Campus ID News
Card, mobile credential, payment and security
slider MutualAuth 1

Mutual authentication secures contactless

Crytptography is vital, still many default to weaker card serial numbers

CampusIDNews Staff   ||   Sep 21, 2016  ||   , ,

When students at Sarah Lawrence College replace a lost student ID card, they unknowingly get a little something extra in that card – added security.

Every new ID card issued by the Yonkers, New York-based college is now equipped with a contactless chip embedded within. “We are not fully contactless yet,” says Brian Lutz, associate director of systems administration for the school. “We are doing it slowly as people get new IDs. It has been a more gradual migration.”

A few of the college’s offices are already fully deployed, using contactless credentials to unlock all doors, and a new building was just brought online that is fully equipped with contactless readers throughout. The plan is to have the entire campus switched over within the next few years.

As they make this transition, Sarah Lawrence is doing something that many campuses in the country have neglected to do. They are transitioning to a mutual authentication-based, secure, contactless environment.

“We are spending a little more money to use the full mutual authentication, but we saw that investment as worth the added security,” Lutz says.

The vast majority of college campuses in the nation are nowhere near that level of security, says Grey Bartholomew, product manager of CBORD, the company deploying the new ID system at Sarah Lawrence.

“If you look at the customer base, 90% of college campuses are still using mag stripe,” Bartholomew says. “Then you look at the 10% who use contactless and probably 90% of those are using the card serial number only.” He says that only the other 10% of that 10% are using mutual authentication – taking advantage of the true security enabled by contactless technology.

What’s the difference?

Credential security comes in levels, says Sami Nassar, vice president of cyber security at San Francisco-based NXP Semiconductors. “If we look at the most basic form of ID, it would be to write the serial number for a card on a piece of paper and laminate that,” he says. “Obviously you can put the same name on another piece of paper, meaning you would have more than one, and this would be very easy to duplicate and not be very secure.”

[pullquote]90% of campuses still use mag strip and of the 10% using contactless, probably 90% of those are using the card serial number only. Only the other 10% of that 10% are using mutual authentication – taking advantage of the true security of contactless.[/pullquote]

Slightly more secure would be to encode that serial number within a barcode, mag stripe or a chip. But if you are simply storing a serial number in an unprotected manner, it can still be readily changed or replicated. So it is still very unsecure.

Up another level, you can store the number on the card in a manner that cannot be changed or cloned. And at the highest level, mutual authentication comes into play. Using mathematical algorithms, mutual authentication prohibits ID numbers from being shared until both the card and reader have proven they are valid and authorized to share data, Nassar says.

Simply serial numbers

But even when systems are capable of using that high-level mutual authentication, some implementations – including many college campuses – opt not to use it. Instead, some default to a low security approach in which the card broadcasts its serial number to any reader it encounters.

“With just the card serial number, the reader is broadcasting and saying ‘hey, is anybody out there,’ and then if a contactless card comes along, the card sends its serial number immediately without getting that mutual authentication,” Bartholomew says.

While there are some security conscious outliers on college campuses, Bartholomew says the vast majority of contactless campuses are satisfied with the lower level of security. “It is the entry-level way to get into contactless technology without breaking the bank or investing in specific readers to enable mutual authentication,” Bartholomew says.

From the perspective of most campuses, contactless is a means to ease transactions, adding convenience rather than increasing security, he explains. “They are looking at it as a way to make the transaction faster and more convenient. Contactless cards give you that capability,” Bartholomew says.

When convenience is the goal, the serial number-only protocol seems to be enough.

Using a handshake

But not all college systems rely on a broadcast serial number, says Dan Gretz, senior director for market development at Blackboard.

|| TAGS:
Subscribe to our weekly newsletter


CampusIDChat: HID adds to higher ed team

HID Global's Director of End User Business Development for Higher Education, Tim Nyblom introduces the newest member of HID's higher ed team, Amy Surprenant. The pair also discuss the latest in mobile credentials and how administrators can prepare their campuses for the jump.
Jan 26, 23 / ,

Baylor adds Starship robot delivery

Baylor University has added robot delivery from Starship Technologies to its dining services offerings with the help of Grubhub. The initiative will see Baylor deploy a fleet of 20 delivery robots on the Waco, TX campus.
Jan 26, 23 /

NACCU Annual Conference registration now open

The National Association of Campus Card Users (NACCU) has opened registration for its Annual Conference. This year’s conference will be held April 16-19 in Austin, Texas and will feature a packed schedule of informative events and sessions with both campus card professionals and corporate vendors.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

As supply chain issues in 2021 persist, identity solutions provider @ColorID discusses ways campuses can to overcome potentially troublesome delays until the situation eases.

A dining services push at the @UBuffalo is reinforcing the utility of self-service checkout. @CBORD is improving the food service experience using the GET app, as well as Nextep kiosks and Oracle’s Micros Simphony POS.

Did you miss our recent webinar? No worries - watch it on-demand. Leaders from @NAU and the @UAlberta joined Ryan Audus, Touchnet, and Andrew Hudson, @CR80News, to discuss innovative mobile services and the future of mobile tech in higher ed. Watch now:

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.