Why organisations adopt mobile access
For facilities teams, the big wins are onboarding speed (issue to the phone, no print runs), offboarding certainty (revoke remotely), and lower plastic/print logistics. For users, it reduces forgotten cards—most people don’t forget their phone—and enables touch-free journeys at busy doors. From a governance perspective, binding access to a device that already requires a screen lock and supports hardware-backed keys can raise the assurance of “who is holding the credential” compared with basic cards. The National Cyber Security Centre (NCSC) encourages organisations to take device security and secure administration seriously; mobile credentials benefit when those broader device controls (screen locks, updates, managed app distribution) are already in place.
BYOD, ownership and acceptable use: set the ground rules first
The biggest design decision is whose device you will trust. Many programmes allow bring-your-own-device (BYOD), provided basics are met: a device lock (PIN/biometric), current OS, and the ability to revoke the credential instantly. NCSC’s BYOD guidance recommends setting clear policy, providing user support, and using mobile device management (MDM) or lightweight app controls commensurate with risk. The ICO’s BYOD guidance adds the data-protection lens: you remain the data controller, so you must document how access data is processed and protected on personal devices and set proportionate retention and removal controls. Build this governance into your roll-out plan and staff communications—it shortens approval cycles and keeps auditors comfortable.
If you don’t want to manage personal devices, a corporate-only approach still works well: issue managed handsets or allow mobile credentials only on enrolled devices using your chosen MDM. The NCSC’s MDM guidance explains what to look for (device inventory, policy enforcement, remote wipe, containerisation and update hygiene).
NFC vs BLE (hands-free) – picking the right fit
NFC gives a tap-to-enter experience similar to a contactless card. It tends to be fast and deterministic at turnstiles or busy lobbies and feels familiar to users.
BLE enables proximity-based entry (from a few centimetres to a few metres depending on configuration), which is excellent for hands-free or accessibility-friendly journeys—no need to present a card when carrying goods or using mobility aids. BLE security is mature but different from NFC; it relies on device pairing and encrypted links. If BLE is in scope, use platforms and readers that implement modern Bluetooth security correctly, and follow recognised guidance on key management and device authentication. NIST’s Guide to Bluetooth Security provides a solid industry baseline for hardening decisions around pairing modes, key strength and protection against relay attacks.
For an overview of touch-free journeys and practical upgrade paths across door types, see our short primer on Hands-Free Access Control.
Security model: raise the floor, don’t invent new risks
A defensible mobile deployment looks boringly sensible:
- Device assurance. Require a screen lock and current OS; block rooted/jailbroken devices; prefer devices enrolled in your MDM if risk is high. NCSC’s device security collection sets out practical controls for hardening endpoints used at work.
- Strong admin. Protect the management plane of your access platform with role-based access and multi-factor authentication for administrators. NCSC’s MFA guidance is clear: pick the strongest available methods and secure admin paths.
- Edge determinism. Doors should make decisions locally using cached permissions if the server or WAN is down; events reconcile later. This principle remains valid whether you’re cloud-managed or on-prem—design for continuity at the door, not just in the server room. (For the networking underlay that keeps everything reliable, see our primer on IP Security System Installation.)
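
The edge-determinism principle above, as added Python example code (not from this article or from any access platform): a door controller decides from cached permissions, queues its events, and reconciles when the link returns. The class and field names, the sample credentials and the four-hour cache-age limit are assumptions; the limit bounds how long a centrally revoked credential can still open a door during an outage.

```python
from dataclasses import dataclass, field

MAX_CACHE_AGE_S = 4 * 3600  # assumed policy: longest a door trusts its cache without a sync

@dataclass
class DoorController:
    door_id: str
    permissions: dict = field(default_factory=dict)  # credential_id -> expiry (epoch seconds)
    synced_at: float = 0.0
    pending: list = field(default_factory=list)      # events not yet uploaded
    seq: int = 0

    def decide(self, credential_id, now):
        """Grant or deny from the local cache only; never blocks on the server."""
        expiry = self.permissions.get(credential_id)
        if now - self.synced_at > MAX_CACHE_AGE_S:
            result, reason = "deny", "cache_stale"  # assumed fail-closed choice for entry
        elif expiry is None:
            result, reason = "deny", "unknown_credential"
        elif now >= expiry:
            result, reason = "deny", "credential_expired"
        else:
            result, reason = "grant", "cached_permission"
        self.seq += 1  # per-door sequence lets the server spot gaps after an outage
        self.pending.append({"door": self.door_id, "seq": self.seq, "ts": now,
                             "credential": credential_id, "result": result, "reason": reason})
        return result, reason

    def reconcile(self, server_permissions, now):
        """Link is back: take the server's list (revocations land here), hand over queued events."""
        self.permissions = dict(server_permissions)
        self.synced_at = now
        uploaded, self.pending = self.pending, []
        return uploaded

def demo():
    # Constructed sample data: two credentials synced at t=0, then the WAN drops.
    door = DoorController("lobby-1")
    door.reconcile({"cred-alice": 10**9, "cred-bob": 10**9}, now=0)
    outcomes = [
        door.decide("cred-alice", now=600),       # offline, cache still fresh
        door.decide("cred-mallory", now=700),     # never issued
        door.decide("cred-bob", now=900),         # revoked centrally at t=800, door has not heard
        door.decide("cred-alice", now=5 * 3600),  # cache older than the limit
    ]
    uploaded = door.reconcile({"cred-alice": 10**9}, now=5 * 3600 + 60)  # revocation arrives
    outcomes.append(door.decide("cred-bob", now=5 * 3600 + 120))
    return outcomes, uploaded
```

The third decision in `demo()` is the one to review with stakeholders: a revocation issued during an outage does not reach the door until the next sync or until the cache-age limit expires, so that limit is the real upper bound on "instant" revocation at the edge.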