Tokenization is also gaining momentum in mobile identification
Be it payments, identification or Access Control, smart cards are conceding defeat to contactless and mobile solutions. Nevertheless, technology must take security into account, not only user convenience.
Tomaž Frelih, photo: archive Četrta pot
Implementing a secure Access Control system is a significant project that requires qualified experts. Cards, especially older models, can be defeated by anyone with ill intent, as counterfeiting tools are readily available online for less than a hundred euros. "It is not advisable to purchase your Access Control system piece by piece relying on arbitrary importers of components from the Far East. While it is true that you can buy a card for less than one euro, you also have to know that the same type of card with appropriate built-in security may cost several times more. You can think of an analogy in terms of an empty CD medium and a CD medium containing licensed music or software," explained Tomaž Frelih, Systems Department Director at Četrta pot.
Mobile app and cloud solutions to open doors
Would you like to open doors with your mobile phone? While this functionality is not really applicable in the business world, it is all the more desired in the consumer market. Even more so, as its implementation needs no card readers or NFC chips in the door frame because all the communication takes place over the Internet.
The mobile phone triggers a request in the cloud, and a command is sent to the latch in the door, which is connected to the Internet the same way as the rest of the smart home. This is how the user can open doors remotely (for instance to a relative, postman, courier delivery, …) even from the other side of the world. This sounds attractive but is only suitable for applications where security is not the primary concern or is ensured by the system provider. We know of several security breach cases where both prominent players and small startups have put the emphasis on convenience and "forgot" everything about security. This is why there were incidents of opening apartments to guests in the Airbnb system, vehicles in car-sharing services, homes to parcel delivery (Amazon) … Solutions based on cards are not any better in this respect – they may even be more prone to misuse, as updates are more challenging to implement. How trivial the security solution for hotel systems implemented by a Swedish manufacturer was came to light last year, exposing an immense issue that affects about a million hotel doors in about 40 thousand hotels all over the world.
"Četrta pot considers security a very serious issue and not something that can be subject to compromise, and applies this approach to every component in our system. In relation to security, we use cutting-edge card technologies and protect all devices and communication with cryptographic algorithms. Special attention with regard to security was paid in the implementation of mobile identification on Android and iOS mobile devices where we have introduced the tokenization technology and secure token generation, as tested globally in the banking sector, while ensuring simplicity of use. Our products have been certified, and the company holds certificates under ISO-27001 and ISO-27018 security standards for IT security," said Frelih, explaining the measures taken to ensure identification and Access Control security.
Mobile identification implementation
Studies have shown that people are rarely separated from their mobile phones. Moreover, 70 percent of people keep their phones close at hand 24 hours a day. These devices are no longer just a means of voice communication. They have turned into small computers and are very good at "pretending" to be something else, for instance, a camera, accelerometer, wallet or credit cards, and naturally they can also be used as a means of identification. In the modern world, it is much more likely that you will carry a smartphone on you than an identification card or tag. However, the use of mobile identification has brought with it a number of security issues.
Unlike cards, which are certified in terms of security, a smartphone is by default not secure or is more vulnerable to fraud. Nevertheless, a smartphone has an advantage that cards cannot offer – it can access the Internet and download applications. "You can imagine that it would be close to suicide if you stored security keys in your phone," illustrated Frelih. "This is why tokenization has been introduced, offering the possibility of creating an encrypted code or token with limited validity (e.g. one day) for each phone by a secure cryptoserver." This token is then stored in the phone, and upon establishing a connection, the reader receives the token from the phone, decodes the token, and determines user identity and token validity. While this security mechanism is not 100% secure, it is sufficiently reliable and has increasingly been used in mobile payments (Google Pay, Apple Pay, Samsung Pay …).
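The issue-and-verify flow described above, as an added example in Python that is not from the article or from Četrta pot's product. It assumes the token is authenticated with HMAC-SHA256 as a stand-in for the encryption the article mentions, that the reader shares the cryptoserver's key, and that the reader learns the phone's device identifier when the connection is established; all names and values are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: held by the cryptoserver and the readers, never by the phone.
SERVER_KEY = b"constructed-demo-key-not-for-production"
VALIDITY_SECONDS = 24 * 60 * 60  # "limited validity (e.g. one day)"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user_id, device_id, now=None, key=SERVER_KEY):
    """Cryptoserver side: bind user and phone to an expiry time and seal the claims."""
    now = int(time.time()) if now is None else int(now)
    claims = {"user": user_id, "device": device_id, "exp": now + VALIDITY_SECONDS}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_token(token, device_id, now=None, key=SERVER_KEY):
    """Reader side: return the user id, or None if the token must be rejected."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(body)  # parsed only after the tag has been checked
    if claims["device"] != device_id or now >= claims["exp"]:
        return None
    return claims["user"]


if __name__ == "__main__":
    token = issue_token("alice", "phone-1")
    print("fresh token:", verify_token(token, "phone-1"))
    print("other phone:", verify_token(token, "phone-2"))
```

The phone stores only the opaque token, so a stolen phone yields a credential that stops working at expiry rather than a long-lived key.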
The article was published on 20 June 2019 in the FINANCE business newspaper, and on 21 June on the FINANCE website.