Physical access control is a key component of many organisations and can be used for anything from opening doors to car parks, buildings and secure rooms to accessing computer files. Much of the technology and many of the systems have remained the same over the past twenty years, but as technology develops, security providers are increasingly turning to mobile devices for a range of security applications.
Replacing traditional security cards or fobs with a mobile application is becoming increasingly popular, but there is still hesitancy within the end-user space about the merits of mobile access. The pointers below try to dispel some of the common myths associated with mobile access devices.
#1 Not broken, do not fix
There is a commonly held assumption that to change or upgrade an organisation's physical access control system, it will have to rip out the existing framework and start from scratch. The hesitance of senior management to spend money on areas that are not traditionally seen as a key priority, or that do not demand immediate attention, like security, often leads to the view that if the system is not broken, why change it?
On further inspection, however, the replacement of legacy physical access control systems is very straightforward. Most security systems can actually be installed onto existing infrastructure, with everything from cables and panels to readers being re-used, helping to significantly reduce the overall cost of an upgrade, as well as disruption to building occupants.
Some suppliers even design their products to be backwards-compatible, enabling them to integrate easily into existing infrastructures. Even users' mobile devices are virtually unchanged. Mobile-driven security access does not require specialised mobiles or new microSD cards fitted to existing ones. The only alteration to the mobile is downloading the corresponding application.
Facilities managers are understandably keen to limit disruption to their site, especially for a retrofit that is not deemed high priority. While there will be some disruption to systems, if a reliable supplier is chosen their products will be simple and easy to install into the existing systems, keeping disruption to a minimum.
#2 No network, low charge
What happens when a mobile device drops out because of weak network coverage? There are usually spots in a building where the network coverage drops too low to get a signal. Will users be locked in or out if the network coverage drops? Communication between physical access control readers and a mobile phone is an offline communication, so there is no need to be concerned about signal dead spots within a facility.
Smartphones notoriously have a short battery life, and the misconception is that activating Bluetooth will reduce it even further. Mobile access is typically designed with Near Field Communication or Bluetooth Low Energy, both of which consume little battery power, so the battery reduction should be negligible.
#3 How secure
Surely it is much easier to gain access to a piece of technology that can be hacked remotely than to a card that is kept on its user at all times? If anything, mobile identifications are actually more secure than legacy systems, owing to the use of data encryption with high-end security and data privacy features, all of which are very difficult to add to an identity card.
What if the user's mobile phone is stolen? As with security cards, a credential can be revoked once the theft has been reported. The difference from cards, however, is that this revocation is immediate and the mobile identity ceases to provide access.
Additionally, mobile devices have the ability to dynamically update their security payload, whilst changing data on cards takes more time and involves additional costs. After a user downloads their application, they will have to validate it through their internal system, at which point they will be provided with a confirmation code. Only after the registration code has been authenticated can the device be eligible for use as a mobile identity.
#4 Privacy
Another misconception among employees is that installing a security pass on their mobile is just another way for the IT department and the senior leadership team to monitor not just their movements but their mobile habits as well. This view, whilst understandable, is simply not true. An organisation cannot access any of an employee's personal information on their private smartphone apart from the identity application.
Most mobile access control providers will only store the limited information that is necessary for the application to function, like mobile device push identity and operating software version, similar to many commercial applications. Location data should not be stored, but it is important to check the privacy policy when installing the application, as vendors may vary.
Many security applications will use a sandboxing technique, isolating programmes so that malicious or intrusive programmes cannot damage a user's phone or steal their information, to ensure users' data is protected. Sandboxing the mobile access application and granting it few permissions keeps the rest of the phone's contents safe. If an individual attempts to access information outside the scope of an application's permission settings, such as the user's location, the permission can easily be denied. This stops both external hackers and internal team members from accessing the phone user's information.
#5 Mobile operating system
Android or iOS? Thankfully this is a debate that most providers do not have to settle, as they will provide the same compatibility for mobile access identification in all mobile operating systems. Thanks to Android's host-based card emulation, Android applications can emulate a contactless card without the need for a secure element, thereby eliminating dependency on the mobile network operator. This allows Android applications to communicate directly with NFC readers and terminals, eliminating any mobile operator incompatibility.
When considering an update to physical access control systems, there are many considerations to take into account other than the financial implications. While many mobile identification providers' solutions can easily be incorporated into existing physical access infrastructures, there are also a host of other benefits that are not available to traditional card or fob users. The added data encryption offered by mobile devices ensures that the security identification of the individual is kept safer than it would be on a traditional device.
Ultimately it is down to the security provider to ensure that end users' concerns are understood and put to rest. Traditional physical access control systems still have a place in security and facility protection, but with the increasing use of mobiles in everyday life, how long it takes before traditional devices become obsolete is up for debate.
Key takeaways
- Communication between physical access control readers and a mobile phone is an offline communication, so there is no need to be concerned about network dead spots within a facility
- Mobile devices have the ability to dynamically update their security payload, whilst updating data on cards takes more time and additional costs
- Mobile identifications are more secure than legacy systems owing to the use of data encryption with high-end security and privacy features
The advantages of mobile-based identity access far exceed those of traditional card-based access, explains Harm Radstaak from HID Global.