Access control in its broader context can be divided into “physical” access control, which typically means access control to buildings and premises, and “logical” or “digital” access control, which means remote access to services via computer networks. As these functions have traditionally been divided between different departments in an organization, this division can be seen as practical. However, as the importance of “digital” identities increases, a convergence between “physical” and “digital” identities is expected over time.
Over the years, there has been a shift away from traditional magnetic stripe cards towards contact-less identification systems. Apart from the convenience of not having to physically swipe or insert a card in a slot, contact-less readers can be made sealed and are therefore less susceptible to mechanical degradation and vandalism. Furthermore, the newer generations of contact-less readers include challenge-response mechanisms to prevent counterfeiting and eavesdropping, thereby enhancing the overall access security.
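The following is an added illustration, not part of the original description, of the challenge-response mechanism mentioned above. It models a card holding a secret key shared with the reader population and a reader that issues a fresh random challenge on every presentation; the card identifier, key material and the HMAC-SHA256 construction are constructed for the example and are not taken from any particular reader product. The three functions show why a copied card identifier and a recorded response are both rejected.

```python
import hashlib
import hmac
import secrets

# Constructed example: key material provisioned into the card when it is issued;
# the reader holds the same key for every enrolled card identifier.
CARD_KEYS = {"card-0001": b"constructed-card-key-0001"}


class ContactlessCard:
    """Genuine card: can compute a valid response only because it holds the key."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge):
        # Bind the response to both the card identity and the reader's fresh challenge.
        msg = self.card_id.encode() + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class Reader:
    """Sealed contact-less reader: never reuses a challenge."""

    def __init__(self, keys):
        self._keys = keys

    def new_challenge(self):
        return secrets.token_bytes(16)

    def verify(self, card_id, challenge, response):
        key = self._keys.get(card_id)
        if key is None:
            return False  # unknown identifier
        expected = hmac.new(key, card_id.encode() + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def genuine_card_passes():
    reader = Reader(CARD_KEYS)
    card = ContactlessCard("card-0001", CARD_KEYS["card-0001"])
    challenge = reader.new_challenge()
    return reader.verify(card.card_id, challenge, card.respond(challenge))


def counterfeit_card_fails():
    """A copy that reproduces only the visible identifier has no key to answer with."""
    reader = Reader(CARD_KEYS)
    fake = ContactlessCard("card-0001", b"guessed-key")
    challenge = reader.new_challenge()
    return reader.verify(fake.card_id, challenge, fake.respond(challenge))


def replayed_response_fails():
    """A response recorded from one exchange is useless against a later challenge."""
    reader = Reader(CARD_KEYS)
    card = ContactlessCard("card-0001", CARD_KEYS["card-0001"])
    first = reader.new_challenge()
    recorded = card.respond(first)   # observed during a legitimate presentation
    later = reader.new_challenge()   # a fresh challenge on the next presentation
    return reader.verify(card.card_id, later, recorded)


if __name__ == "__main__":
    print(genuine_card_passes(), counterfeit_card_fails(), replayed_response_fails())
```

Contrast this with a magnetic stripe card, whose entire content is the static identifier: anything that can read it can reproduce it, which is the counterfeiting and eavesdropping exposure the challenge removes.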
Access control systems can be made either “on-line” or “off-line”, where the on-line system stays in network contact with a centralized system. Individual identities can then instantly be granted and revoked via the host system. Generally, it can be said that these systems have an intelligent back-end system, whereas the cards themselves only keep the identity. Off-line systems, on the other hand, are, as the name suggests, not directly connected to the host system. The access rules are then stored in the access card rather than in the back-end. The off-line system therefore typically requires re-configuration of the access card to change an individual card's access rights.
A benefit of the off-line approach is that access terminals can work independently of a host system and no wiring is necessary, thereby greatly simplifying installation with associated cost savings. On the other hand, all changes to the access credentials of an individual user require re-configuration of that user's particular card, which in turn typically requires the user to go to a centralized location to have his or her card re-configured. Therefore, in certain settings a hybrid of on-line and off-line is formed to allow individual access cards to be re-configured at certain points when the access credentials have been changed. By integrating physical and digital access credentials, the access control token can then be automatically updated with the most recent rules every time the user uses the token to log on to the computer network.
In some settings, the administrative overhead of maintaining off-line systems makes them less practical to implement, and the obstacle for the users can be significant.
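As an added example (not from the original description), the hybrid arrangement of the preceding paragraphs can be modelled as three parts: an on-line back-end that is the authority for access rules, an off-line door reader that decides purely from what the card carries, and a synchronisation step performed when the holder logs on to the network. The back-end authenticates the rule-set it writes to the card with an HMAC; that MAC, the shared key, the expiry window, the card and door names and the JSON layout are assumptions made for this example, chosen to show why a rule-set the reader trusts without a network link must be protected against alteration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed example: a secret shared by the back-end and every off-line reader.
# A deployment would more likely use an asymmetric signature so that readers hold
# only a verification key.
BACKEND_KEY = b"constructed-backend-key-not-for-production"


def _mac(payload):
    return hmac.new(BACKEND_KEY, payload, hashlib.sha256).digest()


class BackEnd:
    """On-line host: the authoritative store of which doors each card may open."""

    def __init__(self):
        self._rules = {}  # card_id -> set of door names

    def grant(self, card_id, door):
        self._rules.setdefault(card_id, set()).add(door)

    def revoke(self, card_id, door):
        self._rules.setdefault(card_id, set()).discard(door)

    def issue_credential(self, card_id, now, validity=timedelta(days=1)):
        """Rule-set to be written onto the card, MAC'd so an off-line reader can trust it."""
        body = {
            "card_id": card_id,
            "doors": sorted(self._rules.get(card_id, ())),
            "expires": (now + validity).isoformat(),
        }
        payload = json.dumps(body, sort_keys=True).encode()
        return {"payload": payload, "mac": _mac(payload)}


class Card:
    """Off-line token: carries the rules themselves, not only an identity."""

    def __init__(self, card_id):
        self.card_id = card_id
        self.credential = None


class OfflineReader:
    """Door terminal without a network link; sees nothing but the card."""

    def __init__(self, door):
        self.door = door

    def check(self, card, now):
        cred = card.credential
        if cred is None:
            return False
        if not hmac.compare_digest(_mac(cred["payload"]), cred["mac"]):
            return False  # rules altered after issuance
        body = json.loads(cred["payload"])
        if body["card_id"] != card.card_id:
            return False  # credential copied from another card
        if datetime.fromisoformat(body["expires"]) <= now:
            return False  # stale; the holder must log on again to refresh
        return self.door in body["doors"]


def login_sync(backend, card, now):
    """The hybrid step: logging on to the network rewrites the card with current rules."""
    card.credential = backend.issue_credential(card.card_id, now)


def demo():
    """Walk through the credential lifecycle; returns the outcome of each door check."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    backend, card, lab = BackEnd(), Card("card-0001"), OfflineReader("lab")
    r = {}
    r["blank_card"] = lab.check(card, t0)
    backend.grant("card-0001", "lab")
    login_sync(backend, card, t0)
    r["after_grant"] = lab.check(card, t0)
    backend.revoke("card-0001", "lab")
    r["revoked_not_synced"] = lab.check(card, t0)  # reader cannot know yet
    login_sync(backend, card, t0)
    r["revoked_after_sync"] = lab.check(card, t0)
    backend.grant("card-0001", "lab")
    login_sync(backend, card, t0)
    r["expired"] = lab.check(card, t0 + timedelta(days=2))
    tampered = dict(card.credential)  # holder edits the stored rule-set
    body = json.loads(tampered["payload"])
    body["doors"].append("vault")
    tampered["payload"] = json.dumps(body, sort_keys=True).encode()
    card.credential = tampered
    r["tampered"] = OfflineReader("vault").check(card, t0)
    return r


if __name__ == "__main__":
    print(demo())
```

The `revoked_not_synced` outcome is the off-line limitation the text describes: a revocation takes effect only once the card is rewritten, so the validity window chosen by the back-end bounds how long a stale rule-set keeps working.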
It is known to combine a USB key with an RFID reader. For example, WO2007023473 describes a USB key having an integrated RFID reader, in order to use the general capability of the USB key to be connected to any computer or smart-phone having a USB port for on-line identification of a user. Data can be transferred between the RFID reader, an RFID tag and the computer. A user can identify himself with the RFID tag via the RFID reader on the USB key and thereby gain automatic access to a pre-configured site on the computer.
US20080192933 describes a dual-interface portable device for use in on-line transactions in conjunction with a remote server over a network. The device comprises a first means for secure communication in the form of a USB key connectable to a USB port of a computer, and a second means for communication in the form of a card reader for reading a bank card. In use, the bank card is presented to the portable device's card reader. The number of the bank card is encrypted in the portable device and transferred to the server, and the transaction is eventually confirmed by the server.
JP2009187502 describes a system for ticket reservation and issuing comprising a USB compact device with a built-in RFID chip. The device is pre-programmed to reach a target web site when inserted into a computer. When a ticket is reserved and purchased, information is written into the RFID chip of the USB key. The ticket can then be used off-line at an RFID reader identifying the ticket.
WO 2005050384 describes a multi-interface USB modular token which can be plugged into a PC and connected to the internet. A portion of the modular token can be removed and used off-line via a wireless interface in the real world.
US2006279413 describes a dual-interface device allowing a host system to issue instructions to an RFID module, via a Secure Digital Input/Output (SDIO) interface of the device, to scan nearby RFID tags and convey the stored content of the scanned RFID tag back to the host device. The host device may also instruct the RFID module, via the SDIO interface, to write specific data to the memory of the RFID tag.
US 20050182971 describes a security device for computer systems. The device stores information relating to user authentication and performs computations and cryptographic operations to generate a one-time pass code, either on-line or off-line. The generated one-time pass code is displayed on a screen on the device for a pre-determined period of time.
A problem with the prior art concerns management and distribution of cryptographic keys, where access control tokens generally cannot be securely updated “in the field” after initial cryptographic information has been initialized in a secure facility. In the access control environment, a user is typically required to go to a centralized facility to have the access control token updated with specialized equipment, using specialized software with online connection to a database, all performed in a secure environment.