Using BYOD Smartphones for Converged Access Control


The Bring Your Own Device (BYOD) mobility deployment phenomenon - where you're allowed to use your smartphone for work -- is growing in popularity as today's smartphones simultaneously grow in capabilities.

We can use our phones to access computers, networks and associated information assets, and to open doors and enter secured areas. Deploying these applications in a BYOD environment requires security assessment, proper planning and the right technology and provisioning infrastructure.

Physical access control is among the most recent capabilities added to today's smartphones. This requires a new identity representation that operates within a trusted boundary so that BYOD devices and their transactions can be trusted within the access control managed network. The boundary provides a secure communications channel for transferring information between NFC-enabled phones, subscriber identity module (SIM) cards, and other secure media and devices.

Using this framework, organizations can issue digital cards and keys to mobile devices via an internet portal (similar to the traditional model for purchasing plastic credentials, but connecting the BYOD via a USB or Wi-Fi- enabled connector), or from an over-the-air from a service provider (akin to how today's smartphone users download apps and songs). Digital ID's representing cards and keys can also be shared with authorized users via NFC "tap-n-give" provisioning, depending on the organization's security policies.

This secure mobile provisioning model eliminates the traditional risk of plastic card copying and makes it easier to issue temporary credentials, revoke or cancel credentials when they are lost or stolen, and monitor and modify security parameters if required, such as when the threat level increases. Organizations also can offer dynamic, context-based rule-setting, such as invoking two-factor authentication, and they can support variable security levels and use additional data elements. For instance, two-factor authentication could be dynamically invoked when there is an elevated threat level, and an application could be pushed to the phone that requires the user to enter a 4-digit pin or to gesture-swipe before it sends the message to open the door.

Smartphones can also generate One Time Password (OTP) soft tokens for securely logging on to another mobile device or desktop computers for accessing the network. As physical and logical access control applications move to BYOD smartphones, there are several issues to address. First, all applications and other ID credentials must be containerized between personal and enterprise use. Apps also must be enabled for use with digital keys and cards (i.e., to support PIN entry to "unlock" key usage for authentication or signing). Additionally, middleware APIs must be standardized so that ID credential functionality can be exposed to the application.

It is an interesting time in the industry as the coming generation of BYOD mobile access control solutions are sure to deliver improved convenience and management flexibility while ensuring highly secure transactions between smartphones, computer and networking resources, the physical access control system, and new cloud-based and over-the-air identity delivery infrastructure.