With the ubiquity of mobile and smart devices, access control manufacturers must strive to be relevant in today's environment. End-user demands for mobile credentialing are exploding as mobile solutions offer a secure and convenient way to reduce costs and other concerns associated with plastic badges.
To get an idea of the impact mobile devices can have on access control, consider this scenario:
An employee of a multinational corporation arrives at a foreign location for important departmental meetings. Her corporate identification badge doesn’t provide access to this facility but her hosts have prepared for the visit by emailing her a badge invitation and sending the badge number to a Cloud server and the access controller. The email contains a link to download a mobile app as well as an authorization to activate the credential.
As the woman approaches the access point, readers are detected and displayed on her smartphone. She taps the desired reader icon to enter that door. The app authenticates through the reader and authorization is granted or denied by the controller based on current access levels.
Unlike printed plastic ID badges, this credential can be reused, transferred and remotely deactivated. The readers for this solution support not only smart devices but also traditional RFID cards.
Solving the Trust Issue
In the past, there were two important issues to address before mobile devices were truly ready to augment or replace a card-based system. The first was trust that smart devices would offer a secure way to interact with the system. Today, that’s a proven solution with use worldwide in the hospitality, real estate, and retail industries.
The second was identifying the phone and linking it to the proper owner within the enterprise environment. In order to completely replace plastic badges, mobile credentials must not only replace the technology but also replace the human aspect of confirming identity. While there’s still no industry standard, some manufacturers are moving forward with 2-factor authentication, which binds the mobile device to the person each time it is unlocked. For instance, when an employee’s or visitor’s device nears a guard, the employee’s ID and the photo pops up on the guard’s phone so the guard can authenticate identity.
The solution also provides multi-factor identification as smartphones can require a security code or biometric verification for access as well as possession of the device, an app and downloaded credential. Additional authentication can come from wall-mounted biometric readers requiring iris scans, facial recognition or fingerprints. Smartphone users can also be asked to enter personal identification numbers (PINs) through the device’s keypad.
Meanwhile, our mobile devices know where we are. Built-in GPS technology can let employers know where each device (and employee) is located with appropriate privacy safeguards and consent.
Our smart devices are also versatile enough to support different security protocols that may vary among locations, even among doors within the same facility. For example, a door to a research lab using radioactive material may require the device to communicate with a reader at the door while a second biometric reader on the wall authenticates employee identity. On the other hand, accessing a restroom in a fast food restaurant may only require an installed mobile app, having the phone within a few inches of the door.
Here are some other advantages offered by smart devices used as access credentials:
- Smart devices, particularly smartphones, are routinely carried by people no matter where they go. There is no need to add an access card to the wallet or wear a badge hanging from a lanyard.
- Smartphones are less likely to be lost or misused. A 2016 study by the marketing firm Dscout found the average American touches his or her smartphone more than 2,600 times each day. So, it’s fair to assume that smartphones might be more often within our sight. And because of their cost and the personal information they contain, people are less likely to share a smartphone as compared to an access card.
- Smartphones may offer greater security than many types of access cards. The devices offer multiple layers of authentication—biometrics, PINs, GPS and MAC addresses—unique to each device.
Mobile smart devices have the obvious advantage of convenience but there are more subtle benefits as well. For example, using a phone as a credential makes it possible for organizations to eliminate the direct cost of plastic badges, printers and consumables, handling and incorrect orders–as a result of leveraging existing expenditures by the employer or cardholder. Think of the cost of access cards to a large university. Each year, administrators know they must create and issue thousands of badges to an incoming freshman class. That expense is alleviated by using smartphones as credentials.
Also, smartphones are becoming universal. Another 2016 survey, by the Pew Research Center, found 77 percent of U.S. adults now own a smartphone – and that percentage has increased steadily each year since the first study in 2011.
So, does this mean smartphones will replace access cards?
Yes, in the long term. But enterprise organizations will be using card-based systems for years to come. One reason is the remaining one-quarter of U.S. adults who still don’t own a smartphone.
Many organizations still prefer badge/access cards as they usually include a photo of the person to whom the badge was issued. It clearly shows security and other employees that the carrier has been cleared for facility access.
Another potential deterrent is that while the most recent smart devices have onboard biometrics that makes multifactor authentication particularly seamless, the diversity of devices and operating systems – Android, Apple iOS, Windows, Blackberry and more – offers no guarantee of biometric authentication across the entire device population. This may resolve itself over time but until then, administrators must either accept a variety of authentication factors (such as biometric or PIN) as interchangeable or else rely on independent secondary (likely wall mounted) authentication.
The Evolution Continues
In the interim, card technology continues to evolve in terms of convenience, speed, and security. The industry has gone from magstripe and proximity protocols to today’s smart cards with embedded integrated circuits. These are capable of encrypted communication with readers and storing information and biometric data about the carrier.
It’s clear both smart devices and cards have much to offer. Fortunately, the choice of a credential method doesn’t have to be one or the other. The best solution may be to use both, although organizations installing their first enterprise system may opt for the smartphone solution and skip entire generations of plastic access cards.
New readers can support both proximity cards and smartphone credentials – that’s 30 to 40 years of technology in a single reader. This helps end users make an orderly migration. With a large population, it may take years to roll out a smartphone-only credential system, especially when many employees are not carrying the proper technology. Simultaneous support for a wide range of smart devices and cards allows newer readers to provide a bridge from legacy plastic badges to card-free mobile access control.
The industry now offers add-on readers, which can provide smartphone capabilities in conjunction with existing card readers. These add-ons are installed near existing readers without replacing them. Hidden in a wall or ceiling, they add Bluetooth capability to most existing installations. Bluetooth capability can even be added to older magstripe cards in many cases.
Mobile solutions are also increasing the convenience of card-based systems. Self-service visitor modules allow system administrators to pre-register guests and send an invitation code via email. Upon arrival, visitors enter the code into a smart tablet and sign company compliance documents before printing a temporary photo badge. The tablet’s integrated camera even allows the badge to include a photo.
No matter which credential system an organization chooses, end users want solutions, not potential dead ends. That’s why standards and open systems are becoming increasingly important. Customers expect their security to be modular so that one piece (whether it is credential technology or the main operating software) can be replaced without replacing everything else. This makes proprietary, closed solutions a non-starter for forward-looking companies.
For access system administrators, smart devices can simplify credential management with no need for procurement, storage, handling, shipping or printing of physical badges. By using a proven mobile credentialing technology in the reader, users can gain the advantages of mobile credentials today. As the capabilities evolve, new apps can be downloaded to the mobile devices–something not possible with plastic badges.
About the Author: Dave Weinbach is product marketing manager for Pittsford, N.Y.-based Lenel–part of UTC Climate, Controls & Security, a unit of United Technologies Corp. – a leading provider of advanced security systems.
