The Truth about Mobile Access Control
The truth about Mobile Access Control
"Mobile access" refers to using a smartphone to identify a person and allowing that person access to an entrance. Mobile access control is a popular concept that is supported by a growing number of products and technology platforms from a variety of vendors. Smartphone access is a driver for change in the security industry and any other industry in which people need to be identified for registration purposes or to allow them access to services. Event ticketing, public transport, customer loyalty programs: just think about every situation in which momentarily a card (with RFID, magnetic stripe or barcode) is used to identify people.
But why is mobile access getting so popular?
There are a few reasons. The first reason is that mobile access control takes away the burden related to the physical distribution of cards. A virtual card on a mobile phone can be sent to that phone using the Internet connection. This saves time and money. Another reason is that virtual cards can be contained in the phone, which makes them easier to carry around than physical cards. And virtual access control cards on a phone can potentially make use of other technology on that phone. They can be built into apps from cities, hotel chains, transport companies, access control vendors and enjoy the benefits of smartphone technology, like a rich user interface, communication technology, cameras, GPS positioning and even fingerprint scanning.
What is the basic technology behind mobile access?
Most mobile access control platforms use Bluetooth to make the phone communicate with a reader which is situated next to the door or potentially to a reader that is built into the door locks. Bluetooth Low Energy (BLE) enables devices to communicate with the need of manual pairing: that process that we all feel takes so much time and often just fails. Bluetooth supports long ranges of communication (several feet) and offers sufficient bidirectional bandwidth to set up a secure connection.
In addition to Bluetooth other technologies on the smartphone can be used, like NFC for example. NFC, Near Field Communication, also supports smooth communication between a reader (lock) and a smartphone. Nut NFC only support a short range of communication (several inches) and is not available to be used by third parties on Apple iPhone.
Nedap's MACE platform even adds QR-code presenting capability to the app and a QR-code scanner to the reader for increased flexibility.
All common platforms utilize a cloud based service to enable sending a unique number, the identifier, to the apps of the platform. This number is then sent to the reader or the lock using the technologies.
Is it secure to use smartphones in access control?
Security questions are always a little tricky to answer in a straightforward way. The security level of any technology is defined by the weakest link in the chain of events and technological choices related to the system. In general, most mobile access control platforms use encryption to secure the communication between the cloud based server and the smartphone and also between the smartphone and the mobile access control reader. Encryption keys are used to authenticate the identity of the smartphone and its user. In general one can say the security level related to mobile access is comparable to the use of conventional RFID cards commonly used in access control applications.
Why do most mobile access platforms use BLE?
Like we mentioned above: Bluetooth Low Energy offers a wide, but still manageable, communication range between a smartphone and a reader. It offers an increase in convenience when compared to some short range RFID smartcards. And since the need for manual pairing is no longer there, it is also fairly easy for users to have their smartphone communicate effectively with any reader. In addition, BLE is supported on most Android and iPhone smartphones. Which makes it a technology that most people can utilize.
So what is the catch with Mobile Access?
Like with any technology used in access control applications, there are pros and cons related to that technology in that situation. The application of BLE and NFC may sound straightforward, but both technologies are under continuous development, which requires a great deal of effort for mobile access control vendors to keep up with those developments. The great variety of smartphones out there also makes any smartphone access control platform more likely to run into occasional compatibility issues.
Another thing to consider is that many people use their own phone in their corporate environment. Personal phones are not managed by their employer and are considered BYOD: Bring Your Own Device. This requires special attention.
Mixing mobile access with conventional RFID card technology is also a thing to consider. It is not likely that your entire population of users is willing or able to use a smartphone. Smartphones and conventional RFID cards will coexist in installations for a long time. Mobile access platforms should support that combination.
Finally, an important element to remember when considering to use mobile access technology is that the manufacturers of smartphones decide on the functionality of their mobile operating system. Apple for example is very strict about the background processes’ capabilities to access the Bluetooth communication stack. In practice this means that on iPhones most mobile access apps will work best when they are opened.
What smartphones are supported in mobile access systems?
Most vendors look at what is going on in the smartphone market and will support Android phones and iPhones. These two flavors together make up for more than 95% of the current population of smartphones.
How do I combine mobile access with my access control installation?
Mobile access platforms can connect to access control systems in three ways. Most systems will support an import process for users and virtual credentials. Using a manual import usually is easy but may not be sufficient to deal with daily administration tasks.
An alternative would be an online connection using a modern software interface, like REST. The access control systems would however need to be able to real-time connect to the mobile access cloud based server to enable issuing and revoking of virtual credentials.
If that is not possible it makes sense to use the administration portal and enable your clients to issue and revoke credentials manually using a web based interface.
What should I do as a next step?
Like with any technological innovation it makes sense to start with piloting the technology. Make sure you are familiar with the pros and cons of mobile access and see for yourself what the benefits and pitfalls are for your specific situation. And make sure you deal with a manufacturer that is sincere about the pros and cons of the technology and that is willing, but also capable to comprehensively explain how to best utilize smartphone access in your specific situation.