Mobile Credentials (BLE / NFC / Apps) Guide

By: Brian Rhodes, Published on Nov 14, 2017

One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards.

In this guide, we examine:

  • 4 key management problems
  • 2 practical problems for users
  • BLE vs NFC vs Apps Comparison

[Note: This tutorial was originally published in 2014 and substantially revised in 2017]

Mobile Credentials Are Slick

At a basic level, using mobile phones or tablets as credentials to open doors has a big cool factor. Take this simple demo of one setup below:

In simple terms, instead of presenting a card, fob, PIN, or fingerprint at a reader, a user flashes a phone and the door is unlocked.

Because phones have personal value, accompany users like keys, wallets, or ID cards, and are protected items (i.e., not easily lost or misplaced), they make good potential card replacements.

Management Problems

However, the transition is not a simple one, especially for commercial access control. A range of credential and access control management issues crop up that are not often issues with traditional credential methods. These include:


***** *** *****

****** ******, **** *********** ones, *** ******* *** - *** *** **** of * ****. *** the **** ** *********** a ***** ** **** higher, ********* ******** ********* and ******** ******* ***** a **** ******* **** inexpensive *** *********** **** to ******** **** ******. If * **** ****** or ** ****, *** employer ******** * $** piece ** *******, ***** if * ***** ****** or ** ****, ******* must *** ******** ** dollars ** ******* **.

**** ** *******

** **** *****, ********* will *** ** ****** employee ******. *********, '***** Your *** ******', ** the **** ***** ******** their ******** ****** *** commercial **** ******** ******** problems, **** *** ********** network ******** ** ********** to ******* ** *** phone ****** *** ******* to ****** ******** ************ and ******* ********** ********* on ******** *******.

******* ******* *******

******* *********** ***** ** what ******* ** *** phone **** ** ******? Do ******* ************* ****** the ************** ** *********, even ** **** ****** enter **** ********* ** a ******? ** **** employers ************ ******* *******? Either ***, *** ******** leaves * *** ****** to ** *********** *** otherwise ****** ** ****** credentials *** *** ****.

******** ********** ***********

****, ****** ******* *********** that *** ** ****** in *** ********** *********** when ********* ***** ** turn ****, ****** *********** must ** ******** *********** on * ****** **** may ****** ******. ***** not * *** ********* risk, *********** *** ****** for ****** ******** ******* or *** * ****** based ********** ** ***** invalidated ** *** ***** compared ** * **** that *** ****** ** confiscated ** **** *********.

Practical ********

*** ** ******** ** 'soft' ********** ******, *********** between ******* ***** ** fobs *** ****** ******* create '****' ******** ****** as ****, *********:

******* ** ** ******* IDs

****** ******** ***** **** are ***** ******* **** the ****'* *******, ****, and ***** ***** ******** details, ***** *** **** often ****** ** ******** by ******. ***** * user *** ** **** to ******* * ******* from * *****'* ****** on *******, *** ****** factor ** ********* ********** at * ****** **** a ******* ** **** are ****.

********** ***********

*** *** ***** ** technical ****** **** *** go ***** **** * mobile ***** ****** ** easily *********. **** ******** as ***** ** ******* life *** ****** **** phones, *** ***** ******* to ******** *********** ******** to ********* ********** **** or *****:

******, ******* *****, ********* condition, ******** ********, *** even *****-******* ******* *** mitigated ****** **** *****. While ***** *** **** to *********** ********** ** other ********** ** ******* doors **** ****

Three ***** ****** *******

** ***** ** *******, three ****** ******* ** mobile *********** *** **** in ******:

  • *** (********* *** ******)
  • *** (**** ***** *************)
  • *** ***** ***********

**** *** * ****** of ******** ******* ********* each *****, ******* ********** the **** **. **** of **** ******:

BLE (********* *** ******)

***** * ******** ****-******* to *** ****** *********** market, *** ** *** the **** ****** ****** used. *** ****** ** due ** *** ******** universal ********* ** *** in ****** ******, *** therefore * ****-******* ************* with ***** ******* ********** of ***** **** ** appreciated.

******* *** ******* ** that *** ********* ***** are **** ** *** cost ******** ** ***, and ************* ****** ****** money ** ******* *** compliant **** ********** ** volumes ****.

** ***** ** **********, BLE ******** ****** ***** to ********, ** **** phone ********* *** * showstopper *** ******* ********* of ****** ********** *******.

*** *** ****** *** most ****** ****** ** remote *************, ***** ******** engineering ********* ********** *** low/no *** ********* *****. Many ******** ***** ******** like******,****, *********, *** ***** smartlocks *** *** ** connect ***********, ********* *******:

** ******* *** ******* in ****** ** *** *** the ****** ** ****** Control****.

NFC (**** ***** *************)

**** *** ****** ****** darling, *** *** *** method *********** ***** *** Global ******* ** ***** out ** ***** **********/********** credential ****** ** ******. While ************ *******'* '***** *** **' Access ********** *** ******* ** only ***, *** *** prioritized **** ** **** NFC **** ****** ** use.

** ***** ** *********, NFC *** *******, ********* sidestepping *** ********** ** phone ***** ** *** a **********. **** ** NFC **** *** **** encoded ** ** ****** credential, ** *** ** used ** * ******* mode *** ***** ********* by *******.

*******, *** **** ** NFC ** **** ** terms **** ************ ********* to *** *** ******. While *** *********** *********** adoption **.** *** ****** formats **** **** ********* easier ** ******/ *******, no **** ******** **** exists *** *** ***.

** ***** ** **** and **** ******* *** and **'* ******* ********** format ***, *** ***** below ********* ***********:

*** ******* ********** ** NFC *** ****** *** some ******* ** ******* has *** ******* ***********. Indeed, ***'* *********** *** a ******* ******** ** the******** ****** ***'* *** Ouster.

App *****

** ******** ****** ** using ** *** ** piece ** ******** ** trigger * **** ****** directly ****** **** **** the ***** **** * credential. *** *** ****** first *** **** ** several ********-***** ********* *************, *** *** ***** into ********** ********* ********,*****, ********, *** ******.

***** **** ******, ****** bypass ******* ** **** readers **********, *** ****** directly ********* **** ********* door ***********. **** ********* requires *********** *** *********** work **** ** ***** OS ********, *** **** requires **** ******** ******** permit ****** ****** ******* firewalls ** **** ***********. For ***** *******, ** do *** ****** ** see * ****** ****** of ***-***** ****** ***********, but ** ******* * differentiator ***** ***** *** offer **.

Comments (21)

You can add compatibility to the comparison chart. Almost all devices now have BLE but NFC is a relatively wild distribution with differing adaptations of the NFC protocol as well as the dependency by Phone manufacturers and Telecoms providers allowing those devices to function and how.

I also noted in a test we did, the cost of the token was not well established. It was suggested by one manufacturer that 6-8$ a token which is basically the cost of a card personalized for an individual. I believe these tokens should be in the 1$ range or less and that will make it extremely interesting for the market.

Finally the provisioning mechanism is another issue. For a few people it's fine, but when you start considering 100s or 000s of recipients how do you provision and also integrate with internal provisioning systems?

I understand you wanted to cover highly secured credentials in this report and of course those in the technology edge are NFC and BLE as well as customized apps based solutions. However, there's a more extended mobile based credential usage. This is using QR codes and millions of people use it when boarding a plane, train, etc. Of course it is not intended to have the same security integrity of the described technologies, but it's more usable, flexible, easy to send to the credential holder and easy to read by a scanner and by a video camera as well. The initial lack of security can be accepted if the use is restricted to one access only or a short time period validity. We at Axis are promoting that to be used with cameras at the access point or more adapted with video door stations, adding this credential verification to the main purpose of the door station for assisted access granting.

Axis is promoting QR codes for access control credentials?

We are conscious of the security limitations it may have since a QR code can be easily replicated. However in certain applications it is really useful since it is easy to send to a mobile device and used in front of a surveillance camera or video door station. This is being promoted for those who need to have access during a known short time period such as visitors, deliveries, maintenance operators without the process to hand over a token. Of course if you have a camera and a security center, you could just open the door remotely, but for that a dedicated call center is needed. Instead, if the risk is not high and you trust the recipient, it's very flexible to just send (or make it available on line with previous login) the QR code and limit its validity for the desired time window (or just one access service). Of course if we talk about permanent credentials we would not recommend that at all.

Isn't it an access control usage when applied to boarding gates?

Anyway, it is not intended to present the QR code as a real access control method in the way we all understand access control for security, but looking at the title of the report it just says "Mobile credentials"

Given the very narrow parameters that QR codes 'might' be a fit for visitor management systems, I am confident in keeping it exclusive from this report that is clearly addressing more general mobile-based access control credentials.

Sorry, what do you mean by "narrow parameters"?

Very interesting use of QR codes given the trend to merge access control with VMS systems.
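
The mitigation described in the QR code comments above (limit a code to a time window or to one access, because the image itself is easy to replicate) has to be enforced by whatever verifies the scan. The following Python example is added here for illustration and is not from the article, the commenters, or any vendor; the token layout, the field names, and the `DoorVerifier` class are assumptions.

```python
import base64, hashlib, hmac, json, secrets

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _tag(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode(), hashlib.sha256).digest()

def issue_pass(key, visitor, door, not_before, not_after):
    """Build the string that would be rendered as the visitor's QR code."""
    claims = {"sub": visitor, "door": door, "nbf": not_before,
              "exp": not_after, "jti": secrets.token_hex(8)}  # jti = one-time pass ID
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(_tag(key, body))

class DoorVerifier:
    """Runs behind the camera or door station that scans the code (hypothetical)."""
    def __init__(self, key, door):
        self.key, self.door = key, door
        self.used = set()  # pass IDs already accepted (in memory for this example)

    def check(self, token, now):
        try:
            body, tag = token.split(".")
            if not hmac.compare_digest(_unb64(tag), _tag(self.key, body)):
                return "deny: bad signature"
            claims = json.loads(_unb64(body))
        except ValueError:  # wrong shape, bad base64, bad JSON
            return "deny: malformed"
        if claims["door"] != self.door:
            return "deny: wrong door"
        if not claims["nbf"] <= now <= claims["exp"]:
            return "deny: outside validity window"
        if claims["jti"] in self.used:
            return "deny: already used"  # a replicated code presented second
        self.used.add(claims["jti"])
        return "grant"

if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed; a real key comes from a secret store
    door = DoorVerifier(KEY, "lobby")
    qr = issue_pass(KEY, "visitor-17", "lobby", not_before=1000, not_after=2000)
    print(door.check(qr, now=1500))  # first presentation
    print(door.check(qr, now=1600))  # copy of the same code
```

A copied image still works if it is presented before the original, so the validity window should stay short and the set of used pass IDs must be shared by every reader that accepts the same pass.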

Been a long time since I've seen Lisa Lake....not sure she's on Facebook, but thanks for bringing back the ol' memories.

Memories for sure... right out of the original Lenel OnGuard...

Good article, but it is not clear here or in the NFC vs BLE article that HID's mobile device solutions do now include BLE as well as NFC. iClass SE readers can be ordered to support either, both, or neither.

Great Article :)

Mobile phone credentials may not be a revolution but they will certainly be the evolution.

rbl

A quick question regarding NFC - is the reader reading the UID on the phone?

If so, what's the chance that there are duplicates?

Can you get Corporate 1000 / Elite key style NFC on devices?

HID uses the device endpoint ID in generating the mobile credential, but only the mobile credential data is read by the user. I don't know the possibility of devices existing with duplicate endpoint IDs, but I think credential duplication due to this would be almost impossible. If a phone is wiped or the Mobile Access app is deleted and re-installed, a new credential needs to be issued to the phone, even though the device remains the same.

I believe HID mobile credentials can be ordered in most formats. All operate similar to Elite cards as the readers and mobile credentials are end-user specific.

Mobile Credential Example

A quick question regarding NFC - is the reader reading the UID on the phone?

For HID my understanding is that a token is tied to a specific device, but it is the user's registration/account that is provisioned. Users can generally use different NFC devices with the same login. Is that your question?

Can you get Corporate 1000 / Elite key style NFC on devices?

You need to upgrade readers to use NFC, and those credentials do not emulate older card formats.

Are there any statistics on adoption levels? I know it's cool and it will be the way forward for many, but have any surveys projected the uptake level over the next years?

It seems even slower than IP cameras, but we all know where that went!

Bluetooth credentials still have a ways to go yet IMO. We have not had any real traction to this yet. On our office front door we have an HID Bluetooth reader and it seems like every couple of days it won't read the credential and I have to end up using my fob. One day I walked up and my Apple watch started buzzing constantly and saying trying to connect, or at least something like that, but never unlocked the door. Every time when my phone won't unlock the door I always say "Why would I sell this if it doesn't always work here".

Can you imagine the service calls for this? I can... Arrrggghhh.

Do users ever express concern that they could be near the door and have it unlock due to proximity when they did not intend to enter?

With HID Mobile Access this is not really a problem because it requires either a deliberate gesture or holding the phone up to the reader to unlock. We have one customer with two readers in an elevator vestibule about 10' apart, and we did have to adjust the BLE read range down to prevent users from inadvertently unlocking both doors.

There are other mobile device reader technologies that do allow passive activation from farther away, so you would have to be careful to enable passive activation only on doors where this would not be a concern, and keep other doors requiring deliberate activation.

Thank Dan
