Full Steam Ahead for Mobile Credentials?

Mobile credentials have been a much touted and talked about technology in recent years — from the first unsettled times when no one knew if NFC or Bluetooth would be the preferred platform, to more recently as prominent manufacturers and their partners have introduced a host of solutions to the security marketplace. The question is where do we go from here? Will mobile credentials be the smart card of the 21^st century, always “just around the corner” but taking many years to become mainstream? Or will it be the next IP video that transforms the industry in a matter of a few short years?

“Within the enterprise marketplace, mobile credentials are starting to pick up a little bit of steam,” says Art Perez, senior applications engineer, Honeywell, Melville, N.Y. “Some of that trend to use mobile credentials is coming from hotels that offer mobile check-in and credentials.”

Another hot spot for mobile credentials is college campuses, where today’s students have grown up with a smartphone at their fingertips. “Everyone carries their phone with them,” Perez says. “Colleges and universities started talking about it a few years ago, but now they are taking a deeper dive into it.”

Perhaps a less obvious fit for mobile credentialing are some enterprise markets that require compliance reporting such as NERC-CIP and other regulation-dependent industries. Many of these facilities that have been hanging on to older technology such as first generation smart cards or even proximity — which is now well known to be unsecure and easy to clone — are now looking at switching out their credentials and readers. “Mobile becomes a piece of that,” Perez explains. “We have a couple of large, global customers that are switching over to our platform, which features readers that are mobile-ready. Even though they may not deploy [mobile credentials] right away, they are putting the infrastructure in place to do it down the road.”

Perez adds that he has seen quite an uptick in this type of preparation. “It has gone from maybe five to 10 percent of customers two or three years ago to 30 to 40 percent of customers today looking to update their readers to be mobile-ready for the future. That trend is continuing to go up.”

One reason is that mobile allows for both ease-of-use, and high security, he says. “When I go to a customer site and talk about secure credentials … we discuss how to continue future proofing a system and part of that discussion is the fact that mobile credentials are secure. The same way you have encryption on a smart card you can have it on a mobile phone.” In fact, with passwords and biometric options on smartphones today, it is even possible to have dual (or more) authentication, all from the mobile device.

But there are still a few sticking points keeping mobile credentials at the early adoption and preparation phase. One of these is the concept of bring your own device (BYOD). While some organizations embrace this idea, others are not on board.

“I think that piece is still in the investigative state,” Perez says. “We have some customers with union or contract employees that don’t want to issue an employee a company device, nor do those employees in a lot of cases want to have anything that is work-related on their personal phone. I have had a little pushback on that. But we have other situations such as college campus environments or the friendlier tech companies that love BYOD. They see it as being productive. There are still two schools of thought.”

Another issue with BYOD is that while mobile credentials can be inherently as secure as a card, policing a personal device can be a sticky issue. “If I am allowing you to come into my network on a personal device that I am not managing there is a potential for loss of data; so some companies are anti-BYOD,” Perez explains.

Delivery and pricing is another area that is still being worked out. While the industry has pretty much standardized on Bluetooth as the technology of choice (after Apple’s reluctance to open its Near Field Communications up to other applications), the method of delivery and how it is priced can vary widely. Considering the average person changes phones at least once every two years, things can get complicated.

“There are some grumblings about that pricing model, Perez says. “Manufacturers are still trying to work out how exactly to make it a little more attractive. Instead of reissuing at the cost of a brand new credential, maybe they charge a change or move fee. But with the push to everything becoming as open and flexible as possible some will say there is a one-time fee and if you move or change devices we will move with you,” Perez says. “Others will require back-end software development and a fee to make that change.”

One of the objections naysayers of mobile often point to is the desire on the part of many companies to have their employees and visitor wear visible badges, which have traditionally been married to some sort of access control technology. But Perez doesn’t see this as much of an issue.

“If they are already using a piece of PVC plastic that has technology and printing ID badges, they already have the template and printer. You can print on a [cheaper] piece of plastic that doesn’t have the technology and use the phone for the security portion.”

Overall, while Perez doesn’t see mobile credentials “hockey sticking” any time soon, he does see adoption coming much more quickly than some of the other long-promised access control technologies in the past — particularly biometrics.

“I think mobile will get adopted quicker and become more mainstream than biometrics,” he says. “I see mobile eventually being ubiquitous and just as common as the plastic access card, especially as younger generations enter the workforce.

“The younger generation would rather use that than an access card. As some of these people start to become a larger population in the workplace, the trend will have to match.”

While it may be more “slow and steady wins the race” than overnight success, Perez sees the future as bright for mobile credentials. “It will be faster than some other technologies. At the rate we are going, maybe within the next three to five years most companies that have a sense of really wanting to protect their physical environments will start updating and upgrading readers. As they become mobile ready, they will switch over.”

Join security leaders and practitioners across every industry and sector to gain the knowledge and capabilities you need to translate thought leadership into action. A world-class lineup of sessions and speakers will uncover the topics and tactics you need to know to stay vigilant today and as security’s landscape evolves.