InvestSMART

NFC's concealed capabilities

Near-field communication could be the future of payment innovation in Australia, but it is capable of much more, especially when it comes to identity verification.
By Jordan Cullis · 29 Jun 2012

Cardless payment systems are set to be the next flashpoint in the smartphone wars. Rumours are swirling that the iPhone 5 will offer near-field communication (NFC) payments, even if Australian consumers aren't ready for it. We may just be getting used to the idea of waving rather than swiping a card to pay for goods, but soon we won't need the card at all, just an NFC-enabled phone.

But you would be wrong to assume that NFC only opens the door to new payment methods. Paying with your phone only scratches the surface of what the technology can do.

The changing face of "identity" and identity management

We often think about identity in terms of the card that carries it. Clearly, though, an "identity" can now take the shape of a mobile phone, a USB stick or some other medium. These virtualised credentials expand the concept of identity beyond the traditional ID card to many different credential form factors.

This new way of thinking is driving fundamental changes in how we deliver and manage secure identity. Today's new credential form factors improve user convenience and flexibility, but they also raise the question of how to ensure that every identity can be trusted. If a user's identity resides on a mobile phone, how can one be sure that the device itself is trusted and secure? If a user loses a USB stick that houses their identity, how does one disable that device without affecting the same credential residing on another device?

Factors involved in virtualised credentials' authentication and management

Managing virtualised credentials can be a complex process. In one typical example, a server first sends a person's virtualised credential over a wireless carrier's network to that person's mobile phone. To "present" the credential at a facility entry point, the phone is held close to an IP-based access controller, which is connected to another server. At every step there must be a way to confirm that the credential is valid: both endpoints, and every system in between, must be able to trust each other, which means a transparently managed chain of trust running from one end to the other.

Modern transactional systems rest on the ability to trust the identification of a person, computer, website, cheque or credit card. Unfortunately, the effort required to authenticate each of these has grown considerably. One aspect of secure identity systems simplifies the problem: like mobile networks, they are closed systems. To use one, you generally must pass a background check and sign a legal agreement before the basic blocks describing your identity are constructed. It is this strong authentication and binding that gives the basic blocks of a secure identity system their inherent trust.

Simply holding a current and valid set of identity blocks therefore means one has passed this bar and is a member in good standing of the closed system. It also means the blocks, and the systems supporting them, can be simpler and built on industry standards. This is the approach taken by the Trusted Identity Platform (TIP), which validates every endpoint, or node, in the network (credentials, printers, readers and NFC phones) so that transactions between nodes can be trusted.

Benefits of the Trusted Identity Platform

TIP is a framework for creating, delivering and managing secure identities in a virtualised credential environment. At its heart is the Secure Vault, which serves known nodes within a published security policy. TIP delivers three critical capabilities: plug-and-play secure channels between hardware and software; key management and secure provisioning processes; and integration with existing IT infrastructure.

Data security, privacy and reliability in the TIP environment rest on symmetric-key cryptography, so that all nodes can execute trustworthy transactions. Once a "handshake" is completed between the Secure Vault and a node device, that device is deemed "trusted" in the network. Trusted devices no longer need to communicate with the Vault and may operate independently. In this way the transaction between two nodes, such as a credential and a reader, is trusted, and the resulting action, such as opening a door or logging on to a computer, can also be deemed trusted.
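To make the chain of trust described above concrete, here is a constructed model in Python of the three steps the article outlines: the Vault provisions a key to each node and registers it through a mutual challenge-response handshake; a registered phone receives a credential; and a registered reader then checks that credential offline, without contacting the Vault. This is an added example for this page, not HID Global's TIP protocol or code: the node names, the HMAC-SHA256 construction, the key-derivation labels and the per-node key diversification are assumptions chosen to illustrate the design. It also shows the caveat that offline trust carries: a credential revoked at the Vault is still accepted by a reader until that reader next synchronises its revocation list.

```python
"""Constructed illustration of a symmetric-key trust chain between a central 'vault', a phone
holding a credential and a door reader. Example code for this article, not HID Global's TIP;
key-derivation labels, message layout and node IDs are assumptions."""
import hashlib, hmac, json, os

def diversify(master_key: bytes, label: str) -> bytes:
    # Per-node key = HMAC-SHA256(master, label): a compromised node leaks only its own key.
    return hmac.new(master_key, label.encode(), hashlib.sha256).digest()

def mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 over length-prefixed fields, so field boundaries cannot be shifted.
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Node:
    """A phone credential or a door reader; holds only the keys the vault gave it."""
    def __init__(self, node_id: str, node_key: bytes):
        self.node_id, self.node_key = node_id, node_key
        self.credential = self.cred_key = None  # phone side: (body, tag) and possession key
        self.site_key, self.revoked = None, set()  # reader side: site key, revocation list

    def answer(self, vault_nonce: bytes):
        # Handshake step 1: prove possession of node_key on the vault's fresh challenge.
        self.nonce = os.urandom(16)
        return self.nonce, mac(self.node_key, b"node", vault_nonce, self.nonce)

    def check_vault(self, vault_nonce: bytes, vault_proof: bytes) -> bool:
        # Handshake step 2: the node verifies the vault knows the same key (mutual auth).
        expected = mac(self.node_key, b"vault", self.nonce, vault_nonce)
        return hmac.compare_digest(vault_proof, expected)

class Vault:
    """Trust anchor: holds the master key, registers nodes, issues and revokes credentials."""
    def __init__(self):
        self.master, self.trusted_nodes, self.revoked = os.urandom(32), set(), set()

    def provision_node(self, node_id: str) -> bytes:
        # Delivered once over a protected provisioning channel (assumed, out of scope here).
        return diversify(self.master, "node:" + node_id)

    def handshake(self, node: Node) -> bool:
        # Mutual challenge-response; on success the node is recorded as trusted.
        key = self.provision_node(node.node_id)  # recomputed, never stored per node
        vault_nonce = os.urandom(16)
        node_nonce, node_proof = node.answer(vault_nonce)
        if not hmac.compare_digest(node_proof, mac(key, b"node", vault_nonce, node_nonce)):
            return False
        self.trusted_nodes.add(node.node_id)
        return node.check_vault(vault_nonce, mac(key, b"vault", node_nonce, vault_nonce))

    def issue_credential(self, phone: Node, holder: str, expires: int) -> bool:
        # Only a registered phone gets a credential; the tag is under the site key readers hold.
        if phone.node_id not in self.trusted_nodes:
            return False
        body = json.dumps({"cred_id": phone.node_id, "holder": holder, "expires": expires},
                          sort_keys=True).encode()
        site_key = diversify(self.master, "site")
        phone.credential = (body, mac(site_key, b"cred", body))
        phone.cred_key = diversify(site_key, "cred:" + phone.node_id)
        return True

    def sync_reader(self, reader: Node) -> None:
        # Push site key and current revocation list; afterwards the reader works offline.
        if reader.node_id in self.trusted_nodes:
            reader.site_key, reader.revoked = diversify(self.master, "site"), set(self.revoked)

def present(phone: Node, reader: Node, now: int) -> bool:
    """Offline presentation at the door: the vault is not contacted."""
    if phone.credential is None or reader.site_key is None:
        return False
    body, tag = phone.credential
    if not hmac.compare_digest(tag, mac(reader.site_key, b"cred", body)):
        return False  # forged or altered credential
    fields = json.loads(body)
    if fields["expires"] <= now or fields["cred_id"] in reader.revoked:
        return False  # expired, or revoked as of the reader's last sync
    challenge = os.urandom(16)  # fresh per tap, so a recorded response cannot be replayed
    response = mac(phone.cred_key, b"present", challenge)
    cred_key = diversify(reader.site_key, "cred:" + fields["cred_id"])
    return hmac.compare_digest(response, mac(cred_key, b"present", challenge))

def demo() -> dict:
    """Runs the whole chain and returns each step's decision."""
    vault = Vault()
    phone = Node("phone-42", vault.provision_node("phone-42"))
    reader = Node("door-7", vault.provision_node("door-7"))
    impostor = Node("phone-42", os.urandom(32))  # claims the phone's ID with the wrong key
    out = {"phone_registered": vault.handshake(phone),
           "reader_registered": vault.handshake(reader),
           "impostor_registered": vault.handshake(impostor)}
    vault.issue_credential(phone, holder="employee-0001", expires=2000)
    vault.sync_reader(reader)
    out["door_opens"] = present(phone, reader, now=1000)
    out["expired_rejected"] = present(phone, reader, now=3000)
    vault.revoked.add("phone-42")  # lost phone: revoke at the vault
    out["opens_before_reader_sync"] = present(phone, reader, now=1000)
    vault.sync_reader(reader)
    out["rejected_after_reader_sync"] = present(phone, reader, now=1000)
    return out
```

Calling demo() returns the decision taken at each step: both genuine nodes register, a node claiming the phone's ID with the wrong key does not, the door opens for a valid credential, and an expired or revoked credential is refused once the reader knows about it. Because the scheme is symmetric, every reader in this model holds the site key; in a deployment that key would live in the reader's secure element or SAM rather than in general memory, since extracting it from one reader would allow credentials to be forged for all of them.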

NFC-based access systems and other virtualised credentials will enable a new era of more convenient and secure transactions. Delivering on this promise will require an identity delivery system that is simple but protected, fully scalable and standards-based. It will need to support a wide variety of identity nodes, ranging from readers and cards to NFC-equipped mobile phones, each of which can be registered as a "trusted node" so that it can be securely provisioned anywhere in the world.

Jordan Cullis is the director of sales at HID Global. He will be presenting a session titled "Unlocking the world of digital keys and portable identity credentials on mobile phones" at the Security 2012 Exhibition on Friday, July 27.
