Introduction: Evolution of Credentials
Access control has always been a work-in-progress, readapting itself into new forms driven by the stunning, high-speed evolution of modern technology. We’ve seen hardware evolve from PIN pads to proximity cards to smart cards, and now — as we prepare to enter the 2020s — we are seeing the rise of mobile credentials for access control on smartphones. At the same time, the software that drives the solutions and supports the readers is also changing, from traditional hard-wired systems with local servers all the way skyward to wireless and cloud.
With each successive generation of access control, new technological capabilities have sought to increase both convenience and security. However, advancements in one area have not always translated equally well to the other. We have seen some technologies boost convenience but decrease security — as well as others that enhance security but make for a difficult user experience. This is certainly the case for mobile credentialing, and as a result, widespread adoption has stalled.
Fortunately, a new generation of mobile credential solutions is now arriving that promises to vault this technology into the mainstream, as it finally delivers superior performance on both fronts.
Two Steps Forward: Increased Security
Today, the market demand is strong for access control technology that employs mobile credentials that are managed and implemented via apps on personal smartphones, replacing the need for physical cards. Mobile credentialing has the potential to improve both security and convenience, and is delivering enhanced protection in many ways. To date, however, mobile credentialing has done a better job of increasing security than convenience. This is unfortunate, because for smartphone users – who comprise the vast majority of the public – there are few processes that phones cannot make easier, faster, and more accessible, and users look forward to incorporating new types of applications into their daily routines.
Where mobile credential solutions are an undeniable success is in increased security, a result of technology that leverages the smartphone’s alter ego as a mini computer to provide enhanced encryption. Josh Perry, Chief Technology Officer at ProdataKey (PDK) of Draper, Utah, an innovator of cloud-based networked and wireless access control products and services, explains, “When using smartphones, your access credential is actually encrypted in the memory of your device, making it much, much more secure than a normal proximity card.”
Another plus for mobile credentials is that they can be quickly disabled by their owner. “If someone loses their phone, because of all the personal information it carries, they deactivate it as fast as possible. By contrast, if an employee loses his wallet with an access control card inside, he’s initially much more concerned about canceling his credit cards or putting a freeze on his bank account,” says Perry. “It could be several days before the employee would bother to let an HR department know that a card key had been lost or stolen.”
There are additional drivers for adopting mobile credential solutions on the organizational side which are delivering positive results. These include a reduction in administrative costs, as there are no cards or fobs to purchase and, in some cases, no per-credential licensing fees. Also, in an age when a company’s green profile strongly matters, there is the assurance of no access-control relics destined for landfills or the oceans.
One Step Back: Inferior Customer Experience
For all the progress on the security front, the unfortunately truth is that most mobile credential solutions on the market today offer an inferior customer experience to cards or fobs.
For starters, the majority of solutions require the phone to be unlocked, removed from a user’s pocket or purse and held directly against or close to the Bluetooth door reader. Systems require this to keep the signal from being intercepted and to prevent the wrong person’s mobile credential from being validated. This can leave users struggling at doors or lobby turnstiles as they try to balance briefcases, bags, and coffee cups while making the required phone maneuvers. By contrast, a physical access control card can often be read through wallets and clothing. Yes, such cards can be cloned, shared and stolen, but they don’t require a juggling performance at the door.
Perhaps the most frustrating blow to users’ convenience is glitchy performance if the cellular or WiFi connection is too weak for the phone to validate credentials or if the app is designed to communicate with the cloud rather than directly with a reader. In those cases, if the connection is down, the system doesn’t work.
“The result of all these issues is that mobile credentialing ends up being more of a marketing bullet point than an added value customers fully embrace,” says Perry.
Finally, some organizations lose out on stronger security while trying to make mobile credentials work with legacy systems. Perry explains that when mobile credentials simply mimic the behavior of traditional access cards, then bad actors can clone that ID and fool the system. “The legacy system has effectively nullified all of the high-tech security that’s implemented by both the reader and in the phone to accomplish the secure communication,” he says.
A Great Big Leap: A Solution That Actually Works
The good news is that the convenience versus security trade-off is ending as manufacturers bring more solutions to market. A combination of cloud-based software and innovative hardware holds the potential to take mobile/Bluetooth access control to the next level, making it more convenient for users and administrators as well as delivering stronger security.
Cloud solutions that provide manufacturer-issued, unique credentials for each user are impossible to clone, and can be easy to issue through an automated process within the software’s administrative interface. Unique per-session encryption keys, made possible by the processors inside smartphones, further protect the privacy of transmission between phone and readers.
Also, new techniques will allow the identification and validation of credentials from farther away from the reader without risk of connecting with the “wrong” person’s phone. This makes sure that by the time a person indicates a request to enter when they reach the door, authorization has occurred and the unlocking can occur immediately. “This will create an extremely low friction experience for the user that is even easier and more convenient than using a card–that’s the goal,” Perry says.
“Touch io,” is a new PDK Bluetooth reader and credentialing option for smartphones and designed for use with the company’s network and cloud-based access control solution, pdk io. It includes a unique dual-antennae technology to differentiate whether a phone is on the inside or outside of a doorway, as well as machine learning that allows readers to recognize door use patterns. This helps to further hone access control over time.
Touch io also has the ability to differentiate between traditional cards and mobile credentials used at its readers, while accommodating both. This breakthrough supports most customers’ need for a transitional roadmap, but leverages the superior security and features of mobile credentialing whenever a smartphone is used.
The New Norm: Mobile Technology
Smartphones have impacted our lives in countless ways, but for each application that’s become mainstream, the phone has had to provide a superior experience than what it replaced. Some applications, like mobile banking, have had an even higher bar to cross – also ensuring privacy and security. With innovate access control solutions now coming to market, mobile credentialing will soon be equally commonplace.
While still not industry standard, some manufacturers are leading the way in offering this next level of mobile credentialing. If you’re serious about its use, look beyond marketing hype on data sheets as you investigate options. See a demo. Ask the right questions. Mobile is the way of the future; make sure the solution you invest in provides the superior experience that new technology is supposed to deliver.
About ProdataKey
PDK is a team of security integrators with decades of hands-on, in-the-field experience. PDK believes that the best technology is created by professionals who know what it takes to secure a facility properly and provide the end user with a solution that instills confidence and safety.
PDK is passionate about creating technology to enhance the security, safety, and overall experience of both the professionals installing electronic access control and those that live with and use the system. PDK continues to create technology every day to enhance its products and the products of its technology partners.
