Page 51 - Institute Quarterly 5 Final
there is no exchanging of access cards between people. This is especially beneficial for site visitors, where an access card may pass between many different people during the course of a day.

Does Bluetooth technology leave you vulnerable?

Mobile access control utilises Bluetooth Low Energy (BLE) for communication to access control card readers from mobile phones. A mobile access control system utilising a strong authentication method will ensure the communication is secure and cannot be used by anybody ‘sniffing’ the communications to get access by replay attacks or other methods.

Authentication methods like a public key-based credential will keep communication secure between the reader and device. The reader will send a random string of data to the phone and, using a private key securely stored in the phone’s key store, the phone will sign the data and send it back to the reader. The reader will use the public key to validate that the digital signature is correct and, if so, will open the door. As a different random string of data is sent to the phone every time, there is no risk of unauthorised entry via replay attacks.

The risk of a relay attack, or man-in-the-middle attack, can also be mitigated. In a relay attack, an attacker will attempt to impersonate a person’s credentials using two devices to ‘relay’ the messages from the door and a person’s phone, using an app they’ve written on two wirelessly connected devices, like mobile phones. One device will be held near the reader and the other near the phone that is being impersonated; the reader and phone will believe they are talking to each other and perform the authentication.

Choosing an intelligent access control system that uses algorithms to detect this happening can mitigate the risk of these attacks, as can requiring two-factor authentication at the reader.

We use our access cards as staff ID. How will we identify people on site?

A combined staff ID and access card can present security risks. If someone were to misplace their card, it is easy for the person who found it to identify which organisation it belongs to and use it to gain unauthorised access to the building. Separate staff ID and access credentials can mitigate this risk, with mobile credentials negating the need for staff to carry two cards.

Mobile reader technology can also be used to verify whether someone is authorised to be in a particular area on site. Using a mobile reader, a security operator can read an individual’s credentials, verify their identity against the staff photo on file, and confirm if they have the authority to be in a certain area.

Not all of our staff have a suitable mobile device. Does that mean they can’t get into the building?

Moving to mobile credentials doesn’t have to be an all-or-nothing solution. It’s not uncommon for sites operating mobile access technology to offer staff the choice between a mobile or card credential to ensure no-one is excluded.
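The challenge-response exchange described in the Bluetooth section, and the replay and relay cases it discusses, as an added worked example in Go. This is illustrative code written for this page, not the code of any reader or credential product. It assumes Ed25519 as the signature scheme, keeps the phone's private key in a plain struct field rather than a hardware key store, and stands in for the article's "algorithms to detect this happening" with one simple, assumed heuristic: an upper bound on how long a legitimate phone may take to answer, since a relayed response has to traverse two extra radio hops. The reader also remembers every challenge it has consumed, so a captured signature presented a second time is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Error values returned by the reader; the names are this example's own.
var (
	ErrUnknownChallenge = errors.New("challenge was not issued by this reader")
	ErrReplay           = errors.New("challenge already consumed (replay)")
	ErrBadSignature     = errors.New("signature does not verify under the enrolled key")
	ErrTooSlow          = errors.New("response exceeded round-trip bound (possible relay)")
)

// Phone holds the credential's private key. The article places it in the
// phone's key store; here it is a plain field, purely for illustration.
type Phone struct{ priv ed25519.PrivateKey }

// Sign answers a reader challenge by signing it with the stored private key.
func (p *Phone) Sign(challenge []byte) []byte { return ed25519.Sign(p.priv, challenge) }

// Reader holds the enrolled public key, the challenges it has issued (with
// their issue time) and the challenges it has already consumed.
type Reader struct {
	pub         ed25519.PublicKey
	outstanding map[string]time.Time
	used        map[string]bool
	maxRTT      time.Duration // assumed relay heuristic: bound on legitimate response time
}

// NewReader enrols one public key and sets the response-time bound.
func NewReader(pub ed25519.PublicKey, maxRTT time.Duration) *Reader {
	return &Reader{pub: pub, outstanding: map[string]time.Time{}, used: map[string]bool{}, maxRTT: maxRTT}
}

// Challenge issues a fresh 32-byte random nonce, so every transaction differs.
// The caller supplies the clock so the exchange can be replayed deterministically.
func (r *Reader) Challenge(now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.outstanding[string(nonce)] = now
	return nonce, nil
}

// Verify decides whether the door opens. The challenge is consumed whatever the
// outcome, so a captured signature cannot be presented a second time.
func (r *Reader) Verify(challenge, sig []byte, now time.Time) error {
	key := string(challenge)
	if r.used[key] {
		return ErrReplay
	}
	issued, ok := r.outstanding[key]
	if !ok {
		return ErrUnknownChallenge
	}
	delete(r.outstanding, key)
	r.used[key] = true
	if !ed25519.Verify(r.pub, challenge, sig) {
		return ErrBadSignature
	}
	if now.Sub(issued) > r.maxRTT {
		return ErrTooSlow
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	phone := &Phone{priv: priv}
	reader := NewReader(pub, 500*time.Millisecond)
	t0 := time.Now() // constructed timeline for the three scenarios below

	c, _ := reader.Challenge(t0)
	sig := phone.Sign(c)
	fmt.Println("genuine presentation:", reader.Verify(c, sig, t0.Add(50*time.Millisecond)))
	fmt.Println("replayed capture:    ", reader.Verify(c, sig, t0.Add(60*time.Millisecond)))
	c2, _ := reader.Challenge(t0)
	fmt.Println("relayed response:    ", reader.Verify(c2, phone.Sign(c2), t0.Add(2*time.Second)))
}
```

The first presentation verifies and the door would open; the second, reusing the sniffed challenge and signature, is refused as a replay even though the signature is still mathematically valid; the third is signed by the genuine phone but arrives far outside the bound and is refused. The bound itself is the assumed part of this example: a real deployment would have to calibrate it against measured BLE latency, which is exactly the kind of detection logic the article attributes to an "intelligent" system rather than to the signature scheme alone.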