A Word of Caution
Avoid portals in your mobile access control implementation
- By Scott Lindley
- Aug 01, 2019
A special word of caution needs to be emphasized when changing over to mobile systems. Many legacy access control systems require the use of backend portal accounts.
For hackers, these portals have become rich, easily accessed caches of sensitive end-user data. These older mobile systems force the user to register themselves and their integrators for every application, with each registration requiring the disclosure of sensitive personal information.
The bookkeeping can be confusing. Who signs you up? Who is in charge of security? Does the end user have responsibilities? Oftentimes, these portals include hidden fees. What are these? One-time or annual fees? Are the rates fixed through the life of the system? Who’s responsible for paying? It can become both an integrator and end-user nightmare.
Even Governments Agree
For the past several years, integrators and customers have focused on assuring that their card-based access control systems are secure. To give businesses an extra incentive to meet their cybersecurity threats, the United States Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don’t.
Likewise, in Canada, data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand this framework and take active steps to reduce risks, or the impact of such risks when they materialize, can have serious legal and financial consequences for an organization.
In Europe, the Network and Information Security Directive (NISC) is the main strategy taken to harmonize continent-wide provisions on cybersecurity. As such, the European Union Agency for Network and Information Security (ENISA) is its center of expertise. The main goal is to set high standards of cybersecurity to be respected by each European Union (EU) member state.
Now, as leading international companies are learning how to protect card-based access control systems within these relatively new standards, along come mobile access credentials and their readers, which use smartphones instead of cards as the vehicle for carrying identification information. While many companies still incorrectly perceive that they are safer with a card, when done properly, mobile can be a far more secure option with many more features to be leveraged. Smartphones deliver biometric capture and comparison as well as an array of communication capabilities, from cellular and WiFi to Bluetooth LE and NFC.
Nonetheless, these portals are a major caveat emptor when switching over to mobile access control. Newer solutions provide an easier way to distribute credentials, with features that allow the user to register their handset only once and need no other portal accounts, activation features or hidden fees. Users don’t need to fill out several different forms. Today, all that should be needed to activate newer systems is the phone number of the smartphone.
Why the Problem Has Been Portals
Too many providers seem to design systems around the way their legacy products were created, not in the way that is logical for the solution. Take, for instance, widgets. Wouldn’t it make sense to take advantage of the way that Apple iOS 12 delivers them? Add 3D Touch, Widget and Auto-Unlock all into the Wallet App? Create increased user convenience, not manufacturer’s expediency.
For instance, what if the newly improved Widget let the user turn up to three mobile access control credentials into widgets? This saves time by allowing quicker access to credentials supporting divergent building systems, such as payroll, parking and cafeteria systems, directly from the smartphone’s home screen.
With 3D Touch, a new pressure-sensitive feature, the user could simply push on the Wallet App to select from up to three of the most commonly used mobile credentials. Each user chooses their own combination. For example, a delivery driver may gain entrance to the van parking area while the vice president gets access to the boardroom.
Alternatively, Auto-Unlock could let a user select a certain mobile access credential (MAC) as their favorite. Once designated, a little star appears in the upper right corner of the mobile credential. As the favorite, it is transmitted immediately whenever the Wallet App is selected.
Don’t Forget How Products Get Sold Either
Smartphone credentials are best sold in the same manner as traditional 125-kHz proximity or 13.56-MHz smart cards: from the existing OEM to the integrator to the end users. In this distribution mode, integrators will find smartphone credentials more convenient, less expensive and more secure. They can be delivered in person or electronically. They are quicker to bill, with nothing to inventory or to be stolen. End users will find that, in most cases, soft credentials can be easily integrated into their existing access control system. Distribution can also be via independent access control software.
When mobile credentials are sold from OEM to integrator to end user, it avoids setting up multiple accounts and keeps sensitive personal information from being available for hacking. By removing these and other intrusive information disclosures, vendors also eliminate the privacy concerns that have been slowing adoption of this technology. They also protect themselves from the wrath of governmental standards organizations.
This article originally appeared in the July/August 2019 issue of Security Today.