One of the biggest trends in access for the last few years has been the marriage of mobile phones and access cards.
In this guide, we examine:
4 key management problems
2 practical problems for users
BLE vs NFC vs Apps Comparison
[Note: This tutorial was originally published in 2014 and substantially revised in 2017]
Mobile Credentials Are Slick
At a basic level, using mobile phones or tablets as credentials to open doors has a big cool factor. Take this simple demo of one setup below:
In simple terms, instead of presenting a card, fob, PIN, or fingerprint at a reader, a user flashes a phone and the door is unlocked.
Because phones are personal items that accompany users like keys, wallets, or ID cards, and are protected (i.e., not easily lost or misplaced), they make good potential card replacements.
However, the transition is not a simple one, especially for commercial access control. A range of credential and access control management issues crop up that are not often issues with traditional credential methods. These include:
You can add compatibility to the comparison chart. Almost all devices now have BLE but NFC is a relatively wild distribution with differing adaptations of the NFC protocol as well as the dependency by Phone manufacturers and Telecoms providers allowing those devices to function and how.
I also noted in a test we did, the cost of the token was not well established. It was suggested by one manufacturer that 6-8$ a token which is basically the cost of a card personalized for an individual. I believe these tokens should be in the 1$ range or less and that will make it extremely interesting for the market.
Finally the provisioning mechanism is another issue. For a few people it's fine, but when you start considering 100s or 000s of recipients how do you provision and also integrate with internal provisioning systems?
I understand you wanted to cover highly secured credentials in this report and of course those in the technology edge are NFC and BLE as well as customized apps based solutions. However, there's a more extended mobile based credential usage. This is using QR codes and millions of people use it when boarding a plane, train, etc. Of course it is not intended to have the same security integrity of the described technologies, but it's more usable, flexible, easy to send to the credential holder and easy to read by a scanner and by a video camera as well. The initial lack of security can be accepted if the use is restricted to one access only or a short time period validity. We at Axis are promoting that to be used with cameras at the access point or more adapted with video door stations, adding this credential verification to the main purpose of the door station for assisted access granting.
We are conscious of the security limitations it may have since a QR code can be easily replicated. However in certain applications it is really useful since it is easy to send to a mobile device and used in front of a surveillance camera or video door station. This is being promoted for those who need to have access during a known short time period such as visitors, deliveries, maintenance operators without the process to hand over a token. Of course if you have a camera and a security center, you could just open the door remotely, but for that a dedicated call center is needed. Instead, if the risk is not high and you trust the recipient, it's very flexible to just send (or make it available online with previous login) the QR code and limit its validity for the desired time window (or just one access service). Of course if we talk about permanent credentials we would not recommend that at all.
Isn't it an access control usage when applied to boarding gates?
Anyway, it is not intended to present the QR code as a real access control method in the way we all understand access control for security, but looking at the title of the report it just says "Mobile credentials"
Given the very narrow parameters that QR codes 'might' be a fit for visitor management systems, I am confident in keeping it exclusive from this report that is clearly addressing more general mobile-based access control credentials.
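The time-window and one-access limits proposed for QR passes in the comments above, as an added example that is not part of the article, any commenter's post, or any vendor's implementation: an HMAC-signed pass checked at the door. The key, field names and pass format are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and door controller

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()

def issue_pass(pass_id, door, not_before, not_after):
    """Build the text to render as a QR code: <payload>.<HMAC-SHA256 tag>."""
    payload = json.dumps({"id": pass_id, "door": door,
                          "nbf": not_before, "exp": not_after}).encode()
    return b64e(payload) + "." + b64e(sign(payload))

class DoorVerifier:
    """Door-side check: authentic, right door, inside window, not yet used."""
    def __init__(self, door):
        self.door = door
        self.used = set()  # ids already admitted; makes each pass single-use

    def check(self, scanned: str, now: int) -> str:
        try:
            p64, t64 = scanned.split(".")
            payload, tag = b64d(p64), b64d(t64)
        except ValueError:  # wrong field count or invalid base64
            return "reject: malformed"
        if not hmac.compare_digest(tag, sign(payload)):
            return "reject: bad signature"  # edited or forged payload
        claims = json.loads(payload)
        if claims["door"] != self.door:
            return "reject: wrong door"
        if not claims["nbf"] <= now <= claims["exp"]:
            return "reject: outside time window"
        if claims["id"] in self.used:
            return "reject: already used"  # a copied code loses the race
        self.used.add(claims["id"])
        return "grant"

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    qr = issue_pass("p-001", "dock-1", t0, t0 + 900)
    door = DoorVerifier("dock-1")
    print(door.check(qr, t0 + 60), "|", door.check(qr, t0 + 120))
```

The signature stops a holder from editing the door or the validity window, but it does not stop copying: a screenshot of the code is as valid as the original until the pass is used or expires, so the window and single-use limits only bound that exposure.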
Good article, but it is not clear here or in the NFC vs BLE article that HID's mobile device solutions do now include BLE as well as NFC. iClass SE readers can be ordered to support either, both, or neither.
HID uses the device endpoint ID in generating the mobile credential, but only the mobile credential data is read by the user. I don't know the possibility of devices existing with duplicate endpoint IDs, but I think credential duplication due to this would be almost impossible. If a phone is wiped or the Mobile Access app is deleted and re-installed, a new credential needs to be issued to the phone, even though the device remains the same.
I believe HID mobile credentials can be ordered in most formats. All operate similar to Elite cards as the readers and mobile credentials are end-user specific.
A quick question regarding NFC - is the reader reading the UID on the phone?
For HID my understanding is that a token is tied to a specific device, but it is the user's registration/account that is provisioned. Users can generally use different NFC devices with the same login. Is that your question?
Can you get Corporate 1000 / Elite key style NFC on devices?
You need to upgrade readers to use NFC, and those credentials do not emulate older card formats.
Bluetooth credentials still have a ways to go yet IMO. We have not had any real traction to this yet. On our office front door we have an HID Bluetooth reader and it seems like every couple of days it won't read the credential and I have to end up using my fob. One day I walked up and my Apple Watch started buzzing constantly and saying trying to connect, or at least something like that, but never unlocked the door. Every time when my phone won't unlock the door I always say "Why would I sell this if it doesn't always work here".
With HID Mobile Access this is not really a problem because it requires either a deliberate gesture or holding the phone up to the reader to unlock. We have one customer with two readers in an elevator vestibule about 10' apart, and we did have to adjust the BLE read range down to prevent users from inadvertently unlocking both doors.
There are other mobile device reader technologies that do allow passive activation from farther away, so you would have to be careful to enable passive activation only on doors where this would not be a concern, and keep other doors requiring deliberate activation.