Features
Calling all access control users: mobile access control is the next frontier

For decades, key cards have been a pivotal piece of access control in public spheres, but increasingly, more offices, educational institutions, condominiums, hotels and other organizations are making this part of their security system digital, with access control through mobile phones.

Research firm IHS Markit found nearly 20% of sales of access control readers sold in North America in 2018 were designed to be able to accept mobile credentials, and the global market size for mobile-capable access control readers is expected grow from approximately 700,000 annual unit shipments in 2018 to nearly 2.5 million shipments by 2023. Also, by 2023, more than 10% of new security credentials issued worldwide will be mobile credentials.

Bryan Montany, analyst with IHS Markit, says industries with a high proportion of Millennials and Generation Z workers, such as IT, web services and marketing, represent strong markets for mobile credentials, as do other types of corporate offices, higher education and hospitality.

Montany continues, “Another strong market for mobile credentials are commercial buildings that employ a significant percentage of temporary workers, such as contractors.” He says managing credentials for temporary workers is much easier through mobile than with cards or badges.

The security technology industry’s heavy hitters are investing in this technology in a big way.

HID Global, for example, has 2,500 organizations using its Mobile Access solution, first launched in 2014. This is according to Brandon Arcement, senior director, Strategic Partnerships at HID Global.

So why is using a phone as a key becoming so popular, and why is this technology more appealing than a plastic card?

Arcement lays out three value propositions:

1. Greater user convenience

“For users, some of the benefits are clear: you have fewer items to carry, you don’t have to worry about a lost or forgotten card,” Arcement says. Also, “you don’t have to go to a specific location or wait for a shipment in the mail to get a credential — it’s delivered in milliseconds over the air.”

2. Greater operational efficiency for the security department itself

“Think about a large global organization operating in several countries. Today they are managing pieces of plastic with RFID chips in them that they are shipping and printing and distributing and managing around the world,” he says.

“With mobile access, they can convert that process of managing those physical pieces of plastic into digital, online and automated processes.” Acrement also notes that overnight shipping an access card to a new employee can cost $40-$50 a piece.

3. Higher security

“The vast majority of cards that are used today have significant security vulnerabilities,” Arcement says. “HID Mobile Access uses very secure technology to encrypt the data being exchanged between the reader and the phone. It cannot be forged or cloned or spoofed the way many prox cards, magnetic stripe and legacy smart cards can be.”

Arcement says managing lost credentials is also easier with mobile.

“We did a study some years ago that showed the average lost card took three days to be reported lost or stolen,” Arcement says. “If you compare that against the fact that the average person checks his or her phone 70 times a day, it’s far less likely that a mobile device is lost, forgotten or stolen, and if it is, you can revoke the credential over the air — it’s noticed immediately and wiped within the hour.”

According to Arcement, another element boosting security for mobile credentials is the presence of phone authentication via biometrics, such as facial recognition or touch ID. Whereas, if someone get a hold of a card, they immediately have access to whatever it opens. Montany agrees that phone-based biometrics are a major selling feature of mobile credentials, as they “offer increased security to end users at a much cheaper price than the average cost of installing biometric readers on-site.”

Lastly, mobile credentials provide flexibility. “With cards, any time there’s a vulnerability it’s required to replace all cards. With mobile applications, security updates are addressed in the middle of the night in a few seconds while everyone sleeps,” Arcement says.

How does it work?

Providing mobile credentials is done through two different types of communication technology, Bluetooth and near field communication (NFC), and debate swirls over which is superior.

NFC only works at close range and mimics contact with an access card. “In terms of emulating the traditional card experience, NFC does that best,” says Arcement. “Whenever you’re trying to disrupt an industry or change an industry, a lot of times the best thing to do is just emulate what the user had before. So NFC is more consistent, more reliable and more familiar to someone who’s conditioned to using a smart card.”

The downside is that NFC’s read range is limited to 10 cm, and it’s also open on Android, but it has limited availability on iOS.

Montany says “For all iPhones version 7 and later, NFC tag compatibility with third-party apps is possible, but it remains challenging for third-party vendors to actually work with to implement. For that matter, a large portion of the current iOS userbase is still using iPhone 6/6s models and NFC tag reading with third-party apps is closed there.”

On the other hand, Bluetooth is available cross-platform with no conditions. The other value is its long range, up to 100 m.

“What it (Bluetooth) lacks in speed and throughput and familiarity in a conditioned user, it makes up for by innovative ways to open up a door. For instance, triggering a door as you walk up to it by tapping something on your device, so by the time you get there it’s already opened,” says Arcement.

Bluetooth is also ideal for parking garages, because users don’t have to roll down their car window to access the premises. It can also be programmed to work within close proximity to door readers, like cards, in addition to being used from a distance.

Arcement argues that HID’s solution provides the best of both worlds by supporting both NFC and Bluetooth.

“That combination of both makes it a more seamless access experience, because there are some circumstances where NFC is preferred and there are some very good cases for the use of Bluetooth,” Arcement says.

For HID’s mobile credential solution, an organization’s physical access control system is largely preserved: wiring, cabling, panels, power supplies, software. The only hardware upgrade that is potentially necessary is HID readers compatible with the firm’s solution. “Those will support your existing card population alongside mobile credentials that can reside on either Android or iOS operating systems,” says Arcement. “If you’ve purchased something in the last few years, chances are very good that it will work with the solution,” he continues. “But obviously there is a lot of legacy infrastructure out there from HID, sister organizations, as well as the competition that would not be compatible and would need to be upgraded.”

The cost of upgrading readers, despite the fact that they accommodate card credentials as well, can be a barrier for some firms.

Rolling out the welcome mat

One method to bring down the cost of implementation, which isn’t always possible depending on the technology, is by retrofitting existing readers or locks, a solution that is appealing in the hotel industry, where the prospect of replacing every lock on a property is very expensive.

Fuel Travel Marketing, a software support and marketing firm that operates a white label app for boutique hotels, is partnering with ASSA ABLOY Hospitality to add mobile phone access control to its app’s functionality.

For hotels to integrate mobile credentials throughout their properties, they have two options, according to Stuart Butler, chief operating officer at Fuel Travel. “Either you can buy the lock with the wireless communication functionality built in or you can actually retrofit existing locks to work with this technology,” he says. “They essentially add a chip into the existing lock so you’re not having to replace the physical hardware.” Butler asserts that this can be a huge cost saver.

This system employs short range Bluetooth — users have to hold the phone right up to the lock. Butler says the close proximity reduces the risk of the data exchange between the lock and the phone being intercepted, and encryption provides an additional layer of security.

The firm’s app provides independent hotels with the ability to offer the same high-tech features available on the big chain’s apps, such as booking capabilities, tourist information, value-added promotions, and digital check-in and check-out. Mobile access control is just the latest piece of that puzzle. Butler says it helps to streamline the check-in process, allowing guests who have checked in digitally ahead of time to simply show up at the front desk at an express line with a piece of identification, and then authenticate into the mobile app — using either biometrics or a password. After this, they are given access to their mobile key.

Butler says user conveniences like mobile access control are essential to help independent hotels compete with chains, which have traditionally been early adopters of technology. “They were early upgrading their websites to be mobile friendly, they were early releasing mobile apps, so they have a tool kit and infrastructure at scale that makes it hard for independent hotels to compete… especially Marriott and Hilton primarily,” he says. Both Marriott and Hilton offer digital keys on their hotel apps.

Barriers to adoption

Despite the convenience provided to users by mobile credentials, there is still hesitation to adopt the technology.

Arcement says he sees hesitation from organizations and security professionals because of unfamiliarity. “This is new technology, where there is still some reluctance by some in order to adopt it until it’s more proven…there are still many in the security industry who wait until there are more definitive use cases and studies and follow the market.”

IHS’s Montany concurs: “Access control is a very slow market to evolve and embrace new technologies, and mobile credentials are no exception.”

He reiterates that the cost of mobile capable readers and installation is a stumbling block for some companies, “Mobile-capable readers tend to cost at least $50 more than non-capable variants.”

Montany also says fear of cybersecurity vulnerabilities is causing hesitation. Any time an organization is hosting data remotely beyond their central control, as is the case with smart phones, regardless of the encryption, there are risks, he says.

There are also some markets where adoption generally isn’t gaining much traction, he explains, such as transportation, industrial facilities, government buildings and health care, “where buildings tend to employ much more sophisticated access control systems that still require physical credentials,” says Montany.

Long-term outlook

Arcement is optimistic about the future of the technology, “It’s a once in a generation change for our industry. I think we’ll see significant growth, modest growth likely over the next few years and then a significant pivot or inflection,” he says. “Of the 2,500 customers that we have, you can probably count on one hand the number that have replaced cards.”

Montany says we are a long way off from mobile credentials replacing physical credentials completely, and instead we will see a hybrid approach, where access control readers are designed to accept either mobile or physical credentials. He explains that more mobile-capable readers are being adopted in anticipation of later implementation of mobile credentials.

Montany says, “There are a few specific markets where outright replacement of physical credentials with mobile credentials is slightly more likely — hotels, university campuses, businesses that hire younger employees — but, most access control vendors view mobile credentials as an additional feature to offer along with physical credentials, so cards and badges won’t be disappearing any time soon.”

This story appeared in the April 2019 edition of SP&T News Magazine.