Access Control
that of a proximity card, eliminating any pos- sibilities of simply leaving the smartphone in the pocket or purse and still get reads.
Secure!
Many companies still perceive that they are safer with a card, Gartner’s Mahdi notes, but if done correctly, the mobile can be a far more secure option with many more features to be leveraged. Handsets deliver biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC, he said.
The bottom line is both Bluetooth and NFC credentials are safer than hard cre- dentials. Read range difference yields a very practical result from a security aspect. A Bluetooth reader can be installed on the secure side of the door while NFC must be mounted on the unsecured side.
As far as security goes, the soft credential, by definition, is already a multi-factor solu- tion. Mobile credentials remain protected behind a smartphone’s security parameters, such as biometrics and PINs. Once a biomet- ric, PIN or password is entered to access the phone, the user automatically has set up two- factor access control verification—what you know and what you have or what you have and a second form of what you have.
To emphasize, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the cre- dential doesn’t work. The credential works just like any other app on the phone. The phone must be “on.”
Leading readers additionally use AES en- cryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hard- ware cybersecurity, these readers resist skim- ming, eavesdropping and replay attacks. With the Federal Trade Commission (FTC), among others, now holding the business community responsible for implementing good cyberse- curity practices, such security has become an increasingly important consideration.
If the new system leverages the Security Industry Association’s (SIA) Open Super- vised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering in- teroperability among security devices.
Likewise, check if the new soft system requires the disclosure of any sensitive end- user personal data. All that should be needed to activate newer systems is the phone num-
ber of the smartphone.
Lastly, once a mobile credential is in-
stalled on a smartphone, it cannot be re- installed on another smartphone. Think of a soft credential as being securely linked to a smartphone. If a smartphone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software—with a new credential issued as a replacement.
Soft Credentials Are Easier
Smartphone credentials are sold in the same manner as traditional 125-kHz proximity or 13.56-MHz smart cards—from the existing OEM to the dealer to the end users. For the dealer, smartphone credentials will be more convenient, less expensive and more secure. They can be delivered in person or electroni- cally. They are quicker to bill with nothing to inventory or to be stolen. Also, in most cases, soft credentials can be integrated into an exist- ing access control system. Distribution can also be via independent access control software.
There are two types of software. First is the Wallet Application, a free software that is downloadable from the Apple App Store or the Google Play Store. Its purpose is to hold the access control credentials. Typically, the Mobile Wallet App will store as many cre- dentials as you will want, all at one time.
The Mobile Access Credentials are the individual credentials needed to gain access. Each credential can be programmed to work with a specific access control system. This means that, yes, a single smartphone, hold- ing multiple access credentials, can be used to gain access on multiple access systems. No longer will users be required to carry in-
dividual multiple hard credentials. The em- ployee just carries her smartphone which has them all within it.
Smartphone credentials deploy so much faster than hard credentials. To install a mo- bile credential, a user needs to first have the Wallet App installed on a supported smart- phone. Next, you launch the App and select the “Add” button, indicating that you would like to load a new credential. A Registration Key Certificate is provided for each creden- tial ordered. Now, enter the unique 16-char- acter Key from the Certificate and tap “Sub- mit.” Once successfully registered, the new mobile credential will appear in the Wallet App ready for use. From that point on, the user simply holds their smartphone up to reader when they approach it.
Why Multiple Credentials Are
Emphasized with Smartphone
Access Control
The simple reason is that this is the future. Already, we’ve discussed access control at the front door, the parking gate and for the data system. But, at lunch, soft credential would also be available at the cafeteria or the vending machines. Building planning employees could check out schematics while machinists select the tools they need. They become a photo ID at a crime scene. All are separate applications with their own access control systems.
Thus, a Mobile Wallet App will normally store many credentials on a smartphone at one time. The actual quantity is dynamic and is related to the memory specifications and internal storage space available on each indi- vidual smartphone.
And, more opportunities are on the way. How about using your smartphone as an intelligent key for the agency car? Want to know where your employee is driving, how fast or if he added gas or oil? Forget all those other tags and cards. Your smartphone will become the passport to all aspects of your work life. At a fraction of the investment you have in hard credentials, secure soft, digital credentials are all you need.
The Hard Fact
Soft, mobile, smartphone-based access control credentials are inevitable. Every governmental security professional needs to get on board.
Scott Lindley is the general manager of Farpointe Data.
GS6
GOVERNMENT SECURITY MAY 2018