Simplify Access Control with Smartphones

09/01/2017 | By Janelle Penny

How one simple app could replace keys, cards, fobs and badges

How much time and money do you spend re-keying, changing locks and issuing new ID cards every year? For a fraction of the cost, you may be able to replace nearly all of your physical access credentials with secure digital ones that require only a smartphone to use. See if smartphone access control credentials could work for your facility.

How It Works

Most smartphone-based access credentials share a few key attributes, namely that users download an app through which permissions are assigned and then gain access through readers posted at entrances, similar to how a badge or contactless card works. The details of implementation are where smartphone credentials stand out from each other. As you peruse the options on the market, you’ll likely notice differences in these areas.

Communications protocols: Near Field Communications (NFC) and Bluetooth are two of the more popular short-range communication standards used in smartphone credential products. Both use radio waves to transmit. NFC generally consumes less power than Bluetooth and requires a much closer proximity to the reader. The latter can be a positive or a negative, as it prevents interference from other devices trying to communicate from farther away. Bluetooth offers a longer range for communications, and most smartphone owners are familiar with it from wirelessly connecting earpieces or speakers.

Where credentials are stored: Depending on the manufacturer, users’ permissions and credentials may be stored in the cloud or another secure location. They should never be stored on the phone itself – to learn why, see “How to Avoid Potential Pitfalls.”

Physical token options: Smartphones may seem ubiquitous, but not everyone has one yet. To accommodate every person in your facility, you’ll need to be able to supply alternative credentials to people who don’t own smartphones. These can take the form of the traditional cards, fobs or badges. “Think about an analogy from the physical world like credit cards. Even if you have Apple Pay, you still own a physical credit card and you might even pay in cash,” explains Bernhard Mehl, Co-Founder of Kisi, a smartphone-enabled keyless entry system. “You might as well have both the mobile app and the card available.”

How people are prompted to sign up: There are a few small differences in how manufacturers onboard users and assign permissions, and none are necessarily better than the others. Typically, either a user will request access or someone at your company will set up a meeting with them and then send over download and installation information. From there, the user will download the app, make an account and receive a key that they can hold up to the reader when they visit.

For guests, create temporary keys that only work on a certain day over a certain time period, suggests Paul Bodell, President and CEO of smartphone access control manufacturer VIZpin. “If I know you’re coming to visit me, I’ll send you a key that’s good for next Tuesday from noon to 6 and within seconds you’ll have that key on your phone, but it won’t work until next Tuesday when you’re at my facility,” Bodell explains.
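A time-limited guest key like the one Bodell describes can be enforced entirely on the server side, as in the following added example (it is not code from the article or from any vendor it quotes). The names GuestKey, issue_guest_key and check_access, the fixed UTC-5 facility clock and the sample key are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the facility keeps a fixed UTC-5 clock (constructed for this example).
FACILITY_TZ = timezone(timedelta(hours=-5))

@dataclass
class GuestKey:
    door: str
    not_before: datetime  # timezone-aware start of the visit window
    not_after: datetime   # timezone-aware end of the visit window (exclusive)
    revoked: bool = False

KEYS = {}  # server-side store; the phone only ever presents a key_id

def issue_guest_key(key_id, door, day, start_hour, end_hour):
    """Register a key valid on one facility-local day between two hours."""
    start = datetime(day.year, day.month, day.day, start_hour, tzinfo=FACILITY_TZ)
    end = datetime(day.year, day.month, day.day, end_hour, tzinfo=FACILITY_TZ)
    if end <= start:
        raise ValueError("validity window must have positive length")
    KEYS[key_id] = GuestKey(door, start, end)
    return KEYS[key_id]

def check_access(key_id, door, now):
    """Decide one unlock request; returns (allowed, reason) for the access log."""
    if now.tzinfo is None:
        raise ValueError("naive timestamp: refuse to guess the time zone")
    key = KEYS.get(key_id)
    if key is None:
        return False, "unknown key"
    if key.revoked:
        return False, "revoked"
    if key.door != door:
        return False, "wrong door"
    if now < key.not_before:
        return False, "not yet valid"
    if now >= key.not_after:
        return False, "expired"
    return True, "ok"

if __name__ == "__main__":
    from datetime import date
    issue_guest_key("guest-42", "lobby", date(2017, 9, 5), 12, 18)  # a Tuesday
    for hour_utc in (16, 17, 23):  # 11:00, 12:00 and 18:00 facility time
        t = datetime(2017, 9, 5, hour_utc, tzinfo=timezone.utc)
        print(t.isoformat(), check_access("guest-42", "lobby", t))
```

Because the window is stored and compared as timezone-aware values, a request stamped in UTC is judged against the facility's local noon-to-6 window correctly, and changing the clock on the phone has no effect on the decision.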

How It Can Help

By their very nature, smartphone credentials are harder to lose, Bodell explains. “People don’t really take ownership of a card or a fob, and they’re likely to share those. If you go to a large office building and someone has to leave the conference room to use the restroom, somebody will say, ‘Here, just take my card and use it to come back in.’ There’s no way someone will just give you their phone because people value their phones much more than a credential, so they’re much more likely to take care of it.”

Most phones also incorporate multi-factor identification, a security system that requires users to authenticate their identity with more than one method, Bodell says. With mobile devices, this often takes the form of something the user knows (like a password or PIN) plus something the user has (the physical phone and its unique device identifiers). “If you have a smartphone access credential, you’d have to unlock your phone to use it,” Bodell adds. “That means nobody can grab your phone, unlock a door, and put it back before you notice, whereas with a traditional card or fob you could easily do that. RFID technology for cards and fobs is also very easy to hack, but smartphones have other security layers built into it to prevent you from doing that.”

Implementing smartphone-based credentials also sharply reduces the amount of time you’ll spend issuing and replacing cards or other keys across your portfolio, even though you’ll likely still have to issue some physical credentials for people who don’t have smartphones. Bodell describes one customer who spent about 15 minutes per person per year replacing cards for roughly 1,000 employees – meaning that over 250 hours were wasted just issuing new cards. Most FMs can think of quite a few things they can get done with an extra 250 hours. Being able to issue credentials remotely also allows FMs to issue access permission from a central location rather than having to travel to buildings throughout a portfolio, Mehl adds.

“A smartphone credential can move from phone to phone without calling up HR or the security manager or receptionist and saying, ‘Hey, I lost my card. Can you issue me a new one?’” Bodell says. “If someone loses their phone, they can get their keys securely transferred to their new devices without having to go remove a card and add a new one. You don’t have to worry about someone using the old phone to get into the building because you have to log into your phone. Smartphone credentials are also a fraction of the cost of an RFID card.”

What to Look For

Start by determining why you’re considering adding smartphone credentials to your facilities in the first place, Mehl suggests. Common reasons include a desire to build on a brand vision by incorporating innovative technology in the workplace, streamlining operations at a fast-growing company and boosting security to become compliant with requirements or respond to an incident. Then determine what specific objectives you need this new component of the access control system to accomplish.

“Write down everything you’d need before you even talk to anyone about a new system,” Bodell says. “For example, I need to be able to grant access with scheduling, and I need to be able to easily revoke access when I need to. Separate them into a list of needs vs. wants. The probability that you’ll get a good system is much higher than if you just brought someone in and said, ‘Hey, we need access control. Can you give me a quote?’”

Depending on your current setup, you may need to look for a system that can both offer smartphone credentials and integrate with older legacy systems. Migrating to a modern access control infrastructure while keeping the current system running during the transition is a common FM hurdle, Mehl explains. Some systems require additional cabling, network access and the IT department to add smartphone credentials to existing access control, while other packages are available in a standalone form that uses the cloud to send a signal from the credential reader to the unlocking mechanism. Weigh the merits of each and determine how well each access control offering matches your needs, then look at testing the system that matches the closest.

“Build a pilot project in one facility – say, three doors for three months – and prove that users will accept the technology and unlock the doors with their phones like they would with the card,” Mehl says.

“Prove that you have a lot less work and better security with the technology installed, then replicate that model across your facilities. That’s how you reduce risk. If you ask a vendor what a pilot would entail and they have no good answer to that, their system is probably too inflexible.”

How to Avoid Potential Pitfalls

As you compare the various ways to incorporate smartphone technology into your access control system, make sure the system you ultimately choose isn’t setting you up for failure. Knowing how the associated app manages users’ keys is crucial, for example, because an app that’s not secure enough can pose major problems. The keys should be more difficult to get to than a simple username and password, which aren’t specific to the phone itself and can often be guessed.

“You want to make sure it has the appropriate levels of security and encryption in the Bluetooth communication so that some high school kid can’t listen to your Bluetooth signal, replay it and get in the building. Some of the new pop-up apps don’t have that security on them,” Bodell says. “One of the great advantages of Bluetooth is that it’s a long-range technology. The signal can travel 30 to 50 feet away sometimes, but that’s a double-edged sword. The app has to be smart enough to know which doors are closest to you and which ones you have access to. In no case do you want it to be a hands-free environment because you could accidentally activate the reader when you’re not alongside the door. Ideally, you should be able to walk up with the door-opening app, have it see the door closest to you and say, ‘Is this the door you want to go through?’ and you would give it that confirmation.”

The app also shouldn’t use the device’s memory to store keys because if the device is stolen or copied, so is the key, Bodell adds. Even the most basic smartphone-enabled access control packages should store the credentials themselves in a secure location, like the cloud. “Keep the device dumb and don’t provide people with a way to get your data easily,” Bodell says.

Make the switch easier on yourself by looping in your IT department from day one. They can review potential purchases to make sure that everything will integrate seamlessly with the existing IT infrastructure. “Many of the security problems other companies have had in the past arise from the wrong setup, like connecting an internet cable that provides unprotected access to the network,” Mehl says. “The IT department would definitely have a problem with that, so have someone from IT looking at everything on the hardware side.”

5 Tips for Extra Security

Don’t settle for just meeting the minimum requirements where security is concerned. Put occupants’ minds (and your own) at ease by implementing any of these security measures.

1) Protect credential readers from vandals and hackers. Bodell suggests mounting the readers on the secure side of the door to foil unwanted visitors from tampering with the reader or installing their own technology to skim users’ credentials.

This also has the side benefit of protecting the readers from the elements. Set the activation range at a sensible distance so that no one accidentally unlocks the door from the inside just by walking down a nearby corridor.

2) Prepare for dead phones. Inevitably, someone’s phone will run out of power before they manage to open the door. Instead of manually letting people in, consider installing an outlet near the main entrance where people can plug in just long enough to unlock the door.

3) Create a paper trail. The access control system that phones link to should keep access records so that if someone does get into an area they shouldn’t be in, you can consult your records and narrow down who might have let that person piggyback. “It should create tracked events that say this person unlocked the door at this time,” Mehl says. “When the system tracks events, it should also be transparent to the user when they consciously unlock the door.”

4) Tie employee access rights into a central database. When someone leaves an organization, things like their company email accounts are disabled. Tie access credentials directly into a company directory or other central repository of employee data so that when someone is removed from the directory, they also lose access to the building, even if they forget to delete the app from their phone. This removes the possibility of manual error, Mehl explains – specifically, forgetting to remove someone’s access privileges after they part ways with the company.

5) Ensure secure communication between the phone and the reader. “There can’t be a way for someone else to socially engineer and hack your system,” Bodell says. “With a Bluetooth system specifically, make sure your system is completely immune to a replay attack. Most Bluetooth devices will just broadcast an ID, and a hacker doesn’t even have to understand what the message is, they just have to record it and replay it just like an RFID card. Every time you unlock the door or activate the reader, a secure system should constantly change the messaging. In our case, it changes several times a second.”
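The difference between a reader that accepts a fixed broadcast ID and one whose messages change on every unlock can be shown with a short simulation. This is an added example, not code from the article or from any product it mentions; the class names, the HMAC-SHA256 challenge-response scheme and the per-device secret are assumptions chosen to illustrate the idea, and where the phone keeps that secret is outside the example.

```python
import hashlib
import hmac
import secrets

class StaticIdReader:
    """Weak design: the phone broadcasts a fixed ID, so any recording stays valid."""
    def __init__(self, allowed_ids):
        self.allowed = set(allowed_ids)

    def unlock(self, frame):
        return frame in self.allowed

def phone_response(key, device_id, nonce):
    """Phone side: MAC over the reader's challenge with the per-device secret."""
    return hmac.new(key, device_id.encode() + nonce, hashlib.sha256).digest()

class ChallengeReader:
    """Reader issues a fresh random challenge per attempt and accepts it once."""
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> secret (bytes)
        self.pending = set()            # challenges issued but not yet used

    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def unlock(self, device_id, nonce, tag):
        if nonce not in self.pending:
            return False                # never issued, or already consumed
        self.pending.discard(nonce)     # single use, even if the tag is wrong
        key = self.device_keys.get(device_id)
        if key is None:
            return False
        expected = phone_response(key, device_id, nonce)
        return hmac.compare_digest(expected, tag)

def replay_outcomes():
    """Run one genuine unlock, then present the recorded messages again."""
    key = secrets.token_bytes(32)       # constructed secret for the demo
    weak = StaticIdReader({b"ID-0001"})
    strong = ChallengeReader({"phone-1": key})
    n1 = strong.new_challenge()
    tag1 = phone_response(key, "phone-1", n1)
    return {
        "static_replayed": weak.unlock(b"ID-0001"),
        "genuine": strong.unlock("phone-1", n1, tag1),
        "same_challenge_again": strong.unlock("phone-1", n1, tag1),
        "old_tag_new_challenge": strong.unlock("phone-1", strong.new_challenge(), tag1),
    }
```

When evaluating a product, the equivalent check is to capture two consecutive unlocks of the same door with the same phone and confirm the transmitted messages differ.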

Janelle Penny is Senior Editor of BUILDINGS.
