Anyone choosing a new ID card solution will be faced by a potentially confusing choice of technologies and providers – so where do they start? SecurityNewsDesk talks to the experts.
When it comes to choosing an ID card solution, the first step is to be absolutely clear about what you want to achieve. That’s the advice from Alain Picard, General Manager at Databac Group Ltd, a leading manufacturer of ID cards.
Before getting bogged down with what the market has to offer, users should identify the specific requirements of the site to be protected – the level of security required, the number of people and doors to be covered, ease of use, the likely wear and tear the system will be subject to and the acceptable costs of setting up and running the system.
“If you have an existing access control system, then obviously you need a card solution that’s compatible with it, and that narrows down the choice.”
But even if you are dealing with existing card readers you should not feel limited, he says; with the latest ID card solutions, you may find new and smarter ways to use your old access system.
“You should consider improving the way you use your system – for example by introducing a multi-function card solution that combines various uses and replaces separate cards with a single one.”
These cards can be designed to incorporate multiple reading technologies, allowing a single card to be used to do different jobs – for example access control, time and attendance and cashless vending. Combining for example magnetic stripe with proximity technology on one badge allows it to be read by a magnetic stripe reader for hourly wage tracking and a proximity reader for access control.
Another advantage of this combined-card approach, says Alain, is that different technologies have different strengths and by combining them together you get a well-rounded multiple-read badge.
Swipe this way
So what are the main technologies?
Barcode technology is well established as a popular choice for supply chain management, inventory control and asset management. It has the advantages of a fast, accurate read rate, ease of production and use. The biggest advantage is that it’s cheap and the down-side is that it’s a comparatively low security technology. This said, a layer of additional protection can be added: TDSi offers a patented IR version (Microcard) with a security code fixed at the point of manufacture so its identity cannot be altered.
Going up a level, magnetic stripe offers on-site read/write capabilities so is still a relatively low cost solution because users can produce and manage their own cards. Mag-stripe is very familiar as the technology used on bank cards and in hotels. They are potentially vulnerable to magnets, which can erase the data encoded on the stripe. Bank cards use low-coercivity mag-stripes, which can be erased by ordinary magnets; high coercivity mag-stripes cannot be so easily erased and are more commonly used for access control.
A variation of mag-stripe is TSSI’s WaterMark magnetic stripe technology, which builds a permanent pattern into the magnetic tape during manufacture and gives each card a secure machine-readable identity. This WaterMark number ensures that the mag-stripe cannot be copied, altered or erased.
Smarter access
Smart cards are more expensive and more sophisticated. There are lots of different types of smart card and they can be used in a wide range of access control and secure identification applications – and new uses continue to emerge.
One thing all these cards have in common is an embedded integrated circuit chip (ICC) that can be either a microprocessor or just a memory chip. Memory cards merely hold data, while microprocessor cards hold data and carry out intelligent functions such as encryption or authentication. The data typically carried by a smart card might be an embedded photo, a PIN or password, biometric information or specific application data depending on the function that the card is being used for.
Contact smart cards feature a contact plate which physically connects to the reader to allow the transaction to be carried out. Contactless smart cards (proximity cards or RFID cards) carry embedded antennae that operate at different frequencies to give different read ranges. They can be either passive (powered by an electromagnetic signal from the reader) or active (with their own battery – and more expensive).
Contactless smart cards are widely used in applications such as access control, public transport, secure ID, cashless vending, parking and electronic passports.
Other variations of smart cards combine both contact and contactless reading technology, for greater flexibility in use, and can feature one chip or two.
The management and production of cards is an important issue for users – do you want to print your own ID cards on site (at the reception desk for example) or do you need a high security or high volume bureau service to supply cards for you? One of the leaders in the field is PayneSecurity, who will rebrand to Essentra Security later this year.
Aiming at users including education, local authorities, health and transport sectors, the company offers a range of card production options covering standard personalised PVC up to contactless smart cards, issued in bulk or fulfilled and individually attached to a personalised carrier letter. Securitworld, part of the card solutions business of Payne Security, supplies (to trade) desktop card printers from leading manufacturers Magicard, Datacard, Evolis and HID Fargo. It also supplies a useful range of ID accessories to support ‘low issuance’ customers using less than 50 cards per week up to multi-site, high volume desk top card issuance for larger organisations such as universities and corporations.
Blue badgers
And high volume doesn’t mean low security, points out general manager Simon Jones.
“We produce, and individually dispatch, thousands of personalised Blue Badge disabled parking permits every day. These have to be robust and have personalised security features to prevent counterfeiting.”
Before the company was brought in to help make the scheme more robust it was estimated that fraud – including the reproduction of fake badges – was costing an estimated £46million each year. Payne Security has been able to raise the level of security features on the new badge, making it much more difficult to reproduce.
And of course administering any major ID card scheme is as important as the physical production of cards. In the case of the Blue Badge scheme, the whole system has been streamlined. Whilst previously a number of different platforms were used, now local authorities are adopting a nationally available online application form, which local people can use to apply or report lost or stolen badges.
One other type of card worth mentioning is Wiegand Wire. Weigand is an old work-horse solution which has been steadily replaced by new technologies, yet it still has some important advantages says Databac – and crucially it has some big users who want to stick with the technology.
Earlier this year Databac confirmed that it would continue to produce cards incorporating Wiegand technology “for as long as there is market demand”, as competitors have discontinued production.
The big advantages of Wiegand cards are that they are relatively low cost, yet secure. They are also very robust and used in manufacturing plants, government facilities, hospitals, airports and other institutions where security is a primary concern. Other applications include railways, power stations and areas with strong magnetic forces, as the alloy used in Weigand cards is not affected by magnetic fields
Depending on the number of wires in the code strip, several hundred million codes can be created. Code strips are factory encoded and buried within the card, making duplication or counterfeit virtually impossible. Attempts to reach the wires will destroy the card and impair the unique pulse-generating properties of the wire.
Can you NFC it?
But if some people think Weigand’s days are numbered, are smart cards and every other type of traditional ID card equally destined to be superceded by something even more powerful – the use of NFC (Near Field Communications) enabled smart phones as an ID?
Integrating traditional physical access technology into a smart phone has obvious attractions. You immediately save on the cost of producing the cards and it may be more convenient for the user, with no card to carry, to remember or to lose. Just hold your phone up to the reader and in you go.
From the system manager’s perspective it could be very easy to control who gets through which door, with updates sent remotely (and access even granted before a new user arrives on site).
On the down side, NFC phone access doesn’t really help on sites where the requirement for site users and visitors to wear visible ID badges is a key security measure. But it’s easy to imagine hybrid solutions with a combination of low cost (even disposable) ID badges and NFC phones, replacing more sophisticated and expensive smart cards.
There are a lot of stakeholders on the technology side who are pushing NFC for all sorts of mainstream applications and momentum is building. There may be significant hurdles to cross and details to sort out – not least being questions of personal privacy and guarantees of security – but in many areas of daily life NFC applications are likely to become accepted and normal.
One of the pioneers in this emerging field is HID Global. The company believes that mobile access control can be more secure than traditional physical access technology because you can add multifactor authentication, such as promoting a one time password or PIN and even using GPS functionality to locate if you are really in front of the reader.
The dividing line between what is, and isn’t likely to be acceptable in the security sector might be best seen in the aviation industry: NFC may never replace passports, but perhaps it will replace boarding cards.
The card game
Certainly the established leaders in physical ID card sector don’t see the market diminishing any time soon – if anything there are emerging applications that will boost demand, says Simon Jones of Payne Security.
“The ID card model is well proven and the fact is that it works for organisations of all sizes, from SME’s upwards. At the top of the market there’s also a lot of new interest among local authorities for travel card schemes. We are working closely with IT developers to deliver solutions into this market. The education sector is another area of strong demand. We are fully aware of developments in NFC but we don’t see any immediate prospect the physical card market reducing.”
But HID Global says it sees potential for the move to mobile access control particularly in the hospitality and enterprise vertical and residential markets. The company is working with “four SIM card manufacturers, nine or 10 manufacturers of handsets that support NFC, and mobile operators around the world,” reported Denis Hébert at the company’s annual global strategy briefing in April.
There is, he admitted “a gap between where we want to be from a technology perspective and a policy perspective.”
But gaps are there to be crossed.
In June, HID Global confirmed a partnership with smart card leader Oberthur Technologies to enable HID’s Seos digital keys applet to be embedded in Oberthur Technologies NFC SIM cards. In short this will make it possible to use NFC smartphones for a wide range of applications which have been typical uses for smart cards. In the past year, HID Global conducted mobile access pilots with Netflix, Good Technologies and Arizona State University.
HID Global has developed its Seos applet as part of an ecosystem of interoperable solutions for “issuing, delivering and revoking digital keys on NFC-enabled mobile devices”. These, says the company, can be used to open doors to homes, hotels, offices, hospitals, universities and commercial buildings. Seos includes standards-based smart card technology and cryptography for both interoperability and security.
And if you want to see what door access using NFC looks like, there’s a nice video case study on YouTube and another video on the website of parent company ASSA ABLOY about its Seos mobile access ecosystem.