Using Mobile Devices as Access Credentials
Business and commerce have embraced the use of smart mobile devices to enhance process and operational requirements. The use of apps and on-board technologies continues to grow as developers and manufacturers race to offer advanced solutions that also offer business efficiencies. One area is access control and the use of smartphones either as credentials or to deliver permissions to discrete devices.
The use of mobile devices in place of access control credentials offers a wide range of benefits, but these are balanced with a number of considerations when designing systems. Currently, acceptance amongst end users is growing, but there are also a number of customer concerns that need to be addressed.
Manufacturers and service providers have pointed out many of the benefits of adopting such technology. Many people already carry smart and mobile devices as a part of their working lives; a single device is preferable to a number of different cards and tokens; management of credentials – and especially the issue of permissions – becomes a significantly simpler task; and the elimination of physical credentials introduces a cost saving.
Of course, there are counter-arguments that are equally valid. Whilst people are more careful with their phones than access cards, phones are also more vulnerable to theft because of their value. A stolen access card immediately raises concerns over security, while a stolen phone might create different priorities for the user. Equally, the cost of purchasing and managing credentials pales into insignificance if a business has to supply a percentage of its workforce with smartphones.
As with any business technology, mass acceptance occurs when the financial savings are obvious and significant. Currently that is not the case. Despite this, many users like the notion of mobile-based access control, and the supply of multi-technology readers is opening the market up for staged migrations.
For installers and integrators, it is hard to find a case for a concrete either/or decision when it comes to a transition from traditional to mobile-based access systems. Flexibility is key when considering any implementation.
Benchmark spoke to a number of access control specialists about the potential offered by mobile-based access control solutions to discover the pros and cons of this emerging option for credential management.
Andrew Fulton, Access Control Product Manager, Vanderbilt
While much fanfare exists surrounding the increased use of mobile-based credentials in access control applications, it has to be accepted there are some potential issues that are currently preventing this approach from gaining more market traction and acceptance.
There are several concerns that make the widespread adoption of mobile devices as credentials difficult at this point in time, the first of which is the sheer number of different smartphones and other devices, along with the varied platforms on which they run. Uniformity does not exist and is not likely to in the future, such is the nature of competition in this sector.
Not everyone carries the same type of smartphone, or even uses a smart device as a part of their working lives. When you have many thousands of people in a company who all require credentials to access a facility, it is rarely feasible to give each person a smartphone that will run the application needed.
Another consideration is how to handle visitors and contractors that might require short- or long-term access to a facility. There are also a number of logistical issues which must be addressed. One example is the challenge that emerges when a mobile device’s battery is flat, thereby rendering it useless when trying to access a facility.
Another challenge end users face when considering implementing a mobile-based access control solution is the concern employees may have regarding personal privacy. When using mobile credentials on a private mobile phone, there’s a certain level of access an employer will have to the device.
Employees may be concerned as to how their employers are using that information with regards to location-based data, or tracking where an employee is at any given moment.
Naturally, with this level of access to personal information, there’s going to be a concern about how peripheral data might be used.
While there is definite movement towards support for mobile credentials across enterprises, another issue is the proprietary nature of the technology. Since it’s still emerging, there are no common standards in place that police its use, so end users that choose to invest in the technology are often locked into a single manufacturer’s system without the flexibility that the more open-platform solutions allow.
Currently, a number of end users are shifting toward a hybrid approach to access control that utilises both traditional credentials that allow access to a facility, as well as the option for the use of mobile devices as credentials. The argument is that many employees will have their phones on them at all times, but might not always remember a badge or ID.
Having the option to use either solution is becoming the more widespread adoption of mobile-based systems. With regard to privacy concerns, it’s important for security managers to work closely with Human Resources Departments and other C-level executives to implement best practices for the use of this technology in an effort to better inform employees and guide implementation.
There are a number of considerations that have to be made from a customer standpoint before implementing mobile credentials into a company’s overall security policy. There is a definite increase in customer demand for mobile credentials, so it’s important to understand users’ needs when discussing which access control solutions are right for an organisation. Many want the flexibility to offer multiple options to employees, but again have to consider the privacy implications as well as the technology involved in trying to implement such a solution.
Another consideration is the actual physical implementation. Most mobile-based credentialing systems are built with Bluetooth, which has a long-range capability and this can be problematic. For example, turnstiles that are in close proximity to each other might pick up credentials that are a greater distance away.
Standards such as near-field communications (NFC) that can be found in a lot of devices can address some of these concerns, but NFC’s ability to be used openly in an iPhone environment is not fully established and therefore isn’t a viable option unless the same devices are used across an entire organisation.
Freeing Up Time
Pip Courcoux, Sales and Product Manager, CLIQ Systems, Abloy UK
It’s likely that many installers and integrators will be familiar with well-known sayings such as ‘time is money’ or ‘time is our most valuable commodity’. These phrases suggest that people are not measured on age, success or wealth, but in hours, seconds and minutes.
This notion that time is a currency and if you don’t have any you cease to exist may be an exaggeration, but it does hold some truth when you consider the fast-paced, demanding, dynamic nature of the world businesses operate in today.
When trying to break barriers to success, one of the biggest challenges to overcome is time. What could a business or organisation do with an extra minute or two each day? Could an extra daily minute per person help businesses and organisations run more effectively? If so, is access control the key to unlocking this extra time?
There are some solutions, such as PROTEC2 CLIQ, that provide users with an electronic key cut to the same code as their mechanical keys. However, these electronic keys feature the addition of time-based access rights and flexible opening permissions.
What’s more, when used in conjunction with smart technologies and Bluetooth Low Energy (BLE), keys can be activated and managed through a smartphone. This enables more flexible remote access control by bringing access control into the mobile era, offering greater flexibility, time-savings and ease of use.
The use of a BLE online key takes advantage of the latest Bluetooth 4.0 technology, and this connectivity can also provide a real-time audit trail on wire-free products such as padlocks and cam locks. Because of the mobile nature of the system, access rights can be granted to the user while they are on-site.
This approach not only offers enhancements with regard to security, but a significant efficiency is realised in terms of time. In the past, businesses and organisations were bound by the shackles of risk. A mechanical key, once lost, could only truly be eliminated by the introduction of a new mechanical suite of locks at an often unwelcome cost.
The use of an electronic key system with mobile connectivity provides a way for each staff member with a requirement to have their own key to access relevant assets, when and where they need to, without fear of incurring unacceptable risks through the loss or theft of keys.
In the critical infrastructure space, the hybrid between mechanical and electronic technologies is critical to the success of any security system, maintaining the strict standards required for security whilst enhancing the operational efficiencies and the security for the future.
For many end users, data is the new gold, so using a system capable of allowing real-time data collection and audit trails within critical infrastructure organisations – whether these are water, communications, transport, energy or other utilities – delivers the depth of information that can help the various organisations to break operational barriers. As a result, a wealth of new opportunities is made available.
Imagine the financial savings, energy and emissions control and management, sustainability benefits and, most importantly, time savings that could be made by linking to enterprise resource planning systems to identify key holders on shift. Additionally, there is the potential to link Permit to Work systems to ensure staff are still compliant for the job at hand, and telemetry and SCADA systems to see where they need to be working.
With such solutions, employees only activate their key for access when and where they need to, without human intervention, without the need to collect a specific key while removing a need for key holding services or attended visits.
Electronic systems offer automation and integration in a key that only has access rights for the few seconds it is required. While the key is doing what it is supposed to do, it also gathers data and creates traceability and information that can further enhance the efficiency and security of the access control system.
Milou Post, Global Marketing & Communication Manager, Nedap Identification Systems
Technology is never deployed without reason and this applies to the use of smartphones in access control. Mobile access control has advantages and disadvantages, like any technology that can be used to identify people. The biggest advantage of platforms based on mobile technology is that they take away the physical element of access control cards.
With mobile solutions there is no technical need for users to be physically present to enrol them in the access control system. There are no cards that require physical distribution and people do not have to carry an extra physical card just to gain access to the building.
When setting up a new access control system for a building or site, smartphones are one identifying technology that can be used. When planning to deploy mobile technology, it is vital to make sure the user understands what they want to get out of it. The technology can deliver benefits, but also comes with some rules of application.
The first step is to ascertain if the technology can meet the site’s requirements. It is also important to investigate if the site’s infrastructure can meet the requirements to successfully implement the technology.
When planning the project, it is important to have a well-constructed ‘use case’. Good technology should be self-explanatory, but it never hurts to make sure the user will deploy the technology to meet best practices.
Many people understand that smartphones have a place in access control. Most also believe that sales of conventional access cards will drop in the years to come, but most industry representatives also expect that cards will remain in use for a long time. Modern platforms that support mobile security credentials will increasingly incorporate multi-technology readers that allow users to have a mixed population of identifying credentials. This enables them to keep using any existing access cards and gradually increase the use of mobile credentials on smartphones.
Additionally, the technologies used on smartphones can be mixed: multi-technology readers, such as MACE, allow smartphones to operate as credentials using BLE, NFC and QR-codes. This means that almost every smartphone in common use can be deployed in the system.
Sending mobile credentials to the supporting app on smartphones is usually done via a cloud-based service. This makes sense since it removes the physical element of distributing access credentials.
Opening a security system up to communicate with the cloud may sound terrifying to some security managers. However, there are benefits as modern platforms for mobile access control will allow them to manage all credentials on an admin portal. The portal can be used to allocate and revoke mobile credentials, manually or as a batch.
Mobile credentials usually do not contain access rights. They are used to identify the person. The secured access control system contains the access rights of the person and basically decides whether they should get access or not.
These platforms also support the ability to revoke credentials. In the event that a mobile credential is lost, the access control system can allocate a new credential and remove the rights related to the compromised one.
A full integration of the access control system with the cloud-based server means that mobile credentials can be assigned to users from the interface of the system. Many systems already use private clouds to support centrally managed installations and this offers sufficient means to connect to the cloud in a secure way.
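The separation described above, where the mobile credential only identifies the person and the access control system holds the rights, can be shown in a short model. This is an added illustration, not part of the original article or any vendor's code; the class, method, person and door names are all hypothetical.

```python
import secrets


class AccessControlSystem:
    """Toy model: a credential names its holder; rights live only here."""

    def __init__(self):
        self.rights = {}       # person -> set of doors they may open
        self.credentials = {}  # active credential id -> person
        self.audit = []        # (credential id, door, decision) per request

    def grant(self, person, door):
        self.rights.setdefault(person, set()).add(door)

    def issue(self, person):
        # Opaque random identifier: nothing on the phone encodes a right.
        cred = secrets.token_hex(16)
        self.credentials[cred] = person
        return cred

    def revoke(self, creds):
        # Takes one or many ids, mirroring manual or batch revocation.
        for cred in creds:
            self.credentials.pop(cred, None)

    def replace_lost(self, lost_cred):
        # Revoke the compromised id and issue a fresh one to the same person.
        person = self.credentials.get(lost_cred)
        if person is None:
            raise KeyError("unknown or already revoked credential")
        self.revoke([lost_cred])
        return self.issue(person)

    def decide(self, cred, door):
        # Deny by default: a revoked or unknown id resolves to no person.
        person = self.credentials.get(cred)
        allowed = person is not None and door in self.rights.get(person, set())
        self.audit.append((cred, door, "grant" if allowed else "deny"))
        return allowed


def demo():
    """Constructed scenario: a phone is lost and its credential replaced."""
    acs = AccessControlSystem()
    acs.grant("alice", "lobby")
    old = acs.issue("alice")
    before = acs.decide(old, "lobby")        # valid credential, valid right
    new = acs.replace_lost(old)
    return (before,
            acs.decide(old, "lobby"),        # lost credential no longer works
            acs.decide(new, "lobby"),        # rights follow the person
            acs.decide(new, "server-room"))  # never granted, so denied
```

Because the decision is made centrally, revoking the lost credential takes effect at every reader without touching the lost phone, and the denied attempt still lands in the audit trail.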