Implementing Mobile Credentials
Access control offers a great number of benefits to most security solutions, as well as delivering value for HR management and time and attendance roles. The technology not only controls access and egress to sensitive areas, but helps manage visitors and contractors, aids in time and attendance management and can be used to track assets and enforce workplace policies necessary for compliance. The systems rely on authorised persons making use of credentials to implement granted permissions, but are mobile devices becoming the credential of choice?
Access control is, at its core, a technology designed to enable access and egress for authorised individuals. It does offer a host of other benefits such as logging of access transactions, management of privileges, reporting site occupancy and status, etc. However, a vital condition of security and correct operation is the ability to define who is authorised and who is not. Once an authorised identity is created, relevant access permissions can be granted to it.
The identification of authorised persons is carried out by creating trusted identities. These are typically established through the use of a credential. Credentials come in many forms: a PIN code, access card, tag or biometric element. Increasingly, credentials can be stored and carried on a mobile smart device.
By activating a secure app on the mobile device, the credential information which sets access privileges is transmitted, across the air, as a digital credential. If the necessary conditions are met, access is granted.
The selection of specific credentials has historically been made based upon the assessed risks facing a site, along with the threats against a specific location within that site.
For example, PIN code-based locks are rarely used for entry and exit points or for high risk areas. However, they do represent a cost-effective option for low risk areas such as ensuring cleaning materials in caretaker areas are stored in compliance with health and safety regulations.
At the other end of the scale, high end systems using smart card technologies and biometric sensing can offer a positive identification of the user, ensuring the individual is definitely the person who is authorised to use the given credential.
Mobile credentials offer a credible level of security, coupled with ease of issuance, remote control over privileges, and an ability to adjust, remove or restrict permissions instantly.
There are not many aspects of daily life that have not been touched by the use of smart mobile devices, and the world of access control is no exception. In business environments, most people will carry mobile telephones or tablets. An increasing number of manufacturers are enabling these to double as access control assets.
Research into users' attitudes and patterns of behaviour with regard to mobile devices has shown some interesting traits. For example, people are less likely to forget their phones than a security pass or access token. They are also more likely to protect and secure a phone than a pass or credential, which can often be left on desks.
For businesses, the cost of credentials can be significant in terms of the procurement of the cards or tags, along with the management of card issuance and replacing or updating cards. If employees are issued with phones, using these as credentials reduces the overall total cost of ownership of an access control system.
There are also savings to be made with regard to visitor management. When appointments are booked, the visitor or contractor can be sent an email. They then download the linked app, which includes their temporary access privilege. This can be a single use privilege which expires when used, or time restricted, based upon their needs.
As well as issuing the access privilege across the air, systems also allow the privilege to be revoked, even if the visitor still has the app on their phone.
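The sketch below is an added example, not code from any access control product. It shows how a controller could enforce the single-use, time-restricted and revocable visitor privileges described above on the server side, so that revocation works even while the app is still installed on the visitor's phone. The HMAC-signed credential format, the field names, the `door` scope and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace

SECRET = b"constructed-demo-key"  # assumption: real systems hold this in protected key storage

@dataclass(frozen=True)
class VisitorCredential:
    cred_id: str
    door: str         # entry point the privilege applies to (assumed scope)
    not_before: int   # validity window, epoch seconds
    not_after: int
    single_use: bool
    tag: str = ""     # HMAC over the fields above

def _mac(c):
    # JSON list encoding keeps field boundaries unambiguous
    fields = [c.cred_id, c.door, c.not_before, c.not_after, c.single_use]
    return hmac.new(SECRET, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

def issue(cred_id, door, not_before, not_after, single_use):
    c = VisitorCredential(cred_id, door, not_before, not_after, single_use)
    return replace(c, tag=_mac(c))

class AccessController:
    def __init__(self):
        self.revoked = set()  # credential ids withdrawn by the administrator
        self.used = set()     # single-use credential ids already consumed

    def revoke(self, cred_id):
        self.revoked.add(cred_id)

    def check(self, cred, door, now):
        # Integrity first: an edited window or scope fails here
        if not hmac.compare_digest(cred.tag, _mac(cred)):
            return False, "bad signature"
        if cred.cred_id in self.revoked:
            return False, "revoked"
        if cred.door != door:
            return False, "wrong door"
        if not cred.not_before <= now <= cred.not_after:
            return False, "outside time window"
        if cred.single_use:
            if cred.cred_id in self.used:
                return False, "already used"
            self.used.add(cred.cred_id)  # consume on first successful use
        return True, "granted"
```

Because the revocation and used-credential state live in the controller rather than in the app, a copy of the credential left on a phone grants nothing once it has been consumed, has expired or has been withdrawn.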
Access control systems which support digital credentials predominantly make use of two technologies: NFC (near field communication) and BLE (Bluetooth low energy). NFC was once considered to be the way forward, but it has struggled to gain widespread acceptance because some mobile phone manufacturers only use it in very limited ways.
NFC is a two-way communications standard, based on RFID, predominantly used in smartphones and other mobile devices. It allows devices to communicate, using a radio-based link, over very short distances. This usually requires devices to touch or be in very close proximity to the reader unit, usually within a few centimetres, but not more than 10 centimetres.
Whilst the highest profile use of NFC has been the utilisation of mobile devices for payments, the technology isn’t limited to financial transactions. It supports encryption, which enables it to be adopted in secure ID-based applications.
Increasingly common in access control and other security systems is support for BLE. BLE is a wireless technology. Many manufacturers argue the technology has a greater potential for security use based upon almost universal smart device support.
BLE requires a reader enabled with Bluetooth signalling. Software installed on the mobile device is profiled for the access system. The application communicates with the reader, without a need for pairing as is required in common Bluetooth signalling, and the security key authenticates the user’s identity.
BLE is power-efficient and can support increased reading distances. In many systems, the readers can be configured to restrict range dependent upon the requirements of a given entry-point. This increases flexibility, enabling hands-free applications with ranges of up to 10 metres to be mixed with more secure touch-to-enter configurations.
A wider choice
The use of mobile devices as access control credentials is becoming more common, with the majority of access control manufacturers offering such solutions. The use of deliberate movements, such as twisting the device to activate the security element, has been adopted by some to make the use of digital credentials more intuitive.
The growing use of cloud-based systems such as ACaaS (access control as a service) means that businesses and organisations are able to grant and revoke permissions to mobile credentials over-the-air in real-time. The approach also allows enhanced management of access control credentials, adding increased benefits for the user.
Advanced security implementations can ‘bind’ trusted identities to specific devices, ensuring that the relevant access control data is protected using best practice. It is also claimed that overall site security is increased thanks to the previously mentioned research which shows people take greater care of their mobile phones than they do with access or business identification cards.
It has to be said that there are pros and cons for the use of mobile devices as access control credentials. On the plus side, ease of use is increasing and the reduction in credential costs, including the time spent managing credentials, appeals to finance departments. Also, as the capabilities of mobile devices increase, so do the additional functions which could be added within the access control system.
The downside includes issues with personnel using their own smart devices in the business environment, the cost of the devices if certain staff are not supplied with phones, plus the fact that mobile devices are often targeted by thieves.
A final point is that some businesses are having success with a hybrid approach, coupling mobile devices with standard credentials to allow greater flexibility for authorised persons. This allows the benefits of digital credentials to be used for visitors and contractors, while allowing staff to transition from existing credentials to digital options in phased implementations. This is a cost-effective approach and allows the investment already made to be leveraged going forwards.
Site conditions and a thorough risk assessment should always be considered before mobile credentials are specified. It is not best practice to simply opt for a full switchover to mobile credentials on the basis of cost or because the approach is the latest trend.
However, the growth of cloud-based systems has been accelerated by user demand for service-based solutions, and mobile-based digital credentials can offer a wide range of benefits which decrease the total cost of ownership while increasing the return on investment. As such, they have to be considered when specifying an access control system.