While banks have been busy performing experiments with blockchain tech, London product consultancy firm Zerado has already built a prototype for an access control system using blockchain, NFC and Internet of Things (IoT).
Built to handle both identity and payments, the basic idea is to use blockchain technology to store information about who is authorized to use a physical device (such as a door lock) and to authoritatively determine and authenticate the identity of the person trying to use that device.
Once authenticated, the person will be able to use the services controlled by the physical device, either by prepaying or by paying on the spot, based on availability.
In a way, Zerado’s prototype is similar to that proposed by Slock.it before the infamous DAO incident, though it uses a private blockchain implementation, rather than the public ethereum blockchain.
Tomasz Mloduchowski, the CTO of Zerado, believes that using this design allows the company to leapfrog over incremental technology improvements and use a system that will likely become ubiquitous in the future.
In addition, he believes that using a blockchain makes the system much easier to develop and deploy in real-world settings, while also giving users full control over what level of data sharing is required for the application.
Also notable is that instead of using a private key signature as an authentication mechanism, Zerado leverages the existing contactless payment systems found in most debit cards in Europe for both payment and identity authentication.
He told CoinDesk:
"Access control has a set of unique requirements that neatly match the capabilities of blockchain. From the needs of security, through the use of EMV cards, to the auditability."
One immediate use case for the idea would be the hotel check-in process, where a guest could pay for a room over the Web and use a debit card at the hotel for access.
The information from the debit card is read by an IoT device which controls the door lock and is connected to all other such devices in the hotel. Once the card is authenticated, the lock's state is propagated to all the other locks, which would then know not to grant a second access to this identity.
The company sees a similar use in coworking spaces, which need a constant monitoring of who is allowed to access which rooms and for what durations.
Any EMV-enabled credit or debit card that is able to electronically share data (such as the name on the card) can be used for authentication. Different issuing banks provide different types of card data to the card-reading devices, and the authentication is then performed using multiple pieces of data pulled from the card.
Zerado’s working prototype uses a private blockchain to store information about identity and authorization, along with the payment state.
It is capable of using a debit card both as an identity for user authentication and as a payment mechanism.
One of the notable features of the prototype, however, is that it uses the UK’s contactless payment cards, which are ubiquitously issued by banks and financial institutions.
Behind the scenes, these cards use near-field communications (NFC) technology to communicate between the card and the device. (Point-of-sale terminals in Europe, for example, already pull data from a debit card for payment reasons.)
However, in addition to the payment information, they also contain information about identity issued by the bank, such as the name of the person.
Using this type of information, the IoT-enabled locks are able to perform authentication on the user trying to access a resource. This also enhances security, because the same mechanism can be used instead of separate hotel key cards that are seldom without vulnerabilities as the technology stands currently.
Zerado has also built offline resilience into the system as a whole, which could realistically operate even in the event of a loss of connectivity.
A valid offline transaction is created, which is then manually relayed to all the nodes in the system. In the example of a hotel room, when the state of the blockchain changes, a "master key" (which contains the latest transaction information) can be used by the staff to manually update the blockchain stored by the individual nodes.
This is possible because the nodes each contain a full copy of the blockchain.
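The offline relay described above, sketched as an added example that is not Zerado's code: each lock keeps a full copy of a hash-linked ledger and accepts blocks carried to it only if they link to what it already holds. The block layout, the SHA-256 linking and all names (`LockNode`, `blocks_after`, the `guest-A` identity) are assumptions, since the article does not describe the prototype's block format.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed value: head of an empty ledger

def block_hash(prev, payload):
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(chain, payload):
    """Front-desk side: add an authorization change to the ledger."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": block_hash(prev, payload)})

def blocks_after(chain, head):
    """What the staff 'master key' carries to a lock whose ledger ends at `head`."""
    hashes = [GENESIS] + [b["hash"] for b in chain]
    return chain[hashes.index(head):] if head in hashes else None

class LockNode:
    """One door lock holding a full copy of the ledger (hypothetical class)."""
    def __init__(self, room):
        self.room, self.chain = room, []

    def head(self):
        return self.chain[-1]["hash"] if self.chain else GENESIS

    def accept(self, blocks):
        """Apply relayed blocks only if every one links to its predecessor."""
        staged, prev = list(self.chain), self.head()
        for b in blocks:
            if b["prev"] != prev or b["hash"] != block_hash(b["prev"], b["payload"]):
                return False  # broken link or altered payload: keep the old state
            staged.append(b)
            prev = b["hash"]
        self.chain = staged
        return True

    def is_authorized(self, identity):
        """Replay the ledger; the last grant/revoke for this room and identity wins."""
        allowed = False
        for b in self.chain:
            p = b["payload"]
            if p["room"] == self.room and p["id"] == identity:
                allowed = p["op"] == "grant"
        return allowed

if __name__ == "__main__":
    ledger, lock = [], LockNode("101")
    append(ledger, {"op": "grant", "id": "guest-A", "room": "101"})  # constructed sample
    print(lock.accept(blocks_after(ledger, lock.head())), lock.is_authorized("guest-A"))
```

Hash linking only lets a lock detect altered or out-of-order blocks relative to the head it already trusts; it says nothing about who produced a block, so a deployment would also need block signing or a consensus rule, which the article does not describe.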
But while the current prototype uses a private blockchain for access control and payments, Zerado believes it has applications in many different sectors, though they will likely all require different design decisions and trade-offs.
To this end, the company has already created application-specific products that use a blockchain in the backend. For example, a working capital finance proof-of-concept was created that stores transaction history across multiple parties in a supply chain.
There is also a blockchain product called Disberse that the firm hopes to utilize in bringing more transparency in the humanitarian aid sector.
Zerado is building prototypes of various use-cases, which it says bring real solutions to industries. That it happens to use a blockchain in the backend is immaterial to the users of the system, but provides them with many benefits: from security and auditability, to privacy and ease of deployment.
Imogen Bunyard, COO of Zerado, told CoinDesk:
"We see a great deal of value for blockchain in every sector – whether to implement now, or to future-proof against increased security risk and more sophisticated standards."