When it comes to ensuring the safety and security of your business, access control is one of the most important tools to be utilized. Access control systems need to be reliable, consistent, and secure themselves in order to play their role in monitoring and controlling entry into any given area.
Historically, access control systems relied mostly on plastic cards and card readers. Now, as the reach of technology expands, many businesses are turning to phone-based access control solutions (mobile credentials) instead of plastic cards. However, mobile credential technologies are not equally effective and secure. While many companies have implemented or considered an access control system based on BLE, NFC still holds the upper hand in keeping assets and personnel safe.
NFC, or Near-Field Communication, is a method of transferring data wirelessly. It’s built on a standard, ISO 14443, specific to facilitating communication between a card reader and another device. It doesn’t require internet connection, but it does require close proximity. Devices contain NFC chips that activate and communicate with one another when held a few centimeters apart. This method of communication between devices is extremely power-efficient and simple to use.
BLE, or Bluetooth Low Energy, is another means of wireless data transfer. Most devices now can read and transmit BLE data, but ranges and capabilities can differ between devices. BLE generally offers a longer range than NFC, usually upwards of five meters, but it’s sometimes used in a tap-and-go capacity as well.
Most people use BLE in some form on a daily basis. From headphones connected wirelessly to laptops, to asset tracking for businesses, this technology is used in a wide variety of daily tasks.
NFC is most predominantly used for contactless payments, with systems like Apple Pay and Google Wallet facilitating these NFC-powered transactions between a phone and a card reader.
When it comes to physical security, BLE is currently more commonly used than NFC purely because proprietary systems required for NFC to work in an access control capacity are not available on Apple devices yet. “Right now, BLE is working as a stand-in for NFC while that technology is being made widely available,” says Peter Jones, chartered security professional and access control innovator. “People are using it, but mostly because they can’t use NFC for access control yet.”
While there might be a bit more wait time before companies can effectively implement NFC-based access control, there are various benefits of NFC over BLE when it comes to physical security.
One of NFC’s main benefits in security is that, in general, security professionals understand it better than BLE. “NFC is built on technology that’s better-understood than BLE,” says Jones. “DESFire is well-understood and uses open crypto standards.” Having a deeper understanding of the technology makes the implementation more reliable and consistent.
In contrast, there are multiple moving parts and changing variables with BLE, making it a challenge to work with. “In access control implementations with BLE, it’s the wild west. There are so many different solutions out there, and each vendor has different implementation and different cybersecurity measures,” says Jones.
Since NFC is used for secure payments already, there is a more rigorous set of security standards accompanying NFC compared to BLE. “BLE is used for security-related purposes, but it’s more fragmented and inconsistent,” explains Jones. “There are a lot of different ways to implement BLE, which means there are many different cybersecurity tasks involved.” Because of this, the security implications of using BLE for access control can vary greatly - they aren’t sufficiently uniform, so they may carry more risk. “Bluetooth could be as secure as NFC, but there aren’t enough standards around its use in access control,” says Jones.
One of the most important benefits when it comes to daily life and efficient implementation across businesses is that the user experience is more consistent with NFC. “Because NFC technology is built on standards like DESFire, the user experience is more consistent when it comes to elements like distance,” says Jones. “With BLE, different manufacturers behave completely differently, so there’s a total lack of consistency.” The year and type of a cell phone, for example, generally impacts the distance required for the device to communicate with a reader. “We’re putting more and more technology into the reader to try to solve the problem of inconsistency in BLE,” says Jones, adding that this shouldn’t have to be necessary - and isn't with NFC.
NFC also offers a smoother and quicker tap-and-go experience. “With access control through BLE, you have to open your phone, open the app, and log in to pull up your credentials in order for your phone to work like a keycard would,” explains Jones. When it comes to picturing this solution in action as employees file into work in the morning, these few extra steps could conceivably slow down the entry process to the point of inconvenience.
With NFC, there’s better and smoother usability, as many people already experience when using functions like Apple Pay. NFC offers a quick communication from phone to card reader that is truly tap-and-go.
Both NFC and BLE will require a transition phase as corporations choose to integrate them as part of their security and access control protocols.
One necessary adjustment is simply the need for employees to store work-related information or applications on their personal phones. While sentiment around this necessity can vary depending on the generation in question and the company itself, some people are strongly opposed to downloading work-related applications onto their personal devices. These attitudes are likely to change as universities implement phone-based applications for both content and security purposes, but for now, it’s a hurdle that organizations will need to consider when the time comes to implement these solutions.
There are also additional security considerations inherent to moving toward mobile credentials. “Going from a very simple credential with one job to a very powerful computer which could be hacked means that you’re exposed to vulnerability from bad updates and other elements that can impact a mobile device,” Jones points out. “With a plain plastic card, there’s no information that flows from the card to the cloud.” This new element interacting with the security system means more room for error, and more possibility of breaches if not properly implemented and monitored.
Another detail the industry will need to sort out is how to distribute credentials. “It’s not as simple as handing out pre-programmed cards,” says Jones. There’s also a change in the market channels involved in distributing these credentials. “The market has to decide how to charge for this.” Because BLE is so fragmented, there are even more questions and discrepancies within the market about how to value and charge for credentials. Once NFC is available across manufacturers, NFC will likely offer a more streamlined approach to these market issues.
Right now, many companies still rely on cards as the main credentials for access control. But Jones sees that changing in the near future.
Both NFC and BLE are relatively new to corporate use, but eventually, Jones predicts that they’ll become the primary means of access control implementation, with cards as a backup.
Because Apple hasn’t released the technology to facilitate NFC for access control on iPhones, “NFC isn’t mainstream in corporate environments yet, but maybe by the end of next year,” predicts Jones. At that point, BLE may phase out of access control over time, but will still serve its purpose when it comes to longer-range needs like scanning into parking lots.
Once it’s possible to use NFC for access control purposes on Apple devices, organizations will be able to implement the switch to using smartphones for access control on a company-wide basis, with reliability from a security standpoint and a smooth user experience.
Pete Jones is the founder and managing director of Third Millennium, a leading manufacturer of access control readers. He is also the Chief Technology Officer of 3MilllID Corporation, a manufacturer of access control credentials and RFID readers.