printer friendly version

Access and identity in 2024

The end of 2023 saw SMART Security Solutions hosting a round table discussion with various players in the access and identity market. The focus of the round table was to find out what the participants experienced in the market over the last year, as well as their expectations for 2024.

While 2023 was a good year for most, it was also a tough year with no shortage of challenges. Looking ahead, 2024 looks to be much the same, with some people expecting significant changes in the market going forward. An interesting occurrence was that, while we had a list of questions we thought would be pertinent to the discussion, the participants took the discussion in other directions as they started to discuss issues among themselves. It became obvious that there was more happening in boardrooms in South Africa than merely technology.

Our participants were:

• Wouter Du Toit, Business Development Manager – Africa, IDEMIA.

• Tarryn Fortune, Inland Business Development Manager, Gallagher Security.

• Walter Rautenbach, MD of neaMetrics (Suprema distributor in Africa).

• Ilze Blignaut, Regional Sales Manager, HID Global.

• Kirby Rae Russell, Regional Sales Manager, Enkulu Technologies (Gauteng region).

• Martin Meltz, Manager: Sales Channel, Ideco Biometrics.

Starting, we asked everyone to briefly summarise their experiences of 2023 in the access and identity market. While all the participants operate in South Africa, many (if not all) are also involved further up into Africa and include this broader perspective in their summaries.

IDEMIA’s Du Toit says that while 2023 was a challenging year, it was a good year, and things seem to eventually be getting “back to normal” following the economic disruptions of the pandemic. He says that the driver behind IDEMIA’s efforts and the new products it will release in future is security. While this may come across as an obvious statement, he explains that it is more than just access and identity. Security permeates everything the company is doing, securing their systems and solutions from the many threats electronic systems face today – software, hardware, communications, etc.

Additionally, facial biometrics is a focus area and has become a standard in many companies, many of which are staying with the touchless approach to access. Gallagher’s Fortune agrees that it had been a demanding year, but notes that business improved as the year went on, with more business coming in after a slow start. The business is not only with existing customers and projects, but also with new opportunities as the market picks up. Once again, facial biometrics is a key area for the company. Still, Fortune notes that one of the biggest challenges is educating the market and helping people understand the potential benefits of facial technologies and the risks of cheaper products that look good but carry significant risks.

The market is also demanding more from vendors and integrators. Sales are more focused on the solutions they deliver and the return on investment (ROI) than the technology. Providing value is vital, no matter what products or technology is on the table. Rautenbach says neaMetrics is also experiencing a turnaround as more projects get off the ground, and that the company takes a different approach to its distribution business in that it customises the technology for customers and also makes sure the products it supplies work in the African context. Facial recognition is, again, a growing area for the company, but he sees interest in mobile credentials expanding as well as a more significant focus on privacy issues than ever before.

HID’s Blignaut believes 2023 was the busiest year she has experienced in her four years at HID, with more “getting out into the market” than before. Following the component shortages as part of the supply chain challenges in the past few years, which HID could deal with through its scale of operations as part of ASSA ABLOY, stock levels are back to normal now, and the focus is on delivering orders on time, which has been challenging as HID posted excellent growth in 2023.

She also says there is a focus on education, letting the market know about different credentials and options for the access and identity industry, as well as the issue of security – which credentials are secure and which are best for various scenarios. The education drive will continue in 2024 with the added component of explaining why cheaper is not always better.

Enkulu’s Russell agrees that 2023 was a good year, and the company posted solid growth over the year while also noting the challenges of juggling time between the various aspects of the industry, which is constantly evolving. Once again, the education of partners is key for her, helping people understand the changes in the market and what solutions are appropriate for their projects and customers. Building trust in the market is also critical to doing business and creating long-term relationships.

Meltz from Ideco Biometrics also ranks 2023 as a good, but challenging year, as it assists partners in making decisions in the identity space. Once again, educating the market is critical for Ideco, not only in terms of helping integrators and installers deliver quality work for their customers, but also in terms of understanding what they are installing and the technology’s full capabilities. Security in its broader context is also part of the company’s focus as even a simple access control reader becomes part of the wider IoT infrastructure companies are implementing – even if they do not see it as such.

Interestingly, Meltz notes that many micro-trends have been popping up in his customer base in the recovery from the COVID-19 period. Companies are not looking at technology for technology’s sake, but are more closely examining what they have to get more out of their existing solutions and to be more critical in deciding what they may additionally require. While facial recognition is also a key element of Ideco’s work, Meltz says many people are working on innovative identity solutions, and more are including mobile credentials in their plans.

The need for education

As seen above, educating partners and end users is a crucial principle for access and identity companies today. These firms want to provide facts that allow customers to discern why the cheap brand that looks like it does the same as a premium brand (opening a door is opening a door, after all), is not the same. When the customer needs to know that only authorised people can open the door and someone holding up a colour printout of a picture or an image on their phone cannot, things get a little more complicated.

The essential aspects for the buyer to consider are the reliability and capabilities of the technology (including False Acceptance Rates and False Rejection Rates), what integration capabilities exist, and, above all, the system’s security. The term security is a catch-all that includes the software, firmware, privacy protection, connectivity, physical installation, and more.

Meltz says that buying something ‘good enough’ is a poor investment as one needs to buy for the future, making sure the systems you have can adapt to whatever may be required in the future. The sudden need for touchless access control when COVID -19 hit was a prime example of needing solutions to meet an unforeseen need – although a pandemic is not something one can plan for.

Fortune agrees, noting that one must, for example, explain how the algorithms work in tier-1 products and how they can be integrated and expanded beyond simply opening the door. This is key to delivering value and helping users and channel partners understand the return on investment they can obtain beyond merely opening a door.

According to Du Toit, this is where educating channel partners is all the more important, as the manufacturers do not have enough feet on the ground to assist every end user in their decisions. IDEMIA is focused on providing accurate information and training to its partners to ensure they can sell viable and value-adding solutions to their customers, assisting them in knowing what they need and what they get, and that the products have a future roadmap that caters to any new requirements or market changes.

According to Russel, it is about “asking the right questions”, helping clients understand their requirements correctly and then looking at what products they need. When it comes to quality and longevity, it is also about comparing products on the same level with the same capabilities, instead of just looking at the price tag. She notes that high-end products may cost more, but the user is also buying the assurance of long lifespans, and that warranties will be honoured (and that the company will be around in a year or two) as well as an investment in efficient support services.

The challenge in educating the user channel and community is that sales cycles are longer as clients want to be sure that they get value for the long term if they pay for higher-end products, adds Rautenbach. He says most tier-1 companies bring out new products every year, so after a long and drawn-out sales cycle, there are often newer technologies that would suit the client’s needs better, but they have just been through a procurement cycle for the previous range of products.

While the low-cost products are always a stumbling block, he says the move to Software as a Service (SaaS) is a positive move for reliable technology. SaaS providers are not paid for the hardware in one big payment, but rather sell their services for a monthly fee where they recover their investments over time. Using poor-quality products significantly increases these companies’ support costs due to frequent callouts, leading them to opt for better products they can rely on for longer.

A natural consequence of buying tier-1 products is that customers, whether users or channel partners, expect better service and more support from their manufacturers. Blignaut says this is where making it easy for people to obtain recognised certifications, whether in sales or technology, is key. Having a range of recognised courses online allows people anywhere to obtain a certification. It assures them and their employers that they know what they are doing in their field. Companies that cut their margins to the bone have to make up for the loss in some way, and this is often experienced in poor support and technicians who are not trained and certified correctly.

The rapid development of software, something HID is focused on, also allows users to use their access and identity products for more than door opening and closing. Not only does this expand the scope of the technology, but also what integrators can offer to the client to increase their revenue.

All the companies on the round table have online training and encourage their installers and integrators to ensure their staff are certified and remain certified whenever new hardware or software is released. While doing business through the channel is the norm, most appreciate being able to deal with customers directly (with partners) and assist them in asking the right questions. This permits them to focus on a specific project, for example, and assist in determining the optimal solution out of all the available options.

The importance of services

Another point a few of the participants made is that of supplying services. There are many benefits in selling services, such as the obvious need to obtain some form of recurring revenue – since selling quality products means it takes a long time before the client needs to buy new products. In addition, it also allows the manufacturers to provide some form of quality control when installations are done and will enable them to expedite solutions to unforeseen challenges quickly.

Services also allow these companies to retain the end user as customers (without bypassing the channel) because they will be available with the relevant skills should the installer or integrator not be around in a few years, or when the required skills, both technical, design and project management, are lacking.

This customer-centric approach is not always about revenue; however, when a problem arises, the user often sees the brand name and associates the issue with the brand, not the installer. If the manufacturer can’t jump in and resolve the situation, the brand is damaged. An integrator can always switch brands, but the manufacturer is not that lucky. Services are more important in the era of digitisation, especially as digital credentials such as mobile credentials are adopted. While an overused buzzword, digitisation takes access credentials (mobile and visual) beyond the door to a host of other functions, whether logging into a computer or making payments at vending machines and so on.

This opens the door for identity solutions beyond access control, but also requires a more serious focus on the security of the whole process, from start to finish. Just as the IT world tries to secure all parts of its infrastructure, from the endpoint laptop to the servers and databases, identity-enabled functionality requires security to ensure that there are no weak links in the process, from the reader to the server or cloud systems – and every point in between.

Rautenbach adds that we often automatically associate the term ’services’ with the cloud. While the cloud makes many services possible and efficient, it does not always have to be a cloud-based solution. Cloud is available, but many companies in South Africa are still somewhat nervous about keeping their data on ‘someone else’s computer’.

Returning to return on investment

The services required in digitising companies go beyond physical security and require the ability to design and integrate a variety of products and technologies (there is a big difference, says Blignaut, between integrating and interfacing). This provides integrators and manufacturers with additional value streams but also demands a broader skillset than simply using their own products.

Fortune adds that, while Gallagher or any other vendor, wants to differentiate themselves and get customers to use their products, integration beyond security is where they can add value and demonstrate a greater return on investment. So, while one wants to have the access and/or perimeter managed from a single interface, the ability to pull in other systems – HVAC or power consumption, for example – and manage them from the same interface is vital.

This leads to an ideal situation where, once a person gains access to the premises, the lights and air-conditioning in their work area will be activated to ensure they are not consuming power when nobody is there. The same automated routines can be used to power office systems (a printer, for example) when people are there using them, deactivating them when they are not required. These additional integration services offer more to the integrator and vendor and save the customer money while improving the ROI of what used to be just an access control system.

While this sounds good (and profitable), Meltz notes that the adoption of solutions like this is slow; very few companies are looking beyond the siloes of functionality, possibly because job descriptions are still siloed, and physical security, IT and facilities management staff have to tiptoe around each other so as not to be seen as intruding. Innovative business processes that incorporate these features are rare.

Du Toit agrees, noting that only a few organisations are thinking in this manner, adding that one of the reasons is the lack of knowledge of what can be done and the skills to make it happen. This is where consultants should educate their clients, but most of them have an engineering background and need to be better versed in the possibilities of a digitised world. The migration is, therefore, slow. This raises the question of who will assist companies in leveraging the many benefits of digitisation.

There is some movement, however. Rautenbach says IT departments are getting more involved in access control (and physical security in general), and they have a better understanding of the potential of digitisation and have “started asking questions” around integrated solutions – with an eye on improved ROI. Until now, their interest has not evolved into a drive to make it happen as other parts of their organisations are focused on different areas.

A move to mobile?

There are endless promotions and articles around mobile credentials wherever one goes; enough to make you think having access credentials on your phone is the standard globally. Of course, this is not the case, and mobile credentials, while growing, are not threatening the existence of cards or biometrics – not yet, anyway.

Mobile credentials have obvious benefits, from having all your access credentials on your smartphone and being able to provision or de-provision access in real-time – which is great for visitor management and allowing contractors access to a site between certain hours for a specific number of days, etc. And, probably, the most significant benefit is that people rarely forget their phone at home, and most of us don’t leave home without being sure our phones have the required battery power for the day. (It’s worth noting that in countries where Google or Apple Wallets are available, credentials stored in the wallets will still open the door, etc., even if the battery is dead. Users must, however, note that Apple Wallet, for example, might not be available globally, and there may be an extra charge to activate the credential in the wallet.)

Du Toit warns that many customers expect mobile credential usage to reduce costs and are often disappointed when that doesn’t happen. When it comes to costs, while the initial purchase costs may be higher, Blignaut notes that when comparing the ROI over time, the initial, higher cost and annual fees can pay for itself in three to five years.

Another benefit of using mobiles is privacy. Many privacy laws are being enforced or, at the very least, being developed at the moment, making keeping personal information on people a hassle. The advances in smartphone technology now allow the device to hold an individual’s biometrics and other personal data (encrypted), which the mobile credentials can check for before authorising access (or any additional authorisation required, whether in the canteen or logging into a computer, or even replacing the old medical aid card, and more). The problem is the security of each device and its ability to run the current credential applications – economic reasons are seeing more people holding onto their smartphones for longer, and just because there is a new version isn’t always enough to warrant spending more money.

All the vendors at the round table have mobile offerings to support their biometrics, card or PIN access methodologies. Still, one area for improvement in the current mobile credential market is standards. Rautenbach explains that no international standards govern mobile credential use, so each vendor implements their own proprietary solutions. While this may be good as far as security is concerned, it does mean that, for most manufacturers, lock-in is a reality, and you cannot mix and match mobile credentials with ease. Mixing and matching modalities, however, is simpler than ever and quite common.

While Meltz believes the use of mobile will grow, he does not see a complete move to this technology, saying, “I cannot see 5000 miners using their phones to go down a mineshaft.” Then there is also the question of user reluctance; many wonder what else their company can see on their phones if they install a corporate access control app on their device. Given the contempt large enterprises have displayed for user privacy (despite ‘privacy washing’), this is a valid question that must be answered.

Not so slow, after all

Blignaut says that HID is not seeing a slow uptake of mobile credentials, having passed the two million active credentials mark, and it is still climbing. The company has enormous targets for getting more active credentials out in the market, noting that these will not only be for access control. She quotes Omdia, which predicts over 45% growth for mobile credentials compared to a paltry 4,5% for cards; so, it seems the company’s expectations are well based. Mobile access is not for everyone and every situation, and this is where educating the user base is, once again, vital.

The new generation of young people is far more likely to accept mobile credentials than any others as they are mobile-first and want convenience, sustainability and everything on their phones. It is also up to the company and each user to determine how much they want on their phone and what information they want to share while protecting their privacy.

Cybersecurity, last but not least

Any and every electronic device, no matter what industry it is used in, needs to have some form of cybersecurity built in today. It needs to be updatable to newer firmware versions and to fix coding errors and vulnerabilities. As painful as it may be, that is simply a reality we live in and must become as common as locking your car doors.

The participants are well aware of their cyber responsibilities, with Fortune noting that cybersecurity is central to everything Gallagher does. She says all Gallagher devices are encrypted, from the reader to the controller and the server. The company’s Command Centre management platform has a security module that scans all Gallagher devices attached to it to ensure they are secure, have the latest updates installed, etc., showing where any vulnerabilities may lie.

The catch here is when users mix and match cheaper products that do not focus on cybersecurity with those that do – no matter how secure 99% of your infrastructure is, one vulnerable device can result in a breach. This is not only in terms of cybersecurity but also privacy, as once inside a system, all the information a company has could be exposed. Securing data is especially critical when storing data in the cloud. This goes back to education, says Meltz. The old problem of default passwords is still an issue despite all the publicity around the danger of these practices. These security processes, which should be standard in every company, are often ignored for convenience. As Russel says, “Common sense is not always so common,” hence the need to educate clients even if cybersecurity is not your speciality.

However, Rautenbach notes that the biggest threat is potentially from the inside, which means access and identity security fail when someone with the proper credentials gives criminals a helping hand. Here, we go back to education and helping users understand all the potential risks and do what is necessary to mitigate them.

Du Toit notes that IDEMIA ships with security enabled by default, but that does not help clients if the rest of the infrastructure is poorly secured. The industry is no longer technology or product focused. Today, the solution implemented, how it is integrated into the digital enterprise (whether large or small), and what additional benefits or services it can offer garners more interest than ever before. SMART Security Solutions would like to thank all the participants in the round table for their time and input.

Martin Meltz, Wouter Du Toit, Walter Rautenbach, Kirby Rae Russell, Ilze Blignaut, Tarryn Fortune.

Share this article:

Further reading: