“They are fully compliable with the requirements for fast and highly secure data transmission, flexible memory organization and provide interoperability with existing infrastructures.”
cess system. In fact, such a system can reach beyond the facility into their homes, their automobiles or at the gym.
Commonly referred to as mobile, soft or virtual, smartphone- based access control credentials are another version of identifica- tion media, joining traditional proximity and smartcard credentials to support a user as she moves about a secured facility. Soft mobile access credentials provide several advantages over hard credentials. They are more convenient, less expensive and more secure. Adding multiple credentials is easy on a single smartphone.
They are more convenient because the user always has his cre- dentials and already carries it with him wherever he goes. Creden- tials are delivered to the end user in either paper or electronic form, such as via email or text. The dealer has nothing to inventory and nothing to ship. Likewise, the user sponsor has nothing to store, nothing to lose and faces no physical replacement hassles. Costs are lowered as nobody must ship “onesie - twosie” replacement orders.
As always, there were the typical drawbacks with the new tech- nology. Before they switched to virtual credentials, the next wave of users requested smartphone solutions that eliminated many of the frustrations that they discovered with their original smart- phone apps and hardware, the main one being complicated imple- mentation practices. The newer solutions provide an easier way to distribute credentials with features that allow the user to register only once and need no other portal accounts or activation fea- tures. By removing these additional information disclosures, ven- dors eliminated privacy concerns that have been slowing down acceptance of systems making us of mobile access credentials.
Just like traditional hard credentials, today’s soft credentials can support the 26-bit Wiegand format along with custom Wie- gand, ABA Track II magnetic stripe and serial data formats, such as OSDP. They can be ordered with specific facility codes and ID numbers, and delivered in the exact number sequence ordered with no gaps and no under- or over-runs.
SECURE!
Many companies still perceive that they are safer with a card but if done correctly, the mobile can be a far more secure option with many more leveraged features. Modern handsets deliver biomet- ric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC.
Bottom line - both mobile Bluetooth and NFC credentials are safer than hard credentials. Read range difference yields a very practical result from a security aspect. Installation of a Bluetooth reader on the secure side of the door will allow NFC mounting on the unsecured side.
As far as security goes, the soft credential, by definition, is already a multi-factor solution. Mobile credentials remain pro- tected behind a smartphone’s security parameters, such as bio- metrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification - what you know and what you have or
26
what you have and a second form of what you have.
Once installed, the mobile credential cannot be installed on another smartphone. Think of it as a soft credential being se- curely linked to a smartphone. If a smartphone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be deactivated immediately in the access control management software - with a new creden-
tial issued as a replacement.
To emphasize, one cannot have access to the credential with-
out having access to the phone. If the phone does not work, the credential will not work either. The credential works just like any other app on the phone. The phone must be “on.”
Leading readers additionally use AES encryption when trans- ferring data. Since the Certified Common Criteria EAS5+ Com- puter Interface Standard provides increased hardware cyberse- curity, these readers resist skimming, eavesdropping and replay attacks. With the Federal Trade Commission (FTC), among oth- ers, now holding the business community responsible for imple- menting good cybersecurity practices, such security has become an increasingly important consideration.
Likewise, check if the new soft system requires the disclosure of any sensitive end-user personal data. All that is needed to acti- vate newer systems is the phone number of the smartphone.
Smartphone credentials are sold in the same manner as tradi- tional 13.56-MHz contactless smart cards - from the existing OEM to the dealer to the end users. For the dealer, smartphone creden- tials will be more convenient, less expensive and more secure, and can be delivered in person or electronically. They are quicker to bill with nothing to inventory or to be stolen. In most cases, soft credentials can be integrated into an existing access control system.
MAKE SURE YOUR NEW SYSTEM IS SMART
A final bonus - If your new system leverages the Security Industry Association’s (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices, whether using mobile or a card.
With OSDP, security is an integral part of the overall solution. OSDP is not in the same ballpark with Wiegand; it is in a differ- ent sport and country. Simply check the origin of OSDP. Not only can integrators deliver the OSDP solution that a customer wants, but using a the OSDP Verified product lists, integrators can also validate that a product has been tested within lab condi- tions that handle all of the required messages, minimizing any mishaps at a customer site.
Today, there are more than 25 devices from seven different vendors listed as OSDP verified. Although that does not seem like a lot, it really is. Many of these vendors are OEMs, having among their customers’ scores of private-labeled units. Among them are component, device, solution and system providers. Several feature multiple brands. Thus, even with this presently seemingly narrow list, there are a wide choice
of security access control products. Integrators will find it easy to select products that they can integrate simply.
Scott Lindley is the general manager at Farpointe Data.
JANUARY/FEBRUARY 2022 | SECURITY TODAY
SMARTCARDS