We often confuse the concept of identity with the card that carries it, but in reality, "identity" can take many shapes, whether as a mobile phone, a USB stick, or some other medium. The move toward virtualized credentials is fuelling a shift in the industry, where the concept of "identity" is being expanded beyond traditional I.D. cards to include many different form factors for credentials.
This new way of thinking marks a tipping point in the access-control industry, and is driving fundamental changes in how we deliver and manage secure identity. For instance, today's mobile phones can do much more than make and receive calls. They can now also be used to open doors, make cashless payments and access secure data. This is possible using near field communication (NFC) short-range wireless technology to receive and present the virtualized credentials that we previously stored on contactless smart cards. NFC phones are one example of a new form factor for carrying a credential that can enable many types of contactless access-control applications and secure payment or data-access transactions.
Today's new form factors for credentials, which include USB sticks, fobs and other devices in addition to mobile phones, improve user convenience and flexibility, while at the same time raising the question of how to ensure that all identities can be trusted. Three forms of authentication are typically used today: who you are (which is determined through visual, biometric and/or role-based authentication); what you have (whether a badge, card or key, etc.); and what you know (i.e., a PIN for opening a door, or a username and password for computer access). There also is an emerging, fourth dimension: "where you are," which can be validated through GPS technology in an NFC-enabled mobile phone used to house a credential. Note that a location reported by the phone is asserted by the device itself, so it is only as trustworthy as the device that reports it.
The concept of virtualized credentials raises many other questions. For instance, if a user's identity resides on a mobile phone, how can one be sure that the device is trusted and secure? Or if a user loses a USB stick that houses his or her identity, how does one retire that device and revoke the credential on it without affecting the same user's credential residing on another device? Answering the second question requires each device to hold its own distinguishable instance of the credential, so that one instance can be revoked while the others remain valid.
Consider the complexity of one likely use case. First, a server sends an individual’s virtualized credentials over a wireless carrier’s connection to his or her mobile phone. This person’s virtualized credentials are then “presented” at a facility entry point by holding the phone close to an IP-based access controller that is connected to another server. How can we know that the credential is valid? Both endpoints, plus all of the systems in between, must be able to trust each other. There needs to be a transparently managed chain of trust going all the way down the line.
HID Global’s Trusted Identity Platform (TIP) addresses these issues. TIP is a framework for creating, delivering and managing secure identities in a virtualized credential environment. At the heart of the TIP framework is the Secure Vault, which serves known nodes within a published security policy.
Data security, privacy and reliability in the TIP environment are protected using symmetric-key cryptography, so that all nodes can execute trustworthy transactions. Once a "handshake" is accomplished between the Secure Vault and a node device, the device is deemed to be "trusted" in the network. Trusted devices no longer need to communicate with the Vault, and may operate independently. In this way, the transaction between nodes, such as a credential and a reader, is trusted, and the resulting transaction, such as opening a door or logging onto a computer, can also be deemed trusted. The trade-off of independent operation is that a node learns of a revoked credential only when it next synchronizes with the Vault, so the security policy must bound how long a node may run between check-ins.
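The following is an added illustration of the symmetric-key chain of trust described above; it is not HID Global's TIP protocol or code, and the key-derivation labels, message layout, node names and the test master key are all assumptions. A vault derives a site key and per-credential keys from one master key (key diversification), hands a reader the site key and a credential its own key during a one-time enrollment "handshake", and from then on the reader and credential authenticate each other offline with a mutual HMAC challenge-response. The example also shows the revocation gap: a credential revoked at the vault is still accepted by a reader that has not yet synchronized its blocklist.

```python
"""Symmetric-key chain of trust between a vault, readers and credentials.

Added example only; the protocol, labels and keys here are assumptions,
not HID Global's design. All sample identifiers and the master key are
constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def derive_key(parent_key: bytes, label: bytes, node_id: str) -> bytes:
    """Diversify a child key from a parent key and a node identifier (HMAC-SHA256 as KDF)."""
    return hmac.new(parent_key, label + b"|" + node_id.encode(), hashlib.sha256).digest()


def tag(key: bytes, *parts: bytes) -> bytes:
    """MAC over length-prefixed fields so different field boundaries cannot collide."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Credential:
    cred_id: str
    key: bytes  # diversified per credential; derived from the site key by the vault

    def respond(self, reader_id: str, reader_nonce: bytes):
        """Step 2: answer the reader's challenge and issue our own nonce."""
        nonce = secrets.token_bytes(16)
        t = tag(self.key, b"cred->reader", self.cred_id.encode(), reader_id.encode(), reader_nonce, nonce)
        return self.cred_id, nonce, t

    def verify_reader(self, reader_id: str, reader_nonce: bytes, nonce: bytes, reader_tag: bytes) -> bool:
        """Step 4: confirm the reader also holds the right key (mutual authentication)."""
        expected = tag(self.key, b"reader->cred", reader_id.encode(), self.cred_id.encode(), nonce, reader_nonce)
        return hmac.compare_digest(expected, reader_tag)


@dataclass
class Reader:
    reader_id: str
    site_key: bytes     # lets the reader re-derive any credential key offline
    blocklist: set      # revocations as of the last sync with the vault

    def challenge(self) -> bytes:
        """Step 1: fresh nonce, so a captured credential response cannot be replayed."""
        return secrets.token_bytes(16)

    def verify_credential(self, reader_nonce: bytes, cred_id: str, cred_nonce: bytes, cred_tag: bytes):
        """Step 3: check the credential's MAC; return our own MAC on success, None on failure."""
        if cred_id in self.blocklist:
            return None
        key = derive_key(self.site_key, b"cred", cred_id)
        expected = tag(key, b"cred->reader", cred_id.encode(), self.reader_id.encode(), reader_nonce, cred_nonce)
        if not hmac.compare_digest(expected, cred_tag):
            return None
        return tag(key, b"reader->cred", self.reader_id.encode(), cred_id.encode(), cred_nonce, reader_nonce)

    def sync(self, vault: "SecureVault") -> None:
        """Pull the current revocation list; until this runs, revocations are invisible here."""
        self.blocklist = set(vault.revoked)


@dataclass
class SecureVault:
    master_key: bytes
    site_id: str = "hq-campus"  # assumed site name
    revoked: set = field(default_factory=set)

    def site_key(self) -> bytes:
        return derive_key(self.master_key, b"site", self.site_id)

    def enroll_reader(self, reader_id: str) -> Reader:
        """Handshake: reader receives the site key and a snapshot of the blocklist."""
        return Reader(reader_id, self.site_key(), set(self.revoked))

    def enroll_credential(self, cred_id: str) -> Credential:
        """Handshake: credential receives only its own diversified key."""
        return Credential(cred_id, derive_key(self.site_key(), b"cred", cred_id))

    def revoke(self, cred_id: str) -> None:
        self.revoked.add(cred_id)


def access_transaction(reader: Reader, credential: Credential) -> bool:
    """Run the four-step exchange with no vault involved; True only if both sides authenticate."""
    nr = reader.challenge()
    cred_id, nc, tc = credential.respond(reader.reader_id, nr)
    tr = reader.verify_credential(nr, cred_id, nc, tc)
    if tr is None:
        return False
    return credential.verify_reader(reader.reader_id, nr, nc, tr)


def demo() -> dict:
    """Genuine, cloned-ID, replayed and revoked credentials against one offline reader."""
    vault = SecureVault(master_key=bytes(range(32)))  # constructed test key, never use a fixed key in production
    reader = vault.enroll_reader("door-17")
    phone = vault.enroll_credential("alice-phone")
    rogue = Credential("alice-phone", secrets.token_bytes(32))  # right ID, wrong key
    results = {
        "genuine": access_transaction(reader, phone),
        "cloned_id_wrong_key": access_transaction(reader, rogue),
    }
    nr = reader.challenge()
    captured = phone.respond(reader.reader_id, nr)  # eavesdropped response to nonce nr
    results["replayed_response"] = reader.verify_credential(reader.challenge(), *captured) is not None
    vault.revoke("alice-phone")
    results["revoked_but_reader_not_synced"] = access_transaction(reader, phone)
    reader.sync(vault)
    results["revoked_after_sync"] = access_transaction(reader, phone)
    return results


if __name__ == "__main__":
    for case, opened in demo().items():
        print(f"{case:32s} door opened: {opened}")
```

The reader never contacts the vault during a transaction because the site key lets it re-derive any credential's key on the spot, which is what allows nodes to "operate independently". The price is visible in the two revocation results: the lost phone keeps opening the door until the reader syncs, so a real deployment has to schedule those syncs and decide what a reader does when it cannot reach the vault at all.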
Virtualized credentials are poised to enable a new era of more convenient and secure access and transactions. Moving into this new world will require a simple but protected, fully scalable and standards-based identity system that can provision virtualized credentials anywhere in the world, to identity nodes ranging from traditional readers and cards to NFC-equipped mobile phones.