Mobile Credentials (BLE / NFC / Apps) Guide

Author: Brian Rhodes, Published on Nov 14, 2017

One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards.

In this guide, we examine:

  • 4 key management problems
  • 2 practical problems for users
  • BLE vs NFC vs Apps Comparison

[Note: This tutorial was originally published in 2014 and substantially revised in 2017]

Mobile Credentials Are Slick

At a basic level, using mobile phones or tablets as credentials to open doors has a big cool factor.

In simple terms, instead of presenting a card, fob, PIN, or fingerprint at a reader, a user flashes a phone and the door is unlocked.

Phones have a rather personal value: they accompany users like keys, wallets, or ID cards, and they are protected (i.e., not easily lost or misplaced) items. That makes them good potential card replacements.

Management Problems

However, the transition is not a simple one, especially for commercial access control. A range of credential and access control management issues crop up that are not often issues with traditional credential methods. These include:

Comments (21)

You can add compatibility to the comparison chart. Almost all devices now have BLE but NFC is a relatively wild distribution with differing adaptations of the NFC protocol as well as the dependency by Phone manufacturers and Telecoms providers allowing those devices to function and how.

I also noted in a test we did, the cost of the token was not well established. It was suggested by one manufacturer that 6-8$ a token which is basically the cost of a card personalized for an individual. I believe these tokens should be in the 1$ range or less and that will make it extremely interesting for the market.

Finally, the provisioning mechanism is another issue. For a few people it's fine, but when you start considering 100s or 000s of recipients, how do you provision and also integrate with internal provisioning systems?

I understand you wanted to cover highly secured credentials in this report and of course those in the technology edge are NFC and BLE as well as customized apps based solutions. However, there's a more extended mobile based credential usage. This is using QR codes and millions of people use it when boarding a plane, train, etc. Of course it is not intended to have the same security integrity of the described technologies, but it's more usable, flexible, easy to send to the credential holder and easy to read by a scanner and by a video camera as well. The initial lack of security can be accepted if the use is restricted to one access only or a short time period validity. We at Axis are promoting that to be used with cameras at the access point or more adapted with video door stations, adding this credential verification to the main purpose of the door station for assisted access granting.

Axis is promoting QR codes for access control credentials?

We are conscious of the security limitations it may have since a QR code can be easily replicated. However in certain applications it is really useful since it is easy to send to a mobile device and used in front of a surveillance camera or video door station. This is being promoted for those who need to have access during a known short time period such as visitors, deliveries, maintenance operators without the process to hand over a token. Of course if you have a camera and a security center, you could just open the door remotely, but for that a dedicated call center is needed. Instead, if the risk is not high and you trust the recipient, it's very flexible to just send (or make it available on line with previous login) the QR code and limit its validity for the desired time window (or just one access service). Of course if we talk about permanent credentials we would not recommend that at all.

Isn't it an access control usage when applied to boarding gates?

Anyway, it is not intended to present the QR code as a real access control method in the way we all understand access control for security, but looking at the title of the report it just says "Mobile credentials"

Given the very narrow parameters that QR codes 'might' be a fit for visitor management systems, I am confident in keeping it exclusive from this report that is clearly addressing more general mobile-based access control credentials.

Sorry, what do you mean by "narrow parameters"?

Very interesting use of QR codes given the trend to merge access control with VMS systems.
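
The time-window and one-access limits discussed in the QR code comments above can be enforced by the reader itself. The following is an added example, not code from the article, the commenters, or Axis; the token layout, the HMAC signing, and all names (`issue_pass`, `DoorVerifier`, the sample visitor and doors) are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets

def _mac(key: bytes, body: str) -> str:
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")

def issue_pass(key, visitor, door, not_before, not_after):
    """Build the string that would be rendered as the visitor's QR code."""
    if "|" in visitor or "|" in door:
        raise ValueError("field separator not allowed in names")
    nonce = secrets.token_urlsafe(9)  # makes each pass unique for one-time use
    body = f"v1|{visitor}|{door}|{int(not_before)}|{int(not_after)}|{nonce}"
    return f"{body}|{_mac(key, body)}"

class DoorVerifier:
    """Reader-side check. Readers serving one door must share `used`."""
    def __init__(self, key, door):
        self.key, self.door = key, door
        self.used = set()  # nonces already accepted; persist in a real system

    def check(self, scanned, now):
        parts = scanned.split("|")
        if len(parts) != 7 or parts[0] != "v1":
            return False, "malformed"
        body, tag = scanned.rsplit("|", 1)
        # Verify the MAC before trusting any field; constant-time compare.
        if not hmac.compare_digest(tag.encode(), _mac(self.key, body).encode()):
            return False, "bad signature"
        _, visitor, door, nbf, exp, nonce = parts[:6]
        if door != self.door:
            return False, "wrong door"
        if not int(nbf) <= now <= int(exp):
            return False, "outside validity window"
        if nonce in self.used:
            return False, "already used"  # a copied or photographed code
        self.used.add(nonce)
        return True, visitor

def demo():
    key = b"constructed-demo-key"  # constructed; use a random secret in practice
    t0 = 1_700_000_000             # constructed issue time (Unix seconds)
    qr = issue_pass(key, "visitor-17", "lobby", t0, t0 + 900)
    lobby = DoorVerifier(key, "lobby")
    stretched = qr.replace(str(t0 + 900), str(t0 + 90_000))  # edited expiry
    return [
        lobby.check(qr, t0 + 60),                             # first scan
        lobby.check(qr, t0 + 120),                            # same code again
        DoorVerifier(key, "lobby").check(qr, t0 + 3600),      # after window
        DoorVerifier(key, "server-room").check(qr, t0 + 60),  # other door
        DoorVerifier(key, "lobby").check(stretched, t0 + 3600),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A copy of the code presented before the legitimate holder's first scan is still accepted, which is why the window is kept short and the pass is bound to one door.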

Been a long time since I've seen Lisa Lake....not sure she's on Facebook, but thanks for bringing back the ol' memories.

Memories for sure... right out of the original Lenel OnGuard...

Good article, but it is not clear here or in the NFC vs BLE article that HID's mobile device solutions do now include BLE as well as NFC. iClass SE readers can be ordered to support either, both, or neither.

Great Article :)

Mobile phone credentials may not be a revolution but they will certainly be the evolution.

rbl

A quick question regarding NFC - is the reader reading the UID on the phone?

If so, what's the chance that there are duplicates?

Can you get Corporate 1000 / Elite key style NFC on devices?

HID uses the device endpoint ID in generating the mobile credential, but only the mobile credential data is read by the user. I don't know the possibility of devices existing with duplicate endpoint IDs, but I think credential duplication due to this would be almost impossible. If a phone is wiped or the Mobile Access app is deleted and re-installed, a new credential needs to be issued to the phone, even though the device remains the same.

I believe HID mobile credentials can be ordered in most formats. All operate similar to Elite cards as the readers and mobile credentials are end-user specific.

Mobile Credential Example

A quick question regarding NFC - is the reader reading the UID on the phone?

For HID my understanding is that a token is tied to a specific device, but it is the user's registration/account that is provisioned. Users can generally use different NFC devices with the same login. Is that your question?

Can you get Corporate 1000 / Elite key style NFC on devices?

You need to upgrade readers to use NFC, and those credentials do not emulate older card formats.

Are there any statistics on adoption levels? I know it's cool and it will be the way forward for many, but have any surveys projected the uptake level over the next years?

It seems even slower than IP cameras, but we all know where that went!

Bluetooth credentials still have a ways to go yet IMO. We have not had any real traction to this yet. On our office front door we have an HID Bluetooth reader and it seems like every couple of days it won't read the credential and I have to end up using my fob. One day I walked up and my Apple Watch started buzzing constantly and saying trying to connect, or at least something like that, but never unlocked the door. Every time when my phone won't unlock the door I always say "Why would I sell this if it doesn't always work here".

Can you imagine the service calls for this? I can... Arrrggghhh.

Do users ever express concern that they could be near the door and have it unlock due to proximity when they did not intend to enter?

With HID Mobile Access this is not really a problem because it requires either a deliberate gesture or holding the phone up to the reader to unlock. We have one customer with two readers in an elevator vestibule about 10' apart, and we did have to adjust the BLE read range down to prevent users from inadvertently unlocking both doors.

There are other mobile device reader technologies that do allow passive activation from farther away, so you would have to be careful to enable passive activation only on doors where this would not be a concern, and keep other doors requiring deliberate activation.

Thanks Dan
