printer friendly version

Migrating to mobile

The ability to use mobile phones as access control credentials has been with us for a long time, but its adoption has been limited. During the pandemic years many companies opted for touchless biometrics to avoid people touching potentially contaminated surfaces, while others opted for or stayed with the more ‘old-fashioned’ card-based access control.

Despite the advances in technology, COVID notwithstanding, the majority of companies still use traditional cards and fobs for access control. The 2022 State of Physical Access Control Report by HID Global and IFSEC showed that 32% of the respondents said they were actively using mobile, while 30% are using biometrics (63% in the Asia-Pacific region). That means over 60%, on average, are still using cards and fobs, and cards used range from 125 kHz low-frequency prox cards and magnetic stripe cards (used by most), through to the newest card technologies.

This means there is a great opportunity to upgrade card credentials to mobile credentials for those not opting for biometrics. However, there is often some confusion when thinking about upgrading or migrating.

Even those who think mobile access is a good idea, have to consider the costs of migrating readers, controllers and management software. In larger companies, the costs of replacing all readers and controllers is a massive exercise that, understandably, few in this economy are willing to do. And then there is the potential for user resistance to having company software on their personal devices.

The concept of mobile technology being used in identity authentication and verification is, however, growing in many areas, and will become the norm faster than most realise. The adoption of mobile credentials in business, while not likely to become the only means of access control, but will be a factor all companies need to consider.

Ideally, moving to mobile access credentials should not be a rip-and-replace exercise. It should be a carefully planned, staged migration making use of old and new technologies simultaneously until the level of mobile credential adoption is where the business requires.

“Mobile credentials are indeed very popular, especially where biometrics are not used, or where normal security is not enough and multi-modal authentication is required,” says Walter Rautenbach, MD of neaMetrics, local Suprema distributor. “To a great extent, the obvious benefit of mobile credentials is that of removing the card/fob and thereby the risk of users giving their card to someone else to use, as most of us are not comfortable living without our mobile or giving it to someone else.

Migration not a mission

Fortunately, the migration process is not a mission. The client’s basic access control infrastructure rarely has to undergo a complete change, says John Lakin, MD of Advanced ID Solutions. “The existing controllers and software packages are completely capable of being able to utilise the power of mobile technologies. The ability to be able to specify outputted numbers in order to mirror existing profiles makes this task an easy one.

“Mobile readers output data in the same way conventional readers do using Wiegand, OSDP, SSCP and the like, so it leaves the only requirement as a reader upgrade. If the client is using an obsolete 125 kHz technology, then dual-technology readers are typically available, If they use a 13,56 MHz credential, then the likelihood is the new reader installed will simply read that existing token in the same way the old reader did. The only time new firmware or controllers are required is if the client is looking to upgrade from unsecure data transmission paths to secure ones.”

“Suprema realised the challenge even before the launch of its mobile credentials,” adds Rautenbach. “Suprema’s MOCA, the company focusing purely on Suprema’s mobile credentials, offers the Airfob Patch which is an energy harvesting device. Migration headaches are removed as it doesn’t require power, it is elegantly applied to a standard MIFARE device, and it seamlessly enables communication between Suprema’s mobile access cards (credentials) and a MIFARE device without BLE mobile credential support (see www.supremainc.com/en/hardware/rf-mobile-readers-airfob-patch.asp, or via www.securitysa.com/*suprema2).

The Airfob patch can be applied to any MIFARE access control device, Suprema’s competition or not, to enable mobile credentials. Suprema’s mobile credentials are managed in a dedicated portal, allowing management of credentials independent of the access control platform, making it ideal for any platform. “With this said, this portal is tightly integrated with Suprema’s&nbps;BioStar 2 access platform (for Suprema clients) and is API driven,” he says, “allowing for extremely secure and direct integration into any platform requiring credentials to be managed elsewhere. Installers and SIs can set up their own portal and end users each receive their own portal for seamless management, selling and purchase of mobile credentials.”

Rautenbach warns, “It must be mentioned that not all manufacturers like Suprema’s Airfob Patch approach as it voids the need for replacing access control readers. Please speak to your SI or Installer if you want to consider the support of Suprema’s mobile credentials on your non-Suprema access platform.”

Supporting the old along with the new

As noted above, a migration to new technologies will naturally include a period, perhaps, and extended period of some users accessing facilities via older card technology. As far as Suprema is concerned, talk about mobile credentials can include either NFC (basically RFID or MIFARE frequencies) or Bluetooth Low Energy (BLE). The latter is most popular due to certain mobile manufacturers territorially locking down the use of NFC, or perhaps just because of the reliability of BLE and the distance at which it operates, and the convenience that distance offers by not having to remove your device from your bag or pocket. All new Suprema devices now support mobile credentials.

“When using Suprema’s Airfob Patch, the mobile card is converted into a MIFARE frequency and therefore older 125 kHz EM devices are not supported due to security,” he says. “Although, a lot of Suprema’s new generation devices are multi-card devices, supporting EM, MIFARE and mobile credentials, thereby making migration to secure technologies easier.”

Lakin explains that Advanced ID, which offers physical and virtual credentials (from STid, for example), along with hardware and software solutions, supports all 125 kHz card technologies, and all non-proprietary 13,56 MHz cards are supported as standard. “Varying security levels in 13,56 MHz may require some additional client information in order to guarantee interoperability,” he adds, “but as long as communication is clear, this is not usually an issue.”

Not a ‘rip-and-replace’

It’s clear that migrating to mobile credentials is therefore not as big an effort as it could be, as current readers do not always have to be replaced – depending on which partner and technology one chooses.

According to Lakin, migration is only a requirement at reader level. “The client may choose to upgrade other portions of the system at the same time, but the only requirement is readers. All readers will support both 13,56 MHz cards and mobile credentials alongside each other, and this would be fairly typical. Even the largest of mobile credential installations can expect to have a small number of conventional cards in circulation for a myriad reasons.”

There is no need to upgrade access readers or controllers when upgrading to Suprema’s mobile credentials, notes Rautenbach. If the access device does not support mobile credentials, then the use of Airfob Patch eliminates this requirement. From the software perspective, he says users can simply request an account, get access to their dedicated credential portal and purchase credits from their supplier, and they are then on their way.

He adds, “All new-generation Suprema readers support mobile credentials and cards, and the new trend with most new devices is to support both EM and MIFARE. Mobile credentials are also supported on more specialised devices using HID iCLASS SE/SR/Seos.”

The capabilities and support companies can receive in migrating to mobile credentials is significant, however the question businesses will always end up asking is whether it is financially beneficial to make the move. It’s not simply a question of the initial cost, but the long-term total cost of ownership (TCO).

Long-term cost benefits?

TCO is a contentious subject, says Lakin. There are a number of different sales models for mobile credentials in the market and the approach to ownership is different for each company. It would be fair to say that if the client undertakes a mixed purchasing and annual licensing model, their TCO may well be higher than the PVC model they were previously used to. If the client invests in a product which has an outright purchase of credentials model with no annual licence, and the ability to completely recycle mobile credentials as and when required, then the TCO would be considerably less than the PVC model they were previously used to.

In the medium and long term, perhaps even the short, Suprema’s mobile credentials offer lower TCO, states Rautenbach. “The reason for this lower TCO is due to no software overhead costs and the radical reduction in lost card replacements, and the overheads associated with this. Systems must either natively support mobile credentials or carry a small overhead to implement the Airfob Patch solution, where not supported.”

Privacy and security

The privacy question from users was mentioned above, but both Rautenbach and Lakin note that security is just as important. While users need to be assured that their private information on their mobiles stays private, both parties need to be sure that the credentials supplied are secured from copying or sharing, and can be revoked over the air if needed.

From Lakin’s perspective, he says “users have not expressed any major concerns with regards to the product installation on their devices, however, some corporates have needed to do due diligence with regards to the data stored and security surrounding this storage. The reality is that none of the personal data is stored anywhere outside the individual’s control. The allocated number is referenced in an encrypted state, but that is simply used for card management and for no other reason.”

Some users like to be difficult, with the best outcome for them being not using the system at all, adds Rautenbach. “There is normally more behind such resistance than privacy or security concerns. To address such ‘concerns’, Suprema readers offer an array of authentication methods and those users that do not want to use mobile credentials can easily continue with cards/fobs, PIN or biometrics, or combinations thereof, should their companies agree to allow this.”

The biometric question

The growth of biometrics for access control over the past few years has been significant, and few companies would want to waste that investment, no matter the benefits of mobile access credentials. Once again, adopting mobile access is not an all-or-nothing approach, and Lakin notes that many biometric companies have included mobile credentials in their roadmaps – as we can see with Suprema and companies like IDEMIA and SAFR.

However, mobiles themselves may carry the answer as to how to combine the two technologies. Lakin says there is another context that suggests each individual is carrying a biometric device in their hand to gain access to their device itself. Do you need a wall-mounted biometric device in addition to this? Your biometric on your phone, plus the mobile credential, offers a convenient and private (for the user) multi-factor authentication solution. “This unconventional thought process is born out of the massive growth of interest in mobile technology.”

“Moreover,” Rautenbach adds, “the value that template-on-card (or phone) has, in the arena of mobile credentials, is a good development in today’s data protection age where some of us prefer to rather carry our biometrics with us than storing it on a server. However, this presents both benefits and downfalls and is a whole topic on its own. Suprema has been very active in developing a secure mobile template-on-card offering with more news to follow soon.”

What’s on offer?

We end the article with a brief look at what both of the companies offers to the access and identity market, specifically in terms of mobile access, but as no technology stands alone any more, also in terms of their complete market offering.

“As early adopters and advocates for the growth of the mobile credential to replace PVC, we have a complete portfolio of products to meet any requirement the client might have,” explains Lakin. “Mobile credentials and how they work in a real world environment is not necessarily a straightforward process, and not since the access control industry migrated from magstripe to proximity has there been the need for a mind shift.

“In addition to the products we offer, through our partnerships and directly, we also offer a complete service from the point of consideration, solution evaluation, to installation/implementation support, and then the ongoing support post implementation.”

Rautenbach says: “I have touched on most of it above, but in summary: Suprema’s mobile credentials are supported on all new-generation Suprema access terminals and have been supported on most for over five years. Suprema or non-Suprema systems that don’t support mobile credentials can easily upgrade their standard MIFARE readers to mobile credential readers with the MOCA Airfob Patch. Getting your own credential issuing portal will cost you nothing, and mobile credentials can be purchased at a price comparative to that of secure cards, and can be done as and when required.

“All the above, together with the support of normal cards, allows easy and cost-effective migration to mobile credentials for both Suprema access users and our competitors. For Suprema this is just another way in which we can be leaders in secure, frictionless, and convenient access control.”

Share this article:

Further reading: