Biometrics streamline, enhance increasingly ubiquitous digital locks

Secure access management for cars, homes and offices is increasingly adopting more complex, connected digital locking technology to control who goes in and out.

Access technology isn’t new; key cards for hotels have been around for years, but smartphone apps are starting to replace key fobs for cars, and locks on doors are increasingly integrated with security surveillance systems.

As today’s locks go digital, they require a mix of hardware, software, connectivity and even biometrics to work together in concert.

Digital car lock adoption is revving up

Today’s automobiles are an obvious vehicle for digital lock technology as cars have become increasingly digitized in many other ways.

Digital locks for vehicles are a key focus of the Car Connectivity Consortium (CCC), a global standards body with more than 300 members across automotive OEMs, smart device manufacturers, Tier 1 suppliers, and other technology companies. Global standards and specifications have revolved around three key areas: security, interoperability, and user experience.

CCC technical director Glenn Stone told Fierce Electronics the ecosystem is growing through proprietary manufacturer’s deals. A high end car today can be unlocked by a smartphone through proximity alone, and there are smartphone apps that allow people to share access to their vehicle with friends and family if they have the same app.

Stone said there’s a move beyond proprietary solutions toward more interoperability. “One thingthat a standard does is it tends to create a platform where multiple industries can use it, and generally that will bring down barriers to entry.” He said lowering these barriers typically increases adoption.

A decade ago, availability of features like Google Play / Android Auto and Apple CarPlay weren’t sticking points for buyers, Stone said, but now they are expected, and digital locks are headed down the same road.

These expectations aren’t limited to how people unlock their car doors, either, which is why the consortium liaises with other standards organization to avoid reinventing the wheel, Stone said, as well as making sure it uses technologies such as Ultra-Wide Band (UWB), Near Field Communication (NFC), and Bluetooth in a consistent manner that avoids band interference.

For now, Stone said the CCC is focused on efforts to create an interoperable, secure system that supports a compelling user experience for cars owners who are used to adopting ecosystems from companies like Apple or Google, yet don’t want to be locked in. “Consumers buy different cars, and they do buy different phones, and they have friends with different phones and different cars,” he said.

Many factors influence lock design

When deploying digital locks, there are trade offs driven by form factors, end user experiences and finding a balance between security and convenience. Jake Leichtling, director of product management, access control at Verkada told Fierce Electronics that selecting a digital lock solution is less about hierarchy and more about having a taxonomy. “You have this whole tree of locks,” he said. “It's all about what problem you're trying to solve.”

hand holding card against a lock

The evolution of car locks illustrates the many aspects of a potential digital solution, Leichtling said. Early approaches using smartphones involve Bluetooth Low Energy (BLE) – the phone is a peripheral while the car is acting like a server receiving packets, and the car determines the signal is strong enough and hence the driver with their key is close enough, he said. “They can do a full encrypted handshake.”

But BLE isn’t foolproof – a replay attack by a sophisticated attacker with a Bluetooth antenna can make the car think it’s right next to the smartphone even when it’s miles away. Leichtling said UWB is becoming the preferred technology for digital vehicle locks because it allows for precise positioning and ranging between the objects, he said.

Leichtling said Apple and Google need to do more work on their operating systems to expose more UWB capabilities to allow for better use in access control and digital locks. “There are operating system-level limitations on Ultra Wide Band.”

At the other end of the spectrum, there are corporate offices, schools, and industrial facilities that all benefit from digital locks, but they must be able to work in the event of a power or internet disruption, Leichtling said. “We see a lot of adoption of battery powered wireless locks in schools because it's a cost effective way to access your classroom doors, which is a really an important safety feature in a school.”

Digital locks are the key to smart access management

Leichtling said locks that are part of a broader enterprise access management system are typically connected to a networking closet with an access control unit (ACU), which is the “brain” that allows the lock interfaces to communicate with whatever key is being used, whether it’s a card, key fob, smartphone, or biometric input, such as a palm, face, or fingerprint scan.

Multi-factor authentication (MFA) will use more than one to offer more robust security and better identify the user, Leichtling said, but there are trade offs that must be made in terms of robustness versus power and security versus convenience.

The lock itself can be mechanically complex and heavy depending on the use case, he added, and the overall system also becomes more complex when it is hooked up to an integrated alarm system that can even summon police if necessary.

There are also many ways for users to provide the credentials, including low frequency key fobs and cards, which are the most used but also the most insecure, Leichtling said, while encrypted, NFC cards communicate with the reader at a higher frequency.

There are different options for readers, too, which has a huge impact on the architecture of the system overall, he said. Not all are internet connected, which means decisions are made locally as to who can have access. “The key cards can be used to reprogram the locks in certain ways,” Leichtling said. “It can be cheaper, and the batteries can last longer.”

The disadvantage is that you can’t control your “fleet” of locks, he said. A Wi-Fi connected lock, however, is fairly battery intensive, so these locks are not constantly connected to the Wi-Fi network and usually include a hub for every 20 doors or so, Leichtling said. “They check in usually once every 24 hours and can receive new access control configurations.”

This approach adds cost, but also supports management software, an essential part of the architecture which determines how easily and quickly any firmware updates are applied.

Biometrics are the key that can’t be lost or stolen

Leichtling said combining a smartphone with biometrics improves both security and convenience, although there can be privacy concerns when collecting biometric data. When done properly, it’s a compelling combination, he said, and Verkada collaborates with biometric reader providers.

One way to solve the privacy issue is by using a biometric card that stores the information locally, Fredrik Martinsson, senior director of business development and channels at Fingerprints, told Fierce Electronics. Whether it is for payment or gaining access, the user needs to place their thumb on a reader on the card while sliding or tapping the card. “No biometrics is even required to be uploaded to any access management system.”

The best thing about biometrics is unlike a key, card, key fob, or smartphone, they can’t be lost. (Although stealing someone’s fingerprints to mount a heist does happen in the movies).

Because your biometrics can’t be lost, Martinsson said, they are the most convenient way of accessing a digital lock – with a key fob, it’s not the person who’s been given access, it’s the key fob, which be transferred or stolen – biometrics can prove the correct person is being allow inside.

Biometrics may not be the primary access method, however. Instead, it can be part of a part of an MFA solution – a smartphone acts as a key fob, but only if it is activated by a thumb scan, for example. “The phone is very universal,” Martinsson said.

Today’s smartphones not only use thumb prints but also facial recognition, which could be integrated into the access point itself. Martinsson said. Fingerprints provide iris biometrics, which is a very secure modality. One of the drawbacks of facial recognition is that it’s possible to have a sibling or other relative who might be confirmed by an algorithm as being you when it’s not, he said. “Your iris is extremely unique for you as a person.”

There are also voice and behavioral biometrics – people can be recognized by their gait, for example.

Fingerprints has a biometrics card solution that can be used for locks and payment processing. Martinsson said this form of enhanced authentication allows for granular control of who has access to specific areas inside a building.

“More and more locks today are getting digitalized,” Martinsson said. Digital locks are becoming ubiquitous in smart homes and workplaces and even on padlocks and luggage, he said. Homes and buildings typically use some sort of physical key fob and, increasingly, biometrics. “It's more convenient, it's faster and it's more secure.”