Smartphones can be used for access control, offering better security than traditional access cards, but users sometimes get in the way.
Given the broad use of smartphones around the world and the numerous technologies packed into these devices, it was only a matter of time before the access control industry developed technology that would use smartphones for granting access.
One of the drivers for using mobile access credentials is that, unlike cards or tags, users pay special attention to their mobile devices and rarely forget them at home or carelessly lose them. This would reduce the number of lost or forgotten cards companies would have to deal with first thing on Monday morning, but in cases where someone’s mobile is lost, stolen or somehow incapacitated, it is also easy to revoke the credential without wondering if another party has or is using it for nefarious purposes. And the issuing and revoking of credentials is simple when being done ‘over the air’.
Not all mobile access technology works on the same principle as issuing cards, however. In one approach, users have an app on their phone and an administrator assigns them one or more virtual cards, which are controlled by the company or companies and can be revoked in an instant. These operate like traditional RFID or similar cards in that when the user holds their phone to the reader, it recognises the card and grants access. Bluetooth and NFC (near-field communication) are generally used to transmit information, with NFC requiring the device to be almost as near to the reader as a traditional card (up to 4 cm), while Bluetooth provides the option for more distance – theoretically up to 100 metres.
The other mobile credentials are also app-based, but don’t issue virtual cards per se. Many electronic locks, for example, allow an administrator or owner to assign access rights to various people via a mobile device, again using Bluetooth or NFC to open doors or log in. From a corporate perspective, some companies also offer cloud-based administration services to manage various identities while others have the administration done on the mobile app or both.
Mobile access credentials also deal with the perceived threat to biometric access in terms of your fingerprint or face being a single credential that can’t change over the user’s lifetime. Mobile credentials can be granted and revoked with ease.
To find out more about the uptake and use of mobile access technologies in the region, Hi-Tech Security Solutions asked a number of industry experts to join us for a round-table to discuss the pros and cons as well as the potential of mobile access. Our attendees were:
• Wouter du Toit from SALTO Systems SA.
• Claude Langley from HID Global.
• Hannes Nortje and Paul Chari from dormakaba SA.
• Walter Rautenbach from neaMetrics, distributor of Suprema.
• Lee Smyth from Gallagher.
Resistance is futile
Apart from losing a device, another issue many raise about mobile credentials is what happens when the user’s battery has died. Unlike a traditional card where only the reader needs power, with mobile access both the phone and the reader need power for the transaction to take place. While this can be an issue, most people take care to ensure their batteries are charged which makes the battery concern a fairly minor one.
Additionally, battery technology has been improved to the degree that arguments like this are becoming weaker. SALTO has seen batteries improving to the extent that a battery that provided enough power for 40 000 openings one year ago now handles 150 000.
More problems are experienced when users are against having a company app on their devices with arguments about privacy and tracking being raised; and in cloud scenarios there is a fear that hackers will ‘get’ your personal information. While these seem to be valid arguments, the same users don’t hesitate to download the latest games and provide them with full access to all their personal data.
The round-table attendees also mentioned that user resistance to mobile access technologies may stem from the data costs users would have to pay when using these systems. Again, this is simply an excuse. There may be data costs, but these are minimal as the access control system makes use of Bluetooth or NFC communications, not your cellular network.
In certain instances, companies do use the Internet at intervals to validate the credentials on users’ phones to ensure they are still being used and valid. This is simply a security procedure that forces the deactivation of unused credentials and does not require gigabytes of data.
For many people, mobile access, despite its attractions, is still more of a niche solution than mainstream. Some say this is a cost issue, a user privacy issue or simply a trust issue as we have all grown accustomed to more traditional solutions, much the same as the initial jitters when fingerprint biometrics initially hit the commercial market. However, there are areas where mobile access offers benefits that can’t be ignored and local vendors are seeing good growth.
Gallagher’s Smyth says he has seen good uptake of the company’s mobile access offerings, primarily in the corporate environment, but there is also a growing market in the residential estate segment. Most of the uptake has been for access control, but there is increasing interest in using mobile technology in visitor management as well. The company offers a range of Bluetooth readers as well as its traditional MIFARE readers which can work with NFC.
Nortje adds that dormakaba’s BlueSky product has been adopted broadly in the hospitality industry. In markets such as Airbnb rentals, people find it much more convenient to handle their key management via mobile. Guests are authorised to come and go for the duration of their stay, after which their access is terminated without anyone having to manually hand over keys. The system also reports on the usage statistics for one or more locations.
dormakaba is also finding success in the residential market where users can install and set up the system themselves and provide access to family and employees via the free app. The company also has a cloud solution, exivo, which will make management and control even simpler for the hospitality industry; the solution is operating globally and will be available in South Africa in 2020.
From the HID perspective, Langley says education and government are large markets for the company. However, there is an opportunity to capitalise on the massive adoption of wearable technology, especially among young people. He expects this adoption to grow and more companies will link their mobile credentials to these wearables in the near future.
For SALTO, hospitality is also a key market as these companies have long relied on physical keys and more recently on card-based access. Today, even with hotels and small accommodation providers, there is a trend to not having a front desk at all. With mobile solutions there is no need for a check-in process and visitors can arrive whenever they like and have immediate access to their rooms.
SALTO’s cloud-based system is around six years old and makes it simple, especially for smaller operations, to manage multiple sites from a central dashboard or even from an administrator’s mobile device. It also provides larger concerns with the option to integrate SALTO technology into their own mobile apps to ensure the organisation’s branding is displayed to visitors.
Proving the case
When it comes to getting corporate buyers to adopt this technology, however, Du Toit says the process is not all that simple. Much like the challenge of proving that wireless access control technologies were as secure and reliable as traditional wired solutions, buyers want to be assured that the technology works, is secure and will provide the type of service and reliability older access systems are known for (some companies have access control installations that have been in use for 20 years).
The key, he says, is options. An enterprise security solution today is not a neat case of having the same technology used throughout the organisation. A hybrid approach is required to ensure that the business is able to meet its own access and security requirements, using the best solution in the appropriate situation. Understanding these requirements depends on each company’s own risk analysis.
He provides an example of a global company that rents office space. The smart solution for this business was to equip its customers with mobile access credentials. In this way, if a customer has the right to use a boardroom in any of the 3000 offices around the world, booking the room and gaining access to it is all done via the mobile app. This simplifies the process while still keeping accurate records of who was where and when.
All the attendees also note the differences between the generations when it comes to using mobiles for access control (and almost any other services). The traditional ability to buy a number of cards, issue them personally and see there are 100 physically sitting in the filing cabinet makes a difference to some, quips Rautenbach, while the younger generation are generally completely comfortable with having their entire lives managed and controlled by their smartphones.
Catering to these differences in understanding will assist in the further adoption of mobile credentials and the development of working hybrid solutions.
Integration and interoperability
Suprema has had mobile options for some time, but the company has expanded its mobile credential technology and management capabilities lately to allow its clients to integrate its technologies into their own solutions, as seen with the recent release of its software development kit (SDK). In addition, the company is moving its credential issuing functionality to a portal system to make it simpler for customers to manage their credentials without having to open a specific Suprema application each time. Suprema is taking mobile credentials so seriously it has created a new subsidiary, Moca Inc., purely focused on the mobile credential market (https://mc.suprema.io/).
Rautenbach says that compatibility and the ability to integrate with other vendors is a key feature for Suprema’s mobile drive.
If one looks back in time, many traditional card readers were locked to certain technologies such as Proximity (Prox), MIFARE, MIFARE DESFire cards and so forth. Rautenbach notes that Suprema has supported mobile technologies for several years. With a drive for flexibility, most new readers support multi-card reading capability, including NFC and Bluetooth, which are essential to the mobile market.
And just as Suprema is looking towards better integration and compatibility with other companies, Smyth notes that the mobile technology referred to for access control is also being expanded to other areas to boost convenience. For example, there is no reason why the same mobile device can’t automatically call an elevator when someone enters a building or that the system can’t be used for buying lunch in the canteen.
Suprema, Gallagher and HID are already looking at integrating visitor management functionality into their mobile apps, while Chari says the combination with other mobile technologies, such as location, can assist in workforce management integration. For example, sales visits to clients can be monitored by location and time, with reports showing who was where, when and for how long. When using contractors, the actual time spent on site can be recorded to gain insights into the time spent working on a problem or installation.
Taking it further into other areas of security, wireless connectivity also allows people to control their alarm and perimeter systems, even as far as managing and monitoring their surveillance from their mobiles. This may not be the ideal solution to replace a control room, but for managers called upon to make a decision when an alarm is triggered, these tools can prove very useful. (In these scenarios one would make use of a 3G or 4G cellular network or Wi-Fi rather than Bluetooth or NFC.)
Short range communications
Excluding the Wi-Fi and cellular networks, the mobile credentials referred to make use of Bluetooth and NFC when it comes to controlling access. We have referred to Bluetooth in general in this article, but it should be noted that Bluetooth Low Energy (BLE) is the standard used among the companies represented. BLE offers reduced power consumption compared to traditional Bluetooth, as well as lower costs, and allows longer distances between device and reader than NFC. Depending on the environment and the configuration of the devices, BLE can theoretically be used at distances of up to 100 metres, although real-world use is generally much less.
This distance allows access control points to register the device long before the user is at the door or gate and automatically open for them. This would be a good solution for corporate parking garages or homeowners in a residential estate. Naturally, this is not the most secure form of access control, which is where additional functionality, such as forcing the user to unlock the phone or scan a biometric before entry is permitted, makes a difference.
NFC is also available on most mobile devices (even with Apple being a laggard in this area). NFC is closer to a traditional contactless card approach to access with a range of up to 4 cm.
Nortje says that while there is often a resistance to using something like Bluetooth on one’s personal phone for corporate access, the technology is used almost everywhere today, from enabling hands-free driving to controlling smart home devices. Any complaints in this regard are over-exaggerations. Additionally, BLE is extremely light on battery consumption.
The security question
One of the security benefits of mobile access is the simplicity of adding a second authentication factor where necessary. Smyth says Gallagher allows administrators to request the user to enter a PIN or scan their fingerprint when requesting access, making sure that the person who actually has access to a location or to data is the one using the device.
Chari supports this comment, noting that the mobile credential is still security by ‘something you have’. By adding a biometric, whether fingerprint or face recognition, depending on what your phone supports, the system is also authenticating that the right person is requesting access and he/she is actually there. The improvements in biometric security on mobile devices make this a convenient and reliable process for multifactor authentication. (It should be noted that the biometric referred to above is the one stored on the phone and used to unlock your screen and apps; it is not the biometric that would be presented to a fingerprint reader or face scanner.)
In his experience, Langley says multifactor or multi-modal access control is one of the biggest growth areas for security due to the enhanced security it provides. And while mobile credentials can and do form part of this, high-security environments and transactions will almost always require additional verification and authentication factors.
As with all areas of the security market, convenience is demanded by everybody, but security and convenience are not yet compatible. And this is why biometrics remains a leader in access and identity, according to Chari, and why more secure areas demand more than scanning your mobile device over a reader.
Depending on the situation, some apps can work while the phone is locked, while others are set to require the phone is unlocked before the credential is read, and still others require users to open the app and press a button or enter a PIN. It all depends on the security levels set by the company.
Supporting him, Nortje says that it all depends on your environment and what it is you want to secure and how secure it must be. He emphasises that encryption is a key element of mobile access technologies’ security (as well as beyond the mobile space into all access and identity functionality). dormakaba makes sure all the communications between readers and devices are encrypted while being transmitted – a critical aspect of wireless communications – to ensure the safety of users and the organisations using its technology.
Langley warns that the security of mobile access credentials is not simply a matter of securing the communications or requiring the user to scan a biometric. As with all security functions, the whole infrastructure must be secure. In this scenario he means the communications plus the two devices (the mobile and the reader), and we could continue that thread into the network and server infrastructure as well as any cloud services used by the customer. One vulnerability puts all your security at risk.
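An added example, not taken from the article or from any of the vendors quoted: a Python sketch of how an access decision could combine the points raised above, namely instant revocation, periodic online validation of credentials, and company-set security levels that decide whether the phone may stay locked, must be unlocked, or must also confirm a PIN or on-phone biometric. All names, the three levels and the seven-day validation window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Level(Enum):
    """Hypothetical security levels a company might assign to a door."""
    LOW = 1     # e.g. parking garage: credential is read while the phone is locked
    MEDIUM = 2  # phone must be unlocked before the credential is read
    HIGH = 3    # unlocked phone plus PIN or on-phone biometric in the app


@dataclass(frozen=True)
class Presentation:
    """What the reader learns when a phone presents a credential."""
    credential_id: str
    phone_unlocked: bool
    second_factor_ok: bool    # PIN or on-phone biometric confirmed by the app
    last_validated: datetime  # last successful online validation


# Assumed policy value, not taken from any vendor.
MAX_VALIDATION_AGE = timedelta(days=7)


def decide(p: Presentation, level: Level, revoked: set, now: datetime):
    """Return (granted, reason) for one access request."""
    # Revocation comes first: a lost or stolen phone must fail at every door.
    if p.credential_id in revoked:
        return False, "credential revoked"
    # A credential that has not checked in recently is treated as unused.
    if now - p.last_validated > MAX_VALIDATION_AGE:
        return False, "validation overdue"
    if level in (Level.MEDIUM, Level.HIGH) and not p.phone_unlocked:
        return False, "phone must be unlocked"
    if level is Level.HIGH and not p.second_factor_ok:
        return False, "second factor required"
    return True, "granted"


# Constructed sample data for the demonstration below.
NOW = datetime(2020, 1, 15, 8, 0)
REVOKED = {"cred-0007"}
FRESH = NOW - timedelta(days=1)
LOCKED = Presentation("cred-0001", False, False, FRESH)
UNLOCKED = Presentation("cred-0002", True, False, FRESH)
VERIFIED = Presentation("cred-0003", True, True, FRESH)
STOLEN = Presentation("cred-0007", True, True, FRESH)
STALE = Presentation("cred-0004", True, True, NOW - timedelta(days=10))

if __name__ == "__main__":
    for name, p in [("locked", LOCKED), ("unlocked", UNLOCKED),
                    ("verified", VERIFIED), ("stolen", STOLEN), ("stale", STALE)]:
        for level in Level:
            print(name, level.name, decide(p, level, REVOKED, NOW))
```

The ordering matters: revocation and validation age are checked before any convenience rule, so a revoked or stale credential is refused even at the lowest level and even when the second factor succeeds.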
The quest for standards
Rautenbach highlights another issue when it comes to access authentication, and that is standards. Currently there is a lack of global standards that would ensure that, for example, a mobile credential from one provider will work on the access readers of another. Simple serial number exchange is used to overcome this, but it loses most of the benefits that mobile credentials can provide over cards. The nature of the industry has seen vendors opting for their own proprietary algorithms and encryption, which is good in terms of security, but bad in terms of interoperability. The same applies to credentials and their associated functionality on mobile devices.
There are standards that organisations can use to ensure their mobile identity system is usable across sites and projects, according to Chari, but it requires standardising on a single vendor or doing a lot of integration work to make it happen.
The need for standards is also about increased security. Langley gives the example of a person who uses certain technology to enter and exit their residential estate, but then needs to use something else when they get to work because the two locations have installed solutions from different vendors. These vendors may use the same basic technology, such as mobile credentials, but they have proprietary functionality added which means the person needs to have two separate identification methods on the same phone.
So while the idea for standards is good and would add a level of convenience without hampering security, Langley says the challenge lies in getting the vendors to work together.
As a biometric evangelist of many years, Rautenbach looks forward to being able to carry all our identification credentials on a mobile device, from an ID card to a driver’s licence and passport. The technology is already there to accomplish this, but the standards, the will and the assurance of the security of the data are still issues that need to be sorted out.
Du Toit agrees, noting that the technology and infrastructure for this is already there in countries like South Africa, it’s just the drive to make it happen that is missing.
© Technews Publishing (Pty) Ltd | All Rights Reserved