The ability to use mobile phones as access credentials is one of the biggest trends in a market that historically has been slow in adopting new technology. As a matter of fact, research analyst Gartner has predicted that, by 2020, one in five organizations will be using smartphones instead of traditional physical access cards to access offices and other premises.
Yet, this new information comes directly on the back of a major task of the last several years, a focus by users to assure that their card-based access control systems are secure. Indeed, in the United States, the Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don’t. Other international governmental/law enforcement agencies are doing likewise. Safety and security have become prime issues.
David Anthony Mahdi, research director at Gartner avows that “replacing traditional physical access cards with smartphones enables widely sought-after cost reductions and user experience benefits. We recommend that security and risk managers work closely with physical security teams to carefully evaluate the user experience and total cost of ownership benefits of using access credentials on smartphones to replace existing physical cards.?
So, as companies are learning how to protect card-based systems, such as their access control solutions, along comes mobile access credentials and their companion readers which use smartphones instead of cards as the vehicle for carrying identification information. Many companies perceive that they are safer with a card and won’t consider that mobile access can be a far more secure option, even though mobile has various more features to be leveraged.
They also argue that market-specific security specifications can show that phone-based credentials are not a good fit for government, high-security and institutional customers. However, is it the credentials or how they are deployed?
The Big Major Problem
It’s easy to detail how and why mobile access is safer. But, before we do, we need to understand, that like many recently introduced innovations, the problem isn’t with the new technology; it’s how the industry tries to retrofit the old system into the new. For instance, Mahdi says, one potential hindrance to wider adoption is the limitations of certain smartphones, as different brands and models feature different capabilities. This means upgrades may be needed to ensure all staff authorized to access a certain area are able to do so.
True, but even that isn’t the prime obstacle we face with the security of mobile credentials. Some access companies are trying to kluge their present offerings into new mobile solutions. For instance, is the mobile radio module a snap-on arrangement to the back of the card reader? Is the module weatherized and secured against tamper. If not, then from the get-go, the system is not safe.
Bottom line – the mobile system needs to have been designed to be a mobile system, not just a hastily-produced option to the old card reader solution. Yes, it should work in conjunction with the card-based system. But, it should not be an offset of it.
Smartphone Credentials Are Inherently More Secure
As far as security goes, the smartphone credential, by definition, is already a multi-factor solution. Access control authenticates you by following three things:
- Recognizes something you have (RFID card or tag),
- Recognizes something you know (PIN) or
- Recognizes something you are (biometrics).
Your smartphone has all three authentication parameters. This soft credential, by definition, is already a multi-factor solution. Simply assure that your mobile credentials remain protected behind a smart phone’s security parameters, such as biometrics and PINs.
Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification – what you know and what you have or what you have and a second form of what you have.
To emphasize, one cannot have access to the credential without having access to the phone. If the phone doesn?t work, the credential doesn?t work. The credential operates just like any other app on the phone.
The phone must be ?on and unlocked.? These two factors