Colin DePree, Sales Strategy, North America Leader, Salto, explores why the era of static security is over.
Security and convenience have long been viewed as opposing forces in access control.
The assumption is that hardening a facility creates friction, while removing barriers inevitably invites risk.
This dichotomy is rapidly becoming obsolete.
What we are seeing today in access control is not just a product upgrade, but a structural shift in how identity itself is managed, from legacy tokens (cards, fobs, etc.) to mobile credentials and from static hardware to what can be described as “living” identities.
For decades, the industry standard for physical access control was the 125 kHz Prox credential.
These cards are inexpensive and compatible with most systems, but they represent a significant liability. From a cybersecurity perspective, they are “static”.
Once issued, they cannot easily receive updates or patch vulnerabilities without significant administrative burden.
Worse, their widespread use has exposed a dangerous vulnerability in access control: ease of cloning.
With minimal technical knowledge and cheap tools, legacy credentials can be duplicated, compromising the security of the entire system.
Even early generations of smart cards – such as MIFARE Classic – have since been shown to be vulnerable to well-documented attacks and unauthorized duplication.
Twenty-five years ago, Salto Systems designed a solution to this access control stagnation with its Data-on-Card technology.
By transforming the card itself into a data transporter, the system allowed users to update access control rights across the entire system simply by scanning a wall reader or interacting with a lock, eliminating the need to update every lock.
Access permissions, audit data and system updates could propagate organically as users moved through a facility.
Today, mobile credentials build on this foundation, accelerating the transition from periodic updates to continuous, real-time security.
While Data-on-Card turned the physical badge into a smart courier, mobile credentials transform the user’s device into an always-connected update point for access control.
“We have to be honest about the limitations of legacy hardware,” said Colin DePree, Sales Strategy Leader for North America at Salto.
“Outmoded prox cards are stagnant. A mobile credential, on the other hand, operates like the ultimate evolution of Salto’s SVN Data-on-Card technology.
“It lives, evolves and protects itself in real time. It transforms security from a hardware management task into a frictionless access experience.”
Because mobile credentials leverage the smartphone’s connectivity, they no longer rely on fixed update points.
Credential permissions, revocations and security policies can be updated remotely and immediately.
If a credential is compromised, access can be revoked or patched over the air, dramatically reducing response time and exposure.
Mobile also bridges a long-standing access control authentication gap. A plastic card cannot verify who is holding it.
Mobile credentials, however, leverage the native security features of modern smartphones – such as biometrics and secure elements – to add an additional layer of identity verification.
The authentication layer is no longer just the reader on the wall; it is partially embedded in the user’s device, utilizing Face ID, fingerprint recognition or other device-level authentication to help ensure the person unlocking the door is the authorized user.
The smartphone is not merely a digital key; it is a powerful data conduit.
The Data-on-Card model established the concept of storing access control rights and audit information directly on the credential.
As the industry transitions to mobile, this capability expands into Data-on-Mobile.
In this ecosystem, data is exchanged between locks, readers and the user’s device.
This effectively turns the credential holder into an active node in the building’s access management network.
As a resident or employee moves through a facility, their device can synchronize permissions, transmit audit data and even report lock or battery status for offline devices.
Traditional access control has long been built around issuance events: create a credential, assign permissions and react if something goes wrong.
Living credentials fundamentally change that model. Access becomes a lifecycle, not a moment in time.
For facility or security teams, this shift reduces dependence on manual processes that introduce risk.
Lost or stolen credentials no longer require rekeying doors or auditing entire card populations.
Permissions can be adjusted instantly, credentials can be suspended in real time, and access policies can evolve continuously as roles, schedules or threat conditions change.
This lifecycle-based approach also aligns more closely with modern cybersecurity and identity management frameworks.
In IT environments, credentials are expected to rotate, expire and respond dynamically to policy changes.
Mobile access control brings physical security into that same operating philosophy, closing a long-standing gap between cyber and physical domains.
Living credentials also improve audit quality and regulatory compliance.
Because credentials can synchronize data continuously, access events, permission changes and system updates are captured with greater fidelity.
This supports more accurate reporting for regulated environments such as healthcare, higher education and multifamily housing.
Ultimately, the value of living credentials is not just stronger encryption or better user experience – it is resilience.
Facilities change. People change. Threats change. Security systems that assume permanence struggle to keep up.
Despite the clear advantages of mobile credentials, the real world requires flexibility.
There is no crystal ball in security, and user needs vary across industries, demographics and physical environments.
Many facilities will continue to require multiple credential formats for the foreseeable future.
For example, in senior living, healthcare or specialized workforce environments, some users may prefer – or require – physical credentials.
“The goal isn’t to force mobile on everyone,” DePree explained, “but to ensure that every credential format meets the same high security standard.
“We’re seeing a move toward hybrid ecosystems – mobile-first for most users, paired with secure physical credentials where needed.”
Rather than relying on legacy prox technology, proactive facility managers and security teams are increasingly adopting modern smart cards such as MIFARE DESFire EV3, which offer strong encryption and mutual authentication.
This approach allows organizations to remain inclusive without weakening their security posture.
By adopting a hybrid approach that offers both secure physical credentials and mobile options, facilities can cater to diverse preferences while maintaining a high security standard.
Today, mobile credentials already extend beyond digital keys and individual doors – supporting smartphone-enabled QR codes for visitor management, intercom access and temporary credentials.
Future innovations are expected to push convenience and utility even further.
Emerging technologies point toward a future where locks may harvest power directly from a smartphone via BLE or NFC, potentially reducing or eliminating battery maintenance.
The broader trajectory is clear: access control is moving toward a unified system where the method of entry – whether smartphone, biometric verification or QR code – is largely invisible to the user.
This “living” security model delivers a previously unimagined experience where the credential updates itself, the lock manages itself and the building secures itself.
Secure mobile credentials are more than a step forward; they are a leap toward a future where security is seamless, access is frictionless and the user experience is front and center.
This article was originally published in the February edition of Security Journal Americas.