Mobile Access Control Guide

By Brian Rhodes, Published Aug 28, 2019, 12:05pm EDT

One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards. But how does this work?

Based on our mobile access control shootout, in this guide, we examine:

  • BLE vs NFC vs Apps comparison
  • Why many access systems use multiple methods
  • Mobile pricing compared
  • Mobile access OEMs are common
  • Limited reader model selection typical

Plus we detail factors that may limit mobile's appeal for some users:

  • Cards & Fobs Are Inexpensive
  • 'Bring Your Own Device' (BYOD) Can Be Awkward
  • Ongoing Service Billing
  • Awkward or No Picture IDs
  • Battery Power Limitations

Mobile *********** ***********

***** ****** ******* ** *********** ** open ***** *** * *** **** factor.

** **** *****, *** ***** *** not **** ** ** ******** ** app ********* ** ***** ** **** a ****, **** **** ***** ********* or ***** ******** ***** ****** ** send ******* **** ********** ****.

******* ** ******** * ****, ***, PIN, ** *********** ** * ******, a **** ******* * ***** ** activates ** *** *** *** **** is ********.

***** ** *** ****** ******** ***** of ******, *** **** **** **** accompany ***** **** ****, *******, ** ID ***** *** **** *** *** easily **** ** ********* **** **** good ********* **** ************.

Three ***** ****** *******

** ***** ** *******, ***** ****** methods ** ****** *********** *** **** in ******:

  • *** (********* *** ******)
  • *** (**** ***** *************)
  • *** ***** ***********

Mobile ********** ****** **********

************ ***** ****** ** **** ***** a *** ********** *** ******* ****** access ***********. ** *******, ****** ************ data ****** **** ****** *****/*** **** methods *** ********* **** ***** *******, with **** ****** ****** ********* *********** and ********.

*** ********* ***** ***** *** ***** differences ******* *****:

*** *******, ****** *** ********** ** Range ******* *** ***** *******. ***** NFC ***** ** ***** (********* **** than * ******), *** ***** *** BLE ** ****** ** ~*** ****, while *** ******* *********** **** ****** only ******* ** **-** *** ******** connectivity.

** ***** *****, ***** ****** ** used ******* *********** ***. *** *******, with *** ******, ***** *** ** less ******** *** ********** ** *** reader **** ***, *** ******* ********* phone ***** *** ***** ***** ****** is ******* ****, ******* **** ********** is ***** ********** ** ***** ****** access ****** **** ***.

Many ****** ******* *** ******** *******

** ***** ** ******** *** ******** of * ********** ******, **** ****** access ******* *********** ******** ****** ******* in ***** *******.

*** *******,*** ********** **** *** ** ***, ***************** *** *****. *** ********* ******* depend ** *** ****** ** ********** into *** ****** ********, ** ** the **** ********** ********************* (***) ***** **. ****** **** *** *** **** underlying *******, *** ********** ***** *** and *** **. *** **** *** the ****** *******.

***** *** ** *** ******* **** support **** ***********, **** ******* *********** directly **** ******* **********,** *** **-** ** *********** ** the ******.

BLE (********* *** ******)

*** ** *** **** ****** ****** mobile ****** ******, ******** ** ****** all ****** ****** *** ****** ****** products.

* *** ******* ** **** *** licensing ***** *** **** ** *** cost ******** ** ***, *** ************* expend ****** ***** ** ******* *** compliant **** ********** ** ******* ****.

** ***** ** **********, *** ******** device ***** ** ********, ** **** phone ********* *** * *********** *** often ******* ****** ********** ******* **** cards, ****, ** **** ** ** used.

*** *** ****** *** **** ****** method ** ****** *************, ***** ******** engineering ********* ********** *** ***/** *** licensing *****. **** ********-***** ******** **********,****, *** ***** ********** *** *** to ******* ***********.

NFC (**** ***** *************)

*** ********* ** ****** ** *****, with ******* ****** ******** ******** ***************, but *****/******* ***** **************** ******* **** *** **** **** ****** access.

** ***** ** *********, *** ********* the ********** ** ***** ***** ** use * **********. **** ** *** chip *** **** ******* ** ** access **********, ** *** ** **** in * ******* **** *** ***** energized ** *******, * ******* ******* BLE ** **** *****.

***** ****** ******* *** ** *** applications **** *******, ******* *****, *** mass *******, *** *** ** ***** fragmented ****** *** ** *** ********* BLE ** **** ****** ****.

App *****

* *****, *** **** ******, ****** uses ** *** ** ******* * door ****** ********.

*** *** ****** ***** *** **** in ******* ********-***** ********* *************, *** *** ******** **** ********** platforms *********,********* ****,****,********,*****, *** ******.

*** ***** ** ***** ***** * 'Tap **** ** ******' ****** ********* as ********** **** ********* ******:

***** **** ******, ****** *** **-** to *********** **** ******* ** ******** interface **** ********* **** ***********.

**** ********* *** ******* ******** ******** to ***** ****** ****** *** *** or ******* *********, ***. ** **** controllers.

Pricing *** ****** ****** *******

*** **** ** ****** ****** ** exist ****** ********* ******** ***** ******* (often ********* ***** ****) *** * software / ********* ****.

******* *** ******* ********* ***** ~$*** - $*** ****.

******** / ********* **** ****** *************:

  • *** **** ******** ******* ***: **** is ********* *** ***** ********* ******* typical ****** **** ******* **** ********* Data *** ****** ********* ******** ***** $10 *** ******, *** **** ****.
  • ******* ******** ******* *** *** ******: OpenPath *** ***** ****** * ******* fee *** ****** ** $**. ***** a ****** ***** ** ** ******* (or ****) *** ******, **** ** an ********* **** ** * *** dollars *** ***** *** ******.
  • ******* ******** ******* *** *** ******: This ** ********* *** **** ********* overall ****** **** ******* **** *** and ***** ********* ******** $* ** more *** ****** *** *****.

** *** **** *** ** ****** licensing, **** $**+ ** **** *** year *** ******, ********** ***** *** increase *** ** **** ******** ** conventional ******** *********** **** ***** **** $2 ** $* **** ***, ** average, **** ** ***** * ****, if *** ******** *****.

Mobile ****** **** ******

***** ****** ******* ******* *** ******* labeled/OEM'd ********* *** ***** ****** ****** offerings.

*** *******, *** ****** ****** ***** use ***** *********:

**** ******** ********** ****** ****** ****, often *** ***** ****** **** ***** vendors, *** ***** ******** * ****** system *** *** **** ***** ** licensing *** ***********, *** ********* ***********.

Limited ****** ***** *********

** ******* ********** ** ****** ****** is **** **** * *** ******* are **********, ***** *** ***** ********* and **** *** *** ****** ** connected ** * **** ********** *** Wiegand ** ****.

*** ********** ***** ***** **** *** shootout ***** *** ********* ** ******** reader ****, *** ****** *********** ***** like ******* ****** *** *** ** possible ***** ** ***** ******* ** used:

** **** *****, **** ******* ******, * ****** ** **** ******, card ********** ****** *******, *** ******* vs. **** ********** ******* *** ********* because *** ****** *** ** ****** line ** ****** **********.

*******, ******* *** ************* ******* **** a ****** ********** **** ******** **** *** ****, *** *** and *******-**** ***** *********.

Management & ***** ********* ********

************* *** ******** ****** ****** ** not ****** *** ********** ****** *******.

* ***** ** ********** *** ****** control ********** ****** **** ** **** are *** ********* ******* **** *********** credential *******. ***** *******:

  • ***** & **** *** ***********
  • '***** **** *** ******' (****) *** Be *******
  • ******* ******* *******
  • ******* ** ** ******* ***
  • ******* ***** ***********

Cards & **** *** ***********

****** ******, **** *********** ****, *** roughly *** - *** *** **** of * ****. *** *** **** of *********** * ***** ** **** higher, ********* ******** ********* *** ******** updates ***** * **** ******* **** inexpensive *** *********** **** ** ******** once ******.

** * **** ****** ** ** lost, *** ******** ******** * $** piece ** *******, ***** ** * phone ****** ** ** ****, ******* must *** ******** ** ******* ** replace **.

'Bring **** *** ******' (****) *** ** *******

** **** *****, ********* **** *** be ****** ******** ******. *********, '***** Your *** ******', ** ****** ***** to ******** ***** ******** ****** *** commercial **** ******** ******** ********.

****** *** ***** **** *** ********** network ******** ** **********, ** ******* or *** ***** ****** *** ******* to ****** ******** ************ *** ******* management ********* ** ******** *******.

Ongoing ******* *******

******* *********** ***** ** **** ******* if *** ***** **** ** ******?

** ******* ************* ****** *** ************** of *********, **** ** **** ****** enter **** ********* ** * ******? Or **** ********* ****** *******?

****** ***, *** ******** ****** * new ****** ** ** *********** *** otherwise ****** ** ****** *********** *** not ****.

Awkward ** ** ******* ***

****** ******** ***** **** *** ***** printed **** *** ****'* *******, ****, and ***** ******** ******* **** ** Codes ** **********, ***** *** ****** or ******** **** ***** **** ******.

******* *** *** * ****** ** identity ************ *** ***** ******** *****, where ** * ****** ****** *** match *** ******* ** * **** to *** ****** ********** ** *** access.

************* *** ****** ****** **** ** made ********* ** ********* ******, ***** require ***** ** **** ***** ******** or ***** ***** *** ***** **** is ******.

******** **** ****** ******** ** ********* unlocking *** ****** *** ** ******** for ****** *****, *** ***** ******** is *********, ******* ********** *** **** to ****** *** ***** *** ******** some ** *** '****** ******' *****.

Battery ***** ***********

**** ******** ** ***** ** ******* life *** ****** **** ******, *** their ******* ** ******** *********** ******** to ********* ********** **** ** *****:

******, ******* *****, ********* *********, ******** function, *** **** *****-******* ******* *** mitigated ****** **** *****.

Mobile ****** ********

*** * ******** **** ** **** of *** ******* ****** ****** *********, see ********* ****** ******* ************* ** ******* *** *** ********* and ********** ** ****.

***** **** ******* ** **** ** those ********* ** *** ****** ****** test ******:

Comments (23)

does this exist yet, (as a commercial product)?


ha!

There are options I've seen and resold as an integrator, but they are not that common these days. I did not see any examples at ADI or Anixter.

I don't think you will find HID formats for these types of phone cases, either. You'll need to buy HID mobile for those. Usually I've seen 125 kHz or MIFARE versions on Alibaba or eBay.


How is the uptake of mobile access technologies for hotels? As per my understanding it is more popular with hotels than with the enterprise (I think Vingcard and Salto both support mobile technologies). Do you have any idea why this may be the case?


I believe uptake is indeed stronger for mobile in hospitality systems, especially for higher-end properties.

Because hospitality systems generate lots and lots of credentials, hundreds in a single night even, (used just once or twice) the operating expense of these badges can grow quite large - this is why you'll often see advertising printed on them, to help offset or subsidize the cost of the card.

One of my IPVM colleagues told me of a recent stay where mobile hospitality systems were used. The entire process of check-in, room access, and check-out was done via the app.

Mobile allows the marketing advantages of downloading an app to patron phones (marketing 'hot' or 'getaway' deals, frequent booking points, etc), plus leverages the 'cool factor' of mobile with other business utilities, and avoids consuming/purchasing as many badges.


Can you confirm that mobile hotel credentials automatically expire when the hotel guest check out time arrives same as with cards?


We are actively looking for a partner to build the hotel reservation system on top of our platform. We will mount a tablet on each hotel door. The customer will book online and receive a QR code to open the door when they arrive. Obviously the code only works during their duration of stay. If they needed to contact the hotel staff, they can make a video call from the tablet. In the other 99.999% of the time that the tablet is doing nothing, it can display a video AD.

Our system already does everything except the reservation part.


question, do any of these BLE readers include a courtesy charging dock?


You mean for charging potentially dead phones?

It's an interesting idea. None of the readers we've tested include a feature like that.


I'd imagine it's an idea that would come quite naturally to a person standing at a reader with a dead phone :)


We've seen a few products where phone power can be transmitted to a dead lock via 'solar/light' power:

The idea is if the lock battery is dead, users can turn on the LED flashlight on their phones and charge up the lock enough to get access.

Of course, we haven't tested this, and the idea is not included in commercial products we have seen.


So is NFC really MiFare in a phone?

If so, why can't legacy MiFare card readers read NFC phones?


So is NFC really MiFare in a phone?

No. Same frequency, but NFC is a standard transmission format all its own.


Since the frequencies are the same, I wonder if a MIFARE reader would power the NFC chip of a dead smartphone brought close enough. Though I suppose it wouldn't respond, as it wouldn't understand the request.


What do you make of this list of mobile devices with NFC/MIFARE compatibility of some sort:


It's interesting. One stackexchange poster (some years ago) modified his NFC chip to emulate MIFARE to readers, apparently transparently to the system, but he calls it 'a hack and a half' that physically required a valid card and modification of NFC's signature file:

However, in the end the solution was a hack and a half. Only devices with NXP NFC controllers could this be possible on. Further, I had to modify the nfc_access.xml (remount the file system to rw) system file and include the signature of the application. Then using reflection, enable mifare emulation. Then using a mifare reader/writer (hid 6055b), I encode the data (sectors and blocks, in my case sector 1) onto the phone. In essence, I treat the phone as a mifare ID card. That is, I copied my id card to the phone. You can't programmatically set this.

At the end, the poster writes 'Although I proved it possible, it is not feasible for production.' Furthermore, I expect he was using MIFARE classic (the format on the list you linked) or DESFire EV1; which are 'cracked' formats and not DESFire EV2. [Note: EV1 is commonly used in a way that is still uncracked and secure, with 'unique' keys.]

I am not familiar enough with the practical barriers to comment on whether or not non-NFC readers can read emulated MIFARE or similar formats without problems.


You state « Furthermore, I expect he was using MIFARE classic (the format on the list you linked) or DESFire EV1; which are 'cracked' formats and not DESFire EV2 »

Mifare Classic was famously cracked but Desfire EV1 was never cracked, to my knowledge. Please provide more information if you have it (Desfire EV1 is not the same thing as Mifare Desfire, which was cracked)


Ah, that's a good catch. EV1 is only crackable when the reader key is known (or if the default key is used, which makes it materially the same as 'Classic').

The Proxmark3 and other sniffers cannot detect these keys, and the value must otherwise be obtained. If that value is known, then the string can be decompiled.

It is my understanding that EV2 forces unique keys to be used.

So your point is a good one. Neither EV1 nor EV2 have been cracked when deployed as recommended.


Integrated Control Technology (ICT) offers a competitive product based on this post, offering NFC (for Android), BLE (iOS, due to Apple restrictions), wifi/cellular within the app itself and "shake to unlock". Its reader checks all the items off this list as well as being 125k or MIFARE compatible.


Mobile access can be limited to specific employees (e.g. directors, board members) and applications

1. Give mobile access to users who do not frequently visit the office or who often travel between multiple office locations.

2. Can be used for operating a drop arm barrier because of its long read range, as an alternative to RFID.


I personally had a little "issue" with HID Mobile a few months ago on a customer's site. They all had different phones. On Android it worked pretty well; with iOS, Bluetooth was too powerful, so when a person was walking around the reader's area (i.e. when they went out for a smoke) it was continuously intercepted by the reader. On Android, in the HID app you can set the Bluetooth output transmission (and so you solve this issue), but Apple doesn't allow 3rd parties to set basic telephone features (and Bluetooth power was on maximum mode), and there was nothing to do except to tell these guys to be careful in their moves or to go away from that platform.


Mobile credentials are getting more polar now.


The info shared here is eye-opening.


I'd like to point out a mobile access method which has not been discussed here - we call it "readerless". It does not require any kind of reader for online operation. For offline operation the controller can talk directly with phones over bluetooth via external USB dongle - a much cheaper and simpler solution than readers. And if cards are required, readerless can be combined with any kind of card readers. Except us (DoorCloud.com) I think only Brivo offers something similar. May be good to know.

NOTICE: This comment has been moved to its own discussion: "Readerless" Mobile Access Control - What Do You Think?
