For the past several years, there has been a focus by users to assure that their card-based access control systems are secure. To give businesses an extra incentive to meet their cybersecurity threats, the Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don't.

Now, as companies are learning how to protect card-based systems, such as their access control solutions, along comes mobile access credentials and their companion readers which use smartphones instead of cards as the vehicle for carrying identification information. Many companies perceive that they are safer with a card but, if done correctly, mobile access can be a far more secure option with many more features to be leveraged.

Smartphone Credentials Are Inherently More Secure

As far as security goes, the smartphone credential, by definition, is already a multi-factor solution. Access control authenticates you by following three things:

  • Recognizes something you have (RFID tag/card/key),
  • Recognizes something you know (PIN) or
  • Recognizes something you are (biometrics).

Your smartphone has all three authentication parameters. This soft credential, by definition, is already a multi-factor solution. Your mobile credentials remain protected behind a smart phone's security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification - what you know and what you have or what you have and a second form of what you have.  

To emphasize, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential operates just like any other app on the phone. The phone must be “on and unlocked.” These two factors – availability and built-in multi-factor security verification – are why organizations want to use smartphones in their upcoming electronic access control implementations.

Plus, once a mobile credential is installed on a smartphone, it cannot be re-installed on another smartphone. You can think of a soft credential as being securely linked to a specific smartphone. Similar to a card, if a smartphone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software - with a new credential issued as a replacement.

Leading smartphone readers additionally use AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks. 

When the new mobile system leverages the Security Industry Association's (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices.

Likewise, new soft systems do not require the disclosure of any sensitive end-user personal data. All that should be needed to activate newer systems is simply the phone number of the smartphone.

A special word of caution here. Many legacy systems require the use of back-end portal accounts. In addition to being rich caches of sensitive end-user data, a target of hackers, these portals can include hidden fees. What are these annual fees? Are they fixed through the life of the system? And who’s responsible for paying?  It is best to simply avoid these types of systems.

New Generation Smartphone-based Implementations Reduce Installation Costs

This hasn't been always true. Some mobile systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, with each registration requiring the disclosure of sensitive personal information.

Newer solutions provide an easier way to distribute credentials with features that allow the user to register their handset only once and need no other portal accounts, activation features or hidden fees. Users don't need to fill out several different forms.

It's Important to Understand the Improved Cybersecurity of Mobile Credentials

Gartner suggests that, by next year, 20 percent of organizations will use mobile credentials for physical access in place of traditional ID cards. Let’s rephrase that last sentence. In less than six months, one-fifth of all organizations will use the smartphone as the focal point of their electronic access control systems. Not proximity. Not smart cards. Phones!