FAQ & Resources

by Secure Technology Alliance

What is a contactless smart bracelet?
A contactless smart bracelet includes an embedded secure microcontroller or equivalent intelligence, internal memory and a small antenna and communicates with a reader through a contactless radio frequency (RF) interface. Contactless smart bracelet technology is used in applications that need to protect personal information and/or deliver fast, secure transactions, such as transit fare payments, government and corporate identification documents such as electronic passports and visas, and financial payment transactions.

Contactless smart bracelets have the ability to securely manage, store and provide access to data on the bracelet, perform on-bracelet functions (e.g., encryption and mutual authentication) and interact intelligently with a contactless smart reader. Contactless smart bracelet technology and applications conform to international standards (ISO/IEC 14443 and ISO/IEC 7816). Contactless smart bracelet technology is available in a variety of forms – in plastic cards, watches, key fobs, documents and other handheld devices (e.g., built into mobile phones).

How do contactless smart bracelets work?
Contactless smart bracelet systems are closely related to contact smart card systems. Like contact smart card systems, information is stored on a chip embedded within the contactless smart bracelet. However, unlike the contact smart card, the power supplied to the bracelet as well as the data exchanged between the bracelet and the reader are achieved without the use of contacts, using electromagnetic fields to both power the bracelet as well as to exchange data with the reader.

The contactless smart bracelet contains an antenna embedded within the porcelain resin body of the bracelet . When the bracelet is brought into the electromagnetic field of the reader, the chip in the bracelet is powered on. Once the chip is powered on, a wireless communication protocol is initiated and established between the bracelet and the reader for data transfer. The bracelet is completely power less. 

The following four functions describe at a high level the sequence of events that happen when a contactless smart bracelet is brought near a reader:

1. Energy transfer to the bracelet for powering the integrated circuit (chip)
2. Clock signal transfer
3. Data transfer to the contactless smart bracelet
4. Data transfer from the contactless smart bracelet

Hence, once the bracelet is brought within range of an electromagnetic field of the required frequency, the bracelet will be powered up, ready to communicate with the reader. Since the contactless smart bracelets described in this FAQ are based on the ISO/IEC 14443 standard, this frequency is 13.56 MHz and a reader that complies with the standard would have an activation field (range) of about approximately 4 centimeters. In other words, the bracelet needs to be within 4 centimeters of a reader for it to be effectively powered; however, the effective range for communications for the bracelet to be read will depend on a number of factors like the power of the reader, the antenna of the reader and the antenna of the bracelet.

What is contactless payment?
Contactless payment is a change to the way debit or credit payment is handled when making a purchase. Contactless payment transactions require little to no physical connection between the bracelet or an NFC-enabled mobile device and the checkout device. Instead of “swiping” or “inserting” a card, the contactless bracelet, fob or NFC-enabled mobile device is tapped on or held within an inch of a machine that reads the bracelet, with the payment information is sent to the merchant wirelessly.

 How does smart bracelet technology help to protect privacy?
Smart bracelet technology offers a number of features that can be used to provide or enhance privacy protection in systems. The following is a brief description of some of these features and how they can be used to protect privacy.

• Authentication. Smart bracelet technology provides mechanisms for authenticating others who want to gain access to the bracelet or device. These mechanisms can be used to authenticate users, devices, or applications wishing to use the data on the bracelet’s or device’s chip. These features can be utilized by a system to protect privacy by, for example, ensuring that a banking application has been authenticated as having the appropriate access rights before accessing financial data or functions on a bracelet.
• Secure data storage. Smart bracelet technology provides a means of securely storing data on the bracelet or device. This data can only be accessed through the smart bracelet operating system by those with proper access rights. This feature can be utilized by a system to enhance privacy by, for example, storing personal user data on the bracelet or device rather than in a central database. In this example, the user has better knowledge and control of when and by whom their personal data is being granted access.
• Encryption. Smart bracelet technology can provide a robust set of encryption capabilities including key generation, secure key storage, hashing, and digital signing. These capabilities can be used by a system to protect privacy in a number of ways. For example, system based on smart bracelet technology can produce a digital signature for the content in an email, providing a means to validate the email authenticity. This protects the email message from subsequently being tampered with and provides the email recipient with an assurance of where it originated. The fact that the signing key originated from a smart bracelet or device adds credibility to the origin and intent of the signer.
• Strong device security. Smart bracelet technology is extremely difficult to duplicate or forge and has built-in tamper-resistance. Smart bracelet chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. For example, the chips are manufactured with features such as extra metal layers, sensors to detect thermal and UV light attacks, and additional software and hardware circuitry to thwart differential power analysis.
• Secure communications. Smart bracelet technology can provide a means of secure communications between the bracelet/device and readers. Similar in concept to security protocols used in many networks, this feature allows smart bracelets and devices to send and receive data in a secure and private manner. This capability can be used by a system to enhance privacy by ensuring that data sent is not intercepted or tapped into.
• Biometrics. Smart bracelet technology can provide mechanisms to securely store biometric templates and perform biometric matching functions. These features can be used to improve privacy in systems that utilize biometrics. For example, storing fingerprint templates on a smart bracelet or device rather than in a central database can be an effective way of increasing privacy in a single sign-on system that uses fingerprint biometrics as the single sign-on credential.
• Personal device. A smart bracelet is, of course, a personal and portable device associated with a particular bracelet-holder. The smart bracelet resin is often personalized, providing an even stronger binding to the bracelet holder. These features, while somewhat obvious, can be leveraged by systems to improve privacy. For example, a healthcare application might elect to store drug prescription information on the bracelet instead of in paper form to improve the accuracy and privacy of a patient’s prescriptions.  Smart bracelet technology is also built into other portable personal devices, such as mobile phones and USB devices.
• Certifications. Many of today’s smart bracelets and devices have been certified that they comply with industry and government security standards. They obtain these certifications only after completing rigorous testing and evaluation criteria by independent certification facilities. These certifications help systems protect privacy by ensuring that the security and privacy features and functions of the smart bracelet hardware and software operate as specified and intended.

 Why are smart bracelets better than other ID token technologies? 
A Smart bracelet works exactly like a smart card. Smart cards are widely acknowledged as one of the most secure and reliable forms of an electronic identification (ID) token. A smart bracelet includes an embedded integrated circuit chip that can be either a microcontroller chip with internal memory or a secured memory chip alone. The bracelet communicates with a reader either with a remote contactless electromagnetic field that energizes the chip and transfers data between the bracelet and the reader. With an embedded microcontroller, smart bracelets have the unique ability to store large amounts of data, carry out their own on-bracelet functions (e.g., data storage and management, encryption, decryption, and digital signature calculations) and interact intelligently with a smart reader.

A smart bracelet ID can combine several ID technologies, including the embedded chip, visual security markings, and biometrics. By combining these various technologies into a smart bracelet ID token, the resulting ID can support both future and legacy physical and logical access applications. They can also support other applications that have traditionally required separate ID processes and tokens.

Biometrics are used in many new identity management systems to improve the accuracy of identifying individuals. How can smart bracelets be used to help assure privacy in a biometrics-based system?

Smart bracelets provide a highly effective mechanism to protect the privacy of an individual that has a requirement to use a biometric identity system.

• The biometric information can be stored on the smart bracelet rather than in an online database, allowing the biometric owner the opportunity to manage the physical possession of the bracelet holding the individual’s biometric information.
• The biometric data can be secured with state-of-the-art encryption techniques while providing full three-factor authentication capability at the bracelet/reader level:

​

1. Something you have – the bracelet with all of its security capabilities
2. Something you know – a password or personal identification number (PIN)
3. Something you are – the biometric

​

• In a smart bracelet-based application, the individual’s biometric can be captured by a reader and passed to the smart bracelet for matching, rather than passing the stored biometric information to the reader for matching. The individual’s biometric information would never leave the bracelet, preventing virtually any possibility of compromise.

In a non-smart-bracelet-based application, the password or PIN and biometric would be stored in an online database outside the control of the individual and the biometric information would be captured and passed to an application for matching.

Why smart bracelets are better than smartphones?

• ​They are wearable so that means users wear it instead of carry them, this allow the devices to be more secure being closer to the owner. 
• They allow a fully touchless transaction not having to use hands and fingers to grab the device and present to the readers or cashless points. 
• They are function focus, payment and access so that users don't have to be distracted by other function making the experience much more intuitive and fast 
• they are more secure because they separate the security element from other features contained in the phone preventing a general security breach ( for example if a phone has been hacked also access and payment might be compromised ) 
• They are less expensive in comparison to phones
• They don't need to be charged or synced, because everything happen at the factory/administration  level

​
What is an RFID tag?
Radio frequency identification (RFID) tags are used in a wide range of applications such as: identifying animals, tracking goods through the supply chain, tracking assets such as gas bottles and beer kegs, and controlling access into buildings (mostly access control from the '80 using unencrypted technologies). RFID tags include a chip that typically stores a static number (an ID) and an antenna that enables the chip to transmit the stored number to a reader. Some RFID tags contain read/write memory to store dynamic data. When the tag comes within range of the appropriate RF reader, the tag is powered by the reader’s RF field and transmits its ID to the reader.

RFID tags are simple, low-cost and commonly disposable, although this is not always the case such as reusable laundry tags. There is little to no security on the RFID tag or during communication with the reader. Any reader using the appropriate RF frequency (low frequency: 125/134 KHz; high frequency: 13.56 MHz; and ultra-high frequency: 900MHz) and protocol can get the RFID tag to communicate its contents. (Note that this is not true of car keys which contain a secure RFID tag.) Passive RFID tags (i.e., those not containing a battery) can be read from distances of several inches (centimeters) to many yards (meters), depending on the frequency and strength of the RF field used with the particular tag. RFID tags have common characteristics, including:

• Low cost designs and high volume manufacturing to minimize investment required in implementation.
• Minimal security in many applications, with tags able to be read by any compatible reader. Some applications like car keys do have security features, most notably provisions to authenticate the RFID tag before enabling the ignition to start the car.
• Minimal data storage comparable to bar code, usually a fixed format written once when the tag is manufactured, although read/write tags do exist.
• Read range optimized to increase speed and utility.

Is contactless smart bracelet technology the same as RFID technology?
No. There is significant confusion in discussions of RF-enabled applications, with contactless smart  bracelet technology often incorrectly categorized as ‘RFID.’ There is a wide range of RF technologies used for a variety of applications – each with different operational parameters, frequencies, read ranges and capabilities to support security and privacy features. For example, the RFID technologies that are used to add value in manufacturing, shipping and object-related tracking operate over long ranges (e.g., 25 feet), were designed for that purpose alone and have minimal built-in support for security and privacy. Contactless smart bracelets, on the other hand, use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip.

What security capabilities does contactless smart card technology support?
Devices using contactless smart technology use RF technology, but, by design, operate at a short range (less than 4 inches) and can support the equivalent security capabilities of a contact smart card chip (see below). Contactless smart devices and readers conform to international standards, ISO/IEC 14443 and ISO/IEC 7816, and can implement a variety of industry-standard cryptographic protocols (e.g., AES, 3DES, RSA, ECC).

The contactless smart chip includes a smart secure microcontroller and internal memory and has unique attributes RFID tags lack – i.e., the ability to securely manage, store and provide access to data on the bracelet, perform complex functions (for example, encryption and mutual authentication) and interact intelligently via RF with a contactless reader. Applications using contactless smart devices support many security features that ensure the integrity, confidentiality and privacy of information stored or transmitted, including the following:

• Mutual authentication. For applications requiring secure bracelet access, the contactless smart bracelet device can verify that the reader is authentic and can prove its own authenticity to the reader before starting a secure transaction.
• Strong information security. For applications requiring complete data protection, information stored on bracelets or documents using contactless smart technology can be encrypted and communication between the contactless smart bracelet device and the reader can be encrypted to prevent eavesdropping. Hashes and/or digital signatures can be used to ensure data integrity and to authenticate the bracelet and the credentials it contains. Cryptographically strong random number generators can be used to enable dynamic cryptographic keys, preventing replay attacks.
• Strong contactless device security. Like contact smart cards, contactless smart bracelet technology is extremely difficult to duplicate or forge and has built-in tamper-resistance. Smart bracelet chips include a variety of hardware and software capabilities that detect and react to tampering attempts and help counter possible attacks. For example, the chips are manufactured with features such as extra metal layers, sensors to detect thermal and UV light attacks, and additional software and hardware circuitry to thwart differential power analysis.
• Authenticated and authorized information access. The contactless smart device’s ability to process information and react to its environment allows it to uniquely provide authenticated information access and protect the privacy of personal information. The contactless smart device can verify the authority of the information requestor and then allow access only to the information required. Access to stored information can also be further protected by a personal identification number (PIN) or biometric to protect privacy and counter unauthorized access.
• Support for biometric authentication. For human identification systems that require the highest degree of security and privacy, smart bracelet technology can be implemented in combination with biometric technology. Biometrics are measurable physical characteristics or personal behavioral traits that can be used to recognize the identity or verify the claimed identity of an individual. Smart bracelets and biometrics are a natural fit to provide two- or multi-factor authentication. A smart bracelet is the logical secure storage medium for biometric information. During the enrollment process, the biometric template can be stored on the smart bracelet chip for later verification. Only the authorized user with a biometric matching the stored enrollment template receives access and privileges.
• Strong support for information privacy. The use of smart technology strengthens the ability of a system to protect individual privacy. Unlike other technologies, smart devices can implement a personal firewall for an individual, releasing only the information required and only when it is required. The ability to support authenticated and authorized information access and the strong contactless device and data security make contactless smart bracelets excellent guardians of personal information and individual privacy.

It is important to note that information privacy and security must be designed into an application at the system level by the organization issuing the contactless chipset technology. It is critical that issuing organizations have the appropriate policies in place to support the security and privacy requirements of the application being deployed and then implement the appropriate technology that delivers those features. The ability of contactless smart bracelet technology to support a wide array of security features provides organizations with the flexibility to implement the level of security that is commensurate with the risk expected in the application.

History of access Control Credentials

by HID Global 

---

Physical access control has been a key component of many organizations’ security strategies for several decades. Like any technology, access control has evolved over the years, and solutions now offer more security and convenience than ever before.
From swipe technologies, like the now antiquated magnetic stripe, to contactless technologies and mobile access credentials, businesses now have several choices when it comes to access control.
Despite the enhanced security and convenience offered by newer options, many organizations are still using outdated and vulnerable access control technology. For these organizations, the time has come to take action and prioritize plans for a much-needed upgrade.
To better illustrate the importance of upgrading to the latest access control technology, we take a step back in time to explore the evolution of cards and credentials technologies between the 1980s and the present-day. We examine the technologies available today and the bright future of access control, as well as clarify why using out of date access control technology can leave your organization at risk.

Using Legacy Card Technology with Newer Access Control Readers 
After making an investment in modern readers, some organizations may look to cut costs by purchasing cheaper cards and credentials. This is a mistake. The reader is only as secure as the weakest credential it has been enabled to support. Ensuring the security of the entire ecosystem, including cards, is not something that should be driven by cost. One common example is when an organization purchases less expensive cards from a third-party reseller. Such cards and credentials are marketed with the promise that they will work with state-of-the-art readers. However, these cheaper credentials often use technology that is easier to hack or duplicate, therefore compromising the security level of the entire system. While the temptation to save money is strong for many companies, skimping on security to save money can often result in a more expensive proposition in the long run. The cost of a security breach, an increased possibility due to the vulnerabilities that less sophisticated cards introduce, can be much higher than the cost of buying more sophisticated credentials. To better illustrate the importance of upgrading to the latest access control technology, let’s explore the evolution of cards and credentials technologies.
​

1980s
Initial swipe technologies were a major administrative improvement over manual locks and keys regarding management, traceability and forensics. Knowing who had access rights to certain areas and being able to efficiently control those rights removed the need to re-key as employees left or changed roles.
Contact technology requires a manual swipe to transfer the unencrypted credential’s information to a reader. When the user needed access to a particular area, they would physically swipe a card — much like a credit or debit card in a retail store. Because this kind of credential is unencrypted, swipe technologies are less secure than today’s offerings, but they provided adequate security for the time, partly because to read or clone data, hackers were required to physically obtain the card.

1990s
​In time, the limitations of swipe technologies began to be felt. The need for physical contact between readers and credentials could be cumbersome and inefficient for users, while broken cards and physical wear on readers became costly and time-consuming for administrators.
Thus, the emergence of contactless technologies was a game-changer in the access control industry. The predominant technology during this phase is known as “Prox”, also known as “low frequency proximity”. It featured low frequency, 125 kHZ technology whereby the data on the card is detected when presented a few inches from the reader. Prox also provided the additional option of leveraging fobs and tags as form factors, meaning users were no longer required to use a card. Although Prox benefited the access control industry by ushering the proliferation of electronic physical access control thanks to lower maintenance costs, increased user convenience, and new options for form factors, the technology had limitations to start. The credential is unencrypted, static, and canbe read in the clear, making the cards easy to clone or forge. Prox cards also cannot be encoded with multiple IDs or other data attributes.

Late 1990s-2010s
At the turn of the century, contactless smart cards emerged that offered more sophisticated technology than Prox. These smart cards, including brands such as MIFARE® and iCLASS®, utilized high-frequency technology (13.56 MHz) and featured new credentials. They also addressed the two main limitations of Prox cards.
First, mutual authentication, both the credential and reader contain a set of cryptographic keys (consider these keys like a password). When the credential is first presented to the reader, the two use a complex mathematic process to compare keys. If the keys match, the credential shares the binary data with the reader, and the reader accepts it as genuine. However, if the keys do not match, the credential will keep the binary data private, and the transaction will be terminated.
Second, these cards could store more information than just an ID number, such as a cashless vending debit value or a biometric template. The result was a substantial increase in both security and multi-application functionality. Despite these benefits, most first-generation smart cards have vulnerabilities in the mutual authentication algorithms that have been exposed by researchers in published documents. Such vulnerabilities make it possible for a hacker to forge/clone/spoof a credential as if the mutual authentication was not present.

2010s-2020
As the security landscape continued to evolve, so did access control credentials. Second-generation contactless smart cards (e.g: Seos® and MIFARE DESFire EV3) were introduced to meet the needs of dynamic businesses. Second-generation contactless smart cards differ from their predecessors in two key areas: security and applications.

Gone are the proprietary protocols that were more vulnerable in first-generation smart cards. Among the many downsides of proprietary protocols are that they are developed by one company and thus subject to blind spots that accompany a single point of view. Such blind spots inevitably lead to greater vulnerability, as issues cannot be fixed until the vendor is alerted to the issue, marshals resource to develop a patch or new version of the software that addresses the bug, before subsequently releasing.
Second-generation credentials also offer enhanced privacy protection and feature open, widely adopted standards developed and approved by a broad research and academic community (e.g., ISO and NIST). These open standards are consistently updated and adjusted, enabling them to be leveraged across multiple technologies.

Second-generation smart cards are architected to enable virtually unlimited applications with enhanced data and privacy protection. Today’s organizations are seeking the ability to manage user identities independent of the underlying hardware form factor (and micro-processor chip). These organizations want to create
and manage ‘secure identities’, not just on cards but also on mobile phones, tablets, wearables and other credential form factors, connecting through NFC, Bluetooth and other communication protocols.
This has allowed for additional use cases for smart cards and logical access — controls intended to identify, authenticate and authorize access to networks and information — and enabled convergence between physical and logical access. Secure printing and cashless vending are additional examples of easier and more flexible applications that second-generation smart cards can facilitate.

During this time, mobile devices transformed user expectations in every aspect of life, including access control. These trends would quickly impact how organizations address security and improve the user experience when managing access control, including the shift from storing credentials on a physical card to a mobile device.

The Next Generation of Credentials
Much of the next generation of credentials is already here. Mobile devices are well entrenched in nearly all aspects of everyday life. Allowing building occupants to use their smartphone, tablet or wearable to enter controlled areas to supplement or replace cards will likely be well accepted by all involved parties.
The benefits to both business and employee are clear. First, there is the convenience factor for employees
in having to carry fewer items. Also, because very few people go anywhere without their mobile device,
lost or forgotten cards will be less of an issue. Mobile credentials also allow contactless entry to doors and authentication from a distance, meaning users are not required, for example, to roll down their car window in cold weather to open a parking gate. Secondly, mobile credentials make the administration of access control easier. Digital processes make it simple to streamline operations with integration to access control or visitor systems. Organizations can provide remote workers and visitors with credentials over-the-air and replace physical credential management with a digital experience. In the event of a security issue, a user’s credential can also be deprovisioned quickly and efficiently. Beyond saving time and resources, the result is a more sustainable process with reduced waste and fewer physical touchpoints.

image by INPULSE inc.

Conclusion
Cards and credential technologies have come a long way since they were first introduced over 40 years ago. Today’s contactless smart cards follow industry protocols, making them much more secure than prior generations. As access control technology finds a role in more than just physical access, mobile devices have been found to be a synergistic fit, as they offer not only more security and convenience in a cost-effective form factor, but also increased functionality in the form of applications. Only a modern ecosystem will be able to keep pace with the transformative trends today’s organizations are facing. Fortunately, upgrading your physical access control system is not as difficult as you may think, as it often only requires installing new readers and issuing new credentials.