Mobile Credentials (BLE / NFC / Apps) Guide

Author: Brian Rhodes, Published on Nov 14, 2017

One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards.

In this guide, we examine:

  • 4 key management problems
  • 2 practical problems for users
  • BLE vs NFC vs Apps Comparison

[Note: This tutorial was originally published in 2014 and substantially revised in 2017]

Mobile Credentials Are Slick

At a basic level, using mobile phones or tablets as credentials to open doors has a big cool factor. Take this simple demo of one setup below:

In simple terms, instead of ringing a card, fob, PIN, or fingerprint at a reader, a user flashes a phone and the door is unlocked.

Based on the rather personal value of phones, the idea that they accompany users like keys, wallets, or ID cards and they are protected (ie: not easily lost or misplaced) items make them good potential card replacements.

Management Problems

However, the transition is not a simple one, especially for commercial access control. A range of credential and access control management issues crop up not often issues with traditional credential methods. These include:

*** ** *** ******* ****** ** ****** *** *** **** few ***** *** **** *** ******** ** ****** ****** *** access *****.

** **** *****, ** *******:

  • * *** ********** ********
  • * ********* ******** *** *****
  • *** ** *** ** **** **********

[****: **** ******** *** ********** ********* ** **** *** ************* revised ** ****]

Mobile *********** *** *****

** * ***** *****, ***** ****** ****** ** ******* ** credentials ** **** ***** *** * *** **** ******. **** this ****** **** ** *** ***** *****:

** ****** *****, ******* ** ******* * ****, ***, ***, or *********** ** * ******, * **** ******* * ***** and *** **** ** ********.

***** ** *** ****** ******** ***** ** ******, *** **** that **** ********* ***** **** ****, *******, ** ** ***** and **** *** ********* (**: *** ****** **** ** *********) items **** **** **** ********* **** ************.

Management ********

*******, *** ********** ** *** * ****** ***, ********** *** commercial ****** *******. * ***** ** ********** *** ****** ******* management ****** **** ** *** ***** ****** **** *********** ********** methods. ***** *******:

[***************]

***** *** *****

****** ******, **** *********** ****, *** ******* *** - *** the **** ** * ****. *** *** **** ** *********** a ***** ** **** ******, ********* ******** ********* *** ******** updates ***** * **** ******* **** *********** *** *********** **** to ******** **** ******. ** * **** ****** ** ** lost, *** ******** ******** * $** ***** ** *******, ***** if * ***** ****** ** ** ****, ******* **** *** hundreds ** ******* ** ******* **.

**** ** *******

** **** *****, ********* **** *** ** ****** ******** ******. Therefore, '***** **** *** ******', ** *** **** ***** ******** their ******** ****** *** ********** **** ******** ******** ********, **** how ********** ******* ******** ** ********** ** ******* ** *** phone ****** *** ******* ** ****** ******** ************ *** ******* management ********* ** ******** *******.

******* ******* *******

******* *********** ***** ** **** ******* ** *** ***** **** is ******? ** ******* ************* ****** *** ************** ** *********, even ** **** ****** ***** **** ********* ** * ******? Or **** ********* ************ ******* *******? ****** ***, *** ******** leaves * *** ****** ** ** *********** *** ********* ****** if ****** *********** *** *** ****.

******** ********** ***********

****, ****** ******* *********** **** *** ** ****** ** *** physically *********** **** ********* ***** ** **** ****, ****** *********** must ** ******** *********** ** * ****** **** *** ****** unseen. ***** *** * *** ********* ****, *********** *** ****** for ****** ******** ******* ** *** * ****** ***** ********** is ***** *********** ** *** ***** ******** ** * **** that *** ****** ** *********** ** **** *********.

Practical ********

*** ** ******** ** '****' ********** ******, *********** ******* ******* cards ** **** *** ****** ******* ****** '****' ******** ****** as ****, *********:

******* ** ** ******* ***

****** ******** ***** **** *** ***** ******* **** *** ****'* picture, ****, *** ***** ***** ******** *******, ***** *** **** often ****** ** ******** ** ******. ***** * **** *** be **** ** ******* * ******* **** * *****'* ****** on *******, *** ****** ****** ** ********* ********** ** * glance **** * ******* ** **** *** ****.

********** ***********

*** *** ***** ** ********* ****** **** *** ** ***** with * ****** ***** ****** ** ****** *********. **** ******** as ***** ** ******* **** *** ****** **** ******, *** their ******* ** ******** *********** ******** ** ********* ********** **** or *****:

******, ******* *****, ********* *********, ******** ********, *** **** *****-******* demands *** ********* ****** **** *****. ***** ***** *** **** to *********** ********** ** ***** ********** ** ******* ***** **** with

Three ***** ****** *******

** ***** ** *******, ***** ****** ******* ** ****** *********** are **** ** ******:

  • *** (********* *** ******)
  • *** (**** ***** *************)
  • *** ***** ***********

**** *** * ****** ** ******** ******* ********* **** *****, frankly ********** *** **** **. **** ** **** ******:

BLE (********* *** ******)

***** * ******** ****-******* ** *** ****** *********** ******, *** is *** *** **** ****** ****** ****. *** ****** ** due ** *** ******** ********* ********* ** *** ** ****** phones, *** ********* * ****-******* ************* **** ***** ******* ********** of ***** **** ** ***********.

******* *** ******* ** **** *** ********* ***** *** **** or *** **** ******** ** ***, *** ************* ****** ****** money ** ******* *** ********* **** ********** ** ******* ****.

** ***** ** **********, *** ******** ****** ***** ** ********, so **** ***** ********* *** * *********** *** ******* ********* of ****** ********** *******.

*** *** ****** *** **** ****** ****** ** ****** *************, given ******** *********** ********* ********** *** ***/** *** ********* *****. Many ******** ***** ******** **********,****, *********, *** ***** ********** *** *** ** ******* ***********, including *******:

** ******* *** ******* ** ****** ** *** *** *** ****** ** ****** ***********.

NFC (**** ***** *************)

**** *** ****** ****** *******, *** *** *** ****** *********** giant *** ****** ******* ** ***** *** ** ***** **********/********** credential ****** ** ******. ***** ************ *******'* '***** *** **' ****** ********** *** ******* ** **** ***, *** *** *********** **** to **** *** **** ****** ** ***.

** ***** ** *********, *** *** *******, ********* ************ *** limitation ** ***** ***** ** *** * **********. **** ** NFC **** *** **** ******* ** ** ****** **********, ** can ** **** ** * ******* **** *** ***** ********* by *******.

*******, *** **** ** *** ** **** ** ***** **** manufacturer ********* ** *** *** ******. ***** *** *********** *********** adoption **.** *** ****** ******* **** **** ********* ****** ** demand/ *******, ** **** ******** **** ****** *** *** ***.

** ***** ** **** *** **** ******* *** *** **'* closest ********** ****** ***, *** ***** ***** ********* ***********:

*** ******* ********** ** *** *** ****** *** **** ******* as ******* *** *** ******* ***********. ******, ***'* *********** *** a ******* ******** ** *********** ****** ***'* *** ******.

App *****

** ******** ****** ** ***** ** *** ** ***** ** software ** ******* * **** ****** ******** ****** **** **** the ***** **** * **********. *** *** ****** ***** *** seen ** ******* ********-***** ********* *************, *** *** ***** **** ********** ********* ********,*****, ********, *** ******.

***** **** ******, ****** ****** ******* ** **** ******* **********, but ****** ******** ********* **** ********* **** ***********. **** ********* requires *********** *** *********** **** **** ** ***** ** ********, and **** ******** **** ******** ******** ****** ****** ****** ******* firewalls ** **** ***********. *** ***** *******, ** ** *** expect ** *** * ****** ****** ** ***-***** ****** ***********, but ** ******* * ************** ***** ***** *** ***** **.

Comments (18)

You can add compatibility to the comparison chart. Almost all devices now have BLE but NFC is a relatively wild distribution with differing adaptations of the NFC protocol as well as the dependency by Phone manufacturers and Telecoms provides allowing those devices to function and how.

I also noted in a test we did, the cost of the token was not well established. It was suggested by one manufacturer that 6-8$ a token which is basically the cost of a card personalized for an individual. I believe these tokens should be in the 1$ range or less and that will make it extremely interesting for the market.

Finally the provisioning mechanism is another issue. For a few people its fine, but when you start considering 100s or 000s of recipients how do you provision and also integrate with internal provisioning systems.

I understand you wanted to cover highly secured credentials in this report and of course those in the technology edge are NFC and BLE as well as customized apps based solutions. However, there's a more extended mobile based credential usage. This is using QR codes and millions of people use it when boarding a plane, train, etc. Of course it is not intended to have the same security integrity of the described technologies, but it's more usable, flexible, easy to send to the credential holder and easy to read by a scanner and by a video camera as well. The initial lack of security can be accepted if the use is restricted to one access only or a short time period validity. We at Axis are promoting that to be used with cameras at the access point or more adapted wioth video door stations, adding this credential verification to the main purpose of the door station for assisted access granting.

Axis is promoting QR codes for access control credentials?

We are conscious of the security limitations it may have since a QR code can be easily replicated. However in certain applications it is really useful since it is easy to send to a mobile device and used in frot of a surveillance camera or video door station. This is being promoted for those who need to have access during a known short time period such as visitors, deliveries, maintenance operators without the process to hand over a token. Of course if you have a camera and a security center, you could just open the door remotely, but for that a dedicated call center is needed. Instead, if the risk is not high and you trust the recipient, it's very flexible to just send (or make it available on line with previous login) the QR code and limit its validity for the desired time window (or just one access service). Of course if ¡we talk about permanent credentials we would not recommend that at all.

Isn't it an access control usage when applied to boarding gates?

Anyway, it is not intended to present the QR code as a real access control method in the way we all understand access control for security, but looking at the title of the report it just says "Mobile credentials"

Given the very narrow parameters that QR codes 'might' be a fit for visitor management systems, I am confident in keeping it exclusive from this report that is clearly addressing more general mobile-based access control credentials.

Sorry, what do you mean by "narrow parameters"?

Very interesting use of QR codes given the trend to merge access control with VMS systems.

Been a long time since I've seen Lisa Lake....not sure she's on Facebook, but thanks for bringing back the ol' memories.

Memories for sure... right out of the original Lenel OnGuard...

Good article, but it is not clear here or in the NFC vs BLE article that HID's mobile device solutions do now include BLE as well as NFC. iClass SE readers can be ordered to support either, both, or neither.

Great Article :)

Mobile phone credentials may not be a revolution but they will certainly be the evolution.

rbl

A quick question regarding NFC - is the reader reading the UID on the phone.

If so, what's the chance that there are duplicates?

Can you get Corporate 1000 / Elite key style NFC on devices?

HID uses the device endpoint ID in generating the mobile credential, but only the mobile credential data is read by the user. I don't know the possibility of devices existing with duplicate endpoint IDs, but I think credential duplication due to this would be almost impossible. If a phone is wiped or the Mobile Access app is deleted and re-installed, a new credential needs to be issued to the phone, even though the device remains the same.

I believe HID mobile credentials can be ordered in most formats. All operate similar to Elite cards as the readers and mobile credentials are end-user specific.

Mobile Credential Example

A quick question regarding NFC - is the reader reading the UID on the phone.

For HID my understanding is that a token is tied to a specific device, but it is the user's registration/account that is provisioned. Users can generally use different NFC devices with the same login. Is that your question?

Can you get Corporate 1000 / Elite key style NFC on devices?

You need to upgrade readers to use NFC, and those credentials do not emulate older card formats.

is there any statistics on adoption levels?. I know its cool and it will be the way forward for many, but have any surveys projected the up take level over the next years.

it seems even slower than IP cameras , but we all know where that went!

Bluetooth credentials still have a ways to go yet IMO. We have not had any real traction to this yet. On our office front door we have an HID Bluetooth reader and it seems like every couple of days it won't read the credential and have to end up using my fob. One day I walked up and my Apple watch started buzzing constantly and saying trying to connect, or at least something like that, but never unlocked the door. Every time when my phone won't unlock the door I always say "Why would i sell this if it doesn't always work here".

Can you imagine the service calls for this? I can... Arrrggghhh.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Startup SafePass Profile on Oct 19, 2018
A major problem with visitor management is that the systems mostly require adhesive printed paper labels and paper logs, creating waste and an...
Video Quality / Compression Tutorial on Oct 17, 2018
While CODECs, like H.264, H.265, and MJPEG, get a lot of attention, a camera's 'quality' or compression setting has a big impact on overall...
Integrator Laptop Guide on Oct 16, 2018
This 18-page guide provides guidance and statistics about integrator laptop use. 150 integrators explained to IPVM in detail about their laptops,...
Higher Power PoE 802.3bt Ratified, Impact on Security Products Examined on Oct 12, 2018
Power over Ethernet has become one of the most popular features of many video, access, and other security products. See our PoE for IP Video...
Door Hinges Guide on Oct 10, 2018
Some of the trickiest access control problems are caused by bad door hinges. From doors not closing right, to locks not locking, worn or warped...
Security System Health Monitoring Usage Statistics 2018 on Oct 09, 2018
How well and quickly do integrators know if devices are offline or broken? New IPVM statistics show that typically no health monitoring is...
IP Camera Installability Shootout - Avigilon, Axis, Bosch, Dahua, Hanwha, Hikvision, Uniview, Vivotek on Oct 08, 2018
What are the best and worst cameras from an installation standpoint? Which manufacturers make it harder or easier to install their cameras? We...
UTC Merges Lenel and S2, Creates LenelS2 on Oct 03, 2018
UTC has completed the acquisition of S2, launching literally Lenel's2 LenelS2 with UTC declaring that "LenelS2 unites two world-class teams with...
Anti-Tailgating Startup: Spyfloor on Oct 03, 2018
A Canadian startup, Spyfloor, is using a different approach to warn against tailgating, a common access control problem. By counting feet,...
Network Cable Testing Guide on Oct 02, 2018
Proper cable installation is key to trouble-free surveillance systems. However, testing is often an afterthought, with problems only discovered...

Most Recent Industry Reports

Startup SafePass Profile on Oct 19, 2018
A major problem with visitor management is that the systems mostly require adhesive printed paper labels and paper logs, creating waste and an...
China Is Not A Security Megatrend, Says SIA on Oct 19, 2018
The US Security Industry Association has released its 10 "Security Megatrends" for 2019. SIA declares that these megatrends, such as "Advanced...
Hanwha Dual Imager Dome Camera Tested (PNM-7000VD) on Oct 18, 2018
Hanwha has introduced their first dual-imager model, the PNM-7000VD, a twin 1080p model featuring independently positionable sensors and a snap-in...
Camera Height / Blind Spot Added to IPVM Camera Calculator on Oct 18, 2018
IPVM has added camera height and blind spot estimation to the Camera Calculator. This is especially helpful for those who need to mount cameras up...
Axis Strong US Growth, Flat EMEA - Q3 2018 Financials on Oct 18, 2018
This spring, Axis had its best financials in many years (see Axis Strong Q2 2018 Results). However, over the summer, Axis had many products sold...
Best Alternatives to Banned Dahua and Hikvision on Oct 17, 2018
With the US government ban and a growing number of users banning Dahua and Hikvision, one key question is what to use for low cost? While Dahua and...
Video Quality / Compression Tutorial on Oct 17, 2018
While CODECs, like H.264, H.265, and MJPEG, get a lot of attention, a camera's 'quality' or compression setting has a big impact on overall...
Knightscope Winning Investors, Struggling With Growth on Oct 16, 2018
While Knightscope's new financials show the company only winning 11 new customers in the past 12 months, the company continues to win new...
Integrator Laptop Guide on Oct 16, 2018
This 18-page guide provides guidance and statistics about integrator laptop use. 150 integrators explained to IPVM in detail about their laptops,...
Huawei Admits AI "Bubble" on Oct 16, 2018
A fascinating article from the Chinese government's Global Times: Huawei’s AI ambition to reshape industries. While the Global Times talks about...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact