RFID Tokens

We also see another technology that’s used extensively now. And we’ll look at RFID again in this section, but also when we move into the section on the different identity and access management technologies. RFID uses radio frequency for identification. It allows for the tagging of physical devices. So an RFID tag can transmit and receive electromagnetic fields, radio fields. It provides a unique identifier that allows for the interaction and registration with other systems. It’s worth bearing in mind, though, that the RFID token, as a physical token, is limited, in that it is presenting a unique reference identity. On its own, this isn’t enough.

We need this to correlate when it’s presented to the RFID reader to some kind of system that manages the authentication process that understands whether or not that unique identifier is allowed or denied access to a particular resource. For example, with an RFID door reader, whether or not the door should open for that identity. The first patent associated with RFID was granted to Charles Walton in 1983, so this is not a new technology. It is relatively well-established. One of the benefits, though, of RFID tags is that they can be produced very cheaply now. And we have two types of RFID tags. We have the passive tags or an active tag, which has a battery.

So an active tag has an on board battery, which periodically can transmit its ID. And the battery-assisted passive tag has a small battery on board, which is activated during the authentication process. So two types of battery-powered device, two types of active tag. A passive tag is cheaper. And most of the tags we see in use day-to-day are passive tags. These are smaller, more lightweight, and cheaper, because there’s no battery. Instead, the device is powered through the radio energy that’s transmitted by the reader. So to operate a passive tag, it must be illuminated with a power level roughly 1,000 times stronger than for just the normal signal transmission, so it does require the reader to provide that energy.

So this can help shorten the effective distance for passive tags. They need to be closer to the reader. Tags can be read-only or read-write. If they’re read-only, they’ve got a factory-assigned number, the ID that’s used, and is registered within any application or database system that we’re using. Where the read-write, we have some flexibility. The read-write tags actually create for us a potential security issue. You can buy an RFID writer and also reader from online for relatively small amounts of money, and you can also buy blank tags. So what we can potentially look at is as a security scenario here, somebody reading an RFID tag, and then being able to clone that tag to re-issue it.

So the RFID tag itself isn’t hugely secure in isolation. Typically, we want to use the RFID tag as part of a broader set of controls. So for a high security door entry system, maybe we have a pin code and an RFID tag reader. The RFID tag reader can help ensure the identity has the correct access permissions, but also, that is supplemented as part of the authentication process with something you know. It becomes a multi-factor operation. An RFID tag has three elements. It has an integrated circuit, a chip. And this stores and processes information, and helps to modulate and demodulate the radio frequency. It takes that analog signal and creates a digital message from it and vice versa.

And it has a means of collecting power from the reader signal. And we also have the antenna that helps with the receiving and the transmitting of the signal. So the tech information is stored in non-volatile memory. And the RFID tag can be, as we’ve said, readable or read-write.

So these, as we’ve said, can be combined with other authentication factors to improve security. Some of the concerns we see around RFID is because of the very low cost of RFID as a technology, that you see supermarkets and libraries using RFID tags, that individuals can be tracked. And I’ve seen a great example from a large RFID vendor where they show a geographical overlay of their office, and they have tagged their staff. And you can see their staff moving around live on a map. So this can create some level of concern over tracking, especially where we have RFID tags that can be used for multiple purposes, that can be registered for multiple purposes.

Things like integrated transit cards that can track your movement across the transit system, your shopping habits. So where you are, what you’re doing. So these are the types of concerns we see arising around the use of RFID. You also see RFID used now for keys in residential properties and hotels very, very commonly. So a very popular technology. The low cost, again, means that they are used extensively. A few examples now of people implementing RFID through implants in their body. So actually implanting an RFID token into their body that can be registered with different systems. So a very, very versatile technology. It can be very helpful as a supplementary control. But just be cautious about using it in isolation.