Campus ID News
Card, mobile credential, payment and security
slider MutualAuth 1

Mutual authentication secures contactless

Crytptography is vital, still many default to weaker card serial numbers

CampusIDNews Staff   ||   Sep 21, 2016  ||   , ,

When students at Sarah Lawrence College replace a lost student ID card, they unknowingly get a little something extra in that card – added security.

Every new ID card issued by the Yonkers, New York-based college is now equipped with a contactless chip embedded within. “We are not fully contactless yet,” says Brian Lutz, associate director of systems administration for the school. “We are doing it slowly as people get new IDs. It has been a more gradual migration.”

A few of the college’s offices are already fully deployed, using contactless credentials to unlock all doors, and a new building was just brought online that is fully equipped with contactless readers throughout. The plan is to have the entire campus switched over within the next few years.

As they make this transition, Sarah Lawrence is doing something that many campuses in the country have neglected to do. They are transitioning to a mutual authentication-based, secure, contactless environment.

“We are spending a little more money to use the full mutual authentication, but we saw that investment as worth the added security,” Lutz says.

The vast majority of college campuses in the nation are nowhere near that level of security, says Grey Bartholomew, product manager of CBORD, the company deploying the new ID system at Sarah Lawrence.

“If you look at the customer base, 90% of college campuses are still using mag stripe,” Bartholomew says. “Then you look at the 10% who use contactless and probably 90% of those are using the card serial number only.” He says that only the other 10% of that 10% are using mutual authentication – taking advantage of the true security enabled by contactless technology.

What’s the difference?

Credential security comes in levels, says Sami Nassar, vice president of cyber security at San Francisco-based NXP Semiconductors. “If we look at the most basic form of ID, it would be to write the serial number for a card on a piece of paper and laminate that,” he says. “Obviously you can put the same name on another piece of paper, meaning you would have more than one, and this would be very easy to duplicate and not be very secure.”

[pullquote]90% of campuses still use mag strip and of the 10% using contactless, probably 90% of those are using the card serial number only. Only the other 10% of that 10% are using mutual authentication – taking advantage of the true security of contactless.[/pullquote]

Slightly more secure would be to encode that serial number within a barcode, mag stripe or a chip. But if you are simply storing a serial number in an unprotected manner, it can still be readily changed or replicated. So it is still very unsecure.

Up another level, you can store the number on the card in a manner that cannot be changed or cloned. And at the highest level, mutual authentication comes into play. Using mathematical algorithms, mutual authentication prohibits ID numbers from being shared until both the card and reader have proven they are valid and authorized to share data, Nassar says.

Simply serial numbers

But even when systems are capable of using that high-level mutual authentication, some implementations – including many college campuses – opt not to use it. Instead, some default to a low security approach in which the card broadcasts its serial number to any reader it encounters.

“With just the card serial number, the reader is broadcasting and saying ‘hey, is anybody out there,’ and then if a contactless card comes along, the card sends its serial number immediately without getting that mutual authentication,” Bartholomew says.

While there are some security conscious outliers on college campuses, Bartholomew says the vast majority of contactless campuses are satisfied with the lower level of security. “It is the entry-level way to get into contactless technology without breaking the bank or investing in specific readers to enable mutual authentication,” Bartholomew says.

From the perspective of most campuses, contactless is a means to ease transactions, adding convenience rather than increasing security, he explains. “They are looking at it as a way to make the transaction faster and more convenient. Contactless cards give you that capability,” Bartholomew says.

When convenience is the goal, the serial number-only protocol seems to be enough.

Using a handshake

But not all college systems rely on a broadcast serial number, says Dan Gretz, senior director for market development at Blackboard.

|| TAGS:
Subscribe to our weekly newsletter


May 26, 23 / ,

Penn State adds mobile ordering to campus app

Penn State has added a mobile ordering feature to its comprehensive campus mobile app, Penn State Go. The Penn State Eats Mobile function is available for use by students on the flagship University Park campus, as well as across the university's Commonwealth Campuses.
May 26, 23 / ,

NAU leverages delivery robots to support late-night dining

Northern Arizona is leveraging Starship delivery robots and the mobile ordering app in a clever way to prop up late night dining, and putting a twist on the ghost kitchen concept. The university has launched its Hole in the Wall dining window that now serves either pickup or robot delivery for students by offering a number of dining concepts all from a single, concession-style window.
May 25, 23 / ,

HID's Technology Partner Program helps companies develop mobile solutions

Trusted identity solutions provider, HID Global, has announced its HID Origo Technology Partner Program, the company’s first program dedicated to partners with a focus on mobile technologies. The Origo Technology Partner Program is designed to help technology partners by providing the ideal platform for organizations to design, test, and market products that integrate with HID Origo via APIs and SDKs.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.