As mobile device technology continues to advance, so does their extensive use in new security and access control applications and functionality. Our smartphones provide a single, powerful device, which is mobile and connects us to the world in ways previously not imagined. Mobile device applications in the electronic security industry have become much more prevalent in recent years. For example, security and access control operators can conduct video surveillance, receive alarm notifications, and manage security systems remotely from mobile devices. And within the access control environment, a mobile access credential integrated within a smartphone, also referred to as mobile access or a mobile key, can now replace the physical access card to unlock doors.
Early on, the disparity in hardware and software produced by various smartphone manufacturers was a significant challenge for standardization and adoption of mobile credentials, as was the ability to ensure the security of data transfer between mobile device and host system card reader. Mobile access technology has made significant improvements since its inception and is now used successfully today. As new security systems are designed to be around for 20+ years, potential future migration to mobile access must be designed in.
IN THE BEGINNING…
Physical access control systems with card readers to grant access through electronically-secured openings have been around since the early 1980’s. Access control is an extremely important component in almost every physical security system. In addition to secured access, they offer many advantages, including convenience for users, centrally managed database, programmable features, door scheduling, audit trails, and reduced problems associated with issuing hard keys.
The conception of electronic access control ID credentials began with mag stripe cards, which used magnetically encoded, unencrypted data. These were highly susceptible to wear due to repeated physical use. Radio Frequency Identification (RFID) proximity cards and key fobs were next introduced to the market in the early 1990’s, providing ”contactless” use with 4” read range. At the time, “prox” cards became the industry standard, though card data was still unencrypted, and card credentials could unknowingly be scanned and cloned.
With the advent of the smart card about a decade later came the next significant development of more secure access credentials. Smart card data is encrypted, and the card must be mutually-authenticated with host card reader. As such, once reader and card each validate the secure parameters of the other, only then can encrypted data be exchanged. Second generation smart card technology was introduced around 2013, providing more secure cryptographic methods of encryption and data transmission. Unlike traditional prox cards, smart cards cannot be hacked or cloned. Smart card microchips also have read-write capability and can store large amounts of data, allowing for multi-application use. For example, in the educational environment, students and faculty can carry a single campus smart card for providing both physical access and cashless point-of-sale transactions. The card may be used for dining or bookstore purchases, and users manage and load funds to their campus card account. If implemented by the campus, the card can also support automated event or class attendance monitoring.
eBay’s 140,000 SF data center in Phoenix AZ required high-security building systems to ensure the safety and security of the mission critical facility, its equipment and stored data, and building occupants. The Sextant Group provided consultation and design services to program and implement comprehensive electronic security solutions, including alarm notification, digital video surveillance, and advanced access control system which provides flexibility for integration with third-party technologies and will be sustainable well into the future.
Which brings us to the newest generation of access control credentials, the mobile device key. Mobile access has been available for quite a few years now, and provides great convenience for users navigating access to controlled spaces. In lieu of carrying both a smartphone and access credential, the two are integrated into a single device — a very appealing solution for employers, staff and students. As organizations continue moving towards supporting more prevalent use of mobile platforms in business, mobile access is in harmony with the bring-your-own-device (BYOD) deployment model. Like smart cards, mobile credentials may also be used for multi-application use, as described above.
With mobile access, the user interface is provided by an app on the mobile device, which permits the user to access the digital key, or virtual credential. Authorized system administrators can issue or revoke digital keys over-the-air to user smartphones via encrypted data transmission. Each credential is unique to each mobile device, so they cannot be copied or duplicated. If a user replaces their smartphone, a new credential must be issued. Solutions may also allow for multiple devices to be assigned per user, each with an independent credential. Mobile keys can be set for ”always on”, allowing user to be on a phone call or multi-task with other apps in foreground while unlocking door.
And in the hospitality industry, prominent hotel brands such as Marriott, Hilton and others have begun to roll-out mobile key applications at designated properties, with plans for continued large scale expansion. Hotel guests may check-in and receive their digital room key via mobile app, allowing them to bypass the traditional check-in process, a much welcomed convenience.
NEAR FIELD OR BLUETOOTH?
Mobile devices can communicate with access readers using Near Field Communications (NFC) with a read-range of about 1.6”. The mobile device is tapped on the reader, similar as using a smart card. The mobile devices must support NFC in card emulation mode (CE) or host card emulation mode (HCE), also referred to as ‘secure NFC’. As opposed to ‘open NFC’ communication which is used for less secure applications such as reading NFC tags, smart posters, or data exchange with NFC peer devices. The card application and credential are stored in the secure element of the phone or as a service running on the operating system. Not all mobile device operating systems support card emulation mode, as do Android and Blackberry OS. For instance, Windows 10 for mobile devices requires a card emulation app using a SIM-based secure element. And though Apple’s iOS now enables NFC for tag reading, card emulation mode remains unsupported with iOS 11.
Bluetooth 4.0 Low-Energy (BLE) communication protocol is also used in mobile access, with the card application and credential securely stored in the operating system of the device. BLE does not require devices to be paired as did classic Bluetooth, which simplifies implementation of the technology. BLE has other advantages in mobile access, it is supported by any smartphone and has a much greater read-range up to 6’. BLE readers also incorporate device tap for user access, and reader chip sensitivity levels are adjustable by individual device to reduce false triggering. Manufacturers have developed unique applications to take advantage of extended read range capability of BLE. An example is HID’s Twist and Go gesture in which the phone is rotated 90 degrees and back to initiate the mobile key transaction to the reader upon approaching the door.
There are potential drawbacks with mobile access. With over-the-air transmission, data integrity can be a concern. And the nature of BLE with its long-range communication raises worry for potential eavesdropping of data transactions. However, mobile access solutions do incorporate AES128 encryption and mutual authentication protocol, similar to smart card technology described earlier. Other shortcomings of mobile access include the need for a charged battery. If completely drained where cell phone or text will not function, neither will the mobile access app. And though we may eliminate the need for access cards, a company’s policy may dictate that physical ID badges be worn and displayed for identification, erasing the benefit of carrying only a single device.
Those drawbacks aside, mobile credentials offer many other advantages. Mobile access readers can be integrated with high-security access control systems, and “multi-tech” readers are available, able to read both smart cards and mobile credentials. This allows employers to implement hybrid systems, giving staff the option of utilizing physical access card or mobile key. Manufacturers also offer “mobile ready” readers which can be upgraded for mobile access by the addition of a module, providing end-users flexibility for a more seamless migration path. Smartphones may be protected by locked screen, increasing security by introducing two-factor authentication: PIN+credential. And due to the personal nature of one’s mobile device, people are naturally very vigilant and protective of their smartphone, decreasing the likelihood of someone lending out or misplacing their mobile device, thus inherently reducing security risk.
Mobile access has overcome many of the initial obstacles, as the ecosystem of smartphones is becoming more interoperable with common technologies to meet the demands of the security industry. As manufacturers close the gaps in technological disparity, the mobile key is becoming more widely adopted as an alternate, favorable solution for physical access control. It provides convenience to administrators and staff, and enhances the user experience by moving the physical access card to the smartphone while adding the “wow factor”. Looking down the road, new access control system infrastructure should support future migration to mobile credentials. Attention should be given to preparing a system solution which is “mobile ready”, or capable to be retrofit in a cost-effective manner. Existing systems should be maintained with current software versions, and security renovation projects should consider feasible improvements which may also better prepare the system for potential migration. End-users, architects and engineers should be aware of the implications of mobile access on physical security so that informed decisions can be made early in the design process.
For in the end, early planning and preparation for Security and Access Control is the most important mobile device key of all.
Top image courtesy HID Global.