Using mobile phones or smartphones for access control is not a new idea. Well before Android smartphones and iPhones gained their current popularity, manufacturers of access control systems have tested scenarios in which phones were used to open a door.
Nedap was one of the first to use a GSM receiver to collect incoming calls and use the phone number as an identifier. The development particularly raised an interest at trade shows but was never widely adopted. Other initiatives in the industry centered around using first versions of Bluetooth. The phone would be paired with a receiver and the unique ID of the phone would serve as an identifier. Technologies like these were never widely adopted for obvious reasons. Besides familiarity with the technology and the, back then, somewhat conservative nature of the security industry, these reasons were mainly practical. Enrollment was sometimes a hassle. Pairing phones with multiple readers in buildings was not ideal. Configuring readers to support the right reading distance was sometimes tricky and this generation of Bluetooth readers did not support perceived industry standards for interfacing with common electronic access control systems.
Modern platforms that enable the use of smartphones as identifier in access control systems make use of Near Frequency Communication (NFC) and/or Bluetooth Low Energy (BLE). In a previous insight we talked about the pros and cons of using smartphones in access control. We believe that it is inevitable that there is a future for smartphones in access control. Even well-established research firms like Gartner predict that the market for mobile credentials will grow significantly.
Based on today’s technology we also believe that there are some factors to consider to optimize chances for successful use of systems like MACE. Let’s look at a few of those.
Determine objectives and prepare implementation
Technology is never deployed without reason. This also applies to the use of smartphones in access control. Mobile access control has advantages and disadvantages, like any technology that can be used to identify people. The biggest advantage of platforms like MACE is that they take away the physical element of access control cards. There is no technical need for users to be physically present to enroll them in the access control system. There are no cards that require physical distribution. And people do not have to carry an extra physical card just to get access to the building.
So when you set up a new access control system for a building or parking, smartphones are one identifying technology you can use. When you plan to deploy it, make sure you are clear about what you want to get out of it. Expect technology that can bring benefits, but also will come with some rules of application. Investigate if the technology is able to meet your requirements and also investigate if you are able to meet the requirements to use the technology successfully. Then plan the implementation carefully and make sure to include the instruction of your use case. Of course, good technology should be self-explanatory, but it never hurts to make sure all of your users will use the technology according to your ideas and policies. Do not expect them to be able to read your mind.
Support the transition phase by mixing technology
Most people by now will believe that smartphones will have a place in the realm of access control devices. Most people believe that the sales figures of conventional access cards will drop in the years ahead of us. But most industry representatives also expect that cards will remain to exist. Thankfully, modern platforms that support mobile security credentials will incorporate multi-technology readers that allow you to have a mixed population of identifying credentials. This enables you to keep using your existing access cards and gradually increase the use of mobile credentials on smartphones.
And even the technology used on smartphones can be mixed: Nedap MACE, for example, allows smartphones to present cards using BLE, NFC and even as QR-codes. This means that almost every smartphone can be used in the system.
Matching number format
When using a mix of conventional and virtual (mobile) credentials, it might make sense to think about the programming of the mobile credentials. If the number on these credentials use the same format as the existing physical cards, it makes it easier for the access control system to deal with these two technologies at the same time. It requires less effort in configuring the system and performing administrative security tasks.
Make sure that the mobile access control system you use will support the tag format with the number range that you desire.
Segment users and access zones
Access control system implementation requires careful planning. Buildings are divided into zones. Entrances to zones are equipped with door readers and other security devices and per zone desired security levels are determined. Per user (group) it is decided who gets access to what part of the building. And for high security zones usually more than one factor is used to authenticate the identity of the person that wishes to enter (like combining RFID with biometrics or a PIN-code).
This approach does not suddenly change when smartphones are considered to be used. Mobile credentials may be an eligible solution for one user group and may be less suitable for other users. Smartphone access control may be the right solution for some entrances and may not be fit for purpose in other zones.
Weighing access control technologies against each other does not only involve the intrinsic security level of the technology. We would advise to also look at other factors, like the convenience level or the robustness of the solution. Nedap MACE is using modern encryption standards in the communication triangle of cloud service, app and reader. Access control is all about seeking the optimal security level per entrance and balancing security against convenience. Segmenting user groups and entrances enables partial implementation of smartphone access control.
Cloud based integration
Sending mobile credentials to the supporting app on smartphones is usually done by a cloud based service. This makes absolute sense since it removes the physical element of distributing access credentials. Opening your system up to communicate with the cloud may sound terrifying to some security managers. Modern platforms for mobile access control will allow you to manage your credentials on an admin portal. The portal is used to allocate and revoke mobile credentials: manually or batch wise. Mobile credentials usually do not contain access rights. They are used to identify the person. The well secured access control system contains the access rights of the person and basically decides whether this person should get access or not. Platforms like Nedap MACE also support the ability to revoke credentials. And in the unlikely event that a mobile credential is ‘lost’, the access control system can easily allocate a new credential and remove the rights related to the compromised credential.
Using a portal requires additional administrative tasks to be performed. A full integration of the access control system with the cloud based server of the mobile access control system would mean that mobile credentials can be assigned to users with the user interface of the access control system. This would mean that the access control system needs to open up to the cloud. Many access control systems already are (private) cloud based to support centrally managed access control installations across multiple sites in multiple locations. Current technology offers sufficient means to connect to the cloud in a secure way.
Smartphone access control systems like MACE often use BLE to support the communication between the smartphone (app) and the reader. BLE supports long read ranges. But often, the read range should not be too long to prevent unwanted remote reads. The read range of the BLE readers can be limited in the configuration program that comes with the reader. Nedap MACE readerssupport read range profiles proximity (a few cm), short (1-2 meter), medium (approx. 4 meter) and long (approx. 15 meter). When commissioning the readers, make sure that the appropriate read range profile is selected. Also be aware of potential ‘back reads’. Most BLE devices that are small, are omnidirectional: readers may be approached from all sides.
Mobile access control readers are often multi-technology readers. Which means they can read multiple types of cards, tags and mobile credentials. Make sure that only the ones you need are activated and configured properly.
Prepare for variation
When using a variety of phones and technologies, it is inevitable that you will run into more performance variation than you were used to before. One type of smartphone may have a longer read range when using BLE than another phone that looks almost the same. One user may be much more confident to use the smartphone as an identifier than another person in the same team. Supporting BYOD (Bring Your Own Device) scenario’s will make this even worse: more variation in the smartphones with more variation in the way these phones are configured.
Variation also relates to time. Software stacks may change. Technology standards may evolve. Make sure to select a vendor that will keep readers and apps running smoothly even when the underpinning technology is evolving. And make sure to regularly update reader firmware and mobile apps to make most of the latest innovations.
Mobile access control – test drive the technology
Smartphone access control is an exciting addition to the portfolio of technologies that are used in access control and building security. It may offer new functional possibilities and it may enhance the perceived convenience level of your security system.
But we advise you to approach your projects practical. Start with a small roll out and familiarize yourself with the technology.
To test drive Nedap MACE you only need to obtain a MACE reader and ask your test group of users to download the free MACE App from the App Store or the Play Store. A free mobile credential will be available for testing purposes right away. Enjoy the test drive and please contact your Nedap representative for further information.