Episode 2 Summary: We discuss door access control systems past, present, and future. Terminator 2 was released in 1991 and showed, several times, John Connor infiltrating proximity card readers in seconds at Cyberdyne Systems. Fast forward to 2019: what access control system vulnerabilities still exist? Is the OSDP protocol the future, and where are we going with mobile credentials and facial recognition for secured entry?

Guest: Michael Glasser - CISSP, CPP, PSP, PCI, CSPM, CEH

Founder of Glasser Security. Michael has two decades of experience providing security design, strategic planning, implementation oversight, auditing and penetration testing for major corporations, universities, museums, executive residences and governments across five continents. He is happily married, the proud father of three young children and one lonely motorcycle.

Transcript Episode 2 Introduction:

Tom Carnevale

I am so excited to have a friend of mine in the industry, he is one of those guys I have just admired. He has done some incredible things in the space in the industry for a very long time. He’s also one of those friends that we can just talk between the two of us about technical things for hours on end when it would bore and put other people to sleep. But for me and him, it’s something that excites us. And we like dreaming about certain things, we enjoy exposing things. And what I really also love is that Michael and I have sat down and he had sent me pictures of different wiring configurations over the years and quizzes me and says, here’s this picture. Tell me what’s wrong. I don’t have any other friend in my life that will send me a wiring diagram of an access control panel and quiz me. And if you don’t have a friend like that, you need to get one so I am so pleased to introduce Michael Glasser.

He is the founder of Glasser Security. He is certified in CISSP, CPP, PSP, PCI, CSPM, CEH, and has two decades of experience providing security design, strategic planning, implementation oversight, auditing and penetration testing for major corporations, universities, museums, executive residences and governments across five continents. He is happily married, the proud father of three young children and one lonely motorcycle. He has been responsible for securing hospitals, critical infrastructure, from universities, museums, Fortune 500 corporations, and he is just a really wonderful gift to the physical security industry. Please welcome, everybody, my friend and guest, Michael Glasser. Michael, thank you so much for being on the show for me.

Michael Glasser

Morning, Tom, very welcome. Thanks for having me on.

Tom Carnevale

Wonderful.  So today we’re going to start class with a little bit of a movie. This was a movie that came out in 1991. Which doesn’t seem like it’s that long ago, but it certainly is by the math, Terminator Two hit theaters in July of 1991. And in it is this short clip of Mr. John Connor hacking an access control door inside the Cyberdyne system. So enjoy this…

Tom Carnevale

Okay, this is obviously Hollywood and they’re making it look fancy with the countdown and the pin number extraction. But the Wiegand protocol and access control haven’t really changed in over 40 years. And I think you know, regardless of how it’s done, or how it’s done incorrectly for Hollywood, I think the point is still the same. You think this can happen whether you use a BLEKey, or you use another type of device, the Wiegand protocol, and unfortunately, the majority of proximity card readers can still be infiltrated hand to hand. What is your perspective on the state of access control and Wiegand, and how easy it is still in 2019 for access control systems to be infiltrated?

Michael Glasser

Around 2003 I spoke at the Black Hat conference, which is a fairly well-known hacker conference. And one of my topics was hacking access control systems. And they didn’t build any tools or any real proof of concept. They just went through the vulnerabilities that by design were inherent to the systems at the time. Things like the ability to clone magnetic stripe cards, clone proximity cards, use man-in-the-middle and other types of attacks against the Wiegand protocol, data extract from unsecured databases behind the access control systems and things of that nature.

Fast forward for approximately 15 years. And the industry has provided solutions for every one of the challenges that I identified. However, the industry hasn’t implemented those solutions on most projects. The majority of the work that’s out there has been out there for a while. You walk into a building, and it’s pretty rare that it has a brand new access control system unless it’s a brand new building, or they just had a refresh of some type. So the industry as a whole is still very much accessible to the same attacks as before. Now, do we blame the end-users? They bought a perfectly good product in their mind that when they swipe the card, the door opens. 15 years later, someone says Hey, did you know that an attacker can clone your card? And they go What do you mean? And then they say, Well, certainly even an attacker now you can go out to your local convenience store, which they have one of these in my hometown. And you can get a copy of your key made. And on the more advanced ones, they’ll even copy your proximity card. This isn’t an attack method, this isn’t a hacker, this is a service, copy my key like a copy from my front door, copy my proximity card, like I want a copy for my front door. That’s the state of the technology there.

Behind the scenes, there are also issues like database security. Now even back then there was a security database more than just having it out there. But currently, people are getting more vigilant about putting in place controls, sometimes even encryption, certainly on the enterprise-scale, these controls and encryption, and whatnot are just a standard policy. But more often than not, if you go to a typical building in a typical city, and you look at the typical system that’s been installed, all the same vulnerabilities are still there, proximity cards, maybe smart cards that are not using any kind of customized encryption key. So they’re still countable. Probably Wiegand communication, even though there are solutions out there, probably sitting in some computer, in the building matters office that if ever is locked, they’re lucky and probably does not have hard disk encryption on probably does not have the database encrypted, and probably has a database still to default username and password. And all of these things are absolutely correct, are correctable by the industry. The industry has made strides in that I’m happy that somebody industry organizations, some, some of the industry associations have made efforts to put a correction in place and establish standards to help correct these things. But as you noted, a lot of it is still out there. And even the things are being put in brand new today, a lot of it is not taking advantage of any of those improvements that the industry has provided.

Tom Carnevale

It really continues to frustrate me. And you know, because you and I both know that the technology is very much readily available. There’s been the OSDP protocol, which has been introduced for some time, it’s just never taken flight. Really, for all intents and purposes, it hasn’t really come into its own. There’s even edge device Power over Ethernet POV readers that are available, but only with somewhat proprietary software configuration; it isn’t like the video surveillance industry, where you have your VMS community and then have ONVIF-capable brands of camera that can integrate into it. It’s a much more narrow playing field.

So I guess my next question is twofold. Is this maybe a manufacturer conspiracy? Or is it a lack of care? Or is it just a money thing? The last part, I somewhat have a hard time justifying in my own head because I’ve really thought through it because you look at the demand of video surveillance, they could have easily said, Oh, well, analog is everywhere, so let’s just keep building analog devices all around it. And so we’re compatible with the core infrastructure, no one’s going to change it. So I guess we’ll stay analog. That didn’t happen. I mean, yes, it took maybe bookend to bookend, 10 years of tripping and falling and encoders and HD over Coax new devices. And then finally years to get ONVIF Profile S corrected. But with access control, you would still think, we’re not going to just rest on our laurels and say Wiegand is the legacy install base. So we’re not going to create innovation, and the more secure devices, because we don’t want to rip out a cable or we don’t want to change out a panel. The logic of it just only being a money thing doesn’t necessarily make 100% of this the case for me, because that can still happen. You look at video surveillance, maybe it’s a bigger industry, they were able to do it. What do you think?

Is the OSDP Protocol here to Stay?

Michael Glasser

I have to sort of chunk that a little bit. Starting with OSDP never taking flight. I don’t agree with that. I’d say that there are a lot of OSDP jobs going on across main enterprises, or major enterprises, major large customers, I’d say most going with OSDP. But if they have 100,000 readers that are already Wiegand, they’re not going to be OSDP tomorrow. It takes time for the transition. I believe that the industry as a whole is at the tipping point where OSDP will become for any higher-end project the default standard. It certainly for most of the consultants that I know, it is what they specify on every job at this point. There are very, very few projects that I see from educated consultants that are still specifying Wiegand and are not specifying OSDP. And when they are, for the most part, it’s because they’re going into a legacy environment. And they don’t want to have one device that’s the exception to the rule. Thousand readers that are on Wiegand and a thousand panels that are on Wiegand, and now two that are OSDP. It’s not good business to mess with someone’s maintenance program that way, with the exception of a proof of concept or similar.

So OSDP is very similar in my mind right now to how ONVIF initially seemed like it would be great, it seemed like everyone would just use ONVIF for everything and all direct integrations would be gone. And 10 years in, that’s not the case, there are still direct integrations. But as we look at the state of video technology, and you look at simply pulling an RTSP stream, most of the higher-end video systems, I can just pull an RTSP stream, I don’t need ONVIF, I don’t need integration. But if you want to start having any more advanced features, being able to push settings to cameras, being able to do edge-based recording, being able to do motion detection on the camera and sending alarm events and event information back and forth, then we need that integration.

I believe ONVIF is a wonderful standard and a wonderful approach to video. I think that as we move forward, as I’ve said, for many years, I think we’ll get more and more projects and will become more of a standard and allow for fewer integrations. But it’s not there today. Let me clarify. I’m not saying that ONVIF isn’t there today, I’m saying the industry as a whole isn’t using it to that way, in that way today. And when you talk about OSDP and similar technologies, I feel it’s pretty much similar. OSDP can do everything that we can do and more. With very, very few exceptions. Some things, for example, that are very common in large buildings would be to have a Wiegand splitter. So you’d have one reader of proximity cards on the front of a turnstile. It’s a low-security reader with a low-security protocol. And when any number of clients all of which had their own proximity cards, but different numbers, swipe the net reader, a Wiegand splitter would then choose based on the bit pattern, it would choose where to spit out the string. So if you had three tenants, four tenants, five tenants in the building, it could then send that Wiegand string only to the appropriate tenant based on their bit pattern, the card range, and that tenant’s access control system could decide whether to let the person in or not. That way, if they didn’t have any integrated back end, which most systems didn’t, all the access and terminations were managed by the tenants themselves as opposed to the base building. That’s a very common application. Today, OSDP doesn’t have any provisions for being split. It’s an end to end protocol. It’s not meant to be a single point, the multi-point protocol. I’m working with a couple of different vendors requesting that they build a splitter device so that we add that feature back in for similar customers.

But with all that said, why isn’t OSDP used more? Just like anything else, it’s new, it’s shiny, people are scared. The integrators and other people that have been doing this for 20 years know it’s safe. If I do what I did yesterday, I’m not gonna have surprises, whether it’s concrete, or it’s washing windows, or it’s cooking food, if I do what I did yesterday, I’m not gonna have a surprise, I know what I’m getting. And it’s scary to try something new. But those that are in the know, and those that are looking to move forward, I believe were absolutely using OSDP. And interestingly, OSDP right now is over RS 45. But there also are provisions for OSDP over IP, so that you can end up with IP attached readers, which are certainly out there today. And those can also take advantage of the standardized protocol of OSDP as opposed to having to write custom integrations. So there are some very interesting things about OSDP, and the changes in the industry. One note I would like to add, though, is about encryption. OSDP included the option of encryption, it doesn’t inherently include encryption. And this is something that I’ve gotten to a bit of an argument with people about Wiegand there’s an unencrypted published protocol. It’s a parallel protocol.

Encrypting the OSDP Protocol

Tom Carnevale

Right. If you know the Wiegand protocol, you can infiltrate it, basically.

Michael Glasser

Absolutely. And you can find on the internet, it’s published at standard and unencrypted parallel protocol that’s been fully published. OSDP is an unencrypted serial protocol over RS 45. That’s been fully published. And understanding there’s an IP version that is no more secure.

Tom Carnevale

It is limited to 128-bit AES encryption though, correct?

Michael Glasser

Well, let’s clarify. Most of the time, it’s unencrypted, not encrypted, unencrypted OSDP. You have the option through STiD to add encryption. But most of the implementations I see people doing are still unencrypted, meaning you’re going from an unencrypted parallel protocol that’s published to an unencrypted serial protocol that’s published. It has some features, but it’s not adding security, you have to add the encryption, the SCP to add any level of security. The only additional level security right now is there’s less tooling available for doing bypasses and OSDP. But other than that, now, that’ll certainly be over soon. Other than that, if you’re not turning on the encryption, there’s no point.

What is the real cost of Installation for OSDP vs. Wiegand?

Tom Carnevale

That’s a really good point and a good bridge to this because you do have to add that layer of encryption. So it is another step, it is another piece of work that needs to be done. And some other inherent differences between Wiegand versus OSDP is, you know, cable length limitation: Wiegand is 150 meters, whereas OSDP can go up to 500. You know, bi-directional comms, OSDP does have it, Wiegand does not. We’ve already talked about encryption, but there’s also cabling: with Wiegand it’s typically copper. OSDP can be a UDP serial or even TCP IP. The tamper is included with OSDP and it’s bi-directional support, whereas Wiegand is only unidirectional. The reality, though still is, it is more from a wiring perspective and configuration perspective. There is a quote, unquote, more cost involved in OSDP vs. Wiegand, which, you know, for right now in this phase one, phase two, I’m not sure what we’re in and it’s an adoption, it makes it more complicated. That is just the reality is it’s more complex wiring. It has multiple profiles, like we’ve indicated, which, you know, add complications and complexities to the installation. What else would you add to that, about the complications in the cost of OSDP?

Michael Glasser

Respectfully, I have to disagree with you about the increased cost of OSDP. The wiring is less money. The wiring can typically be a less expensive cable, which is standard RS 45 cable, which is typically being used for other things on the project anyway. As opposed to Wiegand cable, it’s typically fewer conductors than Wiegand would require since it’s using data to control things like the beeper and the LED controls. So the cabling is less, the equipment from most major manufacturers includes both functionalities at no difference in price, some do have a difference in price. But most of them I’m seeing out there, Mercury is by far the leader I see when it comes to access control hardware that’s available from multiple vendors. But there are plenty of other vendors out there. Mercury’s boards will take Wiegand or OSDP. So once you have the board, it’s just a choice of which protocol does it communicate on. Several readers are doing the same thing.

So when it comes to hardware and cabling, I find OSDP is a reduction in costs, not an increase in cost. The only time I see an increase in cost is when the integrators are scared, because they’re doing something new, there is some additional labor to add the encryption key. But that is incredibly minimal. The first time it takes you an hour, the second time it takes you a couple of minutes. Like most things in life. The encryption key management is just a minor piece, assuming you even put on the encryption key; if you don’t, it just works out of the box. There certainly have been some learning curve things about terminating resistors, which are part of the RS 45 standard to manage reflections. But in my opinion, it is less costly if planned properly. Nothing’s worse than getting out on the job having OSDP readers, running OSDP cable, getting to a control panel and finding out, Oh, this control panel doesn’t support OSDP. I didn’t do my homework all the way through, that is unpleasant. And then you’re going to deal with cost of return and labor and everything else. But it’s my opinion, respectfully, that OSDP, when implemented and designed properly, should be less costly than Wiegand, not more.

Training and Security System Integration Companies

Tom Carnevale

I mean, that’s nothing but a good thing. I’m glad you brought that up. I think that there is inherently a lack of education and training on this issue. And I also think that manufacturers in some cases need to do a better job of training. What are you seeing in regards to training for the security installers of the world for access control with this value proposition of OSDP?

Michael Glasser

That’s a great question. And there’s a couple of different approaches that the industry is taking. The Security Industry Association has, I believe, run their second OSDP boot camp, targeting integrators to teach them about OSDP, which I think is a terrific thing. For the most part, I have not seen manufacturers pushing it with the exception of manufacturers that are financially incentivized to, for example, Cyprus, who makes OSDP devices, they have been speaking at trade shows, and similar about the benefits of OSDP. Most of the major manufacturers of access control systems, I have not seen really pushing it. Now I’m sure that as soon as I say that every manufacturer will point to a link on their website, or a blog post or a post on LinkedIn. But when I walk around the trade show, I don’t hear people barking OSDP at me, except a very limited set of directions, like Cyprus and some of the specialist groups.

With that said, in the 1950s, my grandfather drove a Cadillac. And in that Cadillac, there were no seatbelts. And he bought used seatbelts from an airplane and installed them in the backseat of his Cadillac so that his children would have seatbelts. He took the initiative to do what he thought was right, even though the industry and the manufacturers didn’t provide it. Parallel that to today’s market and there are companies out there, like Spiders Security Products, that are building these bridge devices, they have a device they call the Spider Blocker, which is effectively a relay disconnect module that if someone were to pull a reader off the wall, like a Wiegand reader, though it technically would work with OSDP as well. It physically cuts the wires to the reader until reset from the system to help alleviate some of the risks with Wiegand and with physically attacking protocols communication buses. So these Band-Aid type devices exist, while the industry is training up on OSDP and more secure protocols. And I don’t think anyone will really push it unless there’s a financial incentive to and that financial incentive is only going to be driven by the integration, the end-users, manufacturers will sell what sells, certainly they will innovate and come out with a new product.

But from my experience, that new product has to give them a competitive advantage and allow them to make money. Plenty of people come out with products that don’t make money. But no one wants to come out with a product that doesn’t make money unless it’s going to somehow really bring that business in that visibility. So considering that most of the major manufacturers now do have OSDP compliant hardware. Most of the major card reader manufacturers do have OSDP compatible card readers and combined card readers. At this point now it’s just up to the industry to accept this as the new norm. We no longer have to have converter modules at every door, we no longer have to have converter modules at every panel, no longer have to pull our hair out wondering, will this take off and will manufacturers accept that? It’s here, it’s now, it’s the right thing to do for the customer. Let me go back to the seatbelt example. Now I’m too young to remember some of the things that my grandfather told me about. But I questioned in advertising for manufacturers ever advertised seat belts, if they ever advertised airbags probably can search the internet and find that they did a bit. But until there was regulation and real push from industry, I questioned how strong of an issue that was. For my grandfather, those seat belts were important. Probably partly why I’m here. If those seat belts weren’t there I don’t know if my parents would have survived. For the industry, I’m hoping that now that the majority of manufacturers have OSDP support, and the education is available out there, that the integrators and end-users simply say yes, of course, I’m going to wear my seatbelt, of course, we’re going to use OSDP, why wouldn’t we?

Security System Consultants and Specifiers

Tom Carnevale

Well, yeah, I mean, it’s like anything else, that’s a great example of your grandfather, knowing the risks and taking the initiative to put security first for his family. And that’s what I think the security managers of the world, IT directors, security consulting and specifiers need to really do. The reality still is the majority of security system integrators go with what they know. I mean, you said it before. And this is a problem in any space and any transition in any technology. Oh, well, it worked yesterday, why change it? And like you said, the learning curve is not day and night, it takes a little bit of preparation but ultimately can deliver a more cost-effective, more secure solution. 

You know, in my career I started introducing a new technology where it wasn’t supported by any software platform or any existing system, and built a grassroots campaign door by door manufacturer  VMS by VMS, and had to get it integrated one by one and you have to start with the end-user demand and pull it through to the training and education of the system integrators and to ultimately benefit the technology ecosystem. So I think there’s a lot of opportunity with this. And I’m glad I learned more about it from you just sitting right here. I think maybe we could probably have a whole podcast on OSDP. But I want to also bring up the benefits of video surveillance, integration with access control systems and what your experience is with that, and maybe some examples of how you’ve seen it done really wrong, and in how it should be configured and optimized for an end-user.

Michael Glasser

Tom, I’d love to answer that question. But I feel I’d be negligent if I didn’t just cover one more thing on door security as a whole. A lot of focus is given to the card reader technology right now, because there’s a lot of YouTube videos and over the years, from when Zac Franken put out the gecko in 2008, to do man-in-the-middle attacks on Wiegand to more recently BLE keys and USB keys and all those things. A lot of people are forgetting about the rest of the door. It’s something that you really need to be aware of, that technology isn’t the only thing. If I can bypass the door with a coat hanger without setting off alarms, there’s not much concern about me attacking the reader. It really is the weakest link. So I’ll close out the OSDP conversation by saying that I’m glad we’re fixing one portion of the industry. But until we understand the entirety of what we’re securing, and all the different attack methods, including things as simple as tailgating and social engineering, all of it, we need to look at the opening on what is our goal? What are we trying to offer to the industry? What are we trying to offer to our customers? And really plan it accordingly. There’s nothing that makes a customer more frustrated than spending all this money to put an encrypted smart card with OSDP. And all these other wonderful things and somebody can walk up with a coat hanger and an inside lever. And it’s the racks on the left, the men without setting off a single alarm.

On that note, I’m happy to move to your video question. If you use that same example, and someone comes up with a coat hanger and hits that inside lever, the video surveillance will not have an alarm, it will not have an event triggered. So we have to look at the entirety of it. Integrating access and video has been done for many years, well over a decade, probably over two decades. When I was first starting in it, it was done through relay logic. And some people were able to do on the really advanced systems an RS-232 connection or a serial connection. And some of the old Pelco Matrix sees the big boxes in the rack, you’d hook them up via serial, and it would automatically pop up your video on alarms, which is really cool. Fast forward today and access and video are integrated on most decent systems so that you can quickly have an alarm pop up, or you can look at an alarm event in the audit trail and have the associated video. The same is true now with burglar alarms, and even people’s houses. A lot of the burglar alarms and cameras on people’s houses now have it integrated. And just the default, it’s a must-have. The ability to quickly verify a live video of what’s going on is just an absolute must; anyone not doing it, I feel, is really remiss. And I’m happy to provide more insight into it for you if you have any targeted questions.

Tom Carnevale

Have you seen any specific vertical markets adopt access control and video surveillance integration more than others in your experiences? I know if you have access control, not integrating a camera with it is probably you know, if budgets were endless, of course. What vertical markets do you see it being the most effective with?

Michael Glasser

Any market that has an alarm response. When you categorize that into verticals if you go into multi-tenant buildings, multi-tenant commercial buildings, even some multi-tenant residential buildings, a lot of times they’re not watching alarms. After the fact if someone complains, oh, someone was in the mechanical room or we caught someone here or there, they may go and pull an audit trail. But as far as live response, having a little security command center or reception desk or someone watching for those alarms and actively responding. That’s the key difference I’ve seen on who absorbed or who accepts it and really uses it. 

Coming from a biased position though, that the customers I work with are typically interested in doing things right. There are plenty of customers out there who don’t work with consultants, plenty of customers out there who want whatever’s cheapest and fastest, and I just don’t have much experience with them. The last time I dealt with those types of customers was many years ago. So I have a skewed viewpoint when it comes to this particular question. Because I’m only exposed to those that want to do a good job and want to do this right. I only have one customer over the last decade that said no. And they said no for a very valid reason, which is that the two disparate systems are their access control, and their video system they were using, they had tried integrating in the past, and they had consistent issues with version control. And because of the amount of stress they had over version control, they decided it was a worthwhile risk for them not to have the integrated system, and to manually pull up video just to eliminate the stress and system instability caused by version control. And while I didn’t agree in theory, in practicality, when they explained the amount of pain they had gone through with trying to get this manufacturer and that manufacturer to play nice and keep the versions aligned, I understood why they went and made that decision. It wasn’t a bad decision. I didn’t agree with it. And I’m still not sure I agree with it today.

Working with a Physical Security Systems Consultant 

Tom Carnevale

It sounds like they might have also had the manpower and the capabilities to execute that consistently. So they said, but that’s still relying upon human nature and process to fall in line. The physical security industry has a lot of different value chains that the end-user can benefit from. And like you said, not all end users enlist a physical security consultant for advice or for vulnerabilities. I’d really love for you to kind of tell me what type of end-user and why an end-user would need a physical security consultant? And what are some of the benefits and insights and value that you would be getting?

Michael Glasser

Oh, that’s a bit of a heavy question. Because there are a lot of different types of consultants and a lot of different types of services. The most common by far that I see is the architectural support. An end-user is building a space, changing a space, building a new office, leasing out a new office, and their real estate team is hiring an architect. Most end users don’t work with architects every day, aren’t used to putting together CAD files or Revit files, drawing packages, don’t know the CSS standard processes. So trying to get through a project themselves is sort of like marking up drawings with a crayon and asking someone else to make sure it’s installed right. That’s not always a great approach. Sometimes it works. But it’s not always a great approach. So a lot of venues will hire a security consulting firm. And although in this role, I typically will call them a security engineering firm, because what they really are is very similar to an MEP engineer, mechanical electrical plumbing engineer, where they are taking the end-user requirements, translating it into an architectural standard package, CSI compliant package, and integrating with the architectural process, the AIA process in America. And that’s one of the key services. Some end users don’t see the benefit in that and they rely on their integrators to mark up drawings and work through it. And historically, I found a much higher success rate and happiness, if that’s a measurable result, from end-users who do use a consultant to take that stress off of their back and to bring in an expert who’s good at that work along the architectural process.

The next type of service that is very common is for an end-user to reach out to your expertise. This is where I call them a security consultant as opposed to a security engineer. This is less about can you draw the camera on the drawing and make sure the details correct. More about why do I need a camera? What type of camera do I need? What are the performance requirements for the camera? What problem am I trying to solve? Is a camera the right solution for that problem? To really look at overall their culture, their environment, their goals, their risks, their threats, their business requirements, and their business requirements are certainly a big one, and make good solid recommendations on how they can improve their security while still being fully aligned with the business, while still enabling the business to be successful. And whether that business is a financial firm that has regulatory requirements to meet or that business is a pharmaceutical firm that has very strict compliance requirements, where that business is a grocery store, and they’re worried about slip and fall lawsuits. All of these are business requirements, not necessarily security requirements, that security helps enable the business to be successful around.

A proper security consultant takes the end user who should be a good security director and is very knowledgeable about security. But they’re dealing with one customer and a security consultant deals with many customers. And it’s the security consultant’s business to be a subject matter expert on not only the technology but also the state of the industry. The end-user is dealing with the day to day issues, managing events, managing people getting fired, people quitting, workplace violence, constant changes, there was an accident over here, there’s a storm over there, worrying about people. Where the security consultant is brought in as that real subject matter expert to help them make good solid decisions right away. And what a lot of people don’t like to talk about is it also helps justify budget. When you bring in an industry expert that looks at many customers, and gives good solid recommendations, it helps to justify that the budget you’re requesting isn’t just something where you’re trying to make it up. This is a consulting firm that specializes in this and they’re giving good solid recommendations for your business.

Access Control System Mobile Credentials and Facial Recognition for Secured Entry

Tom Carnevale

That’s amazing. So in closing, Mike, there is a big push towards mobile credentials, you know, for so many different reasons, the compounding reality of people losing their cards or key fobs all the time, to the security portion, which we’ve indirectly discussed. What do you think the future of mobile credentials for access control is?

Michael Glasser

That’s a great question. The answer is twofold. I do think mobile credentials will be a very prominent solution for the near future. And I’m expecting a bit of a peak valley and peak approach, I think mobile credentials are going to take off quickly. And I think they’re going to drop off quickly as facial recognition takes off. And you no longer even need to have a mobile device. Now you’re going to have your faces device. I would expect that based on some of the trends I’m seeing around legal regulations and some of the facial recognition will become outlawed or will become so heavily regulated, that it’s no longer practical, at which point I expect mobile to come back up hot again. And I think some people are going to be proactive and avoid facial because they’re worried about regulation and privacy. I think some people are going to take the plunge down the facial route, and avoid mobile. But both I believe will become prominent in the fairly near future. They already are, but even more prominent in the future.

One challenge that I have not solved yet, and I’ve seen a couple of people trying to solve but haven’t seen a great solution yet, is the way to identify who’s authorized once they’re in a space for other people to know. So historically, it’s pretty traditional that if you’re in a corporate environment, there’s a badge hanging around your neck. And if you see someone that doesn’t have a badge around their neck, they’re probably supposed to have a visitor sticker on or a visitor badge. And if they had neither, in most corporate environments people are trained, you’re supposed to say hi, can I help you? Are you here for a reason? Why are you here? As we go to mobile credentials, enabling every person in the business to be a force multiplier for the security team, by clearly identifying who’s supposed to be there, who’s not. And of course, you can make a fake badge and all of those types of things. But most of the time, when someone’s being nosy, they’re not that proactive. Some people have targeted attackers, sure. But when the random person walks in off the street, whether they’re psychologically challenged, or a typical criminal, most of the time, they just sneak in through a door that’s open anyway, they’re usually not wearing a fake badge, they’re usually not wearing a fake visitor badge. And I feel that’s going to hurt when we go to full mobile, when we go to full facial. I think that’s going to hurt our security culture and our force multiplier culture. And whether we supplement that with technology or other controls, I don’t know. That’s a fear I have right now.

Tom Carnevale

I never thought about it that way. That could definitely change the culture and the customer service provisioning for customers for security. You know, I’ve always really understood that if you’re training people the right way, you’re training them with a culture of security, with empathy, with kindness. And you do that consistently over time and that culture yields so many incredible returns for an organization that sometimes, I know we’re in the tech business, but sometimes the tech doesn’t matter if you can execute on that. This has been a really great conversation. And man, I feel like we could do this for a few more hours. So maybe next time we dive in more about future hypothesis of electronic access control systems. And because I think the tail end of what we just discussed we can expand on a lot more. Michael, thank you for being my second guest on Security and Focus. I’m very grateful for you, my friend. Thank you.

 

Michael Glasser

Very welcome, Tom. And thanks so much for inviting me. My pleasure.

 

Tom Carnevale

Thanks, everybody. 
