NFC For Access Control

By: Brian Rhodes, Published on Mar 06, 2012

Led by door access gorilla, Assa Abloy / HID, NFC is getting a lot of unwarranted hype as the next big thing in access control. They envision mobile phones using Near Field Communication (NFC) technology replacing today's proximity and magstripe cards as the preferred choice of accessing facilities.

Despite the hype and parroting from the industry press, we have not seen any detailed, critical analysis of whether NFC makes sense for physical access control. As such, this report digs into the operational details to examine the drivers and barriers to NFC adoption.

Overview

Near Field Communications is derived from RFID technology, except that NFC chips can be changed and updated repeatedly. This flexibility means NFC can be programmed to behave like a 'digital wallet' one moment and a door access credential the next. Running the function on a device like a networked mobile phone means that you'll have access to the right credential when you need it. Your phone can become your access credential, allowing you to throw away your physical access card.

Key Questions

In our analysis, we see 4 main questions shaping the viability of NFC for physical access:

  • Is NFC Truly More Convenient? Clearly, convenience is the main driver for NFC proponents. However, what operational or logistical issues are created when using NFC enabled devices, like phones, as a physical access credential?
  • Is NFC Secure Enough for Access Control? Using a phone as a credential to access secure facilities raises new issues of how secure NFC is and the devices it runs on.
  • What infrastructure Changes Are Required? Physical security is a conservative industry with deep infrastructure already in place. What changes will need to be made? How much will they cost? How can it be justified?
  • Will Security Managers Accept NFC? Switching from cards to phones raises new operational concerns. Will security managers find this operationally easier or more difficult?
    • NFC format has a short 'read' range of only 1.5 inches - significantly shorter than proximity card readers
    • NFC requires new technology compatible readers on all system doors
    • New software for provisioning credentials will have to be adopted
    • End users will require training on how to properly use the NFC platform
    • Picture IDs will still be a requirement in many facilities
    • Any phone service interruption will block users from accessing facilities

    Is NFC Truly More Convenient?

    The most obvious benefit is eliminating duplication. Mobile phones, carried by nearly everyone now, can eliminate the need for carrying a card for physical access control. Most users will likely find this to be more convenient as it is one less object to carry around.

    However, many organizations will still require using cards. A common practice is using the access credential card as a picture ID card. Even if NFC replaces proximity cards, they will still need to print ID cards. If employees are forced to carry ID badges anyway, would they even bother using a cellphone for access?  This circumstance could largely undermine any benefit of moving to NFC.

    Weather could be a big negative with using NFC enabled devices. Users will have to present their phones in a variety of weather conditions, including rain and extreme cold. Will people be willing to expose an expensive smartphone to all weather conditions in lieu of a cheap piece of plastic?

    Get Notified of Video Surveillance Breaking News
    Get Notified of Video Surveillance Breaking News

    Using an NFC device for access may actually be more cumbersome and time consuming. An application needs to be started on the phone in order for the NFC chip to work. This is a big difference compared to waiving a card over a reader and gaining quick access. The requirement of starting a phone app will slow the entry process down.

    The concern of losing credential availability when a phone battery dies is a thorny issue. A variety of 'work around' plans exist, including the adoption of keypads at certain doors. Other solutions are being discussed, such as designing a 'hot button' onto NFC phones that enable an emergency reserve of power [link no longer available] allowing a single entry operation. However, this is purely theoretical at this point.

    A nagging issue with no easy solution is 'What happens if the phone bill doesn't get paid?' If the service to a phone is disconnected, this also disables the phone from being used as an access credential. A matter of financial responsibility very quickly impacts operational capabilities once NFC enabled access controls are introduced.

    Is NFC secure enough for access control?

    NFC's security attributes are equivalent or stronger than current proximity technologies. Many factors influence this:

    • The format's short 'read' range of only 1.5 inches. This hinders the ability to intercept or jam communication between devices as well as greatly hinder attempts to clone the credential since the code cannot be passively read. 
    • NFC has base transmission encoding equivalent to other security credentials using the 13.56 MHz band, and supports more stringent encryption than standard Proximity credentials. The same design attributes that warrant confidence in Proximity card formats are also present in NFC. 
    • No aspect of encryption of encoding changes from the reader back in an NFC enabled access control system. Applying NFC technology at the reader does not change the previous security condition of the access control system.
    • If a phone or NFC sponsoring device is lost, then that particular chip can be immediately invalidated by software update. Local passwords or PIN numbers will also play an important role in keeping devices secure. If a lost phone is picked up, fraudulent use is discouraged by requiring a password to energize the onboard chip for use.

    What EAC infrastructure changes are required?

    Existing installations will need to swap existing readers to models that accept NFC. This will be costly for the vast majority of users. Street pricing for early models of NFC compatible readers are roughly priced at $300 USD each. This price can average up to $400 - $500 USD per reader once installation labor is added to the hardware cost. For an average sized system of eight or ten doors, just this cost alone can approach an expense of $4,000 to $5,000 USD.

    Beyond the new readers and credentials, most existing enterprise-class access control systems are expected to have the ability to use NFC technology will little modification. However, a new method of issuing NFC based credentials has to be added to the system. In most cases this will be accomplished via additional software.

    Due to the short read range of NFC, some existing Proximity applications will not update without substantial redesign. For example, operating a gate from a card scan inside an automobile will not fall within the 1.5" read range. This type of application values the long-range provided by Proximity cards.  It is very unlikely that Proximity based readers will ever be totally replaced by NFC for these types of circumstances. If Proximity credentials must be carried anyway, this greatly diminishes the value of an NFC enabled access control system.

    The reliability/ availability of the underlying NFC host device will require some additional hardware. If a phone battery dies or the phone is broken or lost, the device may not be able to queue up the proper credential. This circumstance will require an alternate method of credentialing, most likely a PIN entry. This is already an issue for card based systems (i.e.. What if I forget my card?), and facilities have responded by locating keypads on specific openings. NFC will require a similar process to remain in place for the 'dead battery' circumstance.

    Will security managers accept NFC?

    Security managers will be forced to change the manner in which they issue and manage credentials. In many cases, credential settings will have to be 'pushed' or flashed to a cell phone rather than written to a card. This will mean that employees must be trained on new software systems, and routine credential changes or processing revokations will be different. However, the net effect of reducing cost of issuing badges, maintaining multiple credential databases, and immediately pushing changes to credential holders will be seen by many security managers as worth the effort.

    On the other hand, mobile phone management will become a security manager concern. Because security managers will be forced to support access control functionality on cellphones, they will be asked to choose between:

  1. Standardizing phones to simplify management
  2. Supporting a wide variety of devices to facilitate user choice

Either outcome will result in a set of difficulties for the security manager to manage. Phone users chose devices based on personal preference and may not approve of having this decision made for them. Alternatively, the security manager faces a difficult task supporting access control functions on a wide selection of NFC enabled phones. 

On the positive side, using NFC enabled phones instead of proximity cards could reduce operational costs significantly. For example, if an installation has 400 cardholders and a common proximity card cost $6 - $8 to buy, activate, print, and distribute, this user could save ~$3,000 during the 'turn over' life of newly issued cards. Actual savings might be moderately less as some proximity cards may still need to be issued.

Conclusion

While NFC has a number of advantages, overall we expect limited uptake over the next 5 - 10 years. Here are the key challenges and timing issues we anticipate:

  • Product Availability: Now, in 2012, the number of readers and management systems actively supporting NFC is low. However, we anticipate that this will grow significantly over the next few years as manufacturers view NFC as a major growth driver. In the next few years, users will have many mainstream options for using NFC.
  • Migration: Since NFC is not backwards compatible with existing readers, this will require users to fund non trivial upgrades. We believe this will delay adoption due to the significant expense and limited benefit precipitated by an upgrade.
  • Market Segment Fit: The best market fit for the technology appears to be a wherever a young and technologically savvy demographic dominates.  University campuses, for example, where exceptional cell phone ownership and usage occurs, are expected to be a good fit for NFC technology.  On the other hand, most small/medium businesses and government or municipal entities should not be expected to spend money on non-essential functionality upgrades.
  • No Killer Application: Overall, the biggest challenge may be the lack of a 'killer' reason for physical access control systems to move to NFC. Eliminating cards and making it easier for users to access facilities are both 'nice to have' features but with so many entrenched in existing systems, we simply do not foresee widespread adoption of NFC when it does not represent a dramatic improvement over current technologies.

1 report cite this report:

HID's SE Readers Examined on Oct 13, 2014
The HID card readers you may have used in the past are changing.  As old stocks of standards like R10 and R40 readers dwindle, new part numbers and...
Comments : PRO Members only. Login. or Join.

Related Reports on Access Control

Access Startup Multi-Mount Aims To Streamline Reader Installs on Dec 03, 2019
Startup Multi-Mount claims it makes installing access readers 'Fast', 'Secure,' and fit 'any size frame.' The company states its bracket 'fits most...
Directory of Access Reader Manufacturers on Nov 27, 2019
Credential Readers are one of the most visible and noticeable parts of access systems, but installers often stick with only the brand they always...
Top 2020 Trend - AI Analytics on Nov 22, 2019
170+ Integrators answered: What do you think will be the top industry trend in 2020? Why? For the 4th year in a row, AI/video analytics was...
Glass Doors and Access Control Tutorial on Nov 21, 2019
One of the biggest access challenges are locking and securing glass doors. Unlike wood or steel doors that can be modified to work with...
ISC East 2019 Show Report on Nov 21, 2019
IPVM has finished in New York City covering both days of the ISC East 2019 show. Here is a 6+ minute general walkthrough: Inside this report,...
Avigilon H4 Intercom Tested on Nov 20, 2019
Avigilon is well-known for video surveillance and access, but how well does the company's intercom work? We purchased and tested Avigilon's H4...
Top Manufacturers Gaining and Losing 2019 on Nov 18, 2019
2019 has been an explosive year for video surveillance, with the world's two largest manufacturers, Dahua and Hikvision, being sanctioned for human...
The Access Control Codes Guide: IBC, NFPA 72, 80 & 101 on Nov 07, 2019
For access, there is one basic maxim: Life safety above all else. But how do you know if all applicable codes are being followed? While the...
100+ Companies Profile Directory on Nov 06, 2019
While IPVM covers the largest companies in the industry regularly (like Axis, Dahua, Hikvision, etc.), IPVM strives to do a profile post on each...
Tailgating: Access Control Tutorial on Oct 31, 2019
Nearly all access control systems are vulnerable to an easy exploit called 'tailgating'. Indeed, a friendly gesture in holding doors for others...

Most Recent Industry Reports

Disruptor Wyze Releases Undisruptive Smartlock on Dec 06, 2019
While Wyze has disrupted the consumer IP camera market with ~$20 cameras, its entrance into smart locks is entirely undisruptive. We have...
Bosch Budget 3000i Cameras Tested on Dec 05, 2019
Bosch has long had a hole in its lineup for, as it describes, "competitively-priced cameras". Now, Bosch has released its 3000i series cameras...
Anixter Resisting Takeover From Competitor on Dec 05, 2019
Mega distributor Anixter is going to be acquired but by whom? Initially, Anixter planned to go private, being bought by a private equity firm....
Security Sales Course 2020 - Last Chance Save $50 on Dec 05, 2019
This sales course is customized for the current needs and challenges specific to professionals selling video surveillance and access control...
Ireland National Children's Hospital Chooses Hikvision End-to-End With Facial Recognition on Dec 05, 2019
The world's most expensive hospital project ever, the New Children's Hospital in Ireland, has chosen an all-Hikvision surveillance system including...
AVTech ~$70 IP Cameras Tested Vs Dahua and Hikvision on Dec 04, 2019
Taiwanese manufacturer Avtech is taking direct aim at low cost leaders Dahua and Hikvision with ~$70 starlight and white light illuminator...
Ultinous European Analytics Startup Company Profile on Dec 04, 2019
European analytics-startup Ultinous pitches customers to "Have your own video analysis service!" We spoke to Ultinous to better understand their...
Access Startup Multi-Mount Aims To Streamline Reader Installs on Dec 03, 2019
Startup Multi-Mount claims it makes installing access readers 'Fast', 'Secure,' and fit 'any size frame.' The company states its bracket 'fits most...
Resideo CEO To Step Down on Dec 03, 2019
Resideo's CEO, Mike Nefkins, is stepping down, just 18 months after being brought in to lead the now plagued spin-out. Inside this note, we...
Arcules CEO Retracts False GDPR Claim + Dahua and Milestone Claims Examined on Dec 03, 2019
Arcules CEO has retracted a false claim about his organization being a "fully compliant GDPR company" after IPVM reporting (Arcules CEO Threatens...