Organizations struggling with the contactless conundrum
Legacy 125-kilohertz proximity technology is still in place at around 70% to 80% of all physical access control deployments in the U.S. and it will be a long time before that changes, says Stephane Ardiley, product manager at HID Global.
The above scene, however, is starting to play out more frequently as corporations, educational institutions and government agencies migrate from older technologies to contactless. Case in point, U.S. federal agencies are replacing prox or in some cases even magnetic stripes with contactless smart cards in order to comply with government mandates, Ardiley explains.
Still, it will be years before contactless card shipments overtake proximity in the Americas. IMS Research predicts that in 2016 contactless shipments will eclipse proximity, says Paul Everett, senior manager for the security team at the consultancy. Obviously, obstacles to contactless adoption still remain, even more than a decade after international standards were first released and nearly two decades following wide-scale product availability.
Opinions vary as to the root cause of the delay. Many cite high replacement costs for some enterprises. Others blame the supply chain, noting that physical access control dealers and local security integrators have been slow to push clients to new technology. They believe it is easier and more profitable to stick with the older solutions that they have been selling for years and fully understand.
Still, there are many reasons a migration from older access technologies is inevitable. The biggest is the increase in security. “Proximity cards and mag stripes are basic technologies when it comes to physical access control,” Ardiley says. “There is no security, they’ve been hacked, there’s no protection of data, no privacy, everything is in the clear and it’s not resistant to sniffing or common attacks.”
In most cases the cards have the ID number printed on the back. If someone obtains the card they can take that number, encode a new card and use it to gain access, Ardiley says.
Unlike prox technology, contactless smart cards are resistant – some would say impossible – to clone. The data in the card is encrypted and the communication between a card and reader is secure, says Ardiley.
Despite the security risks, prox isn’t going away anytime soon, says Jason Hart, executive vice president for identity management and cloud solutions division at the Identive Group. “Some people are oblivious to the risk and those who aren’t accept prox as a convenience tool rather than a physical security tool,” he explains.
Many of the enterprises that feel this way deployed prox a long time ago and simply haven’t looked back since, Hart explains. “Customers were sold on the fact that it’s secure and they never really questioned it,” he says. “They deployed in the early 1990s and haven’t done any assessment of the security technology since then.”
The lengthy lifecycle of a physical access control system is another reason prox remains prominent, Hart says. Physical access systems can have life spans as long as 20 years and swapping out can be time consuming and expensive.
IMS Research puts the life spans anywhere between 10 and 15 years, Everett says. When new systems are deployed they typically choose smart cards, so at least enterprises are not replacing old prox systems with more prox technology, he notes.
Some enterprises don’t feel the need to move because the security profile doesn’t demand it, says Dave Helbock, a senior security specialist at XTec. “Do you want to keep the local populace out or do you want high security?” he asks. “Do you need to card into every door or suite or do you just have one on the front door and in the garage?” Depending on an enterprise’s answers to questions like these, they may find prox sufficient for their current needs.
The other factor is that prox technology still works very well for its intended function – passing a short numeric string to a reader quickly and reliably. “Prox is very well established and the problem you face is that if it works, why change it?” says Everett. “People are resistant to change because it does the job on the low security side.”
A security breach can lead to change. Hart says the use of prox technology – due to either cloning or lax access rules – has enabled unauthorized individuals to access facilities.
Often such breaches lead to a discussion about high-security credentials, but so too can an IT department’s desire for convergence of credentials, Hart says. In addition to greater security, smart cards create opportunities for additional applications such as logical or network access control.
“Enterprises need to think about physical access control as one piece of a larger ecosystem,” Hart says. “Pick one point and then grow from it.”
The same contactless technology that gets an employee in the front door securely could also then be used to make purchases from a cafeteria or vending machines. Even more importantly, the credential could be used for logical access to secure networks and web sites, Ardiley says.
These reasons would seem on the surface to be enough to encourage mass migration if other factors were not at play. But factors such as replacement cost fight against migration at every turn.
Vendors are understandably hesitant to talk about cost as quantity and a host of other variables can factor in, but this does not remove the reality of the issue.
Typically, prox cards cost $3 to $5 each, sources say, though it is not uncommon for small volume issuers to pay double this amount. Price can vary depending on printing options, lead times, quantity and other features.
Pricing for contactless cards runs the gamut. Contactless smart cards with small memory and older technology are often cheaper than prox at just $1 to $2 per card, sources say. There are many mid-range options that are comparable in price to prox as well. At the expensive end of the spectrum, contactless smart cards with large memory, high-end cryptographic capabilities and the latest security features can cost $8 to $12 or more, sources say.
Some may scoff at the cost of the higher end cards but vendors say the tangible and intangible benefits of increased functionality and security warrant the added expense.
As for the readers, again, on the low end the cost for contactless readers is often lower than or comparable to prox, sources say. Multi-technology readers with different features are more expensive but can provide greater longevity and the flexibility to support legacy cards as the migration to contactless proceeds.
Since some contactless cards are comparable in price to prox, the main issue for an enterprise often comes down to the costs to swap out readers. A smaller organization with a handful of doors might not think twice, but for an enterprise with hundreds or even thousands of doors the cost of readers can be intimidating.
While the capital investment up front may be daunting, there are potential long-term savings from making the switch to an open-standard contactless smart card. Theoretically, open standard products free end users from being locked into a single vendor for cards and readers. “Contactless smart cards enable a move away from a proprietary to a vendor neutral position,” Ardiley says.
Contactless smart cards operate on the ISO 14443 or ISO 15693 standards. If an enterprise deploys technology that uses one of these standards, it should be able to buy cards and readers from any vendor as long as the standards are supported. “You don’t want to get locked into one technology,” Hart says. “We’ve seen a lot of problems sticking with a one vendor implementation.”
Using standards-based technology also means a certain amount of future proofing. As long as the new technology adheres to the same standard, enterprises should be able to upgrade without ripping and replacing, Hart says.
The access control supply chain has grown accustomed to proprietary technology and, sources say, the idea of open standards and open sourcing makes some dealers and system integrators nervous. They want to protect the lucrative recurring sale of cards and readers into their client base, but they fear that the switch to open standards – where these products could be purchased anywhere – could hurt business, insiders say.
“Prox is easy and repeatable and they are making handsome profits on legacy systems and repeat sales,” says one security source. “Replacing a physical access system is a big deal and usually stays in place for a decade or more. Where is the incentive to move to a new, more secure system? Prox works today for physical access – even though it’s a weak system.”
There’s also a comfort level with prox that many dealers may not have with contactless technology, sources say. They know how it works and how to deploy the system quickly and easily. With contactless there is still a learning curve some are struggling to get over.
These same industry sources, however, stress that the progressive dealers and integrators who are embracing contactless and other new technologies stand to benefit in the long run. Like with any other supply chain, in the end the laggards are ultimately left behind.
For an enterprise considering a switch from prox to contactless there are a number of issues to consider. To start, an organization should conduct a thorough site survey to find out what kind of card technologies and formats are already deployed, Hart says. “A lot of times it’s difficult for an organization to know all the different card technologies deployed,” Hart says. “A satellite office might use a different technology and the car park might use something else.”
Depending on the technologies deployed and the vendors involved, this can be a difficult task. “Sometimes the vendor will have proprietary information and won’t want to provide it,” Hart says. There are inexpensive software and hardware tools available that can enable an enterprise to independently check the card formats and systems they have deployed.
Next an organization needs to determine where they want the new technology to be deployed, Hart says. Are there additional doors or areas that need to be secured, and if so, what needs to be done to enable those locations?
The next step is either a pilot or full rollout, depending on how an enterprise wants to move forward. XTec recommends having a small group of employees with new cards tap against a reader for a period of time just to make sure the cards are working correctly, says Helbock. “You can do a storage room or other space just to make sure everything works,” he says.
Once the proof of concept is completed and bugs are worked out, Helbock recommends a phased rollout. “It’s difficult to convert all cards and switch out all readers at one time,” he says.
Once a population has the new contactless cards, it’s best to make the switch as quickly as possible. “There will be a little bit of pain but the quicker you do it the better off you’ll be,” Helbock says.
Some organizations will opt for new readers that can accommodate both contactless and prox to ease transition, Hart says.
On the back end, if the prox physical access system uses the Wiegand Protocol it will work with the new contactless smart cards and readers, Ardiley says. “It’s changing the physical reader but the rest of the components should be able to accommodate the changes,” he adds.
There are some exceptions, says John Schiefer, manager for system deployment at XTec. In the case of a federal PIV deployment the legacy infrastructure will work. If PIV-I is being used with the same system, however, an additional physical access controller might be necessary to handle and check the other data.
An issue that too often goes unnoticed when making the switch from prox to contactless is the end user’s experience, Ardiley says. Whereas the prox credentials could come in the general vicinity of the readers and open the door, contactless smart cards might require a tap and hold before the transaction is completed.
Enterprises need to educate employees on how the technology is different than prox so that they use it properly. If there are complaints of cards not working it may well be a simple case of user error.
Making the switch from prox to contactless is a big step but it offers users the ability to accomplish more with a lesser risk of intrusion. With contactless credentials enterprises can achieve additional functionality, flexibility and increased security. The perception of higher cost is often a misperception, but it continues to inhibit deployment. It’s really a matter of educating enterprises on the true costs and benefits of these systems, and then finding a progressive local dealer to assist with rollout.
Contactless smart cards and ISO 14443 technology are far from new: electronic passports that use the same technology have been in circulation for almost six years, and the technology was deployed even prior to that.
The existing, entrenched prox infrastructure is the main reason the technology has been slow to spread in the U.S., says Paul Everett, senior manager for the security team at IMS Research. Prox technology accounts for about 40% of revenue for physical access control technologies and represents 45% of the unique shipments.
Contactless smart card shipments will overtake prox by 2016, Everett predicts. Most enterprises aren’t making the switch now because the systems they have work. Until those systems reach end-of-life there’s not a lot of need to upgrade a system that is still functional. “New installations will use smart cards but those with a large installed base of prox are not going to swap out unless there’s another reason to do so,” he adds.
Physical access control provider Quantum Secure sees U.S. interest in contactless smart cards mainly within the federal government and its contractors, says Vic Ghai, vice president and chief technology officer for products at the company. In other sectors, it has been more pilots than installs. “Historically we have seen many pilots for contactless smart cards but it doesn’t go beyond that,” he adds.
Quantum Secure has more than 80 customers in the U.S., 10% of which use contactless smart cards, Ghai says. Those customers are either federal agencies or enterprises that have contracts with the government.
Outside of federal agencies and contractors, interest has been primarily from health care and airport sectors, says Ghai.
Just as contactless takes hold in the U.S., near field communication is coming quickly on its heels, purporting to do away with the plastic card format altogether.
Most agree that if this is to become reality, it is still many years away. It will be years before NFC becomes a standard feature, like Bluetooth, in handsets, says Paul Everett, senior manager for the security team at IMS Research.
NFC has to find its way into the majority of devices for it to be a viable option. Even then there are some concerns with how one handset manufacturer may deploy the technology versus another, says Jason Hart, executive vice president for identity management and cloud solutions division at the Identive Group. There have been issues with some of the early NFC handset antennas and problems with data transmission.
There are also the ever-present issues with “bring your own device,” such as who owns the data on the handset and how can we manage the security issues when one device is used for both personal and corporate access, Hart says.
Enterprises that opt for contactless smart cards based on open standards, however, should be better prepared to make the transition from cards to handsets down the road as both technologies use the same family of ISO standards.
While widespread use of NFC for physical access is certainly a ways off, it hasn’t stopped vendors from creating applications, Hart says. Identive has a PIV applet that can mimic the same functions as the government credential and another that uses the PLAID contactless standard for mutual authentication of credentials and readers.