Government credentials finding a new home on the smartphone
- By Scott Lindley
- May 01, 2018
Smartphones fulfill many needs, including telephone, camera,
navigation, music, video, clock, news, calculator, email, internet,
gaming, contacts, and more. Security professionals creating
access control systems need to be aware that more than
95 percent of all adults 18 to 44 years old own smartphones. Plus,
69 percent of the entire population (babies through seniors) already
use smartphones. The average smartphone user touches their device
2,617 times a day, according to Dscout Research.
Thus, practically anyone using an access control system already
carries a smartphone. Another way to look at it: Every smartphone
user, or almost everybody, can now easily download an access control
Mobile credentials are smartphone-based versions of traditional
RFID cards and tags. Mobile credentials make it possible for smartphones,
such as the Apple iPhone and range of Google Android devices,
to be used as an electronic access control credential.
No longer will government employees need various physical credentials
to move throughout a facility. Instead, a person’s iPhone or
Android smartphone, which they carry with them wherever they go,
will have the credentials they need to enter into any authorized access
system. In fact, such a system can reach beyond the facility into their
homes, their automobiles or at the gym.
“Mobile has already disrupted so much in both our personal lives
and the enterprise, but we are still tapping an old school badge on
a door access reader,” David Anthony Mahdi, research director at
Gartner Research said. “It’s a dichotomy. On one side we are doing
all these amazing things with our phones but then we are still using
20-plus year-old technology to get into our buildings.”
Referred to as mobile or soft, smartphone-based access control
credentials are another version of traditional RFID cards and tags,
joining proximity and smart card credentials to support a user as they
move about a secured facility. Gartner suggests that by 2020, 20 percent
of organizations will use mobile credentials for physical access in
place of traditional ID cards. Soft credentials provide several advantages
over hard credentials. They are more convenient, less expensive
and more secure. This is true for both end users and installers.
They are more convenient because the user already has his credential
and already carries it with him wherever he goes. Credentials
can be delivered to the end user in either paper or electronic
form, such as via email or text. The dealer has nothing to inventory
and nothing to ship. Likewise, the user sponsor has nothing to store,
nothing to lose and faces no physical replacement hassles. Costs are
lowered as nobody must undertake “1sy-2sy” replacement orders.
Original soft access control systems are already being used by innovators,
approximately five percent of users, according to Gartner.
There were the typical drawbacks with a new technology. Before they
switched to soft credentials, the next wave of users requested smartphone
solutions that eliminate many of the frustrations that they discovered
with their original smartphone apps and hardware, the main
one being complicated implementation practices. The newer solutions
provide an easier way to distribute credentials with features that
allow the user to register only once and need no other portal accounts
or activation features. By removing these additional information disclosures,
vendors eliminated privacy concerns that have been slowing
down acceptance of mobile access systems.
One additional concern held back some buyers: What if the baby
boomers at our facility don’t have a smartphone? Problem solved. Just
be sure that your soft credential reader can also use a smart card.
Technical Stuff Quickly Explained
Just like hard credentials, soft credentials can support the 26-bit Wiegand
format along with custom Wiegand, ABA Track II magnetic
stripe and serial data formats. They can be ordered with specific facility
codes and ID numbers. They are delivered in the exact number
sequence ordered with no gaps and no under- or over-runs.
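As an added illustration (not part of the original article), the Python sketch below encodes and validates frames in the commonly used open 26-bit Wiegand layout, which the article does not spell out and is assumed here: one even-parity bit, an 8-bit facility code, a 16-bit ID number and one odd-parity bit. The function names are hypothetical. The parity bits only catch transmission errors; they do not authenticate the credential.

```python
"""26-bit Wiegand frame (assumed open layout):
   [even parity][8-bit facility code][16-bit ID number][odd parity]"""


def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame as a string of '0'/'1' characters."""
    if not 0 <= facility <= 0xFF:
        raise ValueError("facility code must fit in 8 bits (0-255)")
    if not 0 <= card <= 0xFFFF:
        raise ValueError("ID number must fit in 16 bits (0-65535)")
    data = f"{facility:08b}{card:016b}"
    # Leading bit makes the count of 1s in the first 13 bits even.
    lead = str(data[:12].count("1") % 2)
    # Trailing bit makes the count of 1s in the last 13 bits odd.
    trail = str(1 - data[12:].count("1") % 2)
    return lead + data + trail


def decode_wiegand26(bits: str) -> tuple[int, int]:
    """Return (facility, card); reject frames with bad length or parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit frame")
    data = bits[1:25]
    if (bits[0] + data[:12]).count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if (data[12:] + bits[25]).count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(data[:8], 2), int(data[8:], 2)


def issue_batch(facility: int, first_card: int, count: int) -> list[str]:
    """Frames for one order: consecutive ID numbers with no gaps."""
    return [encode_wiegand26(facility, first_card + i) for i in range(count)]


if __name__ == "__main__":
    # Constructed sample order: facility code 42, three IDs from 1000.
    for frame in issue_batch(42, 1000, 3):
        print(frame, decode_wiegand26(frame))
```

The fixed field widths cap this format at 256 facility codes and 65,536 ID numbers per facility, which is why ordering specific facility codes and gap-free sequences matters when avoiding duplicate credentials.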
Two technologies are used: Bluetooth and near field communication
(NFC). Bluetooth readers are less expensive because almost
every smartphone already has Bluetooth. Not even 50 percent of all
smartphones yet have NFC.
Bluetooth’s other big advantage is read range, up to 30 feet. Plus,
installers can provide adjustable read ranges and set them differently for various
applications. For instance, they could be six inches at the computer
access control reader but 24 inches at the front door. When
entering the facility gate, a still longer read range, perhaps six feet, can
be provided so users don’t have to open their car window to reach the
reader. NFC readers operate only with a read range of a few inches,
that of a proximity card, eliminating any possibility of simply leaving
the smartphone in the pocket or purse and still getting reads.
Many companies still perceive that they are
safer with a card, Gartner’s Mahdi notes,
but if done correctly, the mobile can be a far
more secure option with many more features
to be leveraged. Handsets deliver biometric
capture and comparison as well as an array
of communication capabilities from cellular
and Wi-Fi to Bluetooth LE and NFC, he said.
The bottom line is both Bluetooth and
NFC credentials are safer than hard credentials.
Read range difference yields a
very practical result from a security aspect.
A Bluetooth reader can be installed on the
secure side of the door while NFC must be
mounted on the unsecured side.
As far as security goes, the soft credential,
by definition, is already a multi-factor solution.
Mobile credentials remain protected
behind a smartphone’s security parameters,
such as biometrics and PINs. Once a biometric,
PIN or password is entered to access the
phone, the user automatically has set up two-factor
access control verification—what you
know and what you have or what you have
and a second form of what you have.
To emphasize, one cannot have access to
the credential without having access to the
phone. If the phone doesn’t work, the credential
doesn’t work. The credential works
just like any other app on the phone. The
phone must be “on.”
Leading readers additionally use AES encryption
when transferring data. Since the
Certified Common Criteria EAS5+ Computer
Interface Standard provides increased hardware
cybersecurity, these readers resist skimming,
eavesdropping and replay attacks. With
the Federal Trade Commission (FTC), among
others, now holding the business community
responsible for implementing good cybersecurity
practices, such security has become an
increasingly important consideration.
If the new system leverages the Security
Industry Association’s (SIA) Open Supervised
Device Protocol (OSDP), it also will
interface easily with control panels or other
security management systems, fostering interoperability
among security devices.
Likewise, check if the new soft system
requires the disclosure of any sensitive end-user
personal data. All that should be needed
to activate newer systems is the phone number
of the smartphone.
Lastly, once a mobile credential is installed
on a smartphone, it cannot be reinstalled
on another smartphone. Think of a
soft credential as being securely linked to a
smartphone. If a smartphone is lost, damaged
or stolen, the process should be the same as
with a traditional physical access credential.
It should be immediately deactivated in the
access control management software—with a
new credential issued as a replacement.
Soft Credentials Are Easier
Smartphone credentials are sold in the same
manner as traditional 125-kHz proximity or
13.56-MHz smart cards—from the existing
OEM to the dealer to the end users. For the
dealer, smartphone credentials will be more
convenient, less expensive and more secure.
They can be delivered in person or electronically.
They are quicker to bill with nothing to
inventory or to be stolen. Also, in most cases,
soft credentials can be integrated into an existing
access control system. Distribution can also
be via independent access control software.
There are two types of software. First is
the Wallet Application, free software that is
downloadable from the Apple App Store or
the Google Play Store. Its purpose is to hold
the access control credentials. Typically, the
Mobile Wallet App will store as many credentials
as you will want, all at one time.
The Mobile Access Credentials are the
individual credentials needed to gain access.
Each credential can be programmed to work
with a specific access control system. This
means that, yes, a single smartphone, holding
multiple access credentials, can be used
to gain access on multiple access systems.
No longer will users be required to carry individual
multiple hard credentials. The employee
just carries her smartphone which has
them all within it.
Smartphone credentials deploy so much
faster than hard credentials. To install a mobile
credential, a user needs to first have the
Wallet App installed on a supported smartphone.
Next, you launch the App and select
the “Add” button, indicating that you would
like to load a new credential. A Registration
Key Certificate is provided for each credential
ordered. Now, enter the unique 16-character
Key from the Certificate and tap “Submit.”
Once successfully registered, the new
mobile credential will appear in the Wallet
App ready for use. From that point on, the
user simply holds their smartphone up to
the reader when they approach it.
Why Multiple Credentials Are Emphasized with Smartphone
The simple reason is that this is the future.
Already, we’ve discussed access control at the
front door, the parking gate and for the data
system. But, at lunch, a soft credential would
also be available at the cafeteria or the vending
machines. Building planning employees could
check out schematics while machinists select
the tools they need. They become a photo ID
at a crime scene. All are separate applications
with their own access control systems.
Thus, a Mobile Wallet App will normally
store many credentials on a smartphone at
one time. The actual quantity is dynamic and
is related to the memory specifications and
internal storage space available on each individual
And, more opportunities are on the way.
How about using your smartphone as an
intelligent key for the agency car? Want to
know where your employee is driving, how
fast or if he added gas or oil? Forget all those
other tags and cards. Your smartphone will
become the passport to all aspects of your
work life. At a fraction of the investment you
have in hard credentials, secure soft, digital
credentials are all you need.
The Hard Fact
Soft, mobile, smartphone-based access control
credentials are inevitable. Every governmental
security professional needs to get on board.
This article originally appeared in the May 2018 issue of Security Today.