The Future of Virtual Credential Systems


Using mobile devices for credentialing promotes increased security

Jason WrightBy Jason Wright

Jason Wright is Project Manager, Security at Guidepost Solutions in Oakland, California. He has more than 20 years of experience encompassing security, quality and safety management for tech companies.

Weigand communication is a technology that was initially developed to wirelessly count the revolutions on a vehicle’s transmission. For one reason or another, this communication protocol has served as the standard for access control system communication, card readers and access control card credentialing since the 1970s. It provides a standard means for sending and receiving information, but its limitations include a lack of robustness when attempting to provide secure communication. It can also be easily exploited. There is a need for a more secure solution for the communication and credentialing process. A logical first step is to move the communications credentialing process to a digital platform. Mobile devices are standard issue, with today’s employees staying connected via smart phones, utilizing the camera, calendar, music player, pager, phone and internet features. Using mobile devices for badging/credentialing can decrease the cost of physical badge management, while simultaneously increasing the security and efficiency of an organization.

Cost savings include more than just physical badge production and administration. They also include employees’ missed work time when a badge is lost or damaged, as well as the administrative logistics of providing replacement badges and sending badges to remote offices. Furthermore, the use of mobile devices for credentialing eliminates the need to have badging stations and printer equipment when onboarding new employees.

Using mobile devices for credentialing promotes increased security. While the current token system only requires personal possession to activate, mobile devices require the application of multiple verification factors. A keypad PIN, a security feature in widespread use for decades, can become a requirement when using a token system on a mobile device, as can biometric user verification, which uses facial and fingerprint identification. Apps to store personal information are readily available on mobile devices, which makes adding these features simple. Area access to parts of a building may require one, two, or all three methods of verification for access depending on the criticality of the space.

Changing the type of credentialing is only one step in the process. In addition to mobile device security, the entire access process must be secured. One method of doing this is two-factor authentication, which requires that security be in physical proximity of the device, or device validation from system administration. Data encryption should use SSL 256-bit encryption as a minimum, and an encryption of 1024-bit or more as recommended for RSA sites. Credentials must be secured in a digital wallet on the device. These credentials should not be able to be recovered from a data backup restore on the cloud or included in the physical device identifiers on the credential chain. To prevent interception, data manipulation and relay attacks, the encrypted credential file must be transmitted to the reader with near-field communication NFC tag encryption. A good way to reduce the risk of hackers exploiting a weak link in the chain is for the credentialing information to be encrypted and sent over the network from the reader to the access control system equipment. As mobile devices and operating systems evolve, it is best practice to employ this credentialing on current technology, with updated devices employing the most current operating systems and security patches.

The technology for this migration is currently available. Mobile technology benefits the employer because it provides more detailed information for securing areas of a facility. Currently, a single red light on the reader indicates a “denied access” confirmation as feedback to the user, but using mobile technology credentials allows the system to send a message directly to the user’s phone. This message provides additional information as to why access was denied, or whom to notify to gain access. Employing security in partnership with operations, and active mobile communication between employer and employees will improve communication and relationships, while still maintaining the value that a secure environment provides for all.

Read more from this issue of S2 Connect Magazine