Campus ID News
Card, mobile credential, payment and security
slider MutualAuth 1

Mutual authentication secures contactless

Crytptography is vital, still many default to weaker card serial numbers

CampusIDNews Staff   ||   Sep 21, 2016  ||   , ,

When students at Sarah Lawrence College replace a lost student ID card, they unknowingly get a little something extra in that card – added security.

Every new ID card issued by the Yonkers, New York-based college is now equipped with a contactless chip embedded within. “We are not fully contactless yet,” says Brian Lutz, associate director of systems administration for the school. “We are doing it slowly as people get new IDs. It has been a more gradual migration.”

A few of the college’s offices are already fully deployed, using contactless credentials to unlock all doors, and a new building was just brought online that is fully equipped with contactless readers throughout. The plan is to have the entire campus switched over within the next few years.

As they make this transition, Sarah Lawrence is doing something that many campuses in the country have neglected to do. They are transitioning to a mutual authentication-based, secure, contactless environment.

“We are spending a little more money to use the full mutual authentication, but we saw that investment as worth the added security,” Lutz says.

The vast majority of college campuses in the nation are nowhere near that level of security, says Grey Bartholomew, product manager of CBORD, the company deploying the new ID system at Sarah Lawrence.

“If you look at the customer base, 90% of college campuses are still using mag stripe,” Bartholomew says. “Then you look at the 10% who use contactless and probably 90% of those are using the card serial number only.” He says that only the other 10% of that 10% are using mutual authentication – taking advantage of the true security enabled by contactless technology.

What’s the difference?

Credential security comes in levels, says Sami Nassar, vice president of cyber security at San Francisco-based NXP Semiconductors. “If we look at the most basic form of ID, it would be to write the serial number for a card on a piece of paper and laminate that,” he says. “Obviously you can put the same name on another piece of paper, meaning you would have more than one, and this would be very easy to duplicate and not be very secure.”

[pullquote]90% of campuses still use mag strip and of the 10% using contactless, probably 90% of those are using the card serial number only. Only the other 10% of that 10% are using mutual authentication – taking advantage of the true security of contactless.[/pullquote]

Slightly more secure would be to encode that serial number within a barcode, mag stripe or a chip. But if you are simply storing a serial number in an unprotected manner, it can still be readily changed or replicated. So it is still very unsecure.

Up another level, you can store the number on the card in a manner that cannot be changed or cloned. And at the highest level, mutual authentication comes into play. Using mathematical algorithms, mutual authentication prohibits ID numbers from being shared until both the card and reader have proven they are valid and authorized to share data, Nassar says.

Simply serial numbers

But even when systems are capable of using that high-level mutual authentication, some implementations – including many college campuses – opt not to use it. Instead, some default to a low security approach in which the card broadcasts its serial number to any reader it encounters.

“With just the card serial number, the reader is broadcasting and saying ‘hey, is anybody out there,’ and then if a contactless card comes along, the card sends its serial number immediately without getting that mutual authentication,” Bartholomew says.

While there are some security conscious outliers on college campuses, Bartholomew says the vast majority of contactless campuses are satisfied with the lower level of security. “It is the entry-level way to get into contactless technology without breaking the bank or investing in specific readers to enable mutual authentication,” Bartholomew says.

From the perspective of most campuses, contactless is a means to ease transactions, adding convenience rather than increasing security, he explains. “They are looking at it as a way to make the transaction faster and more convenient. Contactless cards give you that capability,” Bartholomew says.

When convenience is the goal, the serial number-only protocol seems to be enough.

Using a handshake

But not all college systems rely on a broadcast serial number, says Dan Gretz, senior director for market development at Blackboard.

Related Posts

|| TAGS:
Subscribe to our weekly newsletter


Alert Enterprise mobile credential interview
Jun 20, 24 / ,

Alert Enterprise discusses its mobile credential and unified physical security layer

In a recent interview with CampusIDNews, Mike Harris from Alert Enterprise discusses the company's support for mobile credentials from Wavelynx, HID, and SafeTrust in Apple Wallet. Alert Enterprise offers a unified physical security layer that sits in between an organization's people and it's access control systems, automating access management throughout the organization. Our unified physical […]
Photo ID camera webinar
Jun 20, 24 /

15-minute webinar: How do I select a camera for my campus card office?

  This Wednesday, June 26, 1:00 EST, Chris Corum (CampusIDNews) and David Stallsmith (ColorID), will discuss the current state of cameras and photo capture options for ID offices. Stallsmith, Director of Product Management for ColorID, has helped hundreds of card programs explore camera options, and he will share his insight in this episode of the […]
Notre Dame mobile credential

Notre Dame launches mobile credentials with CBORD, Allegion

Last week, the University of Notre Dame community began adding student IDs to their mobile devices. With the help of partners CBORD and Allegion, the successful launch saw thousands of credentials issued in the initial days. Students, faculty and staff can choose to provision the credential to either their Apple Wallet or Google Wallet. To […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself.

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.