NFC: Not Ready for Primetime

Published Oct 01, 2012 04:00 AM

NFC continues to be the biggest buzzword in access control. HID, the principal manufacturer of the technology for EAC applications, is eager to evangelize its benefits every chance it gets. In this ASIS webinar, HID boldly claims to be ready to "revolutionize the access control industry". Does NFC stand ready to change EAC as we know it, or do major questions remain? In this note, we review the webinar and the key claims it made, and focus on the issues security professionals should be wary of when considering NFC.

Background

In our previous posts on NFC, we identified significant gaps in adoption. While the tone of this webinar, moderated by ASIS, is long on the potential and promise of NFC, it is alarmingly thin on concrete details.

The three major problems discussed, but not fully addressed, are:

  • How are existing Access Control systems upgraded to use NFC?
  • How should NFC adopters manage different mobile devices?
  • How are the process gaps in NFC deployment methods being addressed?

In the sections below, we take each question and explain how the webinar responded to or answered it:

Upgrading Existing EAC Systems

When directly questioned on the best strategy for transitioning a current non-NFC system to an NFC-enabled system, HID's answer was essentially a 'shrug of the shoulders' with the statement "NFC adoption is the burden of the EAC companies to handle". While this may be true at some level, if HID expects NFC to be a reality, and continues to pitch it every chance it gets, the EAC companies will need cooperation in overcoming the burden.

While incorporating NFC readers into EAC is not dramatically different from incorporating comparable reader types, installing and using credential management systems that work with NFC is a relative unknown, especially for the integrators and users who will have to make it operational. It is either deeply ignorant or manipulative for HID to dismiss such fundamental operational issues as someone else's burden while pitching such a solution.

Using Mobile Devices

Who owns the device hosting the NFC credential? That fundamental question is going to be answered on a case-by-case basis. The question forces the "BYOD", or Bring-Your-Own-Device, issue to the forefront: either companies must centrally issue and manage employee mobile devices, or they must learn to work with and support a broad array of privately owned devices.

One of the biggest assumptions of NFC, both in terms of adoption and affordability, is that card holders will use their own phones and tablets to host credentials. Rather than issue plastic cards, credentials will be wirelessly transferred to these devices, thereby trimming the expense and labor of generating physical credentials from operating costs.

In most cases, issuing company-owned phones to employees will not be an option, and we expect that many will opt for BYOD support for NFC. However, the presentation did little to provide answers for the problem of how to manage so many different devices, outside of describing a loose workflow concept involving yet-to-be-released software.

Furthermore, based on data gathered from a Cisco case study, at least 67% of all Cisco-BYOD devices do not include NFC chips.

While NFC chip adoption is expanding, these incremental increases do not extend to major mobile device manufacturers like Apple, whose products (still) do not include NFC chips. Until the world's biggest mobile device manufacturers consistently include NFC in their offerings, workarounds must be developed for non-compliant devices or companies must standardize on supported devices. Either option impacts the economy of 'going NFC' significantly.

Process Gaps

At the end of the webinar, HID also briefly discussed problematic gaps in NFC's production deployment. The three questions they addressed were:

What Happens When My Battery Dies?: This is still a major problem with current devices. However, HID suggested that even if no power is available to make a call, enough power remains for the low-demand NFC transaction. In addition, HID described future plans for readers designed with the ability to passively energize a phone's NFC coil. However, at the current time, both phone designers and reader manufacturers have yet to fully address the problem.

What Happens When I Need to Open a Door While I'm on My Phone?: HID's 'solution' offered two options for this problem. First, for 'low security applications', credentials can be written to a device in such a way that NFC always possesses the right credentials, and no interruption in phone service is required to update the NFC chip. The phone call is interrupted only as long as it takes to wave the phone in front of a reader. However, this also relies on the reader itself being wired to the network to have current access credentials.

For 'high security' applications where this method is not an option, HID suggested that mobile apps and phone hardware design still need to be developed to answer the problem.

When Will the Credential Provisioning Ecosystem Be Available?: This question centers on the software portal needed to write/revoke, buy, and distribute NFC credentials to mobile devices. While HID displayed several whiteboard flows and software flowcharts of this software, no production release has been made. Until this happens, there is a major gap in issuing and managing NFC credentials. HID explained that a solution should be expected as early as 'the end of 2012', but the fact remains that until that point, regardless of final cost, NFC is simply not ready for production deployment.