Episode Four: Unlocking the

This is an excerpt from Unlocked — an ASSA ABLOY podcast series on campus security. Unlocked explores the security issues and challenges that colleges and universities face as they strive to create a safe and secure learning environment. Visit intelligentopenings.com/unlocked to hear more.

Whether installing a new door access system for your campus or upgrading from a legacy system you have a lot of decisions to make.

You first must choose the right access software and locking hardware. You also need to find a knowledgeable and trustworthy integrator to install and service your system. And you need to determine which card technology is right for your campus.

And this last task is not always as easy as it might seem.

A common misunderstanding for campus IT professionals that deal with physical access security is differentiating between the access cards. How do you know which technology is the right one for you?

A lot of technology is packed into the cards. And there are a lot of marketing materials surrounding which cards are best for you. It can be difficult to figure out exactly what your campus needs.

And what you don’t.

How We Got Smart

Before diving into the current technologies, it helps to understand where we came from.

In 1960, a young engineer from IBM named Forrest Parry invented the magnetic stripe card. Once ubiquitous on campus doors, more reliable and secure technologies are quickly eclipsing the mag stripe.

Mag stripe cards are simple. A card gets swiped in a reader. That reader then reads a sequence of numbers stored on the stripe of that card. If the number matches what’s stored in the system’s database, the door unlocks.

Many campuses still use the mag stripe card for their door access. This is mainly because the cards are inexpensive, the cost to replace the existing swipe readers is high, and other systems aside from security still rely on that technology—namely campus one-card systems that use the card for dining, laundry, vending and other purchases.

Yet, outside of higher education and older hotels, hardly anyone still uses mag stripe cards for door access. In the 90’s the industry made a wholesale shift from mag stripe to the new, contactless technology called prox—known more officially as “low-frequency proximity”.

When the prox card came on the scene, everyone was thrilled.

The mag stripe card was cumbersome and inefficient. Not to mention administrators felt the financial sting and maintenance headaches from broken cards and physical wear on the readers. Prox solved these problems.

Lower maintenance costs, increased user convenience, and new options for form factors like fobs made the prox card a winner. But the low-frequency proximity technology is not without its limitations.

Like the mag stripe, the prox card is unencrypted and static—making them easy to clone or forge. You also can’t encode additional information onto the prox cards, like multiple IDs.

Out of these security limitations and frustrations came the contactless “smart card” as we know it today. The biggest technology difference between smart cards and prox cards is the frequency of the chip inside. Prox cards use a low-frequency 125 kHz technology, whereas the new breed of smart cards use a high-frequency 13.56 MHz technology.

Smart Card vs. Prox

Although a massive install base of prox technology exists, the last five years have seen a transition to smart card technologies. According to Eric Widlitz, vice president of sales at Vanderbilt Industries, he sees no reason not to make the transition.

“You certainly have a gigantic install base of prox technology that you’ll continue to support for a long time moving forward,” says Widlitz. “But smart card technologies today from a cost perspective are pretty much the same price. And in some cases, may even cost less money than a prox card.”

It’s well known that smart cards are a more secure credential than prox. But another advantage that smart cards have over prox is the ability to store and secure other useful information on the card itself.

“From a cost perspective, today’s smart card technologies are pretty much the same price as a prox card. In some cases, they may even cost less.”

Widlitz explains: “A prox card is kind of like a license plate. It will transmit one ID number to the system and that is all it is capable to do. And it’s not secure. On a smart chip, you have multiple containers that you can store different applications in. Each one of those containers is secured. Think about it like a filing cabinet, and you have a key to each one of the drawers on the filing cabinet. There’s an key that secures the information on the card for each one of those applications. It can be used for multiple applications where you can’t use any of the previous types of technologies for that.”

The difference in frequencies between the prox card and the smart card can also affect performance. But not in the way you might expect.

Schools that purchase the smart, or contactless, card for the sake of convenience for their students can be surprised to find out the read range is limited on the smart card.

This is because the difference in frequencies on the card can have an impact and effect on the card’s read range. You typically get a slight reduction in read range with smart cards. And the read time and the communication time between card and reader is a little longer.

“You definitely take a little hit on the convenience side on the speed and read range that you have. But you have the insurance that your information is secure on that card and that people can’t take that information off your card,” says Widlitz.

This is something to keep in mind when your campus starts discussing the benefits of smart cards. Fortunately, as people get accustomed to longer read times of EMV credit cards they are less prone to notice the slight increase of speed on the contactless cards over the prox.

To recap, here are three reasons to choose a smart card over proximity card. Or why you might consider upgrading from an existing prox card installation:

1. Contactless smart cards are safer. They can’t be copied, or “skimmed” in the way prox cards can.
2. They can cost the same—or in some cases—cost less than prox.
3. They can store additional data and be used for other applications, like transit systems.

“There is absolutely no good reason today—starting with a new, fresh install—why you would ever put in proximity technology or put in mag stripe technology,” says Widlitz.

“You should always think about moving forward with some sort of smart card technology.”

Smart “One Cards”

A source of confusion unique to higher ed when it comes to smart cards, is the term itself “smart card”. While smart card is used universally in other verticals of the physical security industry, in higher ed we tend to refer to them as contactless cards.

Why? Well here’s a little history lesson. A bunch of years ago smart cards became popular on a handful of large universities for student purchases like vending and laundry, and for meal plans. What we now call One Card systems. These smart cards were of the contact chip variety. The eventual problem with them was the money was stored “offline” on purses on the card. As networked, “online” systems gained in popularity these smart card systems became irrelevant. Just about all those smart card systems have been ripped out and replaced on the campuses who used them.

And because of that experience, the term “smart card” when talking to campus folks who also deal with the one card, side of the credential has left a bad taste in their mouth. That is why most vendors dealing with the payment side refer to the newer technology cards almost exclusively as contactless.

So you see how confusion can arise when a one card vendor calls them contactless, and a security vendor calls the same card a smart card.

Most people in the security industry will use the term smart card to encompass pretty much all types of contactless cards that aren’t prox.

Trust in a Handshake

For colleges and universities, one of the biggest benefits of smart cards is that they are more secure than the prox card. This is because of something called mutual authentication.

According to Widlitz, mutual authentication works like this: “In the simplest of terms, a reader will boot up a chip, start a chip, they’ll start talking to each other. And they do a kind of handshake to authenticate each other. And if they authenticate each other, then the smart card will start releasing the information that’s being asked for.”

So, the reader performs a couple tests that the smart card needs to go through to make sure it’s communicating with the right type of card. And if they have that correct handshake together then the process will continue, and they will continue to talk to each other. If that handshake or something goes wrong at that initial communication, then the card and reader will stop communicating and the door will remain locked.

Without delving into the details of the cryptographic authentication, it’s important to know that this secure technology is available today and at a comparable cost to older, less secure technologies.

Beware the CSN Pitfall

Another common point of confusion to watch out for is the CSN, or Card Serial Number. Smart cards have not one, but two numbers encoded on the card.

One is the key that is used to mutually authenticate with the reader. The other is the card serial number—also referred to as the UID or unique identifier. This is a number burned into the card during the manufacturing process.

If you are shopping for an access control system and want to use smart cards, be careful you know and understand the difference between these two numbers.

Eric Widlitz observes that “even today, people buy a smart card and don’t really use it as intended for. Every chip has a unique identification number on it. But it is not secured in any way, shape or form on that card. If you are considering purchasing a smart card and only plan to use the serial number, it’s no different than using a prox card. This is because there is a single unique identifier on it that’s being transmitted openly and in the clear. There’s no security behind that.”

The smart card’s serial number is typically used to identify a type of chip. That serial number was not intended to be used for physical access control and securing one’s identity within a security system.

Still, many uninformed buyers end up using the CSN to secure their buildings.

“I’ve seen it not only at schools, but at large enterprises,” says Widlitz. “And many times, it’s because people don’t understand. Or they may have a reader on the wall—it’s very simple today to build a reader that will just read everybody’s serial numbers.”

Sometimes campuses may not have a and need to use the CSN if they have multiple buildings with different technologies.

“I would say use that to help you migrate to a secure platform,” Widlitz suggests. “But that should never be the intended use of a smart card, to use the serial number as an identifier.”
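The contrast between a serial-number check and the handshake described under "Trust in a Handshake" can be made concrete. The sketch below is an added example, not code from the podcast, ASSA ABLOY or any card vendor: it models the handshake as an HMAC challenge-response in both directions. The per-card key derivation, the class and function names and the sample values are all assumptions made for illustration and do not represent any real card protocol.

```python
import hashlib
import hmac
import secrets

def mac(key, label, *parts):
    """HMAC-SHA256 over a direction label and the handshake values."""
    return hmac.new(key, b"|".join((label,) + parts), hashlib.sha256).digest()

def card_key(site_key, csn):
    """Assumed scheme: per-card key derived from a site secret and the CSN."""
    return mac(site_key, b"diversify", csn)

class Card:
    def __init__(self, csn, key, credential):
        self.csn = csn                      # public serial, readable by anyone
        self._key, self._credential = key, credential
        self._nonce, self._reader_ok = None, False

    def hello(self):
        self._nonce, self._reader_ok = secrets.token_bytes(16), False
        return self.csn, self._nonce

    def respond(self, reader_nonce, reader_proof):
        want = mac(self._key, b"reader", self.csn, self._nonce, reader_nonce)
        if not hmac.compare_digest(want, reader_proof):
            return None                     # reader failed the handshake: stop
        self._reader_ok = True
        return mac(self._key, b"card", self.csn, reader_nonce, self._nonce)

    def read_credential(self):
        # Secured data is released only after the reader has proven itself.
        return self._credential if self._reader_ok else None

def csn_only_unlock(allowed_csns, card):
    """The pitfall: the door trusts whatever serial number is presented."""
    return card.csn in allowed_csns

def mutual_auth_unlock(site_key, allowed_credentials, card):
    csn, card_nonce = card.hello()
    key = card_key(site_key, csn)
    reader_nonce = secrets.token_bytes(16)
    card_proof = card.respond(
        reader_nonce, mac(key, b"reader", csn, card_nonce, reader_nonce))
    want = mac(key, b"card", csn, reader_nonce, card_nonce)
    if card_proof is None or not hmac.compare_digest(want, card_proof):
        return False                        # door stays locked
    return card.read_credential() in allowed_credentials

# Constructed sample values, not taken from any real system.
SITE_KEY = b"constructed-site-key"
CSN = bytes.fromhex("04a1b2c3d4e5f6")
GENUINE = Card(CSN, card_key(SITE_KEY, CSN), b"student-0001")
COPY = Card(CSN, secrets.token_bytes(32), b"student-0001")  # same serial, no key
```

A device that presents the same serial number without the key passes `csn_only_unlock` but fails `mutual_auth_unlock`, and a card talking to a reader that lacks the site key releases nothing.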
Your Path to Migration

Like most physical security initiatives, a phased approach is suggested for upgrading your credential technology. To make a migration easier you can use what are called multi-technology, or multi-tech, cards. These are cards that can include 125 kHz prox, the 13.56 MHz smart chip, and even the magnetic stripe.

The mag stripe is used for your existing dining and financial applications, prox for existing access card readers, and the smart chip for new and future readers you’ll install as you migrate away from the prox readers over time.

The readers themselves—or locks with integrated readers—are also available in a multi-technology flavor to accommodate whichever credential you are using.

“Put a multi-technology reader on the wall so anybody new that comes to the facility gets a new smart card. Or if you’re slowly going to phase out the older technologies that reader will be able to read the old card and the new card,” says Widlitz.

“But that’s going to require you to change your entire reader population. If you’re not just talking about one site and it’s a global organization with sites all over the place, it might be very difficult to do that. A multi-technology card might be easier to help with that type of transition. Or there may be a combination of both—multi-technology cards and multi-technology readers. And the readers are smart enough that you can set them to read one or the other technology in the card depending on what that facility is and the direction you want to go there.”

A wise approach as you plan a migration is to figure out which population on your campus needs what technology. This way you don’t purchase the most expensive, multi-technology cards for everyone on campus. Those can be reserved for only the students, staff and faculty that require that card technology for the buildings they use.

“That’s where you start. Plan the use cases. And then make sure you have a platform that supports those in the short term. And you know the rest of the use cases will come over the next few years.”

How Far Is the Future?

Where is credential technology going next? Will it always stay on the card?

Daniel Bailin, the director of strategic business development and innovation at HID Global, works on figuring out where the industry is heading next. And according to him, the first place everyone is looking to is the .

“We’re all used to carrying cards to open doors and gain access to other things such as logging into our computers,” says Bailin. “It’s a natural thing to say now I want to use my phone because I always have my phone with me. Often I have my card, but I always have my phone. And so that’s where the focus has been most recently.”

But the credential is not stopping with mobile. With people getting used to the idea of using their phones to unlock doors, Bailin and his team look further in the future.

“Now what about wearable technology such as health and fitness devices?” says Bailin, referring to items like FitBits and Apple Watch or Android Wear type devices. “The idea being that if I can use my phone to open the door, why can’t I use my wearable device?”

New mobile technologies—like SEOS from HID Global—are being designed to run on any . You can get them on smart cards, phones, and wearables. Even as the industry is moving to the EMV chip, this type of technology can be placed on there as well.

“The idea is to give the people that manage the security in the organization—the IT people and the security people—a choice of platforms they want to support. And ultimately to enable the users to choose the device they want to carry,” says Bailin.

Planning Your Roadmap

When starting the conversation about future credentials with security and IT departments, Bailin wouldn’t recommend starting with the credential.

“I’d say you would start with finding the solution for the use cases we’re trying to harden. We have a use case to open a door into a classroom. We have a use case of getting into a dorm. There’s a perimeter secure area, and then there’s the actual dorms. So let’s now start talking about those use cases.”

A trend Bailin and his team are seeing is the convergence of the budgeting process between the physical access side, the security side, and the IT side. And as those come together then they obviously need to plan and budget together.

All parties should set out a plan that in the next few years they should be well on their way towards migrating to a more modern and secure solution.

Something Bailin often sees is people tend to try to solve the problem that’s immediately in front of them. For example, a campus might conduct an audit and find a weakness because they use a legacy technology. They know they need to address that. But if they limit the scope to simply solve that immediate problem, they can miss an opportunity to address future issues. Like when are they going to start to support mobile devices?

“Don’t think you’re in the university environment, and three years, five years from now, you’re going to tell your students you can’t use phones. I mean, they’re going to expect to do this more and more,” says Bailin.

As you evaluate the various platforms, think about investing in a platform that has a roadmap to support everything that you might need.

“And even if you don’t think you need it today,” says Bailin, “it would be naive to think you’re not going to have to support these common platforms—phones, wearable devices, in the next, fill in the blank: one year, two years, three years.”

The future possibilities of credential technology are exciting, but just like the current options can be difficult to navigate.

“And now it’s just up to the IT departments and the security departments to figure out which of those use cases are the ones that we care about,” advises Bailin. “That’s where you start. Plan the use cases. And then make sure you have a platform that supports those in the short term. And the rest of the use cases you know will come over the next few years.”

ASSA ABLOY Americas 110 Sargent Drive New Haven, CT 06511

Copyright © 2017 ASSA ABLOY Sales and Marketing Group Inc.; all rights reserved. Reproduction in whole or in part without the express written permission of ASSA ABLOY Sales and Marketing Group Inc. is prohibited.