Dispelling the Myths of Mobile Access

Brought to you by FMJ, the Official Magazine Partner of Facilities Show.

Author: Jaroslav Barton – Product Marketing Director, Physical Access Control Solutions, EMEA.

Physical access control is a key component of many organisations and can be used for anything from opening doors to car parks, buildings and secure rooms to accessing computer files. Much of the technology and many of the systems have remained the same over the past twenty years, but as technology develops, security providers are increasingly turning to mobile devices for a range of security applications. Replacing traditional security cards or fobs with a mobile app is becoming increasingly popular, but there is still hesitance within the end-user space about the merits of mobile access. The comments below try to dispel some of the common myths associated with mobile access devices.

If it isn’t broke, don’t fix it. Right?

There is a commonly held assumption that to change or upgrade an organisation’s physical access control system, it will have to rip out the existing framework and start from scratch. The hesitance by senior management to spend money on areas that aren’t traditionally seen as a key priority, or those that don’t demand immediate attention, like security, often leads to the view that if the system isn’t broke, why change it? On further inspection, however, the replacement of legacy physical access control systems is very straightforward. Most security systems can actually be installed onto existing infrastructure, with everything from cables and panels to readers being re-used, helping to significantly reduce the overall costs of an upgrade, as well as disruption to building occupants. Some suppliers even design their products to be backwards-compatible, enabling them to integrate easily into existing infrastructures. Even users’ mobile devices are virtually unchanged. Mobile access security does not require specialised mobiles or new microSDs fitted to existing versions. The only alteration to the mobile is downloading the corresponding application.

Facilities managers are understandably keen to limit the disruption to their site, especially for a retrofit that isn’t deemed a high priority. While there will be some disruption to systems, if a reliable supplier is chosen then their products will be simple and easy to install into the existing systems, keeping disruption to a minimum.

Smartphone failure = lock out

What happens when the smartphone drops coverage? There are some spots in a building where the network coverage is too low to get a signal. Will the user be locked in or out if the network coverage drops? Communication between a physical access control reader and a mobile phone is offline, so there is no need to be concerned about signal ‘dead spots’ within a facility.

Smartphones notoriously have a short battery life, and the misconception is that if Bluetooth is activated, it will reduce this even further. Mobile access is typically designed with Near Field Communication (NFC) or Bluetooth Low Energy (BLE), both of which have low battery consumption, so the battery reduction should be negligible.

The smartphone is not secure

Surely it is much easier to gain access to a piece of technology that can be hacked remotely, rather than a card that is kept on its user at all times? If anything, mobile IDs are actually more secure than legacy systems, owing to the use of data encryption with high-end security and data privacy features, all of which are very difficult to add to an ID card.

What if the user’s mobile phone is stolen? As with security cards, a credential can be revoked once the theft has been reported. The difference from cards, however, is that this revocation is immediate and the mobile ID ceases to provide access. Additionally, mobile devices have the ability to dynamically update their security payload, whilst changing data on cards takes more time and involves additional costs. After a user downloads their app, they will have to validate it through their internal system, at which point they will be provided with a confirmation code. Only after the registration code has been authenticated can the device be eligible for use as a mobile ID.

Big Brother

For employees, installing their security pass on their mobile is just another way for the IT department and the senior leadership team to monitor not just their movements but their mobile habits as well. This view, whilst understandable, is simply not true. An organisation cannot access an employee’s personal information apart from the ID app on their private smartphone. Most mobile access control providers will only store limited information that is necessary for the app to function, like mobile device push ID and operating software version, similar to many commercial apps. Location data should not be stored, but it is important to check the Privacy Policy when installing the app, as vendors may vary.

Many security apps will use a sandboxing technique – isolating programs so that malicious or intrusive programs can’t damage a user’s phone or steal their information – to ensure users’ data is protected. Sandboxing the mobile access app and providing it with few permissions keeps the rest of the contents of a phone safe. If an individual attempts to access information outside the scope of an app’s permission settings, such as the user’s location, the permission can easily be denied. This stops both external hackers and internal team members from accessing the phone user’s information.

Operating system incompatibility

iOS or Android? Android or iOS? Thankfully this is a debate that most providers don’t have to settle, and they will provide the same compatibility for mobile access IDs to all mobile operating systems. Thanks to Android’s host-based card emulation (HCE), Android applications can emulate a contactless card without the need for a secure element, thereby eliminating dependency on the mobile network operator. This allows Android apps to communicate directly with NFC readers and terminals, eliminating any mobile operator incompatibility.

Conclusion

When considering an update to physical access control systems, there are many considerations to take into account other than the financial implications. While it can be seen that many mobile ID providers’ solutions can easily be incorporated into existing physical access infrastructures, there are also a host of other benefits that are not available to traditional card or fob users. The added encryption offered by mobile devices ensures that the security identification of the individual is kept safer than it would be on a traditional device.

Ultimately it is down to the security provider to ensure that end users’ concerns are understood and put to rest. Traditional physical access control systems still have a place in security and facility protection, but with the increasing use of mobiles in everyday life, how long it takes before traditional devices become obsolete is up for debate.
