SECURITY SOLUTIONS TODAY29 Mar 2019
Why Mobile Credential Is More Secure than Card-Based Systems

In recent years, integrators and customers have focused on ensuring that their card-based access control systems are secure.

To give businesses extra incentive to address cybersecurity threats, the Federal Trade Commission these days holds the business community responsible for failing to implement good cybersecurity practices and has proceeded to file lawsuits against those that don't. The Federal Trade Commission filed a lawsuit against D-Link and its U.S. subsidiary, for instance, alleging that its inadequate safeguards on its wireless routers and IP cameras left them vulnerable to hackers.

Even as companies are learning how to protect card-based systems, along comes mobile access credentials and their companion readers that use smartphones instead of cards as the vehicle for carrying identification information.

Mobile Credentials: A Rising Tide

Gartner suggests that by next year, 20% of organisations will use mobile credentials for physical access in place of traditional ID cards. Let’s rephrase that last sentence. In less than nine months, one-fifth of all organisations will use the smartphone as the focal point of their electronic access control systems. Not proximity. Not smart cards. Phones!

Smartphone Credentials Are Inherently More Secure

While many companies perceive that they are safer with a card, in my opinion, mobile access can be a far more secure option.

Why are smartphone credentials more secure? To start, the smartphone credential is a multi-factor solution.

Access control authenticates you by scrutinising three things. It:

  • recognises something you have (RFID tag/card/key),
  • recognises something you know (PIN) or
  • recognises something you are (biometrics).

Your smartphone will have all three of the above authentication parameters. This makes smartphone credential, by definition, a multi-factor solution. Your mobile credentials remain protected behind a smartphone's security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically sets up a 2-factor access control verification - what you know and what you have or what you have and a second form of what you have.       

In addition, you can’t access the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential operates just like any other app on the phone. The phone must be “on and unlocked”. These two factors – availability and built-in multi-factor security verification – are why organisations want to use smartphones in their upcoming electronic access control implementations.

Plus, once a mobile credential is installed on a smartphone, it cannot be reinstalled on another smartphone. Think of a soft credential as being securely linked to a specific smartphone. If a smartphone is lost, damaged or stolen, the process should be the same as for a card. It should be immediately deactivated in the access control management software, with a new credential issued as a replacement.

Leading smartphone readers additionally use AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks.   

When the new mobile system leverages the Security Industry Association's (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices.

Likewise, new soft systems do not require the disclosure of any sensitive enduser personal data. Activating newer systems simply requires the phone number of the smartphone.

A special word of caution here. Many legacy systems require the use of backend portal accounts. In addition to being rich caches of sensitive enduser data, a target of hackers, these portals can include hidden fees. What are these annual fees? Are they fixed through the life of the system? And who’s responsible for paying?  It is best to simply avoid these types of systems.

Smartphone Credentials Can Do Much More

Plus smartphones offer many more features to be leveraged. What are these features? They include biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC.

 

Anything a card credential can do can be replicated by a smartphone credential. However, smartphone credentials can exploit new technologies in a way not possible with cards.

As Suzi Abell of 3xLOGIC wrote in the September 14, 2018 issue of SIA newsletter, "a credential – supporting two-way communication with active notification capabilities – can be leveraged to send automated or ad-hoc notifications to users. Add location services and geo-fencing capability, and you can send notifications only to those people who are within a specific geographic area. And you can further target those notifications to specific people."

She suggests, "Stop treating a smartphone like a legacy credential; no one should ever 'badge' a phone at a reader. By using location services, administrators will define how near to the door a person must be to request access. A mobile app that functions as the user’s credential and provides two-way communications with a central monitoring station will also provide a path for two-way emergency communications. For example, an employee leaving the building at the end of the shift on the way to her car can quickly and easily ask for assistance or notify security of a potential issue remotely via the mobile device in her hand.”

Lower Installation Costs With New Generation Smartphone-Based Implementations

Newer solutions provide an easier way to distribute credentials with features that allow the user to register their handset only once and need no other portal accounts, activation features or hidden fees. Users don't need to fill out several different forms.

Some older mobile systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, with each registration requiring the disclosure of sensitive personal information.

By removing these intrusive information disclosures, these new solutions also get rid of privacy concerns that have been slowing down adoption of this technology. All that is needed to activate the credential is simply the phone number of the smartphone. When mobile credentials are sold from OEM to integrator to end user, it avoids setting up multiple accounts and eliminates sensitive personal information from being available for hacking.

Bluetooth or NFC?

Bottom line: both Bluetooth and NFC credentials are safer than hard credentials. However, read range difference makes a difference between the two.

There are advantages to a closer read range. NFC eliminates any chances of the smartphone unknowingly getting read as can happen with a longer read range. There are also applications where multiple access readers are installed very near to one another due to many doors being close to each other. One reader could open multiple doors simultaneously. The shorter read range or tap of an NFC-enabled device would remove such problems. However, it must also be understood that Bluetooth-enabled readers can provide various read ranges, including tap range.

There are advantages to a longer reader range capability. Since NFC readers have such a short and limited read range, they must be mounted on the unsecure side of the door. This exposure breeds problems. In contrast, Bluetooth readers can be mounted on the secure side of doors and kept protected out of sight.

Also, you don’t want hackers listening in on your Bluetooth transmissions, replaying them and getting into your building. So make very sure that the system is immunised against such replays. That’s simple to do. Your manufacturer will show you which system will be best for your application.

Research shows that Bluetooth-enabled smartphones are continuing to expand in use to the point where those that are not Bluetooth-enabled are already the exceptions. There is no doubt that Bluetooth-enabled smartphones are going to be a major force in physical and logical access control.

 

Scott Lindley is a veteran of the contactless card access control industry.