printer friendly version

Physical ­access via ­mobile

One of the areas of the access and identity management market that everyone is excited about is the use of mobile technology to replace traditional cards and other authenti­cation methods. Using smartphones for a variety of non-telecommunications purposes is the norm today and it is becoming the new normal in this market as well.

To gain an understanding of what is on offer from the various players in the market, Hi-Tech Security Solutions asked a few of them to tell us about mobility in the access market. The people who responded to our request were:

• Hilary Dredge from Controlsoft,

• Maeson Maherry from Lawtrust, and

• Wouter du Toit from SALTO Systems.

Hi-Tech Security Solutions: Why are vendors transferring access and identity to the smartphone? What benefits are there to creating yet another app, or use for the phone?

Hilary Dredge: Firstly, let us consider the undeniable fact that our cellphones are used for almost every aspect of our lives, from business to entertainment to communication. Therefore, one tends to always ensure their cellphone is constantly with them and, just like your wallet, you would hardly ever loan it to anybody else. Compare this to owning an access card which has no value in your life, the idea of forgetting your means of accessing a building are minimised.

Secondly, the idea of using a smartphone as an access credential opens up possibilities for greater advances in access control. Imagine leaving home with nothing but a wristband such as a smart watch that links with your phone. The mobile access solution embedded on this device will allow for access control to buildings, purchases and possibly holding valuable personal data such as physical conditions and medical history, which can easily be scanned by emergency personal in an unfortunate event.

Thirdly, having the mobile access credentials stored directly on your phone greatly reduces the risk of losing that credential. And in the event that more than one credential is needed, there is no need to carry multiple access cards as they are all stored on one device.

Maeson Maherry.

Maeson Maherry: The major reason that vendors are transferring security functions to the mobile phone lies in the fact that people love their phones and mostly have them with them for every waking moment of the day. It therefore makes for a much better user experience if security can be tied into the mobile that the user wants to use, instead of providing another gadget to carry around. The mobile security credential does in fact not have to be another standalone app, but rather can be a function built into an existing app that you already use, like a banking app.

Wouter du Toit: It’s all about convenience for the end user and improving their experience. It’s basically an extension of the one-card solution brought to your smartphone. Of course, not everyone wants to do everything with their smartphone, but there is an important segment of users who see value in using the smartphone as a credential.

Hi-Tech Security Solutions: We hear a lot about the risks of mobile computing, are mobile credentials subject to the same risks?

Hilary Dredge: We do everything on our cellphones; they contain personal information, banking information, emails, contacts and more, all of which we would certainly want to keep away from prying hands. Smartphones come with various options on securing your data using passwords, patterns, fingerprints and password-protected data encryption. If these are not enough, apps are developed constantly to protect our phones.

Maeson Maherry: Mobile credentials are definitely exposed to the same risks and vendors have to defend against attack as well as the possibility that the user has removed their own security protections for some reason, like jailbreaking a phone as an example. The answer to this lies in secure coding practices and also providing a laboratory tested security application or library which can secure the sensitive keys used for security independently from the phone.

Wouter du Toit: SALTO incorporates state-of-the-art security measures into all our mobile technologies and we review and update these constantly to stay secure and ahead of the market. For instance, our smartphone authentication technology uses a variety of methods for verifying a mobile user’s identity, including PIN and fingerprint identification.

Encrypted data transfer between phone and lock also means authentication is secure and fast. This, together with highly secure data transmission and anti-cloning technology means our mobile access security is protected and robust. With our cloud-based solution, the RFID technology we use is the same as that employed in many governmental and military applications and uses an encrypted algorithm and randomly generated Clay Codes to provide secure credential protection.

Hi-Tech Security Solutions: How does mobile access work? How are credentials provisioned and controlled? What changes need to be made to readers, or do companies need to purchase new readers?

Hilary Dredge: The technology for mobile access to function exists entirely in the readers designed for this mode of access control. These would be the only hardware requirements the company would have to consider, no matter what their existing access control system is.

From a secure web-based application, generally maintained by the vendor, mobile credentials are dispatched via email to the expected credential holder with simple instructions on how to implement them. This credential can already be enrolled on the existing access control system without the holder being present, saving time and queues. Training on the use of this mobile credential is simply learning a gesture which activates the credential at the mobile ready access control reader.

Maeson Maherry: Usage experiences will vary due to the business design requirements, but a typical usage would be where the mobile is used as the authenticator for a website that you are accessing on your laptop. The website would ask for your username, but no password anymore. Your mobile phone would be sent a push notification to alert you to a security event. On clicking this, the app would open up and show you what the event is (request to authenticate to a website) and you would then be able to push a button to confirm or decline this event. If you confirm then you will be seamlessly authenticated and allowed access to the website. All provisioning is done over the air (OTA) and no readers are needed at all.

Wouter du Toit: There are different solutions that permit mobile access and the different solutions use different types of technology. Here are a few that stand out in the market and find good traction with mobile users: NFC, Bluetooth Low Energy (BLE)-based technology, mobile applications enabling remote access control to cloud-based ­solutions. So finding the best solution in mobile access technologies is like finding the best solutions in any other access technology – it all starts with an end-user’s needs in terms of security and convenience.

Depending on the choice of technology and your current hardware installation, you might need to replace some readers or it could be just a firmware upgrade to existing readers. Provisioning and control is done through the same access control platform with breakout to the cloud to be able to send these credentials to smartphones.

Hi-Tech Security Solutions: What are the cost benefits of mobile credentials as opposed to traditional cards etc.?

Hilary Dredge: Mobile credentials are relatively no more expensive than physical smart access cards, and given that they are less likely to be lost as regularly as the physical version, replacement cost are negated.

Wouter du Toit: Although for some users, such as hotels, that spend important resources on replacing lost or stolen credentials, our initial feedback from the market is that the consideration and incorporation of mobile technologies for access credentials is being more driven by end-user experience and convenience and less by cost savings.

Hi-Tech Security Solutions: Is integration to other systems as well as into the virtual world easier with mobile credentials?

Hilary Dredge: Since the technology for mobile access to work exists entirely in the mobile ready readers themselves, this allows easy installation into any other access control system provided this system supports Wiegand. No changes to the existing system are required, and ­therefore no risks of interfering with the functionality of that system.

Maeson Maherry: Our approach has been to add mobile authentication and transaction verification into our existing authentication platform, thereby extending its spectrum of authenticators offered. This means that integration remains by established protocols or web services, making it extremely easy to incorporate in standard products as well as bespoke systems.

Wouter du Toit: As explained above, there are quite a variety of new products on the market using mobile technologies for access, so the question about how easy it may be to combine these products with other systems is very much dependent on the specific technology involved.

Hi-Tech Security Solutions: Can you describe the mobile systems you offer the market?

Hilary Dredge: Our solutions extend beyond the comprehensive range of mobile ready readers. By partnering with Assa Abloy we also provide mobile ready wireless door handle sets from Aperio, excellent for use in the hotel industry or high-end corporations. Coming soon to our family of mobile ready devices, is the already acclaimed Sigma Biometric terminal.

Maeson Maherry: We have a broad spectrum of solutions for ­various scenarios of mobile use. This includes mobile app authenticators, QR code authentication, transaction verification, smart credentials to authenticate and digitally sign with Advanced Electronic Signatures on the phone. Probably the most exciting area is in the use of phone cameras for fingerprinting and face recognition to authentication or to confirm a transaction.

Wouter du Toit: JustIN Mobile: The intuitive JustIN Mobile app communicates securely via the cloud and permits users to receive their keys online, anytime and anywhere to their BLE-enabled smartphone. JustIN Mobile means the end to lost key hassles, expense and waste. This flexible solution gives users the option to choose to receive their key on their phone or to continue using a traditionally-issued smartcard credential. The user decides.

JustIN mSVN: JustIN mSVN (mobile SALTO Virtual Network) is an innovative technology developed by SALTO to update a person’s access rights over the air (OTA) using SALTO’s mSVN app for NFC-enabled phones. Direct, real-time communication between the mobile device and the user’s credential increases productivity and flexibility without sacrificing security by enabling updates to happen when and where they are needed, without a user having to pass by a wired update point. This technology makes it ideal for field workers who require access to remote locations where little or no network connectivity is available from the HQ.

Clay: Clay is a secure, cloud-based wireless electronic locking solution designed to allow small and medium sized businesses to manage access to their property. With a mobile app and a desktop dashboard, businesses are able to easily and, if required, remotely manage user access rights with an overview of user and door activity. No cabling is required, no software to install, no encoders. It simply works.

For more information contact:

Controlsoft South Africa, +27 (0)11 792 2778, [email protected]

Lawtrust, +27 (0)12 676 9240, [email protected], www.lawtrust.co.za

SALTO Systems, +27 (0)11 534 8489, [email protected], www.saltosystems.com

Share this article:

Further reading: