Mobile Access Misconceptions (1): Stolen Phone
One of the most recent, and relevant, advancements within access control was the introduction of mobile access functionality — a feature that piggybacks on the general mobility trend to enhance the user experience with physical access control. Let’s go back to the basics and discuss what this technology is and how it works.
What is mobile access and how does it work?
Mobile access allows your employees to enter physical and digital places by using a mobile device as an access control credential. The smartphone or wearable device contains a digital copy of a valid physical access control card, and in the case of HID Global, both the physical and the digital cards are protected by extremely secure encryption that blocks any cloning attempt.
How does it work? It uses the NFC or BLE capabilities of the device to communicate with a reader, using (in the case of HID Global) Seos® technology to securely authenticate the credential (i.e., the identity). The system then allows access to the physical or digital place, thing, or system, based on the rules defined by its administrators.
As mobile access adoption has grown and physical security started mixing with consumer electronics (smartphones and wearables), new issues began to appear, mostly for the end-users of the technology (your employees).
This article is part of a series in which I’ll address some concerns that potential users in emerging markets have expressed regarding the use of mobile access and how — as a security manager — you can approach them by providing accurate information.
In this blog, specifically, I hope to diminish some of the misunderstandings people may have if their smartphone is lost or stolen and ease the anxiety that comes with suddenly finding yourself without control of the information on your mobile phone.
Comparing Mobile Access to Traditional Locking Systems and RFID Credentials
For most people, their mobile phone is their daily lifeline to their jobs, family, and personal information. Regardless of the reason, when a situation arises that separates a person from their phone or device, there is an immediate concern about the personal information on the device. And naturally, if an access credential is loaded on the device, the concern extends to the possibility that someone unauthorized could use the mobile access system with which it is associated.
In today’s business world, many global companies have chosen smartphones as the access tool of choice versus brass keys or RFID card credentials to provide secure and highly convenient access to company locations.
Many companies are using mobile access installed on smartphones to give their employees access to their workplace or parking facilities. Companies have realized that mobile access offers them secure system management, simplicity, and financial benefits versus brass keys or RFID cards.
Brass keys issued to the entire workforce are not a cost-effective way to manage building access because a lost key means potentially re-keying the whole building (a very costly and complicated process!). Besides, the continuous monitoring and issuing of keys for individuals can be a security management nightmare.
RFID cards offer an advantage over brass keys but still have multiple challenges as the single-source access system for your building. Lost access cards can, and should, be rendered inoperable by having access rights deleted in the system and a new card quickly issued to the individual.
However, a lost RFID card may not be recognized as lost or stolen until the owner needs to use the card to access a building. It may take days for the card owner to realize their RFID card is not in their possession.
This is not true when a person loses their smartphone because the panic is nearly always immediate!
As mentioned earlier, because the mobile phone is a critical piece of everyone’s daily life, a missing phone quickly causes significant concern. However, it is important to establish that a lost or stolen phone does not automatically allow unauthorized individuals to use the mobile access system inside of that phone or to access company or personal information.
What actually happens to the mobile access if a mobile phone is stolen or lost?
It’s proven through industry research that people are much more diligent about protecting their mobile phone at all times versus an RFID card or brass key. Think for a moment how someone uses a mobile phone and how it is never very far from the owner at any moment of the day. If the mobile phone is missing, most people know it quickly.
When a person realizes that their mobile phone has been stolen or lost, what do they do? First of all, there is no need to panic, as the mobile access credential and personal information are not accessible to the person who may now possess the phone.
The owner may be concerned that an unauthorized person can now use their phone to access their company’s buildings. The first thing to do is contact the system administrator, who will immediately suspend the mobile access credential.
Additionally, most users protect their phones with passwords, PINs, or biometrics that can protect the credential on the phone from being used by a thief or opportunist. Even with BYOD (Bring Your Own Device) phones, the administrator can control whether a mobile credential can be used when the phone is locked or unlocked.
Once the access credential is revoked, the suspended credential will not be recognized as valid by the access control solution, even if the person holding the phone has it unlocked. The suspension of the mobile access credential on the mobile phone is immediate and much faster than managing an RFID card or brass key.
Once the person replaces the lost smartphone with a new smartphone, the mobile access app can easily be downloaded and the company’s system administrator can immediately re-issue a credential.
And though a mobile phone may not be with you for accessing a building, in many cases, companies install a backup solution for employees to gain building access. Regardless of the credential solution, the back-up system may include a complementary credential (an RFID card, master key, or admin password) or even a physical person, such as a security guard.
Another common strategy, and one that aligns nicely with mobile access, is the use of a Personal Identification Number (PIN). The PIN can be used as an additional alternative solution to access the building. So, if a mobile phone is lost or stolen, or the phone battery dies, company employees can use the alternate method, if authorized, to gain access. The mobile phone is really no different from a key or an RFID card in this respect.
Though users are generally passionate about maintaining the charge in their devices, this type of back-up solution is definitely something to consider. I also recommend that companies adopt a strategy of requiring phones to be unlocked for mobile access to work. This reduces convenience, as the app must be opened for it to work, but it increases security. The decision will be governed by the risk of unauthorized access balanced against the likelihood of phones being lost or stolen.
It’s important to emphasize that companies and individuals should generally have a backup procedure for accessing the building, for example with traditional mechanical lock and key, keypad (PIN) or RFID card. This is good practice regardless of the primary method of access control.
Losing the Smartphone Isn’t the End of Mobile Access
As you read earlier, losing the smartphone or having it stolen does not mean the user won’t be able to access a company building or control the information on the smartphone.
If the company and employees follow a few simple rules for managing mobile access on the smartphones, the pain of losing the smartphone will be minimized. Users won’t be giving the “bad guys” full access to their company’s buildings or their personal information contained in the smartphone.
Installing a mobile access system that balances security, privacy, and convenience, while offering important options and choices such as multi-factor authentication and enterprise-wide credential rules, is vital to maintaining a mobile access control system that remains secure, easy to manage, and sustainable.
In our next blog, we will talk about the operational procedures mobile access companies install to ensure that an individual’s private information is totally protected and eliminate concerns about protecting personal information on the smartphone. Until next time.
Luc Merredew has over twenty years of experience working for OEMs in the fire and security space, and in his current role for HID Global, Director of PACS Product Marketing, he covers LATAM, USA and Canada. Luc is based in Huntington Beach, CA and has been with Austin, Texas-headquartered HID Global for five years.