IT Security & Network Security News & Reviews - eWeek




Turning Mobile Devices Into University Dorm Keys




The consumerization of IT makes the case for mobile-based security and authentication.

Smartphones and tablets are capable of many things, from accessing Web applications and checking email to opening files and running apps. For some Arizona State University students participating in a recent pilot program, their smartphones also doubled as their dorm keys.

While some IT departments view the growing number of personal devices within an organization as a security risk, others are taking advantage of the ubiquitousness of these same devices to deploy mobile-based authentication and credential management measures.

Considering that users are likely to have their phones within reach at all times, it makes sense to use these devices to implement security within the enterprise, Dave Mahdi, senior product marketing manager of Entrust, a provider of mobile-based authentication, told eWEEK.

For more than a month, 27 students and five staff members at Arizona State University used smartphones that had been specially customized with a Near Field Communication (NFC) chip to enter select residence halls and residents' rooms, according to Jeremy Hyatt, director of corporate communications at HID Global, the company that ran the pilot program.

To open door locks, participants waved their phones in front of a door reader just like they would with their existing Sun Cards, physical badges normally used by ASU students and staff to access campus facilities. Select participants who had door readers for their individual rooms would enter an additional PIN code to verify their identity before being allowed access.

"We don't see physical access cards going away, but we do see mobile-based access slowly becoming big over the year," Hyatt told eWEEK.

In initial feedback, about 80 percent of the participants reported that using a smartphone to unlock a door was just as convenient as using their campus ID card, HID Global said. Nearly 90 percent said they would like to use their smartphone to open all doors on campus. Nearly all participants also expressed an interest in using the phone for other purposes, such as accessing the student recreation center and paying for food at the dining hall.

"This project with HID Global has proven that a ubiquitous device can converge secure identity credentials and physical access control," said Laura Ploughe, ASU’s director of business applications and fiscal control at the school’s University Business Services.

About 86 percent of respondents said other students had approached them with questions about getting a similar phone for themselves and made comments about the "coolness" of the technology, Hyatt said. ASU at this time does not plan to extend the pilot program to the rest of the campus, Hyatt said. HID Global is planning similar projects with other universities and within government and enterprises in 2012.

The "first physical access trial of its kind" on a university campus, as Hyatt called it, was a "mutual idea" that came out of a brainstorming session between Ploughe and HID Global, which provides the technology behind the Sun Cards already used on campus. In a conversation about "futuristic technology," Ploughe wanted to know how the technology could be adapted for the campus.

“When I first saw this technology used in other applications, I recognized the benefits it could bring to a university campus,” Ploughe said.

NFC technology is already being used for mobile-payment initiatives such as Google Wallet, but there are security applications that can benefit from hardware-based authentication, said Steven Sprague, CEO of Wave Systems. Just as the Trusted Computing Module chip inside PCs provides a way to identify computers as a "known device," the chip in mobile devices would allow enterprises to recognize the devices on the network, Sprague said. This would be a step up from the current scenario where IT departments have no idea what is in their network.

The "beautiful" thing about mobile devices is the fact that users are attached to them, according to Entrust's Mahdi. "When is the last time you looked at your wallet? When is the last time you checked your phone?" he asked, noting that people are likely to check their device every few minutes.

People on their way to work, upon realizing they'd left their building badge or keychain fobs behind, generally just keep going to work, according to Mahdi. In contrast, if people realize they'd left their phone behind, they are more likely to go back home and get it, he said.

Many participants in the ASU pilot said that, while they often leave their room without their keys and Sun Card campus IDs, they never forgot their phones.

The mobile phone is "arguably the most personal and indispensable of all mobile devices" and is carried by "virtually all demographic groups," Derek Brink, vice president and research fellow for IT security and governance, risk management and compliance at the Aberdeen Group, wrote in a recent research note.

The line between corporate-owned and personal devices is blurring, according to a recent survey by Information Systems Audit and Control Association. Two-thirds of employees between the ages of 18 and 34 in the survey said they have a personal device that they also use for work, ISACA found.

"Enterprises are proactively re-evaluating their strategies for authenticating end users with methods that are stronger than username and password," said Brink, who noted there was a "strong interest" in phone-based approaches.

A typical employee uses multiple identities and credentials throughout a typical day, including a badge that controls physical access to the building, logging into the computer and network as well as accessing enterprise applications such as Salesforce.com and email, according to Mahdi. Using mobile devices as a credential can eliminate the enterprise's reliance on usernames and passwords, Mahdi said. IT departments can grant an employee access to an application based on the fact that it recognizes the mobile device as belonging to that user.

Symantec-owned Verisign has an authentication service that sends one-time passwords to the user's mobile device that can be used to log into corporate applications. Validation and ID Protection (VIP) Authentication Service allows enterprises to "profile the device and determine that you are you," said Brendon Wilson, senior product marketing manager for user authentication at Symantec.

VIP Authentication combines something the user knows, such as the username and password, with something the user has, such as a card, token or mobile phone, according to Wilson. The service also looks at past history, such as what time the user usually logs in or the configuration of the device, to ensure that this is a legitimate login attempt.

Several smaller "niche" players with limited security capabilities use the cloud-based service within their environment, according to Wilson. Several Web services also offer users the option of registering their devices directly with them in order to log into their online account. VIP Access for Mobile is currently available for a range of companies, including PayPal, Merrill Lynch, GEICO and eBay, according to Symantec.

Instead of one-time passwords, authentication company PhoneFactor uses the mobile device to prompt the user to confirm a transaction begun on the PC. The prompt can take the form of an actual phone call, text messages or a native app for iOS devices, said Sarah Fender, vice president of marketing and product development.

An Android app is in the works and expected soon.

When the user starts the login process to an application or an online banking transaction on the PC, a notification is sent to the mobile app describing the attempted activity. The user must tap on the "authenticate" button on the app before the process on the PC can proceed. PhoneFactor offers the same capability using a phone call or text message. Administrators can also add another layer of security by requiring users to enter a PIN to unlock the app before they can hit the "authenticate" button, according to Fender.

One-time passwords are often problematic because the computer can be compromised, giving the attacker a window of opportunity to steal credentials, Fender said. PhoneFactor keeps both the prompt and authorization out-of-band and away from the potentially infected computer, she said.
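The out-of-band approval flow described above, modelled as an added Python illustration (a constructed example, not PhoneFactor's code): the PC session can only open a pending request, and the approval is a signature computed on the enrolled phone over the exact activity shown to the user, so a request id captured from an infected PC cannot be turned into an approval, altered, or replayed. The class and method names, the HMAC-based approval and the 60-second expiry are assumptions of this example.

```python
import hmac
import hashlib
import secrets
import time


class OutOfBandApprover:
    """Toy server side of a push-style out-of-band login approval.

    The browser on the PC never sees the device key: it only learns a request
    id. Approval must arrive from the enrolled phone, bound to the description
    the user actually read before tapping 'authenticate'.
    """

    TTL_SECONDS = 60  # assumed freshness window for a pending prompt

    def __init__(self):
        self.device_keys = {}  # user -> per-device secret set at enrollment
        self.pending = {}      # request id -> (user, description, created_at)

    def enroll_device(self, user):
        key = secrets.token_bytes(32)  # provisioned into the phone app only
        self.device_keys[user] = key
        return key

    def start_login(self, user, description):
        """Called when the PC session starts a login or transaction. Nothing is
        granted yet; the id is what the push notification carries."""
        req_id = secrets.token_hex(16)
        self.pending[req_id] = (user, description, time.time())
        return req_id

    @staticmethod
    def phone_approve(device_key, req_id, description):
        """Runs on the phone: signs exactly what was displayed to the user."""
        msg = f"{req_id}|{description}".encode()
        return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

    def complete_login(self, req_id, signature, now=None):
        """Proceed only for a fresh, unused request whose signature was made
        with the enrolled key over the same description the server recorded."""
        entry = self.pending.pop(req_id, None)  # one-shot: blocks replay
        if entry is None:
            return False
        user, description, created = entry
        if (now if now is not None else time.time()) - created > self.TTL_SECONDS:
            return False  # stale prompt, user must start over
        key = self.device_keys.get(user)
        if key is None:
            return False
        expected = self.phone_approve(key, req_id, description)
        return hmac.compare_digest(expected, signature)
```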

Instead of investing in smart cards and hardware-based tokens, it is far cheaper for enterprises to take advantage of the devices employees are already using, Mahdi said.

Enterprises can "ride the wave" to consumerization and take advantage of the devices to implement security, said Mahdi, adding, "they can actually alleviate some of the problems that exist today."

By Fahmida Y. Rashid