As electronics and connectivity spread across industry, the use of digital keys held on a mobile phone is growing even for physical access. Will Dalrymple opens the door to the new world of access control.
While unlocking a family home or opening a bicycle padlock might work fine with a single or a few physical keys, that mechanical technology poses a number of problems when used for access control of industrial equipment for tens or hundreds of people, according to suppliers of connected locking systems.
Ulf Jonasson, UK & Ireland country manager of Finnish manufacturer iLOQ, criticises physical keys. He says: “First, managing keys is painful; you have to hand a physical key to someone. Also there is no traceability of where the person who has a key has been. You don’t know who opened the door. And when you manufacture a key system, you fix that key with that lock. If you lose the keys, the only way to regain control over a lock is by changing the cylinder as well.” He also points to the ‘real risk’ posed by thieves using 3D printing technology: a high-resolution smartphone photograph of a key profile can quickly be turned into a counterfeit physical copy that opens the door.
Connected locking claims to solve all of these issues. “Key sharing is one of the biggest benefits of the app. It enables customers that have locks in equipment, whether boats, trains, aeroplanes, HVAC, datacentres or self-storage, to share access with someone remotely,” says Southco commercial product manager Mike Fahy, referring to its new Keypanion app product.
For the installer, the systems comprise relatively few modular components, albeit within systems that remain proprietary (users cannot mix and match componentry from different suppliers). On top of a standard electromechanical latch fitted with a power supply, connected locking includes several new component parts. First is an electronic reader, which receives the digital key in the form of a signal transmitted over mobile-friendly close-range wireless data communication protocols NFC or BLE (Bluetooth Low Energy), and passes on an unlock command to the latch. The mobile phone receives the encrypted key from a remote server, where an administrator adds access privileges to authorised users (whether that’s forever, or time-limited) and takes them away. The system keeps logs of who opens which lock, when.
From the user’s point of view, all of this is mediated via a mobile phone app (in all cases below, available for both Apple iOS and Google Android software). That app lists the locks to which that user has access, and as they approach, unlatching involves pressing the right icon. Security is improved by requiring users of the app to verify their email address.
An administrator manages a list of the authorised users for any particular lock. Users can be changed (added and subtracted) infinitely at essentially no cost. Access can be granted for an unlimited duration, or a very specific future date and time range.
Given all of that data, the list can become quite a dynamic proposition, and where it is stored and how it reaches locks is a key structural issue in these systems. To maintain robust security, every lock reader needs to have as up-to-date a version of the list as possible. For example, administrators would not want a user that had been deleted from the system to continue to have access to a previous key. On the other hand, they want to minimise access delays caused by an old white list blocking access to a new user.
This poses interesting limitations in the particularly tricky scenario in which the lock is expected to be used in a place with no mobile phone data signal. Suppliers have come up with different ways to address this problem using offline means, such as sending digital keys in advance.
Another potential problem is how to deal with a battery-powered connected lock whose battery has died. Although they are expected to last for years, and although there is generally a provision for sending a low-battery warning, they will eventually lose power. When they do, they cannot read credentials, potentially blocking access completely. To avoid the need for brute force measures, the suppliers profiled can integrate some kind of port into the lock to connect an external power source. When connected, this device feeds power to the lock – not to open the door, which would be a security risk – but to enable it to read credentials and then grant access. Mechanical keys are another back-up option on some larger lock types, such as swing-handles.
Below, four different systems are described.
ASSA ABLOY OPENOW
Assa Abloy’s SmartAir range of digital access systems consists of four systems and multiple components, including the Openow system for mobile phones. “That’s the way that the market is going in the future; mobile credentials,” says product manager Ifazaad Liaqat.
Due to the growing requirements for mobile credentials, the company’s iMax handle is now being provided with components including the BLE module as standard. “Should a customer not require mobile credentials on initial set-up of their system, then this module will not be charged for or activated. When they decide in the future to have mobile credentials, all they have to do is pay to get it activated. It’s more of a software task and a reinitialization” than a hardware upgrade, he adds.
With Openow, he is referring to the company’s five-year-old mobile phone credential system, a special firmware add-on to its TS1000 management software, which transfers keys over mobile data to a phone app from a dedicated server in San Sebastian, Spain. As with the Keypanion app, the ‘unlock’ command in the app is clickable only when the phone is within range of an available lock. It also picks up lock activity and updates the log record on TS1000 via mobile data.
Openow works alongside three other RFID card-based access systems.
Wall readers are powered by 12/24V power through a relay board controlling electromechanical devices such as automatic doors, gates, barriers and bollards. The iVolution and iMinimum access products are battery-operated devices supplied with a lock case. Other products include the iGate padlock, rated to IP68 protection, and iMax integrated escutcheon.
ABLOY KEYLESS ACCESS
Two years ago, Abloy Oy launched connected padlocks under the Abloy Beat branding for critical infrastructure; since then it has added the Abloy Cumulus product range. Both Beat and Cumulus are sold and marketed independently of SmartAir. Product group manager Eetu Kulo says: “Cumulus is not an electronic access control platform (EAC) but rather something we would call an access management system. By using top of the line asymmetric encryption and public key infrastructure (PKI) the Cumulus devices themselves do not contain any shared secrets or details about the user accesses. This allows easy lock commissioning and change of access rights – no such information is stored on the lock, thus no one has to update the locks’ memory when access rights are changed.”
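The two design points above, digital keys sent in advance for locks without a data signal and locks that hold no access list, can be illustrated with a signed, time-limited grant. This is an added example, not code or a protocol from Abloy or any other supplier profiled; the `Grant` fields, function names and sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Grant is a hypothetical time-limited digital key issued by the access server.
type Grant struct {
	User, LockID        string
	NotBefore, NotAfter int64 // validity window, Unix seconds
}

// encode builds the exact bytes that get signed; the length prefixes keep
// the two string fields from running into each other ambiguously.
func (g Grant) encode() []byte {
	return []byte(fmt.Sprintf("%d:%s%d:%s%d,%d",
		len(g.User), g.User, len(g.LockID), g.LockID, g.NotBefore, g.NotAfter))
}

// Issue runs on the server, the only holder of the private key.
func Issue(priv ed25519.PrivateKey, g Grant) []byte {
	return ed25519.Sign(priv, g.encode())
}

// Check runs on the lock, which stores only its own ID and the server's
// public key: no user list and no shared secret. It needs no network.
func Check(pub ed25519.PublicKey, lockID string, g Grant, sig []byte, now int64) string {
	switch {
	case !ed25519.Verify(pub, g.encode(), sig):
		return "deny: bad signature" // grant altered or not issued by the server
	case g.LockID != lockID:
		return "deny: wrong lock" // valid grant, but for a different lock
	case now < g.NotBefore || now > g.NotAfter:
		return "deny: outside time window"
	}
	return "open"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	g := Grant{"alice", "gate-7", 1000, 2000} // constructed sample values
	sig := Issue(priv, g)                     // delivered to the phone in advance
	fmt.Println(Check(pub, "gate-7", g, sig, 1500)) // inside the window
	fmt.Println(Check(pub, "gate-7", g, sig, 2500)) // after expiry
}
```

In this sketch an offline lock cannot learn that a grant was withdrawn before `NotAfter`, so the length of the validity window bounds how long a deleted user keeps access, which is the trade-off between stale lists and access delays described earlier.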
The range also includes a controller for gates or e-locks which work with other brands’ equipment. As with the other systems, a mobile app controls the locks and acts as a keyring, and all the locks an individual has access to are visible. It connects to hardware using BLE. Software updates and firmware updates are also pushed via the app.
ILOQ
Finnish lock maker iLOQ launched a cloud-based key management system last year, two years after it entered the UK market (through a network of 45 resellers). A unique selling point is that key access points, manual or electronic, are unpowered, preventing a hundred tonnes of battery waste every year, it estimates. In the digital system, used with its S50 mobile app, the mobile phone’s NFC signal generates the energy to actuate the lock.
Its other system, S5, uses a physical key blank that can be endlessly coded and recoded. The key blanks used are toothless but contain an electromagnetic strip on their bottom surface as well as an online reader in the handle. They require programming by distributors before they can be used.
In a building, they interact with individual locks and with a mains-powered hotspot at the building’s entry that communicates with the cloud server. Hardware includes door readers, locks and padlocks, which come in three shackle sizes: 25, 60 and 125mm; in the UK these have been BRE-rated; the largest has won the SL3 certification.
SOUTHCO KEYPANION
Launching this month is Southco’s Keypanion app, one of the simpler systems on the market, which consists of two new parts: a 12V battery- or mains-powered BLE reader and an app for users and management (the system is launching without a web management portal, but it’s on the list for later roll-out).
To register a lock, users must be physically next to it, where the phone can pick up the unique MAC address from the Bluetooth chip inside the reader, and connect to it. Doing so adds the lock to the user screen, where other admin information and notes can also be added.
Users know the phone is in range when the specified lock’s icon turns blue. In online mode, that initiates an authentication check before the lock opens. If the lock is located in an area outside of reception, it still works, but with reduced functionality.
On the app, admins can manage access privileges remotely. The app also shows the last 14 days’ history for each lock.
Via live chat in the app, Southco has set up 24/7/365 customer technical support, which is new for the company, having previously only offered business-hours support.
BOX: LOOKING BEYOND INDUSTRY
While some suppliers profiled focus on residential and hospitality applications (hotels), others are more interested in industry. Outside of these, though, other applications are emerging. “We are heading into an uncertain changing world that is more open, where there is more temporary access and a shared economy. Everything is happening quicker and more smoothly, but it still needs to be as secure as it used to be,” says product group manager Eetu Kulo of Abloy Oy, Finland.
Kulo reports that applications for connected locking continue to emerge. “While we were on the journey, we discovered new opportunities as well: book-pay-use. The convenience segments are also lifting their heads, such as self-storage. Or for example Padel courts, which have been popular in Finland. You can utilise an online booking system, hand over your credit card details, pay, get a digital key into the smartphone, and utilise that for a specific slot. You wouldn’t have to collect or return a physical key or credentials. It brings convenience to the process.”