Mobile access is more secure than card systems

Access & Identity Management Handbook 2020 Access Control & Identity Management

The smartphone credential, by definition, is already a multi-factor solution.

The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new technology. As a matter of fact, research analyst Gartner has predicted that, by 2020, one in five organisations will be using smartphones instead of traditional physical access cards to access offices and other premises.

David Anthony Mahdi, research director at Gartner, avows that “replacing traditional physical access cards with smartphones enables widely sought-after cost reductions and user experience benefits. We recommend that security and risk managers work closely with physical security teams to carefully evaluate the user experience and total cost of ownership benefits of using access credentials on smartphones to replace existing physical cards.”

Yet, this new information comes directly on the back of a major task of the last several years, a focus by users to assure that their card-based access control systems are secure. Indeed, in the United States, the Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don’t. Other international governmental/law enforcement agencies are doing likewise. Safety and security have become prime issues.

So, as companies are learning how to protect card-based systems, such as their access control solutions, along come mobile access credentials and their companion readers which use smartphones instead of cards as the vehicle for carrying identification information. Many companies perceive that they are safer with a card and won’t consider that mobile access can be a far more secure option, even though mobile has various more features to be leveraged.


They also argue that market-specific security specifications can show that phone-based credentials are not a good fit for government, high-security and institutional customers. However, is it the credentials or how they are deployed?

The big major problem

It’s easy to detail how and why mobile access is safer. But, before we do, we need to understand that like many recently introduced innovations, the problem isn’t with the new technology; it’s how the industry tries to retrofit the old system into the new. For instance, Mahdi says, one potential hindrance to wider adoption is the limitations of certain smartphones, as different brands and models feature different capabilities. This means upgrades may be needed to ensure all staff authorised to access a certain area are able to do so.

True, but even that isn’t the prime obstacle we face with the security of mobile credentials. Some access companies are trying to kluge their present offerings into new mobile solutions. For instance, is the mobile radio module a snap-on arrangement to the back of the card reader? Is the module weatherised and secured against tamper? If not, then from the get-go, the system is not safe.

Bottom line: the mobile system needs to have been designed to be a mobile system, not just a hastily-produced option to the old card reader solution. Yes, it should work in conjunction with the card-based system. But, it should not be an offset of it.

Smartphone credentials are inherently more secure

As far as security goes, the smartphone credential, by definition, is already a multi-factor solution. Access control authenticates you by the following three things:

Recognises something you have (RFID card or tag).

Recognises something you know (PIN).

Recognises something you are (biometrics).

Your smartphone has all three authentication parameters. This soft credential, by definition, is already a multi-factor solution. Simply assure that your mobile credentials remain protected behind a smartphone’s security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up two-factor access control verification – what you know and what you have or what you have and a second form of what you have.

To emphasise, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential operates just like any other app on the phone. The phone must be ‘on and unlocked.’ These two factors – availability and built-in multi-factor security verification – are why organisations want to use smartphones in their upcoming electronic access control implementations.

Plus, once a mobile credential is installed on a smartphone, it cannot be re-installed on another smartphone. You can think of a soft credential as being securely linked to a specific smartphone. Similar to a card, if a smartphone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software – with a new credential issued as a replacement.

Leading smartphone readers additionally use the symmetric Advanced Encryption Standard (AES) encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks.

When the new mobile system leverages the Security Industry Association’s (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering secure bidirectional interoperability among security devices.

Likewise, new soft systems do not require the disclosure of any sensitive end-user personal data. All that should be needed to activate newer mobile systems is simply the phone number of the smartphone.

A special word of caution here. Many legacy systems require the use of back-end portal accounts. In addition to being rich caches of sensitive end-user data, a target of hackers, these portals can include hidden fees. What are these annual fees? Are they fixed through the life of the system? And who’s responsible for paying? It is best to simply avoid these types of systems.

Those days of jerry rigging are over. To start, all one needs to do anymore is to place their order, just like they presently do for physical credentials. Mobile credentials can be quickly and conveniently emailed in the exact quantity and format ordered. Alternatively, in cases where compliance with data regulations has a role, credentials can be shared confidently via enterprise file sharing. Once received, the credential detail, typically format, facility code and IDs from their order summary sheet, will be entered into the access control system software just like before. Finally, issue registration key certificates representing the individual mobile credentials to the staff and employees. It’s just that simple and error-free. To emphasise, there are no subscription or licence fees required.

Installation is just as easy and safe. First, users go to either the Apple App Store or Google Play Store and download the wallet app. Enrol the device – keep in mind, no portal account or on-board information is needed. To add the credential, simply scan the QR code or enter the 16-digit registration key found on the registration key certificate. Mobile credential download is assured via multiple layers of ciphers. Further, these credentials are not easily discoverable while stored in the file system of the mobile phone, as each is individually encrypted.


Scott Lindley, general manager, Farpointe Data.

New generation smartphone-based implementations reduce installation costs

This hasn’t always been true. Some mobile systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, with each registration requiring the disclosure of sensitive personal information.

Newer solutions provide an easier way to distribute credentials with features that allow the user to register their handset only once, and need no other portal accounts, activation features or hidden fees. Users don’t need to fill out several different forms.

Finally, access control specialists can order and install mobile access control in the way they have always wanted, in the quantities they precisely need. They can advocate for availability, compatibility and security, forgetting about authentication portals, subscription structures, licensing fees and the other hindrances that create confusion, and install mobile systems that are now safer than card-based.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Unlock data insights and integration
Gallagher Access Control & Identity Management Products & Solutions
Gallagher Security announced the release of its security site management software, Command Centre v9.20, which enables integration with Microsoft Entra ID, a cloud-based identity and access management system that provides seamless synchronisation of cardholders across systems.

Read more...
Gallagher Security opens Cape Town office
Gallagher News & Events Access Control & Identity Management
Acknowledging a significant period of growth for the company in South Africa, opening a second office will enable Gallagher to increase its presence across the region with staff based in Johannesburg and Cape Town.

Read more...
Securing access against unwanted visitors
Intelliguard Access Control & Identity Management Residential Estate (Industry) Products & Solutions
In today's residential estates and complexes, one of the biggest concerns is preventing unauthorised access, while ensuring a smooth and convenient experience for residents and approved visitors.

Read more...
Smart access for a safer community
neaMetrics Suprema Access Control & Identity Management Residential Estate (Industry) Products & Solutions
Suprema's BioEntry W3 integrates AI-powered facial authentication into a sleek design that prioritises security, privacy and user experience, and even allows users to store their facial templates on their mobiles instead of external devices.

Read more...
Effortless and secure visitor management
Secutel Technologies Access Control & Identity Management Residential Estate (Industry)
Secutel Ventures has introduced SecuVisit, an access control solution designed to simplify visitor management while enhancing security. With two innovative components onboard, SecuVisit ensures seamless visitor check-ins anytime, anywhere.

Read more...
Glovent’s SOS Suite triple protects estate residents
News & Events Access Control & Identity Management Residential Estate (Industry)
One hundred and fifty-three years since the world’s first panic button was introduced in New York City, Glovent offers estate residents three different ways of summoning emergency assistance at the touch of a button.

Read more...
Security professionals gather at Integrate 360
Gallagher Access Control & Identity Management News & Events
Gallagher Security’s Integrate 360 brought together some of the best minds in security, innovation, and technology for two days full of insights, demonstrations, and future-focused discussions.

Read more...
Suprema showcases enterprise security at Integrate 360
Suprema News & Events Access Control & Identity Management
Since 2006, neaMetrics, Suprema’s distributor in Africa, has worked closely with Gallagher, building a robust partnership resulting in seamless integration between Suprema’s advanced biometric readers and Gallagher’s security management platform.

Read more...
New ASSA ABLOY facility opens in South Africa
ASSA ABLOY South Africa iDSystems Impro Technologies Access Control & Identity Management News & Events
ASSA ABLOY announced the opening of its new facility in Durban, South Africa. This new site unites IDS and Impro operations, bringing both manufacturing plants under one roof to create a hub for innovative access solutions.

Read more...
iProov achieves FIDO Remote Identity Verification certification
News & Events Access Control & Identity Management
iProov, iiDENTIFii’s technology partner in Africa, is the first to achieve the new, global certification in face biometric identity verification from the FIDO Alliance, an open industry association whose mission is to reduce the world’s reliance on passwords.

Read more...