The replacement of corporate door-access keycards is picking up pace as ever-smarter Internet of Things (IoT) authorisation systems are fed a growing volume of contextual information, a leading access-control executive has said while acknowledging the challenges of securing user access while retaining user convenience.
Reaching those goals is a continual process of improvement that was being informed by early moves by more than 700 “very large enterprises”, Serra Luck, vice president of HID Global’s End User and Consultant Business, told CSO Australia. Every day, 34,000 doors are opened using smartphones across 58 countries.
“We are farther ahead than proof of concept now,” she continued. “That doesn’t mean cards will go away soon, but our customers say they see the co-existence of these two trusted entities going for some time.”
Mobile access was proving particularly useful because its associated back-end infrastructure – which maintains access credentials and enforces policies centrally – allowed more flexibility for companies to do things like grant door-specific access, time-limited access or access to particular parts of the company for contractors whose credentials can be granted just for specific times across a set number of days.
Removal of the need to issue standalone access cards offered more flexibility in high-volume environments and situations where contractors were working in far-flung locations where physical access cards weren’t necessarily available to be issued.
Smartphones also offer the opportunity to combine other forms of information and biometrics, enabling the enforcement of access-control policies based on other factors such as the location from which a person is trying to access a site.
“It’s about how we put together all the information about an identity to make it a trusted identity,” Luck said. “You can see who does what, when, according to the rules they have around that. And your identity is not transferrable;
Such methods are also being explored across non-access control situations as vendors and service provider pursue new ways of doing away with password-based authentication.
By 2020, Gartner has predicted, 20 percent of organisations will be using smartphones instead of traditional physical access cards.
“Replacing traditional physical access cards with smartphones enables widely sought-after cost reductions and UX benefits," said Gartner research director David Anthony Mahdi in a statement. "We recommend that security and risk managers work closely with physical security teams to carefully evaluate the UX and total cost of ownership benefits of using access credentials on smartphones to replace existing physical cards."
As a subsidiary of door-lock giant Assa Abloy, HID Global has the corporate backing to deliver technology that is both robust and easy to use – a core consideration for mass-market applications that require user intervention.
“People want to be secure but they don’t want to know they are being secure,” Luck said. “If there are no plastic cards, and we can do the provisioning of a trusted identity to you over the air, you can have it on your phone and it will function like a card.”
Greater adoption of smartphone-based access control will also provide a gateway to broader consumer adoption of smartphone-based identities: the company’s HID goID platform, for one, enables smartphones to link up with smart building systems, IoT networks, and to act as secure repositories for drivers licenses, social-benefits cards, and more.
Government authorities have been pushing towards digital credentials from their end, with the NSW state government allocating $12.3m to a digital license program that has so far seen Service NSW offer fishing, Responsible Service of Alcohol, Responsible Conduct of Gambling Competency Cards, boat driving licenses and vessel registrations through its Service NSW mobile app.
Driver’s licenses are next off the rank, with pilot tests of digital drivers’ licenses expected by the end of this year as part of the state’s digital-identity project.
Broader support for HID goID and its ilk would allow for more general-purpose digital-license platforms supporting credentials from a range of sources – and secured using centrally managed policies of the sort that corporate users are already adopting.
“There are a lot of benefits that we see coming from this optimisation,” Luck said, noting that the benefits had to be balanced with a careful security-enforcement practice including regular penetration testing and layered security measures.
“We care a lot about compliance and security. There is demand for an ecosystem for a better user experience – and with a lot more players in the space, everyone is bringing their own value to the security value chain.”