Industry advancements that enable smartphones to carry credentials offer the opportunity for students, faculty and staff at university campuses to use a ubiquitous device to open doors and perform other tasks that require presentation of a secure credential. University administrators know that cell phones seem to be permanently in their students’ hands, making their use for access convenient and quite natural.
An Ideal Vehicle for Secure Credentials
In addition to improving convenience, mobile access enables universities to reap the benefit of cost savings on credentials. Plus, students lose their cell phones less often than they lose their cards so, ultimately, the cost for replacement credentials is reduced.
University employees also benefit from carrying credentials on their phones. They aren’t required to wear their ID cards, so they may arrive at a facility without one and have trouble gaining access. But since most carry their cell phone everywhere, the ability to gain access is a given if these phones also carry their credentials.
In addition, the latest solutions enable universities to implement mobile access on a variety of smartphones without the need for any hardware add-ons or attachments, such as having to insert a handset into a sleeve or slide if it does not support certain features. Institutions that have piloted our mobile access solution say that this improves user convenience while also giving the university a greater degree of flexibility in offering students, faculty and staff the ability to use their smartphone as their credential without incurring additional expense.
Pilot Findings
Pilot deployments have shown that a big requirement for mobile access adoption is the ability to use a broad range of phones without a sleeve, slide or other add-on accessory. University administrators have seen NFC pilots in the past but prefer a solution that doesn’t require additional hardware to work on a wide range of handsets. And when they can build on their existing infrastructure, it makes for a natural progression.
Universities are also using pilots to see if solutions are as easy to use as they sound in theory. Unless the alternative to using an existing card is as easy and convenient as mobile access, few administrators see people actually using it. They also need to be sure that the solution is secure and easy to administer.
Early areas of investigation have included questions about what happens to the system if the power goes out. When door access is with fail-over generators, users can still enter buildings during a power failure. Pilot participants also realize that, when using a smartphone for mobile access, the device itself must have battery power in order to start the communication between the smartphone and the reader.
Reactions from pilot participants have been very positive. According to one university administrator, “they love the convenience – rather than having to dig out their ID cards they just use their phones, which in most cases are already in their hands.”
Pilot participants have tested a variety of security options from within the mobile app. At one university, wireless network users are required to employ a PIN/passcode to lock the device so this also increases security. There are many layers of security to consider. Two such examples include:
- Mobile IDs are stored in an area of the device which has been designed for the storage of sensitive information. In addition, we are not storing the credential directly but rather SIOs (Secure Identity Objects). These are NIST Suite B encrypted and are tying the diversified key (no master key) to the device, so that it will not work on another device.
- The transaction between phone and reader is not dependent on NFC or Bluetooth Smart security. The system encrypts the data on top and also employs tamper detection, so that we know if sniffing attempts are being made. In addition, the device can be set up with a passcode, so that if lost, it cannot be used to enter the building.
Pilot participants have also cited a number of potential future applications for mobile access. Office suites and meeting spaces are ideal especially as many universities don’t require staff to display their ID cards, and yet know they rarely go anywhere without their phones. Beyond physical access control, one pilot participant said they would love to see readers available for vending, time and attendance management, point of sale, laundry access and use – in fact anywhere there is currently a card reader.