The Future of Mobile Credential Standards
It’s time for the security industry to realize the benefits of mobile credentials.
Over lunch recently, a former Secretary of the Department of Homeland Security asked me, “How long do you think it will be until mobile credentials fully replace plastic badges and cards?” My reply was that “I would like to see it happen within the next five years. I usually give that number in public, and it always stirs up discussion. However, the reality is probably somewhere between 10 years and never.” He paused for a moment and said, “You’re way off. I think it’s going to be within three years.”
The former Secretary clearly works with a different constituency than I do on a day-to-day basis. Not a huge surprise. But his view is intriguing because somewhere, there’s a group of corporate and government leaders who are pushing this technology much harder and much faster than what we see in the commercial security channel, where old habits die hard. They must see the benefits for trust, convenience and cost that are primary motivators for people concerned with ROI and effective defense at the highest level.
Taking it further, though, we agreed that the various timeframes we bandied about for adoption of mobile credentials depended a great deal on standards. But standards cut both ways. On the one hand, they can be an accelerant, removing technical and financial uncertainty so that manufacturers and buyers alike can feel confident that they are placing their bets on a technology that will last. On the other hand, the process of creating and adopting standards can be very protracted. This can delay implementation decisions for many years while everyone sits around waiting to see which standard will win.
In the midst of this standards conundrum, what seems to have triumphed often in recent years is the promotion of a de facto standard. Such standards begin their lives as proprietary implementations belonging to a single company or perhaps a consortium. Then, through a combination of market dominance and open sourcing the underlying technology, they become widely adopted as the path of least resistance. By the time the standards are actually published in their final form, there can be many nearly compatible products on the market or nearly ready to be released.
And then there are the cases where no one agrees with anyone else, and an entire genre of products remains incompatible across many generations. Users suffer. Profits suffer. Technology suffers.
In the case of mobile credentials, Bluetooth is the odds-on favorite for radio transmission of credentials between smartphones and readers. Everyone has it on their smartphones already, and it’s free of the implementation headaches of NFC and its dependence on device manufacturers’ APIs, SDKs and “secure elements.”
But Bluetooth alone is not the end of the story. It’s not a “full stack” protocol. It doesn’t specify the application layer – the part that distinguishes one use case from another. It says nothing about what kind of data is transmitted, its format, or what it means to the transmitting and receiving parties.
For mobile credentials exchanged between smartphone apps and readers, saying that they all use Bluetooth does not mean that they will work with each other. Every mobile credential app in the market today is manufacturer-specific, and only works with that manufacturer’s hardware. If users need to access buildings that happen to be equipped with components from different sources, they will need to have multiple apps and multiple credentialing processes for each.
This is extremely inconvenient, to say the least. It is also error-prone, because there are more credentials and systems that need to be managed and, in many cases, kept consistent with one another. That makes it ultimately less secure than what could be accomplished with unified management and a common credential format.
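The layering point above can be made concrete. The following is an added illustration, not code from the article or from any real product or standard: two constructed, mutually incompatible "vendor" framings are sent over the same byte-oriented transport (standing in for a Bluetooth link), and each vendor's reader rejects the other's frame. A third, equally hypothetical common application-layer envelope (version, issuer id, keyed-hash tag, JSON body) lets one reader implementation accept credentials from any issuer whose key it has been provisioned with, and reject a corrupted or forged frame. The format layouts, issuer ids and keys are all invented for this example.

```python
"""Why sharing a radio does not make two mobile credential apps interoperable.

Everything here (vendor frame layouts, the common envelope, issuer ids and
keys) is constructed for illustration and describes no real product or standard.
"""
import hashlib
import hmac
import json
import struct


# --- Two constructed, mutually incompatible vendor framings ---------------

def vendor_a_encode(facility: int, card: int) -> bytes:
    """Constructed 'Vendor A' frame: 2-byte facility + 4-byte card, big-endian."""
    return struct.pack(">HI", facility, card)


def vendor_a_reader(frame: bytes):
    """A 'Vendor A' reader only understands its own 6-byte frame."""
    if len(frame) != 6:
        return None
    facility, card = struct.unpack(">HI", frame)
    return {"facility": facility, "card": card}


def vendor_b_encode(facility: int, card: int) -> bytes:
    """Constructed 'Vendor B' frame: ASCII 'B:<facility>:<card>'."""
    return f"B:{facility}:{card}".encode("ascii")


def vendor_b_reader(frame: bytes):
    """A 'Vendor B' reader only understands its own colon-separated text frame."""
    try:
        tag, facility, card = frame.decode("ascii").split(":")
    except (UnicodeDecodeError, ValueError):
        return None
    if tag != "B":
        return None
    return {"facility": int(facility), "card": int(card)}


# --- A constructed common application-layer envelope ---------------------
# Hypothetical layout: 1 version byte, 1 issuer-id byte, 32-byte HMAC-SHA256
# tag over (version || issuer || body), then a JSON body. How readers obtain
# issuer keys is exactly the kind of thing a standard would have to specify.

COMMON_VERSION = 1
ISSUER_KEYS = {  # constructed demo keys, one per credential issuer
    0x01: b"issuer-one-demo-key",
    0x02: b"issuer-two-demo-key",
}


def common_encode(issuer: int, facility: int, card: int) -> bytes:
    body = json.dumps({"facility": facility, "card": card},
                      separators=(",", ":"), sort_keys=True).encode()
    header = bytes([COMMON_VERSION, issuer])
    tag = hmac.new(ISSUER_KEYS[issuer], header + body, hashlib.sha256).digest()
    return header + tag + body


def common_reader(frame: bytes):
    """One reader implementation accepts any issuer's credential it holds a key for."""
    if len(frame) < 2 + 32:
        return None
    version, issuer = frame[0], frame[1]
    if version != COMMON_VERSION or issuer not in ISSUER_KEYS:
        return None
    tag, body = frame[2:34], frame[34:]
    expected = hmac.new(ISSUER_KEYS[issuer], frame[:2] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # corrupted or forged credential: reject before parsing
    return {"issuer": issuer, **json.loads(body)}


def interoperability_matrix():
    """Send each vendor's frame to each vendor's reader; True means accepted."""
    frame_a = vendor_a_encode(facility=7, card=123456)
    frame_b = vendor_b_encode(facility=7, card=123456)
    return {
        "A->A": vendor_a_reader(frame_a) is not None,
        "A->B": vendor_b_reader(frame_a) is not None,
        "B->A": vendor_a_reader(frame_b) is not None,
        "B->B": vendor_b_reader(frame_b) is not None,
    }


def common_format_demo():
    """Return (parsed good credential, result for a frame with one body byte flipped)."""
    good = common_encode(issuer=0x02, facility=7, card=123456)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])
    return common_reader(good), common_reader(tampered)


if __name__ == "__main__":
    print(interoperability_matrix())
    print(common_format_demo())
```

The matrix shows the situation the article describes: only the diagonal (A to A, B to B) succeeds, even though every frame travelled over the same transport. The common envelope moves the agreement up to the application layer, which is where interoperability is actually decided; the keyed tag also gives the reader a reason to trust the payload before acting on it, which a bare transport never provides.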
This problem is being attacked by a number of organizations, both inside and outside of the security industry.
The Security Industry Association’s Standards Committee is one organization working on creating common standards for mobile credentials. Specifically, the Cloud, Mobility and IoT Subcommittee has formed a working group to study the possible scope and levels of standardization that might be practical to pursue for access control systems and smartphone apps. The working group has received several proposals, and remains open to additional technical approaches.
Unfortunately, this standards activity is occurring at a time when many manufacturers have already invested significant resources in creating their own proprietary credential exchange protocols. These circumstances mean that if and when one or more standards are published, manufacturers will need to decide whether to invest additional resources in conforming to the standard – assuming they see convincing business value in doing so.
An analogous standards battle is taking place in the IoT community. The standards are not about mobile credentials as such, although they do include the broader concepts of trust, authentication and data exchange between smartphones and IoT devices. They also address these same transactions among groups of IoT peers, and with other computing services in general.
What they also have in common is that they are all published and open to debate. Dozens of them. They are available for public review and commentary right on the Internet. Many are open sourced, and can be evolved by the entire community of interest. Some are promoted by industry consortia with hundreds of members. But they are all aimed at making devices and services more interoperable with one another.
The point is that the IoT industry (if it can be called a single industry) is making an effort (or many efforts) to put standards in place for important classes of interactions between our connected devices. That’s because they know the price of not doing so: frustrated users, lower security, slower growth for the whole industry and higher maintenance expenses for all.
The security industry should take note. The secure exchange of credentials between people and systems is one of the bedrock requirements of physical security.
Let’s get it right. Even better, let’s do it in the next three years.