Covid-19 has driven a surge in the number of people using digital wallets on their mobile phones to make contactless payments. Now manufacturers are starting to look at further applications of the technology that underpins these payments, and an initiative launched by Android-maker Google could usher in a new era in which smartphones replace keys to offices and factories by supporting digital keys.

Android digital keys
Keys could soon be a thing of the past as mobile phones begin to be used to access buildings and vehicles. (Photo by iChzigo/Shutterstock)

The Android SE Alliance is a partnership between various vendors to develop applications for embedded secure elements (SEs), the tamper-proof hardware components included in a phone that allow it to be used as a key or to make payments. Other emerging use cases include ePassports and driving licences, and the technology could be deployed in vaccine passports which are likely to be required for international travel as the world emerges from the pandemic.

The SE “offers the best path” for introducing these new use cases in Android, said Google engineers Sudhi Herle and Jason Wong in a blog post, adding “we already have several Android OEMs adopting Android Ready SE for their devices. We look forward to working with our OEM partners to bring these next-generation features for our users.”

What is a secure element? Android playing catch-up

An embedded secure element is a microchip used to store critical information separately from a device’s main processor. “It ensures secure storage of data, granting access to information only to authorised applications and people, and executes cryptographic operations such as authentication and encryption,” explains Stéphane Quetglas, mobile connectivity expert at security company Thales. “It is certified according to industry standards to achieve the highest security assurance levels.”

Deploying an SE makes it harder for hackers to access or use private information, as it is virtually impossible to bypass security mechanisms and tamper with its operation, and it uses its own dedicated and independent processing power and memory rather than any shared resources. The chip is then paired with near-field communication (NFC) or ultra-wideband (UWB) tech to enable the digital exchange of information, the most common current use case being mobile wallet payment systems such as Google Pay or Apple Pay.

Apple, which controls the manufacture of its devices, installs an SE as standard on all new iPhones, but as Android phones are made by myriad manufacturers, adoption of the technology in its eco-system has been more haphazard. Though SEs are typically found in most flagship Android handsets, Counterpoint Research’s IoT security team says in 2019 only a third of mobile phones sold globally had an SE. “Simply put, adding an SE adds costs since it’s an additional chip and comes along with additional development needs,” says Charles Dachs, VP and general manager for secure embedded transactions at NXP Semiconductors, which is part of the new Android alliance. But, he says, “we’re at a point where benefits outweigh that effort”.

Indeed, the widespread popularity of mobile-phone enabled payments, exacerbated by the Covid-19 pandemic, is likely to increase manufacturer interest in SEs. According to research from LearnBonds.com, the value of payments made via mobile wallets around the world is expected to reach $1.3trn this year, and increase to $2.1trn over the next two years.

An ecosystem-wide initiative for Android reduces the barriers to integrating SEs, says Quetglas. “The Android Ready SE initiative makes it possible to rely on a pre-packaged and validated solution that includes an SE, a set of security applets and native support by Android,” he says. “This dramatically reduces the required investment to equip devices with an SE. Device makers will be able to increase the security of their products with little effort, which will benefit their customers.”

Beyond payments: digital keys for businesses

SEs could allow businesses to replace traditional keys or access cards with connected devices. NXP is investigating a solution that uses ultra-wideband (UWB) radio to accurately pinpoint the device location in real-time. “This is something that can be hard to fake, so it can be used to restrict access to an area or used to add protections based on where an asset sits, where a piece of data resides, or the origination point of a communication,” Dachs explains.

A UWB-enabled door lock, installed in an office, lab, or on a warehouse entryway “can detect your approach and automatically unlock when you’re near enough to open the door,” he says. “There’s no need to insert a physical key, enter a pin, tap a card, or take your phone out of your pocket,” he adds. “The lock can tell if you’re approaching from the inside or the outside of a building, and respond accordingly, and it can automatically relock as you move away from the door.” UWB also allows users to safely share access credentials, so credentials can be temporarily granted and revoked as required.

These SE-powered security systems could allow hands-free access, as well as real-time management of credentials and access privileges, says Marco Preuss, director in the global research and analysis team at cyber defence company Kaspersky. But he urges caution. “You have to count in the human factor, which adds a number of risks that are difficult to predict,” he says. “Many vulnerabilities start with single points of failure, as we are talking about battery-powered electronic devices that can malfunction.”

Preuss adds while SEs themselves are highly secure, hackers could take advantage of vulnerabilities in software implementation or wireless transmission. “As SE chips become more commonplace, many security aspects will be honed and bolstered, which will give us clear data and evidence on further risks,” he says.

Cars could drive the adoption of digital keys

While work is still needed to deliver digital keys for businesses, they have already arrived in vehicles. Last month BMW announced an update to its iDrive tech system which allows drivers to use their iPhone to unlock and start their car. The launch of the Android SE Alliance could see similar functions arrive on Android phones too, and Thales’ Quetglas says this could have big implications for businesses. “Such virtual car keys enable the full digitalisation of the customer journey for vehicle fleets, car-sharing​, or rental cars,” he says. “The SE brings both trust and convenience with high levels of security and the ability to use contactless communication protocols to interact with the car such as NFC, Bluetooth or UWB.”

Elsewhere, digital health is likely to be another strong use case as SE chips become more common. “The pandemic has highlighted how our phones could be used for more than just contactless payment and starting the car,” says Vincent Korstanje, CEO at Kigen, another partner in the SE Alliance. “They may become our vaccination passports with a root of trust that protects digital medical data as we carry it in our pockets in digital form, or another form of ID. It’s not just about paying for your groceries on your phone.”