When it comes to issuance, contactless rocks prox
07 September, 2006
category: Contactless, Corporate, Education, Library
13.56 MHz contactless cards improve flexibility and security for access control
By Chris Corum, Executive Editor
Contactless technology facilitates multiple applications and services from a single card, but Erik Larsen, Product Manager of Identity Solutions for Lenel Systems International, stresses that another advantage is equally crucial for card issuers. “Contactless lets you take control of – and secure – the data on your cards,” he says, “something proximity technology just doesn’t do.”
“We give customers the ability to encode the cards themselves and capture the data they want to use,” explains Mr. Larsen. “You can populate it all into (Lenel’s) OnGuard system and then let the issuer encode what they want onto their cards. You no longer need to be told by the application or technology what will be on the credential.”
Other leaders in the contactless arena concur. According to June Colagreco, VP Marketing Communications for HID Global, “Our iCLASS contactless offerings have enabled us to provide much greater control and flexibility to our issuers. By using the iCLASS field card programmer, our customers have the flexibility to instantaneously issue personalized credentials on the spot.”
“(Our customers can) even encode the iCLASS secure area of a card,” adds Mr. Larsen. “You can get completely blank iCLASS cards without even the application page layout configured … Our application will configure the proper page area and personalize the card.”
How does traditional proximity issuance differ?
In most cases, proximity cards arrive at the client site with a unique identification number pre-encoded on the card. Typically, this same number is also printed on the card. When an issuer (e.g. company, university, security integrator) prepares a new badge for a cardholder, that card is printed through an ID card printing system or simply handed to the cardholder if it is not to be personalized with data, photograph, etc.
Next the ID number that was encoded in the proximity card at the factory must be enrolled into the issuing organization’s ID card system, security system, and perhaps other systems. Specifically, the card’s assigned number must be linked to the database record of the cardholder to whom it was issued. If this process is skipped or done incorrectly, these systems won’t know how to manage the individual’s approved privileges and access rights. The system’s integrity would be compromised.
These additional steps are necessitated because the card number is preset in the majority of proximity card issuances (note: in certain instances, prox cards can be programmed by the integrator or issuer at the time of issuance, though this is the exception rather than the rule).
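The enrollment step described above can be checked by reconciling the badging desk's issue log against the access control database. The following Python code is an added example, not part of the original article or any vendor's software; the record layout, card numbers and cardholder IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (factory-encoded card number, cardholder ID).
# ISSUE_LOG is what the badging desk handed out; ACCESS_DB is what was
# actually enrolled in the access control system.
ISSUE_LOG = [(10451, "E001"), (10452, "E002"), (10453, "E003"), (10454, "E004")]
ACCESS_DB = [(10451, "E001"), (10452, "E009"), (10454, "E004"),
             (10454, "E005"), (10543, "E003")]


def audit_enrollment(issue_log, access_db):
    """Find pre-encoded card numbers whose enrollment was skipped or done wrong."""
    issued = dict(issue_log)              # card number -> intended cardholder
    enrolled = defaultdict(set)           # card number -> cardholders linked to it
    for number, holder in access_db:
        enrolled[number].add(holder)

    findings = {"not_enrolled": [], "mislinked": [],
                "duplicate": [], "never_issued": []}

    for number, holder in issue_log:
        holders = enrolled.get(number)
        if not holders:
            # Card was handed out but never linked to a record.
            findings["not_enrolled"].append(number)
        elif holder not in holders:
            # Card number is linked to someone other than its holder.
            findings["mislinked"].append(number)

    for number, holders in enrolled.items():
        if len(holders) > 1:
            # One credential number grants the rights of several people.
            findings["duplicate"].append(number)
        if number not in issued:
            # Enrolled number matches no issued card (e.g. a keying error).
            findings["never_issued"].append(number)

    return {kind: sorted(numbers) for kind, numbers in findings.items()}


if __name__ == "__main__":
    for kind, numbers in audit_enrollment(ISSUE_LOG, ACCESS_DB).items():
        print(f"{kind}: {numbers}")
```

In the sample data, card 10453 was issued to E003 but enrolled as 10543, so it shows up once as an unenrolled card and once as a number that was never issued.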
Contactless streamlines the issuance process
Unlike typical proximity cards, however, contactless cards often arrive at the issuer’s location without the pre-encoded ID number. Each card is blank, awaiting input from the card issuing system to assign numbers and data to different fields or files on the chip. Most modern issuance systems have the ability to encode an array of common contactless chips “inline” during the card imaging process. Internationally standardized contactless varieties (e.g. ISO 14443 and ISO 15693) and named products (e.g. Philips’ Mifare, HID’s iCLASS, Sony’s FeliCa, Legic’s Advant) can often be encoded while the card is being printed.
This saves a crucial step in the issuance process, eliminating the need to ‘register’ the proximity card’s number into the issuing organization’s systems. With contactless technology, the issuing organization’s systems actually assign the number to the individual and encode it on the card directly.
Still, many contactless issuers prefer to order their cards pre-programmed. “The majority of (our) customers still order secure contactless cards pre-programmed with their access control application information,” says John Menzel, CEO of contactless reader manufacturer XceedID. “This is mainly due to the fact that they have always done it this way. We sell mostly white ISO cards with secure sector programming and the end customer ends up printing at time of issuance.”
HID offers a contactless version of its popular Corporate 1000 proximity program. “The iCLASS Elite Program provides security professionals the ability to standardize on a ‘single credential’ solution that can be used for all applications and locations worldwide,” says Ms. Colagreco. The issuer receives a proprietary 35-bit format that includes a Company ID Code unique to each end user. “For added security, HID tracks card numbers to ensure that no duplications occur,” she adds.
Updating data on the card creates flexibility and saves money
This fundamental difference between proximity and contactless technology has additional repercussions on system operation beyond initial issuance. During the lifecycle of a cardholder within an organization, there may be cause to change an ID number in an existing card or port the number from one card to another. With proximity cards, neither of these options can be accomplished, but contactless makes both easy and secure.
“Since (most contactless) cards can be written to multiple times you can ‘re-program’ a smart card if you have a programmer with the appropriate keys to overwrite a particular sector,” says Mr. Menzel. This is a major advantage over prox technology, he stresses, citing that prox is “typically a one time write with no security.”
Imagine the employee or student that returns to the badging location with a damaged card. He wants a new card and the security of the card’s data can be assumed intact, as the card is present at the time of request. In such a situation, the issuer could simply take possession of the existing card and re-issue a new card with the same identification numbers and other data, making sure to destroy the prior card. There would be no need to update records in other systems, as the data remained the same.
Alternatively, an identification number on an existing card might need to be changed if a system change occurred or fraudulent activity was suspected. With contactless technology, the existing card could simply be updated with the new number and the same badge preserved.
Taking this one step further, a customer could even update the keys for both cards and readers so that the entire system uses a new set of keys to communicate. “HID has enabled a rolling key feature in their (new) reader that can be controlled by OnGuard,” explains Mr. Larsen. “(When) the card is presented to the reader, it is automatically updated with the new key that is stored in the reader.” Just another example, he points out, of the power of contactless smartcards over proximity.
Ms. Colagreco adds that this key update management capability is a major customer security advantage. “Security systems traditionally relied on the possession of the card with its unique ID number to deter unauthorized access. With contactless, we are exponentially more secure thanks to credential keys and the ability to update them as needed for a higher level of security, not to mention complete key and data encryption.”
Conclusions
In prior articles we have examined other benefits of contactless over proximity technology:
- How price is comparable between the proximity and contactless cards and readers,
- How a wide array of applications and services can be supported with contactless technology, and
- How transition to contactless can be virtually seamless thanks to a new breed of multi-technology readers that support both proximity and contactless technologies.
This examination of the benefits in the issuance process should provide more food for thought as you consider when the time is right for your organization to migrate to contactless, the new standard in identification technology.