Apple rolled out its newest iPhone last month to great fanfare. For me, the most intriguing part of Apple’s announcement was the rollout of its new electronics payment solution, dubbed Apple Pay.
Yes, Apple’s new watch is shiny and intriguing, and it was nice to get the rock band U2’s new album for free, but I felt that those segments of the programme were mildly aggravating distractions; I wanted to hear a lot more about the security controls for the contactless point-of-sale transactions system.
The first thing that appealed to me about the Apple Pay solution was the way I could apply it inside an enterprise to solve a vexing access control problem. Several years ago, I needed to find a way to keep people out of my data centres. We’d had incidents involving tool and parts theft, unauthorised server modifications and so on, we needed to restrict access to sensitive areas to the bare minimum of trusted employees – and we needed a log of who went in and out, when, so that we could correlate incidents to suspects. Recalling physical keys didn’t do enough to solve our problem, so (being the IT department) we tried leveraging technology.
We investigated installing computerised door locks that authenticated employees with their smart ID card. The combination of an RFID chip and stored PKI certificate should have significantly deterred misconduct, since each attempt to unlock the data centre doors would result in an incontrovertible log entry. Our experiments worked… somewhat.
We discovered that users were dutiful about swiping their way in to the data centre, but they wouldn’t bother swiping out when they were done. It was faster and easier for them to tap the emergency egress bar and saunter out. So, we might have a record showing that 12 different techs entering the complex on a day where something suspicious occurred… but the logging system showed that none of them ever left.
This is where I think the Apple Pay technology might come to our rescue, assuming we can apply the science of behavioural economics to slowly change employee behaviour. It shouldn’t be difficult to build a smart lock assembly that incorporates an NFC sensor from a point-of-sale terminal. When an authorised user approaches a restricted-access door, he or she authenticates their entry with a £1 transaction (like putting a coin into a pay toilet stall, but authenticated with user biometrics as well as petty cash); when the user leaves the restricted area, they authenticate the lock again from the other side, and the door lock assembly returns their deposit so that they’re not actually out of any money. If they hit the panic bar to leave, they’re out by a quid.
It’s a very small amount of economic pressure, but that pressure builds up over time. Every person has a different pain threshold; that point where a drain of cash from their pay packet transitions from being immaterial to annoying. The act of holding back deposits slowly conditions users to authenticate the restricted access door again on their way out because they want to get their money back. By conditioning users to interact with every door both ways, every time, we can gradually (but significantly!) increases the accuracy of entry and egress logging.
I realise that using paid access to a workspace might be considered crass, but the key to the initiative is to compel employees to change their behaviour in order to consistently comply with important security protocols. Voluntary compliance actually costs the employee nothing. You could even incentivise compliance with double refunds every 100th consecutive validated exit.
