Are phones winning the battle of credentials?

May 13, 2024
A new report from HID explores drivers and barriers for increased adoption of mobile credentials.

By Paul Ragusa

For the longest time, security professionals have been coming up with new ways to do what the key has been doing for centuries – locking or unlocking a door.

But now, in addition to allowing or denying access, they are providing more convenience, enhanced features and control around the door, whether it is an audit trail, video verification, adding or removing a credential, or allowing electronic access control management from an on-premises operations center or cloud-based analytics platform that can be accessed remotely.

The ubiquity of mobile devices makes them a natural fit for extended identity applications, and the incremental adoption of mobile ID continues -- with 72% of respondents calling out mobile identity as a top 3 trend, according the latest findings from the HID 2024 State of the Security Industry Report.

The report gathered responses from 2,600 partners, end users and security and IT personnel worldwide across a range of job titles and organization sizes representing more than 11 industries.

Looking closer, two-thirds of organizations (64%) reported some level of mobile ID deployment, with that number expected to increase to 79% within the next five years. In addition, the survey found that industry partners are optimistic in their outlook, stating that 94% of their customers will have deployed mobile IDs in the next five years.

While phones have made an incredible strides in the past few years in providing keyless-access options, there are still barriers to widespread adoption as the technology moves from the home -- where it is firmly rooted -- into small businesses and enterprise-size corporations that have begun a digital transformation.

This cloud- and mobile-first mentality is sending a seismic change to the way end users look at access control.

While mobile ID adoption is on the rise, there is still a perceived need for physical identity cards in some sectors, with 46% of end users saying they need a visible image on their ID badge, and 59% of industry partners reporting their customers also have this requirement, according to the report.

But, as researchers note, this tends to be industry-specific: For example, high numbers of end user respondents in government (25%), healthcare (27%), transportation (29%) and hospitality (26%) say the need for their ID to remain visible at all times impacts their use of mobile IDs.

Breaking Down Barriers

Despite some of the barriers mentioned above, mobile ID continues to gain traction in many industries, with 59% of respondents saying it’s more convenient for users, 45% lauding its added security and 35% saying it’s more convenient for administrators.

Diving deeper, companies with more than 50% mobile credential deployments will see significant growth over the next 5 years. Looking at what percentage of their physical access control (PAC) credentials are mobile IDs, the rate will go from 4% currently to 18% in 5 years. And for companies with more than 70% mobile credential deployments, those numbers will go from 10% currently to 21% in five years.

Bevan Hayes, business strategy director, mobile, HID Physical Access Control Solutions (PACS), says momentum continues to build around the use of these devices in support of identity.

“For example, in North America, we are going to see an increase from 4% to 18% in the next five years and that's because we've been able to, and the market in general has been able to address some of the challenges, such as inconsistency, and emergence of the digital wallet comes to mind,” notes Hayes.

“To be able to use the same modality as you do for payment brings that trust. It's also the fact that as a user I have control because it's in my digital wallet versus potentially a Big Brother app, so that starts to help build that trust as well. And then because we work directly with the mobile phone providers, we get access to capabilities that you wouldn't have otherwise.”

Hayes points out that power reserve mode or low battery mode in these wallets also help with the conundrum that existed in the past when someone’s phone battery died and they could not get into a building or their dorm room, for example. “In the past that could have been a scary situation,” he explains. “But now you can still gain access for about 5 hours, so you can have a blank screen and still use the phone.”

Another inconsistency that has been addressed is the use of NFC technology by both Apple and Google, so the user experience is the same and frictionless across the board. “So, it’s that same tap-use case that you would have for a transit, tickets, payment, or entry for example,” he notes.

Aiding in mobile’s rise within security is the ability to add or remove credentials as needed, providing greater flexibility and control for end users.

“In the new ecosystem where we have a wallet deployed, one can log into their iCloud account, for example, and actually say I lost my phone, and it goes and decommissions or pulls the credential from the access control system,” Hayes explains. “So, you can instantaneously shut down access versus the world of a physical card where have your picture on it and potentially your company name, and there's this potential big delay and security vulnerability.”

Moreover, the report confirms what HID has been tracking for some time now as many SMB and enterprise-level companies look to simplify access control. “Over the next few years, it is going to accelerate because we’ve gone past the pure-play early adopters,” says Hayes.

“We've had a lot of people test it and now we're seeing a significant amount of expansion in accounts and it's not just the tech companies. We're seeing big expansion in corporate real estate and big expansion and rollouts in higher education – even banks and other types of entities that were risk adverse in the past.”

He continues, “We’re seeing success in the more complicated environments like corporate real estate or entities that have more than one location, as well as traction from the global 2000 or Fortune 100 organizations that would typically be pretty risk adverse because of their scale and scope of operations but are now going through a sort of digital transformation.”

Researchers point out that organizations are steadily upgrading legacy hardware in favor of multi-tech readers that can handle both plastic and mobile device-based credentials. Moreover, mobile devices are increasingly used to support multi-factor authentication (MFA) and other use cases across the network security landscape.

“Mobile ID authentication can identify a mobile phone user, reliably and securely, through a greatly simplified user experience, reducing friction for the user without compromising security,” the Mobile Technology Alliance notes in the HID report. “Applications in payments, government identity, and access control are likely just the beginning of a long list of services to be securely simplified via mobile identity authentication.”

Three key takeaways to increased adoption from the report:

  • End users appreciate the convenience that comes with authenticating themselves via a device they already carry.
  • Administrators find it easier to manage identity and valuable data via smart devices and software.
  • Mobile devices are less likely to be lost or stolen, and their built-in security safeguards mean that even if they are misplaced, one’s identity likely won’t be compromised.

Securing and Leveraging Data

As the phone continues to gain trust around its security, Hayes says this could be the final piece – to go with the convenience factor – that helps mobile solutions gain even more traction within security.

“The phone is really secure to the point where if we look at it from that initial use case of losing the phone versus losing a physical card – there's a value that we can put around the reduction of risk,” he points out.

“But then we also look at encryption and horsepower on the phone, which can do several things around confirming that a person's where they say they are or who they say they are, because we can enforce rules like multi-factor authentication to unlock your phone before you enter a certain part of the building.

“And for another part of the building, it may use what we refer to as express mode, for example, where it's the simple tap on a locked screen, which could then prompt face ID. What's great about mobile is we put together a set of tools that our partners can go and innovate with and drive these great experiences.”

There is also a case that can be made for leveraging the data the phone is producing to provide benefits in areas such as business intelligence, operational efficiencies and better overall management of facilities, personnel, and resources.

“The companies that are really innovating in this space are the ones that are getting the traction,” says Hayes, noting that it goes beyond just effortlessly locking and unlocking a door. “They may want to turn it into a tenant experience in one setting or create a visitor-type Disney experience in another building, or make sure that a building is super smart, efficient and valuable to the owner and those who are occupying it so that it turns into a higher net operating income for the building owner.”

In the real estate and multifamily worlds, this translates into higher retention rates, higher leases, and a better overall experience for owners and tenants, he adds.

Digital Natives and Interoperability

Another factor that is driving Increased adoption of mobile solutions is the changing workforce, with Gen Z starting to replace millennials as the big decision makers.

“Gen Z is going to be 27% of the workforce by next year and these are the folks that are digital natives,” Hayes explains. “We’re not talking millennials anymore – we're talking digital natives, and there's a certain increased demand now for a mobile-first approach to things. There's also a heightened expectation around ‘doing good,’ which is where the sustainability piece comes into play as that continues to rank high in our survey.”

The interoperability piece may be the one that really pushes increased adoption, especially with continued widespread support of Matter (formerly the Consumer Standard Alliance), a new standard for interoperability that the industry is getting behind, notes Hayes.

“It’s something that's already happened at home, and in the next few years we'll see the emergence of some of these standards in multifamily and SMB and then potentially in the enterprise space. And I think we'll also see others that were fearful of that change to mobile finally transition to mobile and be pushed because of the interoperability, or the promise of interoperability,” he says.

The aforementioned workforce change combined with progress in the areas of trust, consistency, and interoperability, is going to create “a snowball effect around use cases and seamless experiences in the workplace, making sure that that workplace is as efficient as possible,” Hayes asserts. “And we in the access control space have the ability to influence that in a number of ways, because you're going through certain challenges from the front door, through the elevator, through the physical space each day. As we incrementally improve on that experience, I think that adoption will continue to accelerate there as well.”