Mobile Credentials Promised a Seamless Future, So Why Are We Still Tapping Plastic Cards?

The mobile phone is now ubiquitous, serving as a tool for many daily interactions among users. It has revolutionized our lives for better or worse. Purchases, reservations, ticketing, access passes, loyalty and rewards programs, identification and countless other interactions can now be consolidated into a mobile phone’s wallet. Some have taken to calling it a non-substitutable infrastructure, something that users hold so firmly that they won’t replace it. The user now has a device in their possession that is always connected and can be updated with new capabilities and permissions in real-time. 

The NFC capability of the mobile phone allows transactions to be fast and secure and not require the user’s engagement or selection of the credentials, as is typically required by Bluetooth or BLE-based apps. The NFC wallet also allows multiple actions to be combined, like payment and access, or identity verification and access. This delivers efficiencies previously unattainable to users and enterprises trying to deploy BLE app-based credential products and solutions. The mobile device wallet enables the convergence of physical and logical access solutions with digital identity Multifactor Authentication (MFA) to finally be delivered as they have been promised for so long by the security, access control and IT industries. Physical Identity Access Management (PIAM) should become common parlance for us in the security and access control space as our products and solutions converge with the IT world of our end-user customers.

End Users Driving the Migration, but Technology Hurdles Persist 

Seamless operational workflows are really end-user employee experiences that businesses and enterprises have invested heavily in over the last decade to achieve. The more the company can remove friction, the easier it makes it for its employees and stakeholders to be operationally compliant with the various conditions set by the business. However, they have struggled to realize the promised efficiencies of technology fully. The “last mile” is often the most challenging, as they say, especially in technology deployments. The obstacles up to this point have been at the endpoints where users interact and in the back end, where disparate systems were unable to communicate effectively or efficiently. Apple, Google and Samsung giving the access control credential manufacturers access to the NFC capabilities inside their phones created the path we are on today. 

The major obstacle to end users having a positive access experience was removed when Apple opened Wallet for NFC access-control applications on the iPhone. With Apple's dominant market position in the mobile phone market, they were, in fact, the “gatekeeper” to things. The NFC phone wallets could now engage the endpoints (wall readers and locks). The rise of cloud-based Access Control as a Service (ACaaS) software solutions, with API integrations with other platforms, has also helped resolve connectivity issues arising from disparate back-end systems. MFA is now achievable at the point of interaction when you leverage mobile devices and have an integrated cloud infrastructure. 

However, Apple, Google, and Samsung all use different implementation architectures for their wallet services. This has driven further complexity, and new software layers have emerged, such as Credential Managers (CMs), Access Service Providers, and similar PIAM platforms, which explicitly address the gaps between physical identity, access control platforms, and various wallet implementations. Complexity continues to rise right now, even though the primary desire by everyone is for simplicity. 

This complexity currently stalls out the revolution promised by mobile credentials. The connected lock and mobile credential reader market today is still mostly comprised of BLE app-based solutions. Bluetooth apps have brought the industry close to a mobile solution. Still, the lack of focus on the end-user experience and the absence of scenarios for the seamless sale and distribution of credentials are among the most significant barriers to widespread adoption. The third major blocker is the lack of a clear transformation path from legacy physical credentials, such as Prox, to either mobile BLE or NFC.  

For most organizations, it is not practical to transition directly from legacy Prox cards to mobile BLE or NFC credentials in one step. Various factors drive this fact today. They include credential cost, high employee turnover and legacy installed reader hardware issues. While virtually all major wall reader manufacturers now offer both BLE and NFC-based solutions, the vast majority of connected door locks on the market still use traditional RFID credential solutions, such as Prox, to address the legacy installed base. Lock manufacturers need to pivot their product portfolios away from a focus on Prox and BLE and toward secure, wallet-focused NFC solutions, something that is easier said than done. 

It takes time to revise the tech stacks within products and develop the requisite firmware to interact with the wallet credentials. End customers want to upgrade their entire physical security ecosystem and not just pieces of it. The industry has emphasized the importance and value of connected lock products. Still, it has yet to deliver to the market locks designed explicitly for mobile-based credential offerings that fit this new paradigm. End users want assurance that the next generation of lock devices they buy will support their transition to mobile-based solutions across their physical infrastructure. Lastly, they want to be able to procure mobile credentials in a manner that is familiar and simple to administer, whether BLE or NFC. They know how and where to buy physical RFID credentials, as well as how to manage them; however, with mobile, it has never been as clear.

Digital Credentials and Their Challenges 

As credentials also move from door access applications to logical access, things get more complicated. Cybersecurity and identity have become increasingly critical to business operations. Historically, the industry has relied on card-based systems without robust identity verification. For decades, we issued plastic cards with numbers to everyone, with no tangible way to verify users' identities. We declared the plastic cards secure if they had encryption that communicated with the readers. We sold a disingenuous narrative, one we covered up with technical jargon and printing people’s faces on their cards to make ourselves feel better. As an industry, we started championing mobile credentials because we knew people shared their RFID cards, but they wouldn’t share their phones. As phones added biometrics like fingerprint and facial recognition for device-based MFA, we started taking identity more seriously. Biometrics on mobile devices made it more relatable to end users, and tech giants are using that to build more trust with consumers.

End users are frequently part of enterprise organizations, however, and are not individual consumers that the large tech companies like Apple, Google, and Samsung are used to serving directly. The enterprise environment is, in many ways, foreign to these big tech companies’ mobile offerings. Enterprises have added needs, especially in the identity and logical access arena, that physical security providers are currently not focused on or inclined to address. This is a significant opportunity for our industry right now. Mobile credentials can bridge the gaps between the physical and logical access worlds, as well as identity (MFA), to fully deliver on their value proposition for enterprises. 

The pandemic accelerated enterprises' interest in adopting mobile solutions, as those few years forced the development and deployment of new user behaviors and operational models. Flexible schedules, remote work, and co-working— these new patterns have made mobile-based solutions more valuable to enterprises, especially those that can be updated in real-time and on demand. The world is more dynamic than ever after being locked down. While Return to Office (RTO) mandates are sending employees back to the office, the disconnect in distributing and managing mobile credentials persists. Our industry has not learned enough from the past to bridge these gaps. 

Selling Mobile Credentials

The sales and distribution of mobile credentials are still very immature and have been approached, from the wrong perspective, based on the market adoption seen. The credential providers have not been directly connected to the actual consumers of the digital credentials, who can realize their benefits and value. The extra layers currently existing in the sales and delivery channel add cost and don’t add value to many organizations seeking to transform into mobile solutions. This has slowed the adoption by the majority of the market. 

A new business model for the sales and distribution of mobile credentials is needed that removes these barriers and alleviates the market's challenges. For enterprises to buy and deploy mobile credentials in wallets or otherwise, they need to trust that there is a clear path before them for transformation. Who will sell these mobile credentials that enable both physical and logical access to enterprises? The PACS? Reader companies? IT companies? The new category of Credential Manager companies? The traditional RFID card providers? And are enterprises going to buy their logical access credentials from their physical access providers? And what about the small and medium-sized business category? They tend to be less focused on identity, even though they are just as vulnerable as the big enterprises. MFA on mobile devices can be a very economical way to address these vulnerabilities.

Companies that successfully connect enterprise back-end systems via APIs and integrate with access endpoints will be best positioned to thrive in the mobile-connected future. They also need to make buying, managing, and distributing mobile credentials as easy and familiar as traditional RFID cards. The good news is that a few players are already on this journey. They have started from the user experience perspective and worked backward through the complexity to solve the problems in this complex space. They have connected to the identity and SSO platforms and to the access control platforms, along with a host of other systems like CRM and ERP, payroll, and HR. They connect to Microsoft and SAP, and in some cases, even payment platforms. Enterprises view the deployment of these mobile solutions as less human capital-intensive and resource-draining for their organizations. 

Looking Forward

Today, it takes a lot of physical resources to actually create, print, and ship or hand out badges. If managed correctly, mobile solutions can be deployed in a future-proof model and with high identity assurance, lowering the overall risk for the enterprise. Finally, for enterprises, all the efficiencies they have sought for their workflows are within reach. The sales opportunities here are enormous, as the largest enterprises have much to gain from adopting mobile credentials and wallets.

For the SMB market, a simpler and more streamlined approach that possibly borrows heavily from the traditional physical credential buying journey is likely more in order. Today, several physical card companies are on this journey, and we may see new sales models emerge in the next few years. After all, they are the current trusted credential providers for these businesses, and they have the trust required to succeed. The question is, can they evolve on the technology side? For now, the mobile credential revolution remains stalled. But I predict not for long, and soon enough, we will finally enter the mobile-first promised land first envisioned for our industry.