Credential Convergence Takes Hold in Key Industries
Health, finance lead charge to unite PACs and LACS
17 August, 2015
category: Contactless, Corporate, Digital ID, Financial, Government, Health, NFC, Smart Cards
Changes in convergence
The traditional definition of convergence as one credential for access to physical and logical resources still holds true but it’s also been somewhat modified.
“A converged access credential is still the poster child but there are other use cases coming to the fore,” says Julian Lovelock, vice president of marketing at HID Global Identity Assurance. “When people talk about convergence now they don’t just mean a single credential but also a single identity that’s managed within an organization for both purposes.”
It begins when a company hires a new employee and the individual has their identity vetted, Lovelock says. “Convergence includes everything, even these initial processes that get you to the point of issuing a credential,” he says.
When people talk about convergence now they don’t mean a single credential, but rather a single identity that’s managed for both purposes
Health care organizations in particular have been opting to take this approach when rolling out new identity systems, Lovelock explains. The Health Insurance Portability and Accountability Act aims to ensure that patient data is secure and protected, but new regulations around e-prescribing mandate that physicians use another factor of authentication when prescribing controlled substances. “E-prescribing is strict in the binding of a credential with an identity proofing process,” he explains.
Since physicians don’t want to have to carry an additional token or device the ID badge is frequently being used to meet the e-prescribing mandate, Lovelock says. Then once in place, health care organizations are expanding the use of the badge. Physicians can tap in and out of systems as they move from room to room seeing different patients.
A converged identity badge was typically synonymous with public key infrastructure. While PKI offers the highest levels of security the complexity and cost of such a system was daunting to some, explains Lovelock. Some of the more recent health care deployments that have gone with a converged identity have passed on PKI in favor of less expensive and easier to deploy options, he says.
Converging on the mobile?
With a lot of hype around the use of mobile devices for identity and the availability of near field communication and Bluetooth low energy, it seems likely that handsets will surpass smart cards as the converged token of choice.
“We’ll see the inclusion of the mobile devices as one of the form factors you can use,” says Paul Brady, senior director of sales engineering at Identiv. “You can put derived credentials on the phone for secure messaging or you can add credentials physically to the device with a sticker inside it.”
Enabling handsets for physical access is possible, whether they have NFC or not, as Bluetooth low energy has emerged as an option for opening doors. And using the same handset for logical access has been possible for some time, says Lovelock. “It’s well established in the IT world where phones generate one-time passcodes,” he adds.
Using NFC for logical access isn’t something that’s become widespread yet. But as a new generation of tablets and laptops come equipped with NFC, the ability to reach the technology from other devices is a possibility. It will also lower the cost of the credentials as readers will be embedded and cards won’t have to be issued, Lovelock says. “Your basic infrastructure is capable of reading a contactless credential without spending anymore money,” he explains.
Still, the cards may be tough to beat as a form factor, Brady says. “I don’t think we’ll see the cards go away any time soon,” he explains. “It’s such a common form factor and it has shaken out as the technology that’s accepted by everyone.”
Smart cards have also proven to work over a number of years. “The technology is very well vetted,” Brady says. “There are lots of standards around it and you’re starting to see the card trickle down from earlier programs like the Defense Department’s Common Access Card, EMV payment cards and others.”
Beyond the handset
While the mobile device seems the likely usurper to smart cards, companies are already looking beyond that to wearable devices.
“In certain environments you would have a wearable get you in the door, check you in to a time and attendance system and enable you to pick up print jobs,” Lovelock says. “A wearable can be a good second form of authentication so it’s not limited to a card.”
A few years ago smart cards were the only possibility for converged credentials. Now, the mobile device has emerged as another viable possibility with wearable technologies on the horizon. While convergence has been slow to take flight, the idea isn’t dead. In fact, with more and different form factors now available to contain these identities, it’s an idea that might finally be ready for take off.
