What is a Mobile Credential? Phone-as-Badge for Door Access

Mobile Credential

A mobile credential is an access-control credential stored on a smartphone instead of a plastic badge. The phone transmits the credential to a reader via Bluetooth Low Energy (BLE), NFC, or a vendor-specific app, and the reader passes it to the controller for authorization. Mobile credentials reduce lost-card replacement costs, simplify onboarding and offboarding, support remote provisioning, and pair with phone biometrics (Face ID, Touch ID) for two-factor authentication. Top providers: HID Mobile Access, Brivo Mobile Pass, Avigilon Alta, Genetec Synergis, Apple Wallet (since iOS 15).

The short definition

A mobile credential is a digital token, cryptographically signed and tied to a user, stored in the phone's secure element. When the user approaches a reader, the phone wakes the credential (typically after a Face ID or Touch ID check) and transmits it. The reader hands it to the controller, the controller checks its rules, and the door unlocks if the credential is valid for that door at that time.

The credential replaces the prox card or smart card; the reader, controller, and software stack stay the same. That's the upgrade path: deploy mobile-capable readers (BLE plus NFC plus legacy prox), keep the existing controllers and software, and migrate users from cards to phones over 12 to 18 months.

BLE vs NFC: the transport choice

Two transport protocols handle most mobile credential traffic.

BLE (Bluetooth Low Energy). Reads at 1 to 10 meter range. User can hold phone in pocket. Convenient at high-throughput entrances. Risk: tailgating becomes easier because the reader unlocks before the user reaches the door. Mitigated with reader-tuning to short range or "tap mode" requiring intentional proximity.
NFC. Reads at 4cm range. User taps phone to reader, mimicking the badge experience. Lower convenience but no tailgating-by-distance issue. Apple Wallet uses NFC exclusively on iPhone.

Most enterprise mobile-credential readers (HID Signo, Schlage Mobile, Avigilon Alta readers) support BLE, NFC, and legacy prox simultaneously. The user picks the experience; the door allows all three.

The vendor landscape

HID Mobile Access. Largest deployed base. Pairs with HID Signo readers. Apple Wallet integration (since 2022). Common in enterprise office, healthcare, and multi-tenant.
Brivo Mobile Pass. Cloud-native, BLE-first. Strong in coworking and multi-tenant office.
Avigilon Alta (formerly Openpath). Mobile-credential-first platform with patented "wave to unlock" gesture. Apple Wallet integration.
Genetec Synergis Mobile. Adds mobile credentials to enterprise on-prem PACS.
Verkada Access. Cloud-native, mobile-credential-included. Single-vendor camera plus access stack.
Apple Wallet (employee badges). Multiple PACS partners. The Wallet integration is the user experience the next generation of office workers expects.
Allegion Schlage Mobile and HID origo. Lock-vendor mobile credentials for residential and multifamily.

Migration from prox cards

Standard pattern at commercial sites with existing prox card systems:

Phase 1: dual-credential readers. Replace existing prox-only readers with BLE-plus-NFC-plus-prox readers. No user change yet. Both card and phone work at every door.
Phase 2: opt-in enrollment. Users download the credential app, enroll, and start using their phone. Cards still work. New hires receive only mobile credentials.
Phase 3: deprecate cards. 12 to 18 months in, when most users are on phones, set a sunset date for cards. Issue temporary cards on request only.

The reader replacement is the capital-cost step; everything after is software and rollout.

Security considerations

Two real attack surfaces.

Compromised phone. Stolen, unlocked phone with the credential app open. Defense: phone biometric required before the credential transmits, plus fast platform-side revocation when the user reports loss. Sub-5-second revocation is the spec.
Relay attack. Attacker uses a BLE relay to forward signals from a victim's phone (in their pocket on the train) to a reader at the office. Real attack class against early BLE implementations. Mitigated with distance bounding (the credential measures BLE round-trip time and refuses to authenticate beyond a few meters). Modern HID and Avigilon Alta implementations handle this; older platforms may not.

When to ask Tec-Tel about mobile credentials

Mobile credentials are a 5-to-10-year decision because of the reader replacement cost. We'll scope the right reader hardware, validate the PACS platform, plan the migration phases, and budget for the dead-phone fallback workflow.

Frequent buyer questions

What's the difference between BLE and NFC mobile credentials?

Range and behavior. BLE (Bluetooth Low Energy) reads at distances up to 10 meters; users can hold the phone in pocket or bag. NFC reads only at touch range (within 4cm); user taps phone to reader. BLE is more convenient but raises tailgating concerns (the door reads the phone before the user reaches it). NFC is closer to a traditional badge experience. Most enterprise mobile-credential platforms support both, with the user choosing per door.

Why replace prox cards with mobile credentials?

Five reasons. (1) Replacement cost: a lost prox card costs $5 to $20; a lost phone credential is reissued in seconds via the cloud platform. (2) Remote provisioning: new hires receive credentials before their first day, no badge office visit. (3) Faster offboarding: HR triggers credential revocation; no badge to physically collect. (4) Two-factor for free: phone biometric authenticates the user before the credential transmits. (5) Brand experience: phone-as-badge feels modern, especially in office and multi-tenant.

Does Apple Wallet support mobile credentials?

Yes, since iOS 15 (2021). HID, Allegion, and several lock vendors integrate with Apple Wallet for employee badges. The credential lives in Wallet, transmits via NFC at the reader, and authenticates with Face ID or Touch ID before transmission. Google Wallet has similar support on Android. Adoption is fastest in office, university, and hospitality. Enterprise PACS platforms increasingly support both Wallet integrations alongside their own apps.

What if an employee's phone dies?

Standard fallback patterns. (1) Issue a temporary plastic badge from a kiosk. (2) Use a PIN backup at the reader. (3) Tailgate authorized through the door (which is a security gap; not recommended). Enterprise platforms (HID Mobile Access, Brivo, Avigilon Alta) handle the temporary badge workflow inside the cloud platform with audit trail. Plan the dead-phone scenario before rollout.

Are mobile credentials secure?

Generally yes. The credential is stored in the phone's secure element (iOS Secure Enclave, Android StrongBox or TEE), encrypted at rest, and transmitted over an encrypted Bluetooth or NFC channel. Phone biometric (Face ID, Touch ID) gates the credential before it transmits, adding a second factor. The main risk vector is a compromised phone with unlocked credentials, which is why platform-side revocation must be fast. Most platforms revoke under 5 seconds.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400