Most citizens in large centers interact with access control systems on a daily basis. Airports, buildings, meetings rooms, residences, staff areas, etc have systems to control access to different areas.
Despite the fact that current access control systems solve most problems in this field, centralized solutions have intrinsic issues related to data protection, security, privacy, scalability and offline capability.
Most of these systems rely on an architecture where a central software module stores all the data related to individuals and their permissions. Such centralised silos are already known for some disadvantages:
- GDPR: data protection regulations are present in several countries and penalities for having user's data being breached are expensive.
- Hackers: Potential point of attack for hackers or anyone with bad intentions, including the staff, considering the amount of personal data stored in a single point.
- Low offline capability: access control systems based in centralized solution aren't able to deal with cases where operation happens without access to a central module.
- Low interoperability: access rules can only be checked through the system in its proprietary implementation.
- Low privacy: user PII data can be seen by access control staff.
In a decentralized solution, the access control system plays the role of a credential issuer and verfifier which won't store any personal data from users. It'll simply:
- Issue credentials containing user identification data, without storing any data internally. Such data needs to be enough to identify the user when present in the location. It can contain biometrics, user pictures, identification documents references, etc.
- Issue credentials defining the access permissions the individual has.
- Verify the credential when the user is in person in the location. This verification process can also be implemented by other parties, like partners which want to accept the same credentials.
In this solution users hold their credentials, the only place where their personal data seats. Optionaly, the data can be encrypted, or even hashed, bringing more security and privacy.
In order to implement such decentralized access control system, we could use 2 verifiable credential schemas:
In Person Identification: a credential containing data which can be used to guarantee that its holder is who they claim to be when presenting it to an IOT device or access control staff. Such data could be
Physical Access Permission: should link to the person who have the access, the area she has access, the time slot she has access and any other rules related to the access.