21-23 Aug 2024
ICC, Sydney

The Role Of Bluetooth In Mobile Access Control

Sep 21, 2018

Using smartphones in access control systems is the new buzz in discussing readers and credentials. Electronic access control manufacturers are promoting the various ways that mobile technology, soft or virtual credentials can be used to replace cards. It is not surprising that all are trying to get on board.

According to Gartner Research, 95-plus percent of all adults aged 18–44 years own smartphones. That is not all – 69 percent of the entire population already uses smartphones. That is babies through seniors. Gartner suggests that, by 2020, 20 percent of organisations will use mobile credentials for physical access in place of traditional ID cards. To rephrase that last sentence: in less than 18 months, one-fifth of all organisations will use the smartphone as the focal point of their electronic access control systems. Not proximity. Not smart cards. Phones!

Besides the fact that just about everyone has one, what are other reasons? To arrive at that answer, let us review the basics of access control. Access control authenticates a person by following three things:

  • recognises something he has (RFID tag/card/key)
  • recognises something he knows (PIN)
  • recognises something he is (biometrics)

Smartphones have all three authentication parameters. This soft credential, by definition, is already a multi-factor solution. Mobile credentials remain protected behind a smartphone’s security parameters, such as biometrics and personal identification numbers (PINs). Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification – what he knows and what he has or what he has and a second form of what he has.

To emphasize, one cannot have access to the credential without having access to the phone. If the phone does not work, the credential does not work. The credential works just like any other app on the phone. The phone must be on and unlocked.

These two factors – availability and built-in multi-factor verification – are why organisations want to use smartphones in their upcoming access control implementations.

Why Bluetooth has become the Popular Communications Protocol

Bluetooth and Near Field Communications (NFC) are the most popular short-range radio wave communication standards used in smartphone credential systems. When implementing mobile access, there are a few things to consider before deciding on the type of reader to invest in. The installed base of mobile devices can affect the technology choice, as iPhones 5s and earlier do not support NFC. In organisations with a large base of iPhones and Androids, Bluetooth is the only option.

Bluetooth technology is quite popular and anyone who has ever tried to sync smartphones, computers and/or headphones has probably used it. Bluetooth readers are less expensive because almost every smartphone already has Bluetooth. Not even 50 percent of all smartphones yet have NFC.

In most instances, NFC uses less power. As a result, this means that the smartphone needs to come into much closer nearness to the reader, like a proximity card versus a longer range transmitter. The good news is that such closer proximity prevents interference from other devices communicating from farther away. The negative is that the reader can seem more finicky.

There are other advantages to a closer read range. NFC eliminates any chances of having the smartphone unknowingly being read, such as can happen with a longer read range. There are also those applications where multiple access readers are installed very near to one another due to many doors being close together. One reader could open multiple doors simultaneously. The shorter read range or tap of an NFC-enabled device would stop such problems. However, in defense of NFC, it must also be understood that Bluetooth-enabled readers can provide various read ranges of no longer than a tap as well.

This leads to a major advantage for Bluetooth. Read range can be from an inch to over 15 feet. Installers can provide adjustable read ranges and differ them for various applications. For instance, they could choose a reader requiring presentation at the computer server room. Three feet may be the preferred range at the front door. When entering the facility gate, a still longer read range, perhaps six feet, can be provided so users do not have to open their car window to reach the reader. At 15 feet, the reader can open parking garage doors or gates that allow entrance to the facility, such as at gated communities.

There is yet another advantage to a longer reader range. Since NFC readers have such a short and limited read range, they must be mounted on the unsecure side of the door and encounter all the problems such exposure can breed. Bluetooth readers mount on the secure sides of doors and can be kept protected out of sight.

Other Information about Bluetooth

The Bluetooth technology used in access control is called Bluetooth Low Energy (BLE). It is very efficient; a single cell battery could operate for months on end. For those technically inclined, it operates with a maximum speed of 1Mbps with actual throughput of 10 ~ 35 Kbps. Thus, access control using Bluetooth BLE technology with today’s smartphone offers the promise of lowering the cost of hardware.

To make the system work, there needs to be a direct connection between the Bluetooth-enabled device and the Internet. This is done very simply through the cellular data network or a secure Wi-Fi connection. To install a mobile credential, a user needs to first have the Wallet app installed on a supported smartphone. Next, the user launches the app and selects the ‘+’ button, indicating that he would like to load a new credential. A registration key certificate is provided for each credential ordered. He then enters the unique 16-character key from the certificate and taps ‘submit’.

Once successfully registered, the new mobile credential will appear in the Wallet app ready for use. From that point on, the user simply presents his smartphone to the BLE-enabled reader. Forget having to enter a PIN or password to authenticate identity (as with a card). Henceforward, a person’s smartphone is his identity. Once the phone is operational, so too is the credential!

A Couple of Caveats

As when implementing any new technology, become familiar with it. What are the benefits? Where are the potential pitfalls? Organisations should make sure the manufacturer not only understands Bluetooth, but knows how to coach them through the initial installations.

Do not forget about cybersecurity responsibilities. For instance, some older Bluetooth-enabled systems force users to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again. And so on.

Newer solutions provide an easier way to distribute credentials with features that allow the user to register only once and need no other portal accounts or activation features. By removing these additional information disclosures, vendors have eliminated privacy concerns that have been slowing down acceptance of mobile access systems.

Organisations do not want hackers listening to their Bluetooth transmissions, replaying them and getting into their buildings, so they should make very sure that the system is immunized against such replays. That is simple to do. The manufacturer will advise which system will be best for each application.

Research shows that Bluetooth-enabled smartphones are continuing to expand in use to the point where those not having them are already the exceptions. They are unquestionably going to be a major component in physical and logical access control. If they are going to constitute 20 percent of all card-based access control within the next 18 months, it can be expected that the numbers will be much higher by the end of 2020.


Credit: Scott Lindley, Security Solutions Media

  • Bring your security needs into focus
  • Register
Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now