Mobile Access: but when?

Actually, we've already gotten used to it: we grant ourselves access. The concert ticket booked online gives us access to a specific service during a predefined time at a predefined location. While "print at home" and e-tickets rely on a barcode being scanned on site, the app now goes one step further: actually opening the door. The application is particularly popular for hotels. Here, too, we have already become accustomed to entering our customer data ourselves for the booking, and the payment process is also carried out manually.

Here, too, we have thus acquired the "authorization" to gain access at a specific location during a specific time. The automatic transfer of this authorization to an app is only the next logical step. There have long been practical examples where the hotel guest opens his room door directly with the app without having visited a check-in beforehand. Of course, if booked, other accesses such as the parking garage, spa, lounge or even the opening of the minibar can also be activated. All this is done automatically and without the need for hotel staff.

Mobile Access in Trend?

The associated technology has been available for smartphones for around ten years. The prerequisite for its use is an NFC- and BLE-enabled device, and the right app. Here, too, we have already become accustomed to it. Payment transactions, e-banking and patient apps for lab reports or the Swiss Covid app: we use one or more apps for many sensitive applications.

So why not for access as well? Of course, the infrastructure, i.e., the opening mechanism of the door, must also be ready for the application: BLE- or NFC-enabled reading of the signal and integration (onboarding) of mobile access control into the system are the basic prerequisites for the desired door opening via smartphone.

Wide range of applications

Temporary activation of access points has been known for a long time, particularly in the case of electronic access controls. It has also been common practice for some time that accesses are recorded electronically and can therefore be traced. However, with conventional systems, authorization was linked to a locking medium or an identification marker (IMT).

With mobile access, these tasks are performed by the smartphone or the (manufacturer-specific) app. This results in a wide range of possible applications. For example, variably deployed personnel can be authorized directly for the respective assignment or for opening the relevant doors. This could be, for example, for jumpers in the gas station store or the service technician in the data center.

So everything under control?

Today, the (location-independent) activation of authorizations is done on a vendor-specific basis. Proprietary (cloud) solutions are often used. Individual solution providers are in the process of offering vendor-independent solutions or integrating different providers via interfaces. The general principle here is: the more interfaces, the higher the number of possible security gaps. Physical security on the door is therefore also dependent on the IT security of the overall system. It should also be noted that in the case of the Springer in the service station store mentioned above, it cannot necessarily be assumed that a company-owned smartphone is available. Is it therefore permissible that the employee is forced to install apps used for business purposes on his smartphone? And conversely, is it desirable from the employer's point of view that security-relevant processes are handled on a private smartphone? And to include the service technician: Does it really make sense to enable access to the IT rack in the data center via app?

The need for safety is decisive

Not all rooms or their contents/uses have the same security requirements. While the term protection needs analysis is often used in IT, the objective is also identical for physical security: to define the security requirements. This often results in requirements for access organization and the technical tools used. It is no coincidence that the market penetration of mobile access in the "consumer" segment is increasing. Hotel applications, meeting rooms and generally areas with low security requirements are predestined for such applications. However, the more the security requirements increase, the more caution is called for. If necessary, an additional identification feature can be used to meet the increased security requirements. However, mobile access is not (yet) suitable for applications in high-security areas such as data centers, safes, prisons or ammunition depots.

What generally applies

The access concept is part of security planning, and the general rule here is that it is not the user-friendliness of an app that is decisive, but the (protection) requirements. So before the access control technology is selected, its requirements should be defined as part of a security concept. It is quite common that not all the rooms concerned have the same security requirements.

It is also typical that not all users are authorized for access to all rooms. And this brings us to the not new, but still valid principles of the access concept.

Access organization begins with zoning

Each use is assigned to a safety zone and each zone is given a color. This creates a colored safety plan that shows which zone transitions require special attention. Traffic areas are often mixed uses, some with a semi-public character. If a semi-public area borders directly on a high-security area, the security requirements for the zone transition automatically increase. For a door, this classically means increased requirements for burglary resistance, the so-called Resistance Class (RC), which can also have an influence on the choice of locking technology, monitoring and thus, under certain circumstances, on the choice of locking medium. A popular mobile-access solution for retrofits is the installation of a corresponding electronic locking cylinder, a digital cylinder. It is now necessary to check whether the desired RC requirements can be met in this way. It should be noted that today's mobile access solutions are not yet consistently tested with resistant doors (RC class).

Has the key had its day?

Mechanical locking is still the most common form of access organization. The risk of losing a key, which is the biggest disadvantage of this solution, increases with the distribution of large numbers of keys. Although management and authorization management with mechanical locks are not very flexible, there are still applications in the high-security sector where the desired security standard can be achieved with key changers or key safes and secure issuance with two-factor identification.

Mechatronic locks combine the advantages of a robust, mechanical lock and the benefit that lost keys can be blocked electronically, thus preventing the costly replacement of the lock. The key here is therefore also an identification feature carrier (IMT). An IMT is also a prerequisite for all other electronic solutions: from digital cylinders and hardware readers to the well-known offline and online access control systems and radio-networked solutions. In addition to the best-known IMT, the badge, the market offers a wide range of colors and shapes. With Mobile Access, there are now also solutions that no longer necessarily require the physical handover of the IMT.

So when Mobile Access?

As already mentioned, the selection of the right access control also depends on the security and protection requirements. Possible (cyber) risks must be taken into account here just as much as the physical security requirements of the door. However, if one assumes applications without increased security requirements, there are definitely advantages with mobile access. The fast and flexible assignment of authorizations, the traceability of access and, last but not least, the tendency toward increasing user acceptance have the potential for the solution to become more widespread. From a business point of view, it is particularly interesting if the user registers himself and the authorization is transferred automatically - if, for example, the room and the booked additional services are activated directly with the payment process on the app. Hoteliers are thus relieved and can use the free capacity differently. Perhaps simply to be a good and relaxed host in direct customer contact.