The Growing Popularity of Smart Phones as Access Control Credentials
February 2018 by Scott Lindley, General Manager, Farpointe Data
Smartphones fulfill many needs, including telephone, camera, navigation, music, video, clock, news, calculator, email, Internet, gaming, contacts, and more. Security professionals creating access control systems need to be aware that 95+ percent of all adults 18-44 years own smart phones. Plus, 69 percent of the entire population already uses smart phones. That’s babies through seniors. And, the average smart phone user touches their device 2,617 times a day ((Dscout Research)!
Thus, practically anyone using an access control system already carries a smart phone. Another way to look at it is that every smart phone user, or almost everybody, could now easily download an access control credential.
Mobile credentials are smart phone-based versions of traditional RFID cards and tags. Mobile credentials make it possible for smartphones, such as the Apple iPhone® and the range of Google Android® devices, to be used as an electronic access control credential.
No longer will people need various physical credentials to move throughout a facility. Instead, a person’s iPhone or Android smart phone, which they carry with them wherever they go, will have the credentials they need to enter into any authorized access system. In fact, such a system can reach beyond the facility into their homes, their automobiles or at the gym.
“Mobile has already disrupted so much in both our personal lives and the enterprise, but we are still tapping an old school badge on a door access reader,” David Anthony Mahdi, research director at Gartner Research says. “It’s a dichotomy. On one side we are doing all these amazing things with our phones but then we are still using 20-plus year old technology to get into our buildings.”
Referred to as mobile or soft, smart phone based access control credentials are another version of traditional RFID cards and tags, joining proximity and smart card credentials to support a user as she moves about a secured facility. Gartner suggests that by 2020, 20 percent of organizations will use mobile credentials for physical access in place of traditional ID cards. Soft credentials provide several advantages over hard credentials. They are more convenient, less expensive and more secure. This is true for both end users and installers.
They are more convenient because the user already has his credentials and already carries it with him wherever he goes. Credentials can be delivered to the end user in either paper or electronic form, such as via email or text. The dealer has nothing to inventory and nothing to ship. Likewise, the user sponsor has nothing to store, nothing to lose and faces no physical replacement hassles. Cost are lowered as nobody must undertake "1sy-2sy" replacement orders.
Original soft access control systems are already being used by innovators, approximately five percent of users, according to Gartner. There were the typical drawbacks with a new technology. Before they switched to soft credentials, the next wave of users have requested smart phone solutions that eliminate many of the frustrations that they discovered with their original smart phone apps and hardware, the main one being complicated implementation practices. The newer solutions provide an easier way to distribute credentials with features that allow the user to register only once and need no other portal accounts or activation features. By removing these additional information disclosures, vendors eliminated privacy concerns that have been slowing down acceptance of mobile access systems.
One additional concern held back some buyers. What if the baby boomers at our facility don’t have a smart phone? Problem solved. Just be sure that your soft credential reader can also use a smart card.
Technical Stuff Quickly Explained
Just like hard credentials, soft credentials can support the 26-bit Wiegand format along with custom Wiegand, ABA Track II magnetic stripe and serial data formats. They can be ordered with specific facility codes and ID numbers. They are delivered in the exact number sequence ordered with no gaps and no under- or over-runs.
Two technologies are used - Bluetooth and NFC (Near Field Communication). Bluetooth readers are less expensive because almost every smart phone already has Bluetooth. Not even 50 percent of all smart phones yet have NFC.
Bluetooth’s other big advantage is read range, up to 30 feet. Plus, installers can provide adjustable read ranges and differ them for various applications. For instance, they could be six inches at the computer access control reader but 24 inches at the front door. When entering the facility gate, a still longer read range, perhaps six feet, can be provided so users don’t have to open their car window to reach the reader. NFC readers only operate with a read range of a few inches, that of a proximity card, eliminating any possibilities of simply leaving the smart phone in the pocket or purse and still get reads.
Many companies still perceive that they are safer with a card, Gartner’s Mahdi notes, but if done correctly, the mobile can be a far more secure option with many more features to be leveraged. Handsets deliver biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC, he adds
Bottom line - both Bluetooth and NFC credentials are safer than hard credentials. Read range difference yields a very practical result from a security aspect. A Bluetooth reader can be installed on the secure side of the door while NFC must be mounted on the unsecured side.
As far as security goes, the soft credential, by definition, is already a multi-factor solution. Mobile credentials remain protected behind a smart phone’s security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification - what you know and what you have or what you have and a second form of what you have.
To emphasize, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential works just like any other app on the phone. The phone must be “on.”
Leading readers additionally use AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks. With the U.S. Federal Trade Commission (FTC), among others, now holding the business community responsible for implementing good cybersecurity practices, such security has become an increasingly important consideration.
If the new system leverages the Security Industry Association’s (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices.
Likewise, check if the new soft system requires the disclosure of any sensitive end-user personal data. All that should be needed to activate newer systems is the phone number of the smart phone.
Lastly, once a mobile credential is installed on a smartphone, it cannot be re-installed on another smart phone. Think of a soft credential as being securely linked to a smart phone. If a smart phone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software - with a new credential issued as a replacement.
Installing Soft Credentials Is So Much Easier
Smart phone credentials are sold in the same manner as traditional 125-kHz proximity or 13.56-MHz smart cards - from the existing OEM to the dealer to the end users. For the dealer, smart phone credentials will be more convenient, less expensive and more secure. They can be delivered in person or electronically. They are quicker to bill with nothing to inventory or to be stolen. Also, in most cases, soft credentials can be integrated into an existing access control system. Distribution can also be via independent access control software.
There are two types of software. First is the Wallet Application, a free software that is downloadable from the Apple App Store or the Google Play Store. Its purpose is to hold the access control credentials. Typically, the Mobile Wallet App will store as many credentials as you will want, all at one time.
The Mobile Access Credentials are the individual credentials needed to gain access. Each credential can be programmed to work with a specific access control system. This means that, yes, a single smart phone, holding multiple access credentials, can be used to gain access on multiple access systems. No longer will users be required to carry individual multiple hard credentials. The employee just carries her smart phone which has them all within it.
Smart phone credentials deploy so much faster than hard credentials. To install a mobile credential, a user needs to first have the Wallet App installed on a supported smart phone. Next, you launch the App and select the “Add” button, indicating that you would like to load a new credential. A Registration Key Certificate is provided for each credential ordered. Now, enter the unique 16-character Key from the Certificate and tap “Submit.” Once successfully registered, the new mobile credential will appear in the Wallet App ready for use. From that point on, the user simply holds their smart phone up to reader when they approach it.
Why Multiple Credentials Are Emphasized with Smart Phone Access Control
The simple reason is that this is the future. Already, we’ve discussed access control at the front door, the parking gate and for the data system. But, at lunch, soft credential would also be available at the cafeteria or the vending machines. Students could check out books while machinists select the tools they need. They become a photo ID at the club. All are separate applications with their own access control systems.
Thus, a Mobile Wallet App will normally store many credentials on a smart phone at one time. The actual quantity is dynamic and is related to the memory specifications and internal storage space available on each individual smart phone.
And, more opportunities are on the way. How about using your smart phone as an intelligent key for your car? Want to know where your child is driving, how fast or if he added gas or oil? How about using it to access your gym, automatically synch to a piece of equipment or analyze the effectiveness of your workout? Forget all those other tags and cards. Your smart phone will become the passport to all aspects of your life from work to home to avocations. At a fraction of the investment you have in hard credentials, secure soft, digital credentials are all you need.
The Hard Fact about Soft Credentials
Soft, mobile, smart phone based access control credentials are inevitable. Every security professional needs to get on board.