Physical Access

This document provides information on how to use Crayonic Wallets with different types of physical access systems for use cases such as building door entrance and exit, employee time tracking, lunch credit systems, etc.

Below is the list of supported physical access technologies, ranked from the least secure and least expensive to the most secure and most convenient for users.

RFID Support

125 kHz RFID is the older connection method for physical access (PA) systems. The RFID element is usually incorporated into the photo identification card, which is then placed into the Crayonic Badge. If the external ID card doesn’t have an RFID antenna, the Crayonic Badge can have one built in.

This technology is limited to just one access factor, which is possession of the card. Although such a card can be easily replicated and imitated, it is quite affordable, costing less than 2 Euros per ID. Door card readers are also very cheap. RFID can only be supported by the Crayonic Badge because the Crayonic KeyVault is too small to include an RFID antenna.

NFC Support

For the NFC (13.56 MHz) interface, the easiest but least secure mode of operation is one relying on the NFC tag UID (Unique Identifier).

The type of UID depends on the NFC tag type:

  1. MIFARE Classic / DESFire – Uses a 4-byte, 7-byte, or 10-byte UID (depending on the version).

  2. ISO 14443-A/B – Uses a Unique Identifier (UID) or Card Serial Number (CSN) (typically 4, 7, or 10 bytes).

  3. ISO 15693 (Vicinity Cards) – Uses a 64-bit UID.

  4. FeliCa (Sony NFC cards) – Uses a 64-bit or 128-bit IDm (Manufacturing ID).

Crayonic Wallets: NFC UID Configuration and Authentication Mechanisms

Crayonic Wallets utilize unique identifiers (UIDs) for facilitating secure and streamlined access control. The UIDs in Crayonic devices are variable in length, comprising either 4, 7, or 10 bytes. These identifiers are generated randomly by the Near Field Communication (NFC) interface embedded within the device. The actual length and value of the UID in each case are contingent upon the NFC protocols employed, as outlined in the following table.

Table 1: NFC UID Length and Generation

| UID Length | UID Characteristics |
|------------|---------------------|
| 4 bytes | Standard short UID used in basic interactions |
| 7 bytes | Medium-length UID for enhanced security |
| 10 bytes | Extended UID for eliminating ID collisions |

Crayonic devices are distinct in that they house two separate, independently-generated NFC UIDs. The distinction in these UIDs facilitates a dual-level security approach: one UID is presented when the device remains locked or has not been authenticated, while the alternative UID emerges once the user completes proper authentication within the Crayonic Wallet environment. This bifurcated approach allows for the configuration of either a single-factor authentication mechanism or a more robust multi-factor authentication, capitalizing on existing infrastructure that primarily recognizes NFC UIDs for access control.

Both the Crayonic Badge and the Crayonic KeyVault are compatible with NFC UID-based physical access setups. By leveraging these capabilities, organizations can augment their security frameworks and seamlessly integrate multi-tiered authentication systems, enhancing the safety and flexibility of their physical access controls.

For a comprehensive understanding of implementing these NFC UID technologies within your existing systems, further exploration of authentication protocols and device-specific configurations is recommended.

Crayonic Wallet UIDs may be set up according to the table below for different UID sizes:

| Byte number | 4-byte UID | 7-byte UID | 10-byte UID |
|-------------|------------|------------|-------------|
| Internal0 | UID0 | UID0 | UID0 |
| Internal1 | UID1 | UID1 | UID1 |
| Internal2 | UID2 | UID2 | UID2 |
| Internal3 | UID3 | BCC0 = CT ^ UID0 ^ UID1 ^ UID2 | UID3 |
| Internal4 | BCC0 = UID0 ^ UID1 ^ UID2 ^ UID3 | UID3 | UID4 |
| Internal5 | 0xFF | UID4 | UID5 |
| Internal6 | 0xFF | UID5 | UID6 |
| Internal7 | 0xFF | UID6 | UID7 |
| Internal8 | 0xFF | BCC1 = UID3 ^ UID4 ^ UID5 ^ UID6 | UID8 |
| Internal9 | NFC Lib version | NFC Lib version | UID9 |

UID0 contains the manufacturer ID for Nordic Semiconductor and equals 0x5F.
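
The byte layout in the table above, worked through in code. This is an added example, not Crayonic code: it builds Internal0..Internal9 for each UID size and rejects a buffer whose check bytes or padding do not match. The function names, the sample UIDs and the library-version byte are constructed for illustration, and the cascade tag value CT = 0x88 is taken from ISO/IEC 14443-3 rather than from this page.

```python
from functools import reduce

CT = 0x88             # cascade tag; value from ISO/IEC 14443-3, not stated on this page
NORDIC_MFR_ID = 0x5F  # UID0 as given on this page
PAD = 0xFF            # filler for Internal5..Internal8 of a 4-byte UID


def bcc(*octets: int) -> int:
    """Block check character: XOR of the given bytes."""
    return reduce(lambda a, b: a ^ b, octets, 0)


def build_internal(uid: bytes, lib_version: int) -> bytes:
    """Lay a 4-, 7- or 10-byte UID out as Internal0..Internal9."""
    if uid[:1] != bytes([NORDIC_MFR_ID]):
        raise ValueError("UID0 must be 0x5F")
    if len(uid) == 4:
        return bytes([*uid, bcc(*uid), PAD, PAD, PAD, PAD, lib_version])
    if len(uid) == 7:
        return bytes([*uid[:3], bcc(CT, *uid[:3]), *uid[3:], bcc(*uid[3:]), lib_version])
    if len(uid) == 10:
        return bytes(uid)
    raise ValueError("UID must be 4, 7 or 10 bytes")


def parse_internal(buf: bytes, uid_len: int) -> bytes:
    """Recover the UID from Internal0..Internal9, rejecting bad BCC or padding.

    uid_len must be known in advance: a 10-byte UID has no check bytes,
    so the length cannot be inferred from the buffer alone.
    """
    if len(buf) != 10 or uid_len not in (4, 7, 10):
        raise ValueError("need 10 internal bytes and a UID length of 4, 7 or 10")
    if uid_len == 4:
        uid = buf[:4]
        ok = buf[4] == bcc(*uid) and buf[5:9] == bytes([PAD] * 4)
    elif uid_len == 7:
        uid = buf[:3] + buf[4:8]
        ok = buf[3] == bcc(CT, *buf[:3]) and buf[8] == bcc(*buf[4:8])
    else:
        uid, ok = buf, True
    if not ok or uid[0] != NORDIC_MFR_ID:
        raise ValueError("BCC, padding or manufacturer byte mismatch")
    return bytes(uid)


# Constructed sample UIDs and library-version byte (not real device values).
UID4 = bytes.fromhex("5fa1b2c3")
UID7 = bytes.fromhex("5f010203040506")
LIB_VERSION = 0x01

if __name__ == "__main__":
    for uid in (UID4, UID7):
        print(build_internal(uid, LIB_VERSION).hex(" "))
```

The check bytes only detect transmission or configuration errors; they are a plain XOR of the UID and give no protection against a cloned UID.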

All modern door readers today support NFC technology for UID-based access and typically do not require any proprietary readers such as MIFARE, HID, FeliCa, etc.

The ability to clone UIDs, similar to RFID IDs, makes using UID-based NFC access generally insecure. However, many organizations still use it because it is low-cost and simple to set up. Additionally, the cards and tokens needed for this system are inexpensive, often costing less than 3 Euros each, and they do not require complicated access protocols.

Proprietary NFC-based PA technologies often use higher-level security by employing shared secrets, like a master key, to encrypt ID information. These systems also utilize dynamic key rotation to prevent cloning of the keys and to block replay attacks.

The most advanced systems use a combination of challenge-response techniques and digital signatures for PKI-type access. Because the process of creating a strong signature and verifying it can take more time, these PA systems might have a delay between when the card touches the reader and when the door unlocks.

Crayonic Wallets may be able to emulate some of the more secure NFC technologies. However, integrating most proprietary protocols currently requires hardware modification, and these options can be offered only for large orders above 10,000 units.

Bluetooth Support

Crayonic Wallets offer innovative ways to provide access control compared to traditional smart cards, ID cards, fobs, and tokens by using Bluetooth Low Energy (BLE) technology. BLE-based physical access (PA) systems offer several benefits over traditional systems like NFC and RFID. One major advantage is that they allow users to gain access without having to physically tap a reader. The reader actively senses the distance to the badge holder, which lets it detect when the badge holder is approaching.

This feature becomes even more effective in combination with continuous authentication. Users can authenticate themselves into the wallet using personal identification numbers (PINs) or fingerprint scans. A body detection mechanism ensures the wallet remains unlocked, allowing it to securely complete access challenges provided by door readers as the user nears the door. This method is not only convenient but also efficient, offering swift access with high security and zero waiting time without the need to touch the reader or the badge.

In the ideal BLE PA system setup, the reader would be able to utilize cryptographic keys issued by logical access infrastructures, such as X.509 certificates or FIDO2 passkeys. This cryptographic approach ensures that access remains secure, is tied to each user's unique identity credentials, and is controlled by existing IAM solutions such as Microsoft Entra ID or MS Active Directory.

Crayonic can suggest existing market solutions that support compatible BLE readers as this next-generation technology is slowly entering the mainstream market.

BLE-based physical access is supported by Crayonic Badge, Crayonic KeyVault, and even by the upcoming Crayonic Soft Badge (mobile phone application).