Exclusive: When is a credential more than just a key?

January 19, 2022


Steve Wintle, Head of Critical Infrastructure, Abloy UK discusses the role mobile credentials play in controlling access at important sites.

When we talk about access rights and “credentials”, it can mean a number of things. A credential could come in the form of a key, a fob, a card or, as is increasingly being requested, a smartphone. Forecaster IHS Markit predicts that more than 120 million mobile credentials will be downloaded in 2023. This is a huge rate of growth in comparison to the 4.1 million downloads recorded in 2018.

There are a number of reasons for the increased demand for mobile credentials, including a need for flexibility and convenience and an easier way to manage access rights with instant delivery. In addition, mobile credentials are a sustainable option and are seen as a more secure way to manage access, particularly as people are less likely to lose a mobile phone in comparison to other credentials.

17.3% of card or fob users lose at least one card or fob annually, thus compromising security and creating a cost for the organisation to replace. So, what are the pros and cons when it comes to mobile credentials? Moreover, where do their strengths and weaknesses lie?

Identity verification

Identity verification has become commonplace, especially in the realm of online shopping. A mobile credential can verify the identity of an individual, something seen as a great advantage over a physical key, fob or card credential.

Consumers are familiar with having to enter a verification code when using a shopping app to confirm their identity, offering peace of mind that their details are secure. Passwords are no longer enough in the cyber world as they can be shared, stolen and copied, just like some keys. The only way to overcome this issue is to verify the identity of the individual attempting to gain access – something which a mobile credential does very effectively.

Furthermore, if a key or fob goes missing, it can easily be used by any person that has it in their possession. In contrast, if a smartphone goes missing, the level of security on the device means that it will be incredibly difficult for someone to access it, let alone get far enough to utilise the credential. People are more likely to notice if they have lost a mobile than if they misplace a key or fob. This means the organisation can be quickly alerted to the missing smartphone so that they can revoke access instantly using the credential’s management software.

Managing the credential

With all these advantages, it’s easy to forget there is still a management requirement for a mobile key. Mobile credentials can be convenient and flexible and in some cases practical for external applications, but it’s not the credential that’s providing the actual security. The credential provides confirmation that the holder can access site or open a lock – and that’s where the practicality issues come into question.

The credential is seen as the answer to no physical keys, which has been a challenge for most businesses to manage. The reality is that a mobile credential still needs to be managed and this seems to be a factor that’s not clearly understood. Without question, the integration of mobile technologies with Permit To Work ticketing and individuals’ training and competencies systems can make the management of controlling access easier and at the same time enforce compliance.

Ultimately, automation will allow the process to happen routinely, providing a seamless and efficient operation and enabling the exceptions to be scrutinised. However, beyond the credential, little thought is often applied to what it could operate.

Lock vulnerability and battery concerns

Mobile credentials require a lock that has an inbuilt reader, a power source and something to operate it; turning the lock is a function traditionally performed by a key. At present, a large thumb turn is usually provided on the outside, acting as the reader and a means of operating the lock. This design leaves the lock vulnerable for a vandal or organised criminal to attack and disable, causing disruption and potential easy access for the perpetrator. This in turn also causes an issue for the authorised engineer or contractor needing to gain access.

If it’s a high security door, then how do you protect the thumb turn with a high security shroud against hammer or drilling attacks simulated by the LPS standards? In this instance, a key is a more practical means of securing and controlling access to critical assets.

Amongst other concerns raised by integrators around the implementation of mobile credentials for access control, phone battery life was listed as a potential issue. A phone with no battery charge means no access can be granted by the user which can impact a business in terms of lost working hours. This is where unpowered fobs or cards, as well as physical keys, are seen as a more reliable source of credential.

Effective use of mobile credentials

Keyless solutions aren’t perfect for every application and keys are still a very practical solution, especially for legacy estates with traditional locking mechanisms. The practicality of keyless solutions working in harsh remote conditions is completely different from warm dry office applications. In addition, there will be certain environments where mobile phone usage is simply not permitted.

Although there can be barriers to success with mobile credentials, there are instances where the technology can thrive and come into its own. For example, a credential carried or sent to a mobile phone is ideal for shared site access. This is perfect for a visitor needing to access once, rather than on a regular basis.

ABLOY BEAT is a prime example for this type of scenario, offering the ability to use a phone to grant access to a padlock. The padlock is physically secure and access is managed via an app controlled by the same piece of mapping software as PROTEC2 CLIQ. Both solutions provide controlled access by tethering with a mobile phone.

CIPE Manager

CIPE Manager from Abloy UK brings together a keyless solution, an electromechanical key solution and a mechanical key solution that can secure all applications with easy management – with all three elements working together.

CIPE Manager is tailored to give a comprehensive situational overview and increase operational efficiency in critical infrastructure access management. The solution allows organisations to manage all their keys, locks and access rights from any location, with a user friendly, cloud-based management system. CIPE Manager connects with every locking solution in Abloy’s digital portfolio, including Abloy BEAT the keyless Bluetooth padlock, the electromechanical PROTEC2 CLIQ as well as Abloy’s high security mechanical master key systems.

This range of traditional and digital access solutions can be combined in a variety of ways to meet virtually any requirements, providing flexible, scalable and compliant security whilst helping to control the movement of people in a wide range of industries, building types and applications. CIPE Manager is designed for day-to-day operational use by security, operations and facility management who control and manage access rights to their organisations’ critical infrastructure sites and facilities. Typical sectors include energy, water, telecom, oil, gas, rail, ports and airports.

CIPE Manager includes a highly visual map-based user interface that provides a clear overview on the variety of locking points. With CIPE Manager, the user can connect the organisation’s mechanical, electromechanical and keyless locking solutions into the same system. This allows extensive situational awareness and efficient access and key management. The user interface is also browser-based, allowing the management of keys, locks and access rights remotely from any location with most mobile devices or desktop computers.

With the world adopting and becoming more reliant on technology, it’s clear to see why mobile credentials are fast becoming an attractive option when it comes to managing access control.

However, the pros and cons raised prove that there is a place for this kind of technology but with the requirement for alternative solutions in certain environments. Ultimately, the key is still a very practical credential and shouldn’t be written off as a less robust access solution. By choosing a solution such as CIPE Manager, critical infrastructure organisations can get the best of both worlds and adapt their credentials for different applications in relation to their requirements.

For further information, visit: www.abloy.co.uk, call 01902 364 500 or email [email protected]

This article was originally published in the January 2022 edition of Security Journal UK. To read your FREE digital copy, click here.

Read Next