacturers either do not have the capabilities or the interest to develop their own cloud management software for their devices....
ASIS Offering Custom Research For Manufacturers on Nov 15, 2018
Manufacturers often want to know what industry people think about trends and, in particular, the segments and product they offer.  ASIS and its...
Hikvision Silent on "Bad Architectural Practices" Cybersecurity Report on Nov 14, 2018
A 'significant vulnerability was found in Hikvision cameras' by VDOO, a startup cybersecurity specialist. Hikvision has fixed the specific...
French Government Threatens School with $1.7M Fine For “Excessive Video Surveillance” on Nov 14, 2018
The French government has notified a high-profile Paris coding academy that it risks a fine of up to 1.5 million euros (about $1.7m) if it...
Integrator Credit Card Alternative Divvy on Nov 13, 2018
Most security integrators are small businesses but large enough that they have various employees that need to be able to expense various charges as...
Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact