Seamless Authentication

Replacing hardware tokens with smartphones for frictionless access control

Stephan Schultz
neXenio
5 min read · Jun 6, 2019


Right now, authentication at access control systems is usually done using NFC or RFID powered tokens. Employee badges, smartcards, keys — all proprietary devices that users need to carry around, are likely to lose and require user interaction.

Luckily, we are approaching an epoch in which most people own smartphones that provide all necessary requirements to do the same thing as a token — and more.

20% of Firms will shift to smartphones for access control by 2020 (Gartner)

Quite a few companies realised that and built solutions that let smartphone apps emulate the functionality of these tokens. However, we’ve yet to find a solution that is secure, works reliably and is truly seamless. Usually they either have weak security or provide a bad user experience.

Why Seamless Authentication?

Take a few seconds and think about how you would like to authenticate at an access control device, if you had to. Probably you don’t want to authenticate at all — or at least not consciously. That is exactly what we wanted to achieve.

Access control gates at the neXenio office, powered by seamless authentication. Full video: https://vimeo.com/250478757

More Convenience

Users shouldn’t even think about authenticating; it should happen naturally in the background, without disturbing their workflow. User experience is the key to an efficient access control system.

No proprietary devices: Users don’t need to have extra hardware that they could lose or forget at home. They will carry their phone anyway.

No user interaction: Authentication can work without opening an app or even pulling the phone out of a pocket. No more hassles when carrying stuff.

Works offline: Think about authenticating in an elevator or the parking garage, where no network connection is available. This also reduces latency.

Visitor access: Guests don’t need to get special badges anymore. They can get temporary access to just the places they need using their personal device.

Enhanced Security

Using smartphones is significantly more secure. In the worst-case scenario, the smartphone is just as secure as a physical access token: even if no additional authentication factors are used on the device, it’s still the ownership factor that is used for authentication, just like with a token.

Multi-factor authentication: In addition to the ownership factor, you can also request a knowledge factor (e.g. a PIN) or a biometric factor (e.g. a fingerprint) when authenticating for increased security. This of course plays well with the trust level approach that we introduced in our behaviour-based authentication.

Theft and fraud: Users care about their phone much more than about an access token. They will report a stolen phone earlier and are less likely to lend it to co-workers. Also, usage of additional authentication factors can prevent thieves from authenticating, even if they are in possession of the device.

Lower Cost

In long-term applications, using smartphones for access control is much more economical.

No additional hardware: The acquisition costs of physical access tokens, as well as their management and maintenance can be significantly reduced. Phones need to be purchased and provisioned anyway.

Universal readers: The reader next to a high security door can be the same as a reader next to the lunch area. Additional security checks can be done on the smartphone (e.g. pin or biometric prompts) if required.

Highly scalable: Authenticating more users doesn’t require more hardware. The readers don’t need to change and physical access tokens are not required.

Integration in existing apps

Our seamless authentication solution can be implemented in existing apps, simply by integrating the SDK for Android or iOS. That means that users don’t necessarily need to install a dedicated app just for access control.

We provide an open-source reference app that integrates our SDK on GitHub.

What are technical challenges?

neXenio is a deep-tech company focusing on secure and digital collaboration. We wouldn’t have tapped into this field if it was a solved problem. Seamless authentication actually hides a lot of interesting challenges that require clever software engineering to be solved.

Data transfer

We opted against using NFC because it requires the phone to be placed in very close proximity to the reader. That would mean user interaction, which we strive to avoid.

Instead we use Bluetooth Low Energy, which allows data transfer at a larger distance. Unfortunately, Bluetooth can be quite unreliable, insecure and comes with a lot of restrictions — which is why we created SBLEC. That’s an abbreviation of Secure Bluetooth Low Energy Communication, a protocol library that tackles these challenges. You can read more about it here.

Eliminating attack vectors

We believe in Security by Design, which is why we think about possible attack vectors before designing our software architecture and protocols.

During our research and evaluation phase, we found quite a few vulnerabilities in existing access control solutions. Simple replay attacks can render a whole system insecure. Although identifying common possible attack vectors is not too hard, actually preventing them can get challenging, especially when there are strict requirements on authentication delay and offline availability. Luckily, we have experts and strong partners from the cyber security research community on hand.
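One way an offline reader can reject a captured exchange is a single-use random challenge with a bounded validity window. The sketch below is an added example, not SBLEC or neXenio’s actual protocol; it assumes a per-device secret provisioned to the reader out of band and uses HMAC-SHA256 as a stand-in for the real authentication primitive.

```python
import hashlib
import hmac
import os
import time

CONTEXT = b"access-control-v1|"  # domain separation: tags are bound to this protocol


def phone_respond(key, device_id, nonce):
    # Phone side: answer the reader's challenge with the provisioned key, no network needed.
    return hmac.new(key, CONTEXT + device_id + nonce, hashlib.sha256).digest()


class Reader:
    # Offline reader: per-device keys are provisioned out of band (constructed assumption).
    def __init__(self, device_keys, challenge_ttl=5.0):
        self.device_keys = device_keys      # device_id -> shared key
        self.challenge_ttl = challenge_ttl  # seconds a challenge stays valid
        self.pending = {}                   # nonce -> (device_id, issued_at)

    def issue_challenge(self, device_id, now=None):
        nonce = os.urandom(16)              # fresh random challenge per attempt
        self.pending[nonce] = (device_id, time.time() if now is None else now)
        return nonce

    def verify(self, device_id, nonce, tag, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)    # single use: a second try is a replay
        if entry is None or entry[0] != device_id:
            return False
        if now - entry[1] > self.challenge_ttl:  # answered too late, bounded delay
            return False
        key = self.device_keys.get(device_id)
        if key is None:
            return False
        return hmac.compare_digest(phone_respond(key, device_id, nonce), tag)


def run_scenarios():
    # Returns (genuine, replayed, stale) verdicts for three access attempts.
    key = os.urandom(32)                     # constructed demo key
    reader = Reader({b"phone-1": key})
    n1 = reader.issue_challenge(b"phone-1", now=100.0)
    tag1 = phone_respond(key, b"phone-1", n1)
    genuine = reader.verify(b"phone-1", n1, tag1, now=101.0)
    replayed = reader.verify(b"phone-1", n1, tag1, now=102.0)  # captured exchange re-sent
    n2 = reader.issue_challenge(b"phone-1", now=200.0)
    stale = reader.verify(b"phone-1", n2, phone_respond(key, b"phone-1", n2), now=210.0)
    return genuine, replayed, stale
```

Only the first attempt succeeds: the re-sent exchange fails because its nonce was consumed, and the late answer fails the validity window, both without the reader contacting any server.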

Background Tasks

To be truly seamless, the whole authentication flow needs to happen in the background. We don’t want users to unlock their device and search for an app while waiting in front of a door.

Both Android and iOS come with quite a few restrictions for background services, to avoid apps having a bad impact on battery life. In fact, Apple just introduced Background Tasks in iOS 13, a version that isn’t even available yet.

We found solutions for both platforms that allow background execution, while being easy on the battery. We’ll cover these and detailed battery benchmarks in an upcoming post.

Try it out!

If you want to experience how convenient authentication can be or want to learn more about how it works, feel free to get in touch at nexenio.com!
