Token Behaviours

Access Token

 

The Internet of Things or IoT has stirred the imaginations of vastly diverse groups from the C-level executives at the worlds largest corporations to the engineers designing applications to the component manufacturers trying to cram the ‘perfect’ feature/price balance into their latest silicon creation and similarly at the consumer end of town, the most prolific source of most of the ‘Big Data’ outside the M2M world.

It generates vast quantities of data, has the potential to create large volumes of recurring revenues and to provide the material for mining valuable glimmers of knowledge from the immense information resource gathered. But what impact can we expect from all this on the access control and security markets?

Most of us are aware of the uptake of BYOD and the ever growing presence of NFC in cellular devices changing the credential practices of many organisations in the enterprise sector, bluetooth entry systems having been around for quite a few years now as well in the lower security residential markets, these in some ways have taken away some of the lack of choices of credentialing for many users, adding in biometrics – Fingerprints, hand geometry, iris recognition, vein pattern recognition, facial recognition to a lesser degree and others, they have all opened up options for those with a need to control access to resources using machine verifiable means, however, what about going beyond this?

Many of us have the RFID and biometric profile verified passports, but have you thought of what further path this might take?

The following article explores some concepts and applications of technology that may disturb some of the more paranoid amongst us, those with foil hats in the drawer, you may want to dig them out and strap yourself in!

Size matters

Many people mistakenly associate the IoT exclusively with Machine to Machine events and communications, but this is not reality, any device you can imagine that can generate, consume, or analyse data can and likely is already a part of the IoT world, and not all of them are always on as you might assume, many of these devices only need transitory connection to the greater hive of devices to contribute.

Your smart phone is one of the most common items carried by pretty much anyone involved in business and many consumers as well, with in excess of 2 Billion smartphone users estimated to be active by 2016 and with uptake accelerating year on year it is one of the growth sectors contributing to the IoT ecosystem; but it doesn’t stop there, with wearables becoming increasingly common and everything from your car to your light fixtures coming online with some embedded intelligence, no matter how seemingly inconsequential, the numbers of devices becomes truly staggering. A common figure projected is 50 Billion devices online by 2020, not counting industry and city wide applications its easy to see this reality and more, and the bigger it gets, the more useful it becomes.

Secrets and Lies

Most credentials are based upon something that is not readily replicable. In most cases this is a secret of sorts, be it a data sequence in a physical token, a code or password you enter or a physical trait on your person, these are all things that are considered difficult for an outsider to replicate because they have limited knowledge of the secret be it your code digits or the edges onyour fingerprint. It is postured that the next move for credentials utilised to control access to resources and facilities will likely follow in line with the ‘something you have’ principle, rather than the path of biometric analysis and ‘something you are’ or the ‘something you know’ knowledge based secret, but human nature is fickle and the obvious path of implant based credentials  or skin applied barcodes whilst popular in many film scenarios set in the future has the vast majority of the population cringing at the thought of it, short of forcibly implanting the populace with an RFID device there is very little chance this will eventuate into the populace encompassing practice envisioned in hollywood.

 

The old faithful access card is well entrenched, and provides a means of linking a human recognisable identifying marker [Photo] with a machine readable and verifiable secure token. Usually the wide publication of easily broken or broad copying of these credentials is what sounds the death knell of a credential technology, at least at the deployment level.

Yet, even the most secure card protocols are still vulnerable to human nature when used as the only verification method.

As an additional factor in broad, generic use of card based identity systems there has always been a certain stigma in certain groups about being issued a credential, in years past there was outcry over the issuing of centrally managed and issued, unified identification cards for citizens, fear not, that is not where the path lay! You don’t need a card for this to occur, the ‘establishment’ does not need to DNA sample you and everyone on your bus to identify each of us.

Access Graph

Tomorrows next big gadget…You!

Many people are now aware and understand the value of data gathered from users of many of these devices, the ‘Freemium’ gaming industry being well and truly on top of monetising interactions and certain addictive human traits, but what are the others?

Whilst card readers are by far the largest used devices for granting access and certainly one of the ones we are most aware of direct, conscious interaction with, surveillance devices are pervasive in todays world, be it a surveillance camera, a dash cam, traffic cameras or camera phones, you will be recorded on average over 70 times a day, often many more if your employment takes you anywhere considered to have a higher risk profile.

One of the sources of data that is often missed in the IoT analysis is these video surveillance devices, yes, these devices themselves are a part of the IoT universe at the device level concept, many of us are well aware of this aspect, but the data generated by them is often mostly missed from being incorporated into the big picture. The implementation of Intelligent Video Analytics [IVA], facial recognition engines, gait analysis, audio analysis and more has created a ‘virtual layer’ of devices that don’t in themselves exist but parasitically reside on top of others, using whatever physical resources may be available to gather data about what is going on in the physical world around them, very much akin to the apps you provide those game developers valuable data through, only embedded deeper and visible to a relative few instead of the tens of millions of people knowingly using them.

Whether most are aware of it or not, at various times in your daily life you will likely be captured, analysed and data extracted about just what quantifies ‘You’, this dataset may be limited in many regards today, but in a very short time the rich source of data that is your daily life will be able to be compiled into an ever growing array of patterns, a digital fingerprint of sorts that will be capable of allocating a percentage probability of your identity based upon different subsets of data that has been gathered about you; the what of you, the how of you, the when and even the who with regard to how you interact with others, the time it takes you to perform certain tasks, the route you take between rooms or destinations, the approximate times of day you interact with your environment in certain ways, they all leverage the IoT to gather a vast amount of data, this data is most often used to improve your life or make it easier, increase energy efficiencies, reduce costs of achieving certain tasks, but in a large enough sample they can be used to predict many behaviours and define the differences between individuals. You may ask, how could it know you are you…’Robert Smith’ at your particular home address?

It doesn’t have to, it simply needs to know you are database entry “kz5pw934”, the same person it identified at 37 previous interactions earlier today, or this week or however long the fingerprint was identified to be able to use it to expand and enhance the dataset.

Familiarity in chaos

You can compare this to the very human trait of getting to know a persons behaviour and habits close to us, we get to know and anticipate what people will have a high likelihood of doing next, we may even be able to recognise someone by these behaviours if they were to look completely different, but this is done by a cluster of computing engines and interlinking communications paths instead of a human mind getting familiar with the person.

This level of technology cooperation may not only provide us with greater flexibility and more secure security credentials, it will very likely enable a significantly safer world, where terrorists will not only need to procure a new credential, they will need to change everything about themselves in order to hide.

Jonathan Johnson has nearly 20 years experience in security and related technologies. Starting at the technical level he has experience in hands-on and consulting roles across the spectrum up to board level. He is currently  Regional Sales Manager in the Oceania Region for Senstar Corporation and APAC Cyber Security Products Lead.