By Tam Hulusi
Innovation often comes at the intersection of multiple existing technologies, and gesture technology is a good example in the access control industry. With the advent of smart mobile devices that feature accelerometers, wireless connections, and powerful processing capabilities, it is now possible to control a variety of RFID devices including card readers and electronic locks with a user-defined wave of the hand or other motion gesture. Just as mouse technology revolutionized the computer interface, gesture technology is expected to change how users interact with access control systems.
Gesture technology offers the opportunity to enhance user experience while increasing security and providing genuine user privacy. It will add a new authentication factor to the existing access control rule set that goes beyond something the cardholder “has” (the card) to include a gesture based version of something the cardholder “knows” (like a password or PIN). Gesture based access control can also increase speed, and minimize the possibility of a rogue device surreptitiously stealing the user’s credential in a “bump and clone” attack.
How Gesture Technology Works
The industry is already seeing the impact of gesture technology in gaming. Further developments are underway in the interactive TV market, where users are able to virtually swipe through on-screen TV and game console menus by gesturing in the air from their seats. Other developing applications for gesture technology include robots that help care for the elderly, and digital signage that can see who the customer is and display content relevant to them. The access control industry is poised to experience a similar transformation.
Working with smartphones in a mobile access control environment, gesture technology will leverage a smartphone’s built-in accelerometer feature to control RFID devices through two- and three-dimensional hand or wrist movements. Because the accelerometer in a phone senses movement and gravity, it can tell which way the screen is being held. This allows for a novel way of adding another authentication factor to the existing authentication scheme.
Gestures could be used to unlock apps, to lock and unlock doors as an alternative to mechanical keys, and to secretly signal the system and security personnel when entry is occurring under duress. Gesture recognition can also be combined with other authentication factors, such as those from finger-, hand-, iris- and facial-based biometric systems, to make multi-factor authentication on a single, integrated device a reality.
It will also be possible, and perhaps desirable, to make gesture the only (single) authentication factor, although this likely would only be for access to areas within a facility that have lower security requirements. In these and other access control applications, gestures would be an additive capability for ID verification.
To use gesture technology, users simply define or choose from a predetermined series of hand motion sequences or gestures that can be used to control operation of an RFID based device or a smartphone. Gestures will work in a two- or three-dimensional fashion. For instance, a user could present his or her card to a reader, rotate the card 90° to the right, and then return it to the original position in order for the card to be read and for access to be granted. Adding gesture capabilities to a wireless connection gives users a great deal of control over how they interact with the access control system. The image below demonstrates several scenarios.
Rolling Out Mobile Access Control and Gesture Technology
Mobile access control will be rolled out in stages. In the first deployment phase, also known as card emulation mode, smartphones will receive digital keys that users can present to door readers in the same way they present ID badges today. In situations requiring extra security, it will be an easy process to push an application to the phone that requires the user to, for instance, perform a pre-defined gesture swipe on the phone.
Mobile access control and the ability to use gesture technology to control RFID devices requires rethinking how to manage physical access credentials, and to make them portable to smartphones. The first requirement is wireless connectivity technology, and the access control platform should support any communication channel, so that it can be used with the broadest range of devices including Android-based phones and iPhones, without the need for additional handset sleeves or gadgets.
Additionally, mobile access control requires an open and adaptable secure identity platform that can turn mobile devices into reliable credentials. This platform must use a new data model that can represent many forms of identity information on any device that has been enabled to work within a secure boundary and central identity management ecosystem, with a secure communications channel for transferring identity information between validated phones, their secure elements (SEs), and other secure media and devices. The authentication credential is stored on the mobile device’s SE, and a cloud based identity provisioning model eliminates the risk of credential copying while making it easier to issue temporary credentials, cancel lost or stolen credentials, and monitor and modify security parameters when required.
Further into the future, the phone’s on-board computing power and built-in network connectivity will be used to perform most tasks that today are jointly executed by card readers and servers or panels in traditional access control systems. This includes verifying identity with rules such as whether the access request is within a permitted time and, using the phone’s GPS capability, whether the person is actually standing at the door. Information is checked against cloud data, and the phone sends a message over a cryptographically secure communication channel to open the door.
With this model, mobile devices (rather than an access control system) become the access decision makers, and doors (rather than cards) become the ID badges. This paradigm reversal—sometimes called duality—will change how access control solutions are offered. Organizations will no longer need intelligent readers connected to back end servers through physical cabling—just standalone electronic locks that can recognize a mobile device’s encrypted “open” command and operate under a set of access rules. This would dramatically reduce access control deployment costs, and facility managers could begin securing interior doors, filing cabinets, storage units, and other areas where it has been prohibitively expensive to install a traditional wired infrastructure.
The virtualization of contactless smart cards, and their residency on smartphones, allows a whole host of innovative thinking, along with the ability to combine many access control applications and capabilities into a single solution.
As the industry moves to a mobile access control model that turns smartphones into trusted credentials, these devices also offer an ideal platform for gesture technology. Used alone or in tandem with other authentication factors, gestures will be easy to use, and offer the potential to significantly improve privacy and security.
Hulusi is senior vice president of Strategic Innovation and Intellectual Property for HID Global, a provider of products, services, and solutions related to the creation, management, and use of secure identities.