printer friendly version

Mobile credentials broaden their scope

In today’s fast-paced digital landscape, smartphones have reshaped our interactions with technology, including in the realm of access control (physical and digital). The transition from traditional access cards to mobile solutions is a growing trend, assisting companies to streamline security processes and improve user convenience. Using smartphones as access credentials eliminates the risks associated with lost or stolen cards, provides additional confidence in the identity of those entering or accessing, and delivers accurate data for improved building management operations.

SMART Security Solutions asked Walter Rautenbach, MD of neaMetrics, African distributor for Suprema, for his insights into the adoption of mobile access control in the region, and the pros and cons of mobile versus cards or biometrics.

Smart Security Solutions: What has been your experience in the market when it comes to mobile adoption for physical access control? Is there a movement to mobiles?

Rautenbach:It may not be common, but I place mobile access solutions in the same category as cards. That is something we own or have, but offering more benefits such as something I am already loyally married to and always have on me, more cost-effective management, environment friendly and, in most cases, more secure.

The growth in mobile access solutions greatly depends on the territory. Here in Africa, we are used to and trust in biometrics and believe that if a product under consideration cannot operate securely and accurately without added modalities, then the product is not good enough. We should be able to present our finger or face, and that is it.

Questions are raised about why I need to carry and present a card, be it plastic or mobile, if my biometrics are good enough. For example, Suprema offers identification (one-to-many), securely and accurately based on regulated False Acceptance Ratios (FAR) on edge devices for up to 100 000 persons, without the need for cards, which effectively changes identification to authentication mode, where even higher security levels can be implemented.

This is not the case when looking, for example, at Europe or GDPR-regulated regions where the use of biometrics is not as widespread; where users prefer not to have their data on central systems, and where these system owners are rightfully paranoid about being responsible for such data, especially when considering GDPR fines.

Different needs exist, independent of where you are, and all end users are not the same. For this reason, all current generations of Suprema access devices support mobile access via Bluetooth or NFC where the need exists; Suprema also fully supports mixed modality authentication. Suprema has taken this further by adding Template-on-Card (ToC). In this configuration, the only place where the user biometric template exists is on their mobile. This is a big selling point for GRPR and POPIA, where system owners or users do not want to risk storing biometrics centrally.

Smart Security Solutions: Some users may have issues with ‘company software’ on their phones. Have you experienced any backlash from users?

Rautenbach: I think not wanting ‘company software’ on my device is slowly dying off, and in some way, might be due to generational changes. My daughter is not interested in using an app not on her device or carrying more than one device. Living in a new ‘app society’, we want the convenience that these apps offer. The change that COVID brought with remote work and the methodology of bring-your-own-device also positively affected this previous negative view.

With biometrics, access control, and, in particular, T&A, we must never forget that you will find ‘that difficult person’ looking for reasons to circumvent the benefits it brings to employers. Chancers or not, we must remember that not all situations are the same, that there still are people with very low-end phones or people that prefer to take a cheap ‘burner’ to work rather than taking their Apple device when reporting for hard labour in a mine, if mobile phones are even allowed. For this reason, options such as cards or pins should still be available as additional modalities to deal with the array of issues that arise and where one person is excluded from electronic access creates as much weakness as shared passwords.

Smart Security Solutions: Can/are mobile access apps usable in the digital and physical access worlds?

Rautenbach: Mobile credentials are a good candidate for bridging the logical and physical gap. This is vendor-dependent since logical access, specifically corporate implementations, requires central user repositories and control, as provided by solutions like Active Directory.

Smart Security Solutions: Are organisations using mobile as a 2FA mechanism since users keep their biometrics on the device?

Rautenbach: When discussing biometrics on mobile devices for accessing mobile credentials, it provides an extra layer of security. This security is independent of whether the biometrics are linked to the credential itself or, as is often the case, solely associated with the mobile phone owner. Many vendors support mobile credentials as an additional layer of security. However, some vendors market their solution by highlighting that the mobile credential can remain active in the background. This means users do not have to take their device out of their pocket or perform authentication, which adds a level of convenience.

While this feature can be beneficial, it may pose risks in the event of theft or hijacking, especially if not used alongside biometric authentication. On the other hand, it eliminates the hassle of putting someone on hold while entering a door. Consider what your vendor is offering and the implications of the different configurations when implementing this.

QR codes remain a convenient option, as they are easy to generate and communicate (sent by WhatsApp/SMS) and are mostly easy to use. When used independently, consider dynamic QR codes, which generally work with a shared link and, therefore, require connectivity and get updated every few minutes or even more frequently. This prevents sharing a screen capture or message, and sharing this for incorrect reasons will be difficult as it keeps changing.

Some key cloud-based, workspace-sharing, and ticketing implementations using Suprema’s CLUe use dynamic QR codes, which are presented to the reader and communicated directly to the cloud for authentication. Each use case needs to be evaluated and thought through logically, as no ‘one shoe fits all’ solution exists.

Smart Security Solutions: There may be benefits to using a user’s smartphone for access control, but they are also subject to personal use. Is this not a security threat, as someone may become infected with malware or info stealers, which might impact the access control app?

Rautenbach: Almost anyone can bring out technology that can be broken, but vendors of reliable applications will not have this issue. These days, mobile OS providers isolate applications and their data stores so that when accessing them from outside of the application, they are not usable, and any modification of the data will break the application data store and render the credential useless.

This does not mean there is not someone with too much time on their hands to achieve this, but it is challenging. Keep in mind that modification on the device is just one side of the story, as mobile credentials have two parties, one being the mobile and another being the device that performs the authentication. Vendors typically pair up mobile device details (say, in simple terms, serial numbers, although this is not that simple) with user information. If I load my mobile credential on two phones, the authentication data will differ. If a ‘hacker’ can modify my user details or card number on the device, the pair is broken, and authentication will fail. Other methods of preventing such instances include hashing information, usually generated by a vendor certificate. The hash will not be valid if someone tampers with some of the data.

I am explaining this straightforwardly; some will consider it unsophisticated. The question of whether your vendor is implementing such protections is a different story, and here, it is best to refer to their compliance with ISO standards relating to Information Security Management System (ISMS). I mention ISMS specifically, as some users will ask for ISO certificates and be provided with irrelevant production or process-related ISO certificates.

Smart Security Solutions: What has your company offered in the past year regarding mobile access solutions, and what are you looking at in the year ahead?

Rautenbach: Suprema provides a comprehensive mobile credential suite through its dedicated subsidiary, Airfob, which focuses specifically on mobile access. What began a few years ago with an emphasis on environmental sustainability – aiming to reduce plastic usage – has evolved into a key suite of solutions that offer users both convenience and enhanced security.

Suprema Airfob provides a dedicated portal for credential management, directly integrated into BioStar 2, its access and T&A; suite, or can be used standalone for integration into any third-party offering that wants to use Suprema mobile credentials. The portal is structured so that resellers can easily purchase and sell mobile credentials to their clients. Being fully API-driven, resellers and solution providers can easily build custom solutions.

2024 has seen the expansion of this solution to offer biometric ToC for its fusion facial terminals, allowing users to be custodians of their own biometric templates. This functionality ensures that no biometric data is stored centrally, while securely and conveniently allowing biometric access. Suprema generally securely manages biometrics centrally, but this option gives resellers the edge where GDPR/POPIA criteria are strict, or where corporates and users generally prefer not to take responsibility for biometric data.

2025 will see further expansion of ToC, with more devices offering support and additional functionality. We will also see the expansion of mobile technology use through cloud solutions, which are rapidly growing to support various custom solutions, such as membership-based systems, solutions for shared office space, ticket issuance and many other key solutions.

Q-Vision Pro wins Best of Innovation Award

Suprema AI, a specialised provider of on-device AI solutions based on video analysis, announced that it has won the Best of Innovation Award in the Embedded Technology category at CES 2025.

The CES Innovation Awards are presented to companies that showcase innovative products and technologies in the global IT and consumer electronics industries. Among them, the Best of Innovation Award honours products that receive the highest overall ratings in technology, design, and innovation.

Suprema AI’s Q-Vision Pro is the world’s first on-device AI module designed to predict and prevent financial crimes around standalone devices like ATMs.

By combining AI-based facial recognition technology with behaviour analysis, Q-Vision Pro can forecast potential financial crimes and block illegal transactions, safeguarding the assets of both customers and banks. Notably, it operates independently of a network, supporting up to 50 000 users, while incorporating robust multi-layer data encryption to ensure secure functionality in standalone environments.

The product is offered in two hardware form factors: an embedded type for new ATMs and an add-on type that can be easily installed on existing ATMs, providing customised solutions tailored to client needs.

Suprema AI is a wholly owned subsidiary of Suprema, established in October 2021, it is set to be absorbed and merged into Suprema through a simplified merger process, with the merger date on February 20, 2025.

Share this article:

Further reading: