printer friendly version

The promise of mobile credentials

While the use of cards and fobs as access control credentials are still widespread, some companies have chosen biometrics (mainly fingerprint or facial) to replace cards, except in specific high-security installations. Today, we have another credential growing in popularity: mobile credentials.

Mobile credentials take a different approach by installing the access ‘card’ onto a smartphone app, using NFC or Bluetooth to verify the user’s access credentials. While the uptake of mobile credentials has not been as swift as vendors would like, there is a greater drive to push these credentials out to market.

Mobile credentials offer several advantages over traditional credentials, such as key cards and fobs; including convenience and security. These credentials can be managed, enabled or disabled with the click of a button, even from a smart device, making granting temporary access or removing it, simple and almost immediate. They can also be matched with the user’s biometrics on their device, adding automatic multi-factor authentication, while keeping the ingress and egress process simple.

SMART Security Solutions approached three companies operating in sub-Saharan Africa and asked them to tell us about the current state of mobile credentials and how they see the market changing over the next year or two. Our questions went to:

• Ilze Blignaut, Regional Sales Manager, HID Global.

• John Lakin, Sales Director, sub-Saharan Africa, STid.

• Walter Rautenbach, MD, neaMetrics (Suprema distributor in Africa).

SMART Security Solutions: What has your experience been of the uptake of mobile credentials locally? Will the use of these credentials grow significantly over the next few years, or are we still seeing other credentials claiming the majority of the market share?

Blignaut: South Africans have embraced mobile technology, with more than 90% of the population owning a smartphone, according to the 2022 census. That, combined with shifting methods of work following the COVID-19 lockdown, saw an acceleration of digitisation across the board.

For the security industry, the changing requirements of access control systems have been more dramatic than ever before. Digitisation has brought convenience and security closer, but hybrid work models have also added prominence to building efficiencies and contactless solutions. Our 2024 State of Security and Identity Report, published annually by HID at a global scale, clearly describes this trend. Customers state they are increasingly interested in using digital identities such as student IDs, employee badges, and other corporate credentials. The HID survey found that two-thirds of organisations (64%) reported some level of mobile ID deployment, with that number expected to increase to almost 80% within the next five years. Industry partners are optimistic in their outlook, stating that a whopping 94% of their customers will deploy mobile IDs.

Lakin: The uptake of mobile credentials has been significant in the last few years, with forecasted growth expected to be exponential in the coming years. Increasing numbers of entrants into this market, beyond the traditional market leaders, is a sign of this interest proving too significant to ignore. They will still be the minority offering, with PVC remaining the most dominant product for a while longer. Still, mixed populations are likely to become more common as the older reader installations are upgraded with ‘mobile ready’ devices.

Rautenbach: Currently, we provide mobile credentials to our clients not as a core service, but as an added measure of security and convenience instead of cards and expanding application reach.

Measuring the uptake of mobile credentials should be done with care, depending on the application and provider. Specialist providers with mobile credentials as part of their core business surely have seen an increase in our mobile-centric society. The app offering in converging physical and logical security is one of the drivers for this growth.

Shifting to mobile credentials makes sense, considering that you always carry your mobile with you, and it is not something you would likely lend to someone; it is, therefore, more convenient and secure. Looking at the local biometric access markets, not having to carry a card, present a phone, or deal with a flat battery or ‘forgotten phone’, which can be used for intended access breaches, makes the proposition less attractive. It is an appealing option for non-biometric implementations, although our clients still prefer the security and convenience of pure biometrics.

The new offerings with biometrics on mobile, as part of mobile credentials, are attracting lots of attention when it comes to PoPIA, where storing biometrics centrally is avoided, especially in corporate environments, and mobile credentials, with biometrics or not, is very attractive for residential estates and member access to, i.e., gyms, sport, and entertainment facilities.

SMART Security Solutions: What are the benefits of mobile credentials for physical access control, from simple door access to access to secure locations, as well as multiple locations nationally or even internationally?

Blignaut: Using a mobile device as a security credential offers many benefits to organisations, from small businesses to large enterprises. Waving or tapping a mobile device to access a space is convenient for users, particularly for younger generations who have grown up in a world where they can seamlessly use their mobile devices to do anything, from paying for coffee to reserving a yoga class.

There are many other benefits, too. Take human resource administrators, for example, who can save time with secure, centralised mobile identity management, fast provisioning, and simple enrolment. Organisations can also efficiently manage multiple locations from a single platform, eliminating the need to ship plastic credentials to various facilities or individual employees. As more companies take action to meet concrete sustainability goals, mobile access offers an environmentally friendly solution that reduces the use of resources.

The use cases for mobile access are vast and exciting, going beyond simply opening doors to include providing contactless, seamless access to a wide range of devices and services, such as time-and-attendance terminals, cashless vending machines, printers, computers, workstations, and even parking locations.

Lakin: Mobile credentials are inherently more secure than their physical counterparts. They reside within a secure mobile device, protected with multiple levels of encryption and can only communicate with other secured devices. As with STid Mobile ID, additional layers of security can be added to a site/s or specific door/s by implementing multifactor authentication or even biometric authentication as a standard configuration option.

The flexibility of Bluetooth allows for multiple functionalities within the same credential, depending on the individual door requirements. Issuance and revocation can be managed instantly across multiple users in multiple real-time locations with no product redundancy.

Mobile credentials also provide users with the ability to implement a completely green solution.

Rautenbach: You always have your mobile, you do not need to remember something else, you do not easily lend it to someone else, and you surely report it when missing.

It is important to differentiate between online and offline mobile credentials. Offline resides on your device, with some expiry, whereas online is authenticated in real time using your mobile or access terminal. In the latter case, it is a good business case for assigning one-time access on demand for contractors who need to access facilities such as cell phone towers, substations, etc., or any other facilities on an ad-hoc basis.

SMART Security Solutions: Combining physical and digital access control would seem like a good idea when mobile credentials are used – is this happening in the real world? Are companies paying more attention to digital access that goes beyond passwords (or the highly annoying OTP)?

Blignaut: Integrating physical and digital access control, leveraging mobile credentials, has gained traction due to its convenience, flexibility, and heightened security. This approach allows users to access both physical spaces (like buildings or rooms) and digital resources (such as accounts or databases) using their mobile devices as authentication tools. Companies are increasingly adopting this method because it streamlines access management, offers better control over permissions, and reduces the reliance on traditional physical keys or access cards, which can be easily lost or stolen.

Of course, some industries require physical IDs or badges, even when mobile access control is being used. Such is the case in the healthcare industry or government, where employees are required to visibly display identification badges while at work due to compliance requirements.

There is a significant shift in attention towards digital access methods that surpass the limitations of passwords or one-time passwords (OTPs). Passwords are susceptible to being compromised or forgotten, leading to security vulnerabilities and user frustration. As a result, companies are exploring more robust authentication methods, such as biometrics (like fingerprint or facial recognition), multi-factor authentication (requiring multiple forms of verification), and token-based systems. These alternatives offer enhanced security layers, while providing a more user-friendly and seamless authentication experience; contributing to a more robust overall access control strategy.

Lakin: Combining the physical and digital worlds is a good idea regardless of the credentials used, and anything that can move away from OTP or passwords is good. Mobile credentials bring the focus from physical to digital because of the form factor of the verification method. The security levels, wording and functionality lend themselves to a greater understanding of the process by IT departments. This subtle change in positioning enables more ‘joined-up’ thinking instead of the traditional approach of two distinct budgets, one for security and one for IT.

Communication methodology is bringing the two worlds closer together. New European legislation, which demands that the two are closely associated, will speed this process as more businesses seek guidance with their security protocols. Not all European legislation lands in southern Africa, but globalisation will require local specifiers and consultants to be aware of these, at the very least, before making their final recommendations to their clients.

Rautenbach: I feel that the logical access applications are limited, and until we find a mobile credential supported across any operating system, it will remain as such. The challenge with OS providers is that these large companies each like to focus on their own revenue, with security as an excuse for not supporting cross-platform technology not belonging to them. Bridging this will surely boost physical and logical access convergence, although the lack of open standards in mobile credentials, especially inoperability, presents the same challenges.

SMART Security Solutions: One argument against mobile credentials is that users do not want ‘company stuff’ on their phones. Is this really a problem? If so, how does one get around it?

Blignaut: The beauty of mobile access is its convenience. Nowadays, employees can seamlessly integrate their employee badge into their digital wallet, granting them access to their workplace and authorised corporate applications without needing a dedicated work app.

Digital wallets can store diverse credentials – employee badges, tickets, and passes – each with unique encryption, ensuring clarity and avoiding confusion between different access items. For example, when presented to access control readers like the HID Signo, the mobile device automatically selects the correct access credential, simplifying entry without manual selection.

By eliminating the need for separate work-related apps and consolidating access into a familiar digital wallet environment, it addresses concerns about cluttering personal devices with ‘company stuff’ while delivering a user-friendly, highly secure and efficient access control solution.

Lakin: Historically, employees have looked for any reason to ‘buck the system’ with many excuses provided. There have been multiple complaints about biometric data and its storage, maintenance, accessibility and disposal. Most of these issues are born from ignorance and can be dealt with in a proper consultative phase with user information sharing.

Mobile credentials are not just being used in the workplace, with an increasing number of other business applications having adopted Bluetooth devices in one form or another. These include residential estates and complexes, sports clubs and gyms, storage facilities, parking garages and workspace environments.

In absolute worst-case scenarios, the technology allows for conventional PVC solutions to work alongside the virtual, with similar levels of security depending on the card technology chosen.

Rautenbach: I believe that, in some way, employees are getting over this. Yes, sure, some might still prefer to carry two devices or use a card, but from personal experience, newer generations become accustomed to using tablets as part of school, are far too eager to install any attractive or useful app and easily frown upon the thought of requiring an additional device. I am describing the attitude and not saying we will give such employees dedicated work devices, although some large corporates prefer doing just that to keep their IP/data safe.

In most cases, we have the option to use a card or perhaps a PIN if the company policies allow these more susceptible technologies within their environment.

SMART Security Solutions: Following on from above, what has your company done (what is it doing) to make implementing mobile credentials as simple and streamlined as possible for customers, without requiring substantial rip-and-replace investments?

Blignaut: The transition to mobile access requires an ecosystem of partners, from the manufacturer of the mobile access systems to the integrators who install the readers and integrate the various software and hardware platforms in your facility. These mobile access experts can help you assess your needs, plus the readiness of your legacy system, and recommend future-proof components, making it easier to evolve as mobile technology does.

For example, some readers can easily be made mobile-capable by adding a small device, while older legacy readers may need to be replaced with mobile-ready models. Many readers from HID are already equipped for mobile readiness, even if they were previously installed for traditional card access. As such, a range of experience, verified security credentials and a broad solutions portfolio all matter when it comes to mobile access deployment. Whether you are a small regional commercial real estate company or a large university, you need partners who understand your needs, provide customer-driven solutions, and make the transition as seamless and cost-efficient as possible.

Lakin: Wholesale system replacement is an absolute worst-case scenario for many businesses and will lead to many sleepless nights for the team responsible for its implementation.

With this in mind, STid has ensured that its Architect and Spectre range of readers are 100% compatible with existing access control platforms. This ensures that any technology upgrade can start and end at the reader level if required.

All readers can be supplied Bluetooth-ready, allowing the client to change readers and then gradually transition to virtual credentials as circumstances change and their landscape develops. The entire process is conducted in consultation with the customer, utilising the STid partner network and/or the STid team in the country to ensure a smooth transition and a successful implementation.

Rautenbach: All Suprema’s devices released in the past three years support mobile credentials, cards, and PIN (devices with PIN pad), independent of whether it is a biometric or non-biometric device. Our clients, therefore, have the option to use any or any combination thereof should multi-factor security be considered. Suprema’s mobile credentials are managed on a secure portal, which includes mobile credential reseller functionality (stock management and transfer to clients) and secure APIs for easy integration into external systems, or otherwise is fully integrated with Suprema’s BioStar 2 access control platform.

No rip-and-replace is required with Suprema. Should older non-compliant devices be used, then Suprema’s Airfob is a super thin, energy-harvesting and affordable peripheral that can be applied to any Mifare terminal, converting it into a Suprema mobile credential reader.

For more information, contact:

• Vikki Vink, HID Global, +27 31 717 0700, [email protected], www.hidglobal.com

• neaMetrics, +27 11 784 3952, [email protected], www.neaMetrics.com

• John Lakin, STid, +27 79 891 1912, [email protected], www.stid-security.com

• Suprema, +27 11 784 3952, [email protected], www.Suprema.co.za

Share this article:

Further reading: