Skyrocketing innovation in mobile credentialing is redefining access control for organizations, integrators, and end users. As Bluetooth-based systems give way to near-field communications (NFC) and beyond, new challenges arise that require security practitioners to rethink their roles and responsibilities. On the morning of November 21st at ISC East, three industry experts joined moderator Lee Odess, CEO of The Access Control Collective, to discuss what this might mean.
The End User at the Door
For Mike Green, Product Manager of Mobile Solutions at LenelS2, the crux of the mobile credential revolution lies in improving the end-user experience at the door. A user’s first interaction with an access control system is using it as an entry point, and mobile credentials offer a practical solution to employee forgetfulness that complements ease of use.
“How often do you leave your badge at home?” Green asks. “If I realize I’ve lost my badge driving into the office, I’ll just wear the red badge of shame for the rest of the day. Now, how often do you forget your phone? If I left that behind, I would just turn around and drive back home.”
Green explains that phones are the perfect credentials to combat forgetfulness. Mobile phones' utility has made them indispensable in day-to-day life—their absence is felt more profoundly than a missing badge or key card. The potential catastrophe of losing access to a mobile phone is usually enough to incentivize vigilance in their owners.
This behavior comes with the benefit of eliminating lost or compromised employee badges, a common vulnerability in credential access systems. It also frees security administrators from having to replace or remove lost badges in the system. Green points to delays in employee reporting that exacerbate this issue by allowing lost credentials to remain active, potentially lengthening the window a threat actor can use to breach the building.
“We’ve all had that sinking feeling when leaving our badge or phone at home,” concurs Danny Smith, owner of ColorID. “But the user experience also relies on interacting with access control and other third-party systems.”
According to Smith, an “explosion of use case variety” depends on the verticals serviced. New cloud-based access systems and other integrated services have helped streamline mobile credentialing implementation. “Mobile credentialing is a great vehicle for enhancing the user experience,” he comments.
A Challenging Implementation
The increased prevalence of NFC credentials, alongside their ease of use for the end user, implies that their implementation is far simpler than it actually is. Multiple avenues of pushback prevent the modernization of these systems:
Legacy Infrastructure
As security technology advances rapidly, many organizations are left with a staggering amount of legacy infrastructure that isn’t compatible with more modern systems. Though using a mobile credential is highly convenient, Smith elaborates, the pathway to implementation is not; the pricing and effort of replacing this infrastructure are a significant barrier to adoption.
“All of that legacy technology needs to be backwards and forwards compatible,” says Jason Glover, Wavelynx’s Vice President of Sales. “It needs to be adaptable and interoperable moving forward, and if we want continued adoption, we need to enable people to do that more easily.”
Glover points to the involvement of industry titans like Apple, Google, and Samsung that change the rules of engagement. “When working with other major manufacturers of access control, we were able to chart our own course,” says Glover. “As these companies continue to get more involved in our space, they need to realize that they have to change how they interact with our entities. As we work with them, we need to educate them.”
“We need to make sure we have a clear integration roadmap,” adds Smith. “Approach the discussion with strategies for customers and end users.”
Price
To Green, the greatest barrier to adoption is price. The involvement of multiple parties and integrations invites additional costs from each. “When an end user hears that their NFC credential is going to cost them $15 to $25 per user per year, it deters them from the conversation,” he explains.
The cost impact of third-party credentialing, coupled with the cost of the credential itself and the fees imposed by wallet providers, keeps this barrier in place. Green suggests that providing a complete solution eliminates the barrier, stating that processes must be streamlined to reduce integration complexity and mitigate costs.
Legacy infrastructure contributes to this as well, Smith adds. Existing environments often do not support NFC credential technology, and ripping and replacing infrastructure only serves to drive up costs.
“I think we’re having a one-sided conversation about this,” Smith says. “There is no one right approach for every deployment you’re going to have. You need strategies that work for each end user.”
Leadership Support
Implementing mobile credentials is already costly. Potential integrations or replacements of legacy infrastructure further increase the bill, making it a hard sell to company leadership, whose security budgets are typically already under immense strain.
“If it were free, everyone would already have it,” says Smith. “But it’s not, and that’s the problem. We can’t get support from leadership or funding to replace all of the infrastructure.”
“The industry itself is still part of the problem,” Glover agrees. “We all need to generate revenue and manage our own business stats.”
Smith advocates for cost reduction through planning to convince hesitant leadership. Adjust plans for each customer, meet necessary requirements, and apply a solutions-based selling process around choice and user experience.
Staying on Track
To ease these challenges, users need to know what they’re getting into. From a supply-side perspective, Glover champions enablement. Providing options and remaining adaptable are key to this approach.
“Regardless of manufacturer or technology, what do you get moving forward?” he asks. “What can I use from a backwards compatibility standpoint to move the technology in a different direction if I need to?”
“It is vital to understand what the customer needs,” adds Green. “Understand what their expectations and use cases are from their perspective.”
On the integration side, Smith emphasizes the importance of an inclusive process. “When you have a large population base with different departments and multiple stakeholders, everyone needs to share the journey. Spend time working with customers, pull together your stakeholders, and create a clear integration channel with policies and procedures.”
Removing this fragmentation allows physical access control solutions to be pulled together into the integration, saving time and energy. Smith says a clear integration pathway enhances the user experience, which is the primary driver for adoption and value creation.
“Education and collaboration drive innovation in this field,” finishes Smith. “We have to come together as an industry to deliver successful projects.”
A Glimpse into the Future
The access control industry has made impressive strides in technological innovation in recent years, and Green does not expect this to slow down.
“We started this journey with Bluetooth credentials and then onward to NFC, with even more precise technologies looming on the horizon,” he says. “I see a world like the Jetsons where you can walk up to a door and open it with your phone still in your pocket.”
“I see biometrics as very future-forward,” adds Smith. “Biometrics have improved over the years, and they’re only going to become more dominant in North America for specific applications and in certain verticals.”
Glover, however, sees a fundamental change on the horizon. “Contractors and integrators are coding integration to make things interoperable,” he says. “Every access company is now a video company, and vice versa. The definition of the word ‘integrator’ is changing in the security space.”