The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new technology, writes Scott Lindley, pictured, General Manager of the US-based RFID product manufacturer Farpointe Data.
As a matter of fact, research analyst Gartner has predicted that, by 2020, one in five organisations will be using smartphones instead of traditional physical access cards to access offices and other premises. David Anthony Mahdi, research director at Gartner avows that “replacing traditional physical access cards with smartphones enables widely sought-after cost reductions and user experience benefits. We recommend that security and risk managers work closely with physical security teams to carefully evaluate the user experience and total cost of ownership benefits of using access credentials on smartphones to replace existing physical cards.”
Yet, this new information comes directly on the back of a major task of the last several years, a focus by users to assure that their card-based access control systems are secure. Indeed, in the United States, the Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don’t. Other international governmental/law enforcement agencies are doing likewise. Safety and security have become prime issues.
So, as companies are learning how to protect card-based systems, such as their access control solutions, along comes mobile access credentials and their companion readers which use smartphones instead of cards as the vehicle for carrying identification information. Many companies perceive that they are safer with a card and won’t consider that mobile access can be a far more secure option, even though mobile has various more features to be leveraged. They also argue that market-specific security specifications can show that phone-based credentials are not a good fit for government, high-security and institutional customers. However, is it the credentials or how they are deployed?
Problem
It’s easy to detail how and why mobile access is safer. But, before we do, we need to understand, that like many recently introduced innovations, the problem isn’t with the new technology; it’s how the industry tries to retrofit the old system into the new. For instance, Mahdi says, one potential hindrance to wider adoption is the limitations of certain smartphones, as different brands and models feature different capabilities. This means upgrades may be needed to ensure all staff authorised to access a certain area are able to do so. True, but even that isn’t the prime obstacle we face with the security of mobile credentials. Some access companies are trying to kluge their present offerings into new mobile solutions. For instance, is the mobile radio module a snap-on arrangement to the back of the card reader? Is the module weatherised and secured against tamper. If not, then from the get-go, the system is not safe.
Bottom line – the mobile system needs to have been designed to be a mobile system, not just a hastily-produced option to the old card reader solution. Yes, it should work in conjunction with the card-based system. But, it should not be an offset of it.
Smartphone credentials
As far as security goes, the smartphone credential, by definition, is already a multi-factor solution. Access control authenticates you by following three things. It recognises:
– something you have (RFID card or tag),
– something you know (PIN) or
– something you are (biometrics).
Your smartphone has all three authentication parameters. This soft credential, by definition, is already a multi-factor solution. Simply assure that your mobile credentials remain protected behind a smart phone’s security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up two-factor access control verification – what you know and what you have or what you have and a second form of what you have.
To emphasise, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential operates just like any other app on the phone. The phone must be ‘on and unlocked’. These two factors – availability and built-in multi-factor security verification – are why organisations want to use smartphones in their upcoming electronic access control implementations.
Plus, once a mobile credential is installed on a smartphone, it cannot be re-installed on another smartphone. You can think of a soft credential as being securely linked to a specific smartphone. Similar to a card, if a smartphone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software – with a new credential issued as a replacement.
Leading smartphone readers additionally use the symmetric Advanced Encryption Standard (AES) encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks.
When the new mobile system leverages the Security Industry Association’s (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering secure bidirectional interoperability among security devices. Likewise, new soft systems do not require the disclosure of any sensitive end-user personal data. All that should be needed to activate newer mobile systems is simply the phone number of the smartphone.
A special word of caution here. Many legacy systems require the use of back-end portal accounts. In addition to being rich caches of sensitive end-user data, a target of hackers, these portals can include hidden fees. What are these annual fees? Are they fixed through the life of the system? And who’s responsible for paying? It is best to simply avoid these types of systems.
Those days of jerry rigging are over. To start, all one needs to do anymore is to place their order, just like they presently do for physical credentials. Mobile credentials can be quickly and conveniently emailed in the exact quantity and format ordered. Alternatively, in cases where compliance with data regulations have a role, credentials can be shared confidently via enterprise file sharing. Once received, the credential detail, typically format, facility code and IDs from their order summary sheet, will be entered into the access control system software just like before. Finally, issue registration key certificates representing the individual mobile credentials to the staff and employees. It’s just that simply and error-free. To emphasize, there are no subscription or license fees required.
Installation is just as easy and safe. First, users go to either the Apple App Store or Google Play and download the wallet app. Enroll the device. Keep in mind, no portal account or on-board information is needed. To add the credential, simply scan the QR code or enter the 16-digit registration key found on the registration key certificate. Mobile credential download is assured via multiple layers of ciphers. Further, these credentials are not easily discoverable while stored in the file system of the mobile phone, as each is individually encrypted.
Smartphone-based reduces installation costs
This hasn’t been always true. Some mobile systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, with each registration requiring the disclosure of sensitive personal information.
Newer solutions provide an easier way to distribute credentials with features that allow the user to register their handset only once and need no other portal accounts, activation features or hidden fees. Users don’t need to fill out several different forms.
Finally, access control specialists can order and install mobile access control in the way they have always wanted in the quantities they precisely need. They can advocate for availability, compatibility and security, forgetting about authentication portals, subscription structures, licensing fees and the other hindrances that create confusion and install mobile systems that are now safer than card-based.
About the writer: Scott Lindley is a 25-plus year veteran of the contactless card access control industry. He is general manager of Farpointe Data, the US-based OEM for cards and readers. He can be contacted at [email protected].
