For the past several years, there has been a focus by integrators and customers to assure that their card-based access control systems are secure. To give businesses an extra incentive to meet their cybersecurity threats, the Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don't.

For instance, the FTC filed a lawsuit against D-Link and its U.S. subsidiary, alleging that it used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers.

Now, as companies are learning how to protect card-based systems, such as their access control solutions, along come mobile access credentials and their readers, which use smart phones instead of cards as the vehicle for carrying identification information. Many companies perceive that they are safer with a card but, if done correctly, the mobile can be a far more secure option with many more features to be leveraged.

Handsets deliver biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC. As far as security goes, the soft credential, by definition, is already a multi-factor solution.

Types Of Access Control Authentication

Access control authenticates you by one of three things:

  • Recognises something you have (RFID tag/card/key),
  • Recognises something you know (PIN) or
  • Recognises something you are (biometrics).

Your smart phone has all three authentication parameters. This soft credential, by definition, is already a multi-factor solution. Your mobile credentials remain protected behind a smart phone's security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification - what you know and what you have or what you have and a second form of what you have.

To emphasize, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential operates just like any other app on the phone. The phone must be “on and unlocked.” These two factors – availability and built-in multi-factor verification – are why organizations want to use smart phones in their upcoming access control implementations.

Smart Phone Access Control Is Secure

Plus, once a mobile credential is installed on a smart phone, it cannot be re-installed on another smart phone. You can think of a soft credential as being securely linked to a specific smart phone. Similar to a card, if a smart phone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software - with a new credential issued as a replacement.

Leading readers additionally use AES encryption when transferring data. Since the Certified Common Criteria EAL5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks.

When the new mobile system leverages the Security Industry Association's (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices.

Likewise, new soft systems do not require the disclosure of any sensitive end-user personal data. All that should be needed to activate newer systems is simply the phone number of the smart phone.

Bluetooth And NFC The Safer Options

Bottom line - both Bluetooth and NFC credentials are safer than hard credentials. The difference in read range yields a very practical result from a security aspect. First of all, when it comes to cybersecurity, there are advantages to a closer read range. NFC eliminates any chance of the smart phone being read unknowingly, as can happen with a longer read range.

There are also those applications where multiple access readers are installed very near to one another because many doors are close together. One reader could open multiple doors simultaneously. The shorter read range or tap of an NFC-enabled device would stop such problems. However, with this said in defense of NFC, it must also be understood that Bluetooth-enabled readers can provide various read ranges, including those of no longer than a tap as well.

One needs to understand that there are also advantages to a longer reader range capability. Since NFC readers have such a short and limited read range, they must be mounted on the unsecure side of the door and encounter all the problems such exposure can breed. Conversely, Bluetooth readers mount on the secure sides of doors and can be kept protected out of sight.

Aging Systems Could Cause Problems

With that said, be aware. Some older Bluetooth-enabled systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, etc.

Newer solutions provide an easier way to distribute credentials with features that allow the user to register only once and need no other portal accounts or activation features. By removing these additional information disclosures, vendors have eliminated privacy concerns that have been slowing down acceptance of mobile access systems.

In addition, you don’t want hackers listening to your Bluetooth transmissions, replaying them and getting into your building, so make very sure that the system is immunised against such replays. That’s simple to do. Your manufacturer will show you which system will be best for each application. Research shows that Bluetooth enabled smart phones are continuing to expand in use to the point where those not having them are already the exceptions. They are unquestionably going to be a major component in physical and logical access control.
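One way a reader can reject the replayed transmissions described above, shown as an added example that is not from the original article or any vendor's product. It uses a fresh challenge per presentation and HMAC-SHA256 in place of the AES-based protection the article mentions; `Reader`, `phone_response` and the credential id `cred-001` are hypothetical names, and the key is constructed sample data.

```python
import hashlib
import hmac
import secrets


class Reader:
    """Hypothetical door reader that issues one-time challenges."""

    def __init__(self, credential_keys):
        # credential_id -> secret key provisioned when the credential was issued
        self.keys = dict(credential_keys)
        self.revoked = set()   # credentials deactivated after loss or theft
        self.pending = set()   # challenges issued and not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, credential_id, nonce, tag):
        # A nonce is accepted once; a recorded exchange carries a spent nonce.
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        key = self.keys.get(credential_id)
        if key is None or credential_id in self.revoked:
            return False
        expected = hmac.new(key, nonce + credential_id.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def phone_response(key, credential_id, nonce):
    """What the phone app returns: a MAC bound to this one challenge."""
    return hmac.new(key, nonce + credential_id.encode(), hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)            # constructed sample key
    reader = Reader({"cred-001": key})       # constructed credential id
    nonce = reader.challenge()
    tag = phone_response(key, "cred-001", nonce)
    first = reader.verify("cred-001", nonce, tag)      # genuine presentation
    replayed = reader.verify("cred-001", nonce, tag)   # same bytes sent again
    reader.revoked.add("cred-001")                     # phone reported lost
    n2 = reader.challenge()
    after_revoke = reader.verify("cred-001", n2, phone_response(key, "cred-001", n2))
    return first, replayed, after_revoke


if __name__ == "__main__":
    print(demo())
```

Because the response is computed over a nonce the reader will accept only once, a captured transmission is useless for a later attempt, and a deactivated credential fails even with a valid key.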

Gartner suggests that, by 2020, 20 percent of organizations will use mobile credentials for physical access in place of traditional ID cards. Let’s rephrase that last sentence. In less than 18 months, one-fifth of all organizations will use the smart phone as the focal point of their electronic access control systems. Not proximity. Not smart cards. Phones!
