Mobile Credentials for Access Control—Everything Has Changed
According to Proxy’s 2019 Physical Security Trends Report, 17.3 percent of card or fob users have lost at least one card or fob in the last year. The era of legacy physical access control credentials is rapidly transforming. A convergence in physical and logical access control is driving completely new and different behaviors.
In an ever-accelerating trend, estimates are that 90 percent of the wireless locks sold are integrated with other smart devices. No longer will you struggle to manage a variety of insecure and vulnerable physical credentials when you can manage all of that through a mobile app. As this market expands into non-traditional access control applications, an access control credential on a ubiquitous mobile device becomes a necessity. In the very near future, everyone will carry a credential, and a mobile credential housed on a smartphone is the only viable way to address these needs.
Why do we make this claim? Four main reasons: Smartphone-based credentials are inherently more secure, can do so much more, can significantly reduce installation costs and are nearly impossible to clone.
What’s Your Single Largest Security Risk?
Forget about high-security credentials such as MIFARE and sophisticated certificate handshakes. The single largest security risk for access control is a valid credential in the wrong hands. It doesn’t matter if it’s a 125 kHz “dumb” prox card or the most sophisticated smart card, because now a potentially malicious user has access, and no one will know if that lost card isn’t reported.
Your smartphone as your credential is significantly more secure because of one simple fact: people may not know where their access control credential is at any given time, but they are intimately aware of where their smartphone is at all times, and this location can be tracked. In addition, users are quite careful about whom they allow to hold or use their phone.
A large manufacturer end user once estimated that approximately 30 percent of its employees entered the grounds without their credential on any given day. Employees would wave something looking like a credential at the guard shack and yell that it didn’t work. With 600 people coming in during a shift change and cars backing up at the gate, the guard would open up to keep traffic flowing. That’s not a solution, that’s a huge security risk.
The World of Mobile Credentials
So, how is the world of credentials changing forever? A smartphone-based credential can do so much more. Now and in the near future, we’ll see features such as:
Multifactor authentication (MFA). Smartphones already implement MFA. Soon, new mobile credential implementations will allow administrators to require a screen unlock PIN/biometric/gesture to set up a mobile credential, thus implementing MFA with no new hardware at the door.
Mass notification. A credential that supports two-way communication with active notification capabilities can be leveraged to send automated or ad-hoc notifications to users. Add location services and geofencing capability, and you can send notifications only to those who are within a specific geographic area.
Location awareness. Stop treating a smartphone like a legacy credential; no one should ever “badge” a phone at a reader. By using location services, administrators can define how near to the door a person must be to request access.
Virtual buttons. With an app for users that uniquely identifies them, why not give them more? We’ll have the ability to add virtual buttons to an app to perform functionality specified by the administrator and distributed only to those allowed to use them.
Personal Safety/Personal Emergency Response (PERS). A mobile app that functions as the user’s credential and provides two-way communications with a central monitoring station will also provide a path for two-way emergency communications. An employee leaving the building at the end of the shift can quickly and easily ask for assistance or notify security of a potential issue remotely via the mobile device in her hand.
Revoking a credential. An administrator can disable a user’s mobile credential at any time from the server with no need to access the actual smartphone. The smartphone app knows how to submit a credential request but has no idea how to unlock a door. Administrators can also remotely wipe smartphones of the mobile credential and related apps connected to a corporate network.
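Added example (not from the original article or any vendor's product): a minimal server-side decision function for the features listed above, in which the app only submits a request and the server applies revocation, the screen-unlock requirement and the administrator's distance limit. All class, field and reason names are hypothetical, and the phone's reported position and unlock state are treated as claims from the device.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Door:                      # hypothetical per-door policy set by the administrator
    door_id: str
    pos: tuple                   # (lat, lon) of the door
    max_distance_m: float        # how near the phone must be to request access
    require_unlock: bool         # require screen unlock (PIN/biometric/gesture)

@dataclass(frozen=True)
class Request:                   # what the app submits; it contains no unlock logic
    credential_id: str
    door_id: str
    pos: tuple                   # (lat, lon) reported by the phone
    device_unlocked: bool        # claim from the phone, not verified here

def distance_m(a, b):            # haversine distance in metres between (lat, lon) pairs
    (p1, l1), (p2, l2) = map(math.radians, a), map(math.radians, b)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin((l2 - l1) / 2) ** 2
    return 2 * 6_371_000 * math.asin(math.sqrt(h))

class AccessServer:
    def __init__(self, doors, grants):
        self.doors = {d.door_id: d for d in doors}
        self.grants = grants     # credential_id -> set of door_ids
        self.revoked = set()
        self.audit = []          # every decision is recorded, denials included

    def revoke(self, credential_id):
        self.revoked.add(credential_id)   # applies to the very next request

    def decide(self, req):
        door = self.doors.get(req.door_id)
        if door is None:
            reason = "unknown_door"
        elif req.credential_id in self.revoked:
            reason = "revoked"
        elif req.door_id not in self.grants.get(req.credential_id, set()):
            reason = "not_authorized"
        elif door.require_unlock and not req.device_unlocked:
            reason = "device_locked"
        elif distance_m(req.pos, door.pos) > door.max_distance_m:
            reason = "too_far"
        else:
            reason = "granted"
        self.audit.append((req.credential_id, req.door_id, reason))
        return reason
```

Because the revocation check runs on the server before anything else about the credential is evaluated, it works without any cooperation from the phone. The position and unlock state are supplied by the device, so a deployment that relies on them needs a way to attest or cross-check those values.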
Lower Costs and Added Features
A smartphone credential adds significant functionality over a traditional credential and is always upgradeable to add new capabilities—all for the same cost, or less, than traditional credentials. Also, users do not require a reader to enter a door, so enterprises can eliminate readers on most doors to keep the entrance looking clean and reduce installation costs.
We are witnessing unprecedented changes in the tools and services used every day, and one of those tools is your access control credential. The security of a door is only as strong as the management of the credential. It makes sense for that critical credential to be secured inside the most highly encrypted device—your own smartphone.