How secure is mobile access?
Today’s employees are increasingly carrying smartphones or wearables with them at all times. In fact, Gartner recently predicted that worldwide mobile phone shipments could exceed 2.5 billion units by 2016, and UK communications regulator Ofcom has observed that 66 per cent of adults in the UK now own a smartphone.
The physical access control industry has witnessed some major technological developments in recent years, with a shift from being product-centric to developing comprehensive solutions for end users. In the light of increased interest in cloud-based solutions and mobile-enabled platforms, more and more security managers are considering the possibilities that a mobile access system can provide for their physical security. Rarely misplaced and consistently in hand, the mobile device has become the most valued technology we own.
However, as a recent trend report by IFSEC Global revealed, almost 80% of security managers surveyed feared that integrating mobile access solutions into their physical access control architecture might actually increase system vulnerability.
So what are the major concerns for security managers? There are multiple aspects for them to consider. Is the digital credential as safe as a physical badge? Can it be copied easily, or could an employee manipulate the data on their private phone within a BYOD strategy? How secure is the wireless transmission of the keys? Can the communication path between a phone and reader be captured and used for fraudulent purposes? Security managers rightfully ask these questions, as they would like to know how protected their buildings and on-site premises will be if they opt for mobile access. The overarching question is whether we are sacrificing security for convenience.
This article addresses these questions, demonstrating that mobile access systems are more often than not more secure than legacy building access cards, so concerns over whether mobile access is secure are unfounded.
Mobile credentials are based on the latest technology advancements
It is paramount that encryption methods meet stringent security criteria. A secure mobile access system will typically have security protocols that are certified by credible independent institutions. Examples include Suite B Cryptography algorithms, the Advanced Encryption Standard (AES), namely AES-128, and the Secure Hash Algorithm (SHA) by the National Institute of Standards and Technology (NIST). A mobile access system that is standards-based and complies with these rigid security protocols, incorporating secure messaging and strong authentication, gives security managers peace of mind that their employees’ data will remain confidential.
Mobile IDs cannot be manipulated
Mobile identities must be signed and encrypted to prevent manipulation. All mobile identities and user information should therefore be protected in a secure vault provided by hardware security modules, where all encryption keys are stored and used in cryptographic operations. The mobile IDs themselves are stored in the app’s operating sandbox, an area within the device designed for the storage of sensitive information. The stored information is encrypted, so it cannot be cloned or stolen via unauthorised access to the phone. Mobile IDs are not transferable, but specific to the device they have been issued to. All cryptographic keys are device-diversified, so no master keys are stored on the device. Each Mobile ID is unique per device.
Transmission between a mobile device and the access control reader
When an employee is granted access to a building or on-site premises, the transaction between the mobile app on the mobile device and the access control reader is independent of the communication protocol in use. Over-the-air transmission via NFC or Bluetooth Smart to issue the key is protected by the latest technology, so the key cannot be stolen when authorising access. The device and reader both use high-security cryptographic communication techniques to prove to each other that they are trustworthy. Furthermore, no Bluetooth pairing is required between reader and device, as only eligible devices can interact. Each slot in the vault is protected by an authentication key and none of the slots rely on NFC or Bluetooth Smart security. In fact, the mobile access app can be configured so that the Mobile ID is only active when the screen is unlocked, to prevent relay attacks.
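An added example (not from the original article or any vendor's product) of the two ideas described above: device-diversified keys, and a reader and device proving themselves to each other without relying on NFC or Bluetooth link security. HMAC-SHA256 as the derivation and proof function, the reader holding the master key, and all names and sample values are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

def diversify_key(master_key: bytes, device_id: bytes) -> bytes:
    """Per-device 128-bit key; only this derived key is ever put on the phone."""
    return hmac.new(master_key, b"mobile-id|" + device_id, hashlib.sha256).digest()[:16]

def proof(key: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    """MAC over both fresh nonces; the role label stops one side's proof being reflected."""
    return hmac.new(key, role + first + second, hashlib.sha256).digest()

class Device:
    def __init__(self, device_id: bytes, device_key: bytes):
        self.device_id, self._key = device_id, device_key

    def hello(self):
        self.nonce = secrets.token_bytes(16)
        return self.device_id, self.nonce

    def respond(self, reader_nonce: bytes, reader_proof: bytes):
        # Authenticate the reader first; give nothing to a reader that fails.
        expected = proof(self._key, b"reader", self.nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None
        return proof(self._key, b"device", reader_nonce, self.nonce)

class Reader:
    def __init__(self, master_key: bytes):
        self._master = master_key  # assumption: held in the reader's secure element

    def challenge(self, device_id: bytes, device_nonce: bytes):
        self._key = diversify_key(self._master, device_id)
        self._dev_nonce, self._nonce = device_nonce, secrets.token_bytes(16)
        return self._nonce, proof(self._key, b"reader", device_nonce, self._nonce)

    def verify(self, device_proof) -> bool:
        if device_proof is None:
            return False
        expected = proof(self._key, b"device", self._nonce, self._dev_nonce)
        return hmac.compare_digest(expected, device_proof)

def authenticate(reader: Reader, device: Device) -> bool:
    device_id, device_nonce = device.hello()
    reader_nonce, reader_proof = reader.challenge(device_id, device_nonce)
    return reader.verify(device.respond(reader_nonce, reader_proof))

MASTER = bytes(range(32))  # constructed sample key, for illustration only
phone_a = Device(b"phone-A", diversify_key(MASTER, b"phone-A"))
clone = Device(b"phone-B", diversify_key(MASTER, b"phone-A"))  # key copied to another device
```

Fresh nonces on both sides mean a recorded exchange is useless in a later session; relaying a live exchange is a separate problem, which the article addresses with the screen-unlock setting.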
Mobile access control systems also create a culture of security even if your employees do not realise it. With card or token access to buildings and on-site premises, staff are effectively burdened with the responsibility of constantly carrying an additional item, one they would not normally carry. As such, if their card is lost or stolen, they are less likely to notice it and hence slower to report it. This leaves your physical infrastructure vulnerable, with a valid card potentially falling into the wrong hands. Conversely, employees feel more attached to their mobile devices, so if a phone is lost or stolen, it is reported right away and the mobile ID can be immediately revoked, thus preventing unauthorised access.
Mobile architectural access technologies have significant scope for development and expansion. One advantage of mobile devices is the ability to dynamically update the security software, whereas updating data on cards takes more time and involves additional costs. As a consequence, the mobile environment allows a quick response to security issues.
Furthermore, mobile handset providers are increasingly offering advanced security technology such as biometrics – fingerprint recognition, facial recognition and even voice recognition, resulting in more robust security of mobile devices. Hence a stolen phone is useless for gaining unauthorised access as the application is secured via protective software on the phone, making the phone even more secure than physical credentials.
As demonstrated, while security managers are right to question the security of mobile access systems, this technology has proven itself very capable of standing up to security threats to buildings. Being able to offer multiple security layers, dynamically responding to security issues, inspiring employees to better protect physical architecture and being on the cusp of new security developments, mobile access is a secure choice for any business’s building access control system.
Jaroslav Barton
Segment Director Physical Access Control, EMEA, HID Global www.hidglobal.com