The Inside Track - An HID Podcast
Board Certified Physical Security Professional and HID Mobile Evangelist, Phil Coppola, provides you with a comprehensive look at all things related to the Physical Security Industry, with a tilt toward Mobile Access technology.
Mobile Access Is Identity Infrastructure W/ Guest Host SecuriTEA's Xander Alexander
In this episode of The Inside Track, Phil Coppola sits down with Xander Alexander from SecuriTEA for a practical conversation about mobile access, identity, and the changing role of physical security in the enterprise.
Mobile access is often introduced as a convenience story. Tap your phone. Tap your watch. Open the door. But the bigger conversation is about identity, trust, and how physical security can align with the same security models already being used across IT and cybersecurity.
Phil and Xander explore why the traditional plastic badge is largely a possession-based model. A card can show that someone has something, but it does not necessarily prove they are the person authorized to use it. Mobile credentials create an opportunity to move beyond simple possession by connecting access to a validated user identity, a trusted device, and enterprise authentication methods such as single sign-on and multi-factor authentication.
The conversation also digs into one of the most important areas of mobile access security: provisioning. Once a credential is securely issued to a phone, it can be extremely strong. But how that credential gets to the right person matters. Invitation codes, email-based enrollment, SSO, MFA, automated provisioning, device trust, and lifecycle management all play a role in building a stronger credentialing model.
Phil and Xander also discuss the convergence of physical security, IT, OT, and cybersecurity, and why security teams can no longer afford to operate in silos. As threats evolve, access control leaders need to think differently about how credentials are issued, managed, revoked, and governed.
If your organization is evaluating mobile access, planning a migration away from physical cards, or trying to better align physical security with enterprise identity strategy, this episode offers a grounded look at the risks, misconceptions, and best practices that should shape the conversation.
Topics include:
Mobile credentials versus physical cards
Identity validation and device trust
Why possession is not the same as identity
Secure credential provisioning
SSO and MFA for physical access
Visitor badge and lost card risk
Automated provisioning and lifecycle management
Revocation and governance
Convergence between IT, OT, cyber, and physical security
Why mobile access is more than convenience
Today's episode is brought to you by HID Mobile Access, the most secure and convenient way to open doors with the device you already use every day. With HID, organizations get flexible, future-ready solutions that easily integrate into workplace and tenant experience apps, creating a seamless journey from street to suite. If you're ready to modernize your access control experience, try it for yourself. Sign up for a free trial at HIDglobal.com/solutions and click on mobile access.

Welcome to The Inside Track with Phil Coppola. This episode is going to be a little bit different. Back during ISC West, I was able to sit down with a really good buddy of mine, Xander Alexander, to talk about best practices in physical security, specifically around mobile access. This was done as part of his podcast, called SecuriTEA. But I thought it would be a good idea to post it here as well, to reach as many of you out there as would be interested in this type of conversation. We cover all sorts of different aspects of credentialing. Obviously, this is meant to be mostly about mobile access, but we talk about the dangers of mobile access, physical credentials, and really what the best practices are for organizations that are thinking about migrating from a physical card to a mobile credential. As mentioned, this is an interview of me, which is kind of weird for me to be posting here. So without any further ado, I turn it over to the host of this podcast, Xander Alexander.

Mobile security headlines are loud right now. Samsung's list for 2026 includes AI-driven social engineering, API exploitation, NFC-related malware, 5G downgrade risk, like I'm just rattling them off right now, and direct-to-cell risk. So, with all of that, here's the question. If the phone is now identity infrastructure, right? What are the security teams still treating like someone else's problem?

Wow. Okay.
So I'm so glad you started there, because identity, as it pertains to mobile, I think is the piece that we're all missing as the security industry. Yes, the threat landscape will always evolve. If there's a new technology out there, bad actors are going to find a way to exploit it. It is what it is. The point is we have to stay one step ahead, right? As a PSP, they teach us layered approaches to security, right? Concentric circles of security around your physical asset. Yeah. That same concept is true in the IT space, right? So you want to build out as many layers of security as you can, whether that's good anti-phishing policies, good training around that, you know, device management and checking the veracity of the device. In the access control world, I think the piece that we've all missed is the fact that the physical credential is no longer representative of identity. It's representative of possession, right? So when you say, hey, Xander, you now work for Motorola, great, congratulations, here's your card, now you possess that card. Right. When you present that card at a card reader, there's no validation that you are who you say you are. All you're doing is saying, I have this. In the mobile world, what we can do is layer in the identity models that we're using on the cyber and the IT side. Yeah. Because when you join that organization, I say, Xander, welcome to Motorola. Here's your username and password that you're going to use to log into everything, using single sign-on or Active Directory or Entra or whatever. Yeah. And I use this identity to validate myself in my business systems. I log into it to use Microsoft Teams and all this stuff. You're also going to log into it in order to get the credential onto your phone, right? Which now is no longer just possession, it's verifiable identity.
I can say that Xander is the person with this device, or at least I can have a much higher probability of that being the case. Confidence is a lot higher. Yes. Yes, absolutely.

So, with that being said, I want to welcome everyone to SecuriTEA. Yes, I'm continuing to keep it like that. So, security with the TEA, but it's not gossip. Right now, we are offering signal over noise, integration over silos, and action over outrage. And so, once again, as Phil alluded to, I'm Xander Alexander. I'm joined here by Phil. Today we're going to be talking about mobile being part of the incident stream that's out there, not just the convenience of it. And so, Phil, thanks for doing this. Absolutely. No, thank you. Thank you for having me. I love the name, by the way, SecuriTEA. With the TEA. So there are other podcasts that have that, but they have some subtitles that go with it. Mine was just SecuriTEA, period. I love it.

So, quick intro, right? So, for anyone that does not know you, is just now meeting you for the first time, tell us a little bit about yourself. Well, hello. My name is Phil Coppola. I am the mobile evangelist for HID. My official title is director of end-user business development for mobile access. So I work alongside all of our great end user business development managers at HID to spread the good word about mobile access. I've been in the security industry for 25 years, believe it or not. But this has been the only industry that I've known in my entire career, which is, that's how it's been a long time, people. But the beauty part is I've worked on all sides of the industry. Before HID, I was with Genetec. Before Genetec, I was with Sony. Before Sony, I was with a company called Tri-Ed, which had acquired Northern Video, which the folks that are watching this today would recognize as Wesco. So Northern was acquired by Tri-Ed, who was acquired by Anixter, who was acquired by Wesco.
I left during that transition period, but then went to Sony. And I've been doing this, I don't know, I'm a nerd for this. I love physical security and I love social media. Yeah. Please follow me on LinkedIn. Yeah, well, it's a listen podcast, right? Yeah, yeah, yeah. So I've got all these different tentacles out there. So I've got the podcast called The Inside Track, available wherever podcasts are listened to these days. I've got a pretty good sized following on LinkedIn. I think I'm around 12,000 followers. No, listen. It's a grind. You know, it doesn't happen overnight, people. And then I've got a YouTube channel with around 4,000 subscribers as well. Yeah, dude, that's a lot. Well, there's a lot going on. How do you maintain it all? I feel like we can have a whole podcast just about the whole evangelism part of it. We, you know, I've kind of settled on this in my old age here. Okay. I think being an evangelist in any way, shape, or form is probably the new way of doing sales in the modern era. I think if you really want to be a successful salesperson, not just in the security industry, but yeah, especially with the rise of AI, those that have more of a connection to their audience, a connection to their customer, and being available 24-7, like if you have a question at night and you're scrolling Reddit and you see, oh, Phil commented on my post, or you know what, how does this HID mobile credential work, and Phil's available to watch. In the same way that you're doing, I think this is the modern approach to sales that organizations are starting to realize is really of benefit and of value, i.e. Motorola and HID doing this in an official capacity. Very, very true.

All right, so shifting gears a little bit, sure, right? So we were talking about, or opened with, Samsung, right?
And talking about what Samsung sees on the rise on their particular list. So when you see enterprise mobile threat headlines like that one, what is the real signal for the physical security and access control leaders? What is one mindset shift that they may need to make?

Yeah, I think the mindset shift again is, is having a card enough now? Is the possession good enough to validate the identity of somebody coming in through your facilities? And what I'm starting to realize is the answer to that question, if you talk to IT professionals, is absolutely freaking not. It is tantamount to saying, here's your work laptop, use whatever password you want. You never have to change your password. In fact, password one, two, three is perfectly okay with us. And that obviously is not the case in the IT world. But as physical security professionals, we find that, you know, we have the card readers on the door, we invest thousands and thousands of dollars to keep this door locked for just the right people. And in the olden days, going back five or six years ago, the threats were not as harsh. We've entered a new era. It's more challenging for the security professional to validate the identity of the folks that are coming through their doors. And so I think the IT-centric way of managing identity is now starting to bleed over into physical access. And this is just, I think, a matter of course. As security professionals, we always hear, oh, you should involve the IT department early. One of the reasons why you want to involve the IT department early is to talk about identity. How do we validate the person with the credential, whether it's on the phone or in their pocket on a plastic card? How do we validate that they are actually who they say they are? And there's, by the way, there's facial recognition, there's artificial intelligence, like AI can scan your face.
There's all that sort of, I think they call that vision ops. There are a few people out there that are really pushing that hard. But the bottom line is, I think as an industry, we're starting to see that the threat landscape has certainly evolved, and we need to evolve just as fast.

Yeah, I've been having conversations the last couple of days just about, well, as you likely know, I champion convergence, right? Convergence of IT, OT, the security. And so the way that I see this is that security is overall. And then we have segments, or sects, if we want to use the olden term, of security. So that could be the physical, that could be the IT part. And then within IT, you have the cyber part on top of that, right? Then you've got the OT. So, anyway, in your experience with this, what causes the most damage in practice? Is it unmanaged devices, or is it weak account recovery? Is it phishing and social engineering?

I think if we're talking about mobile access in particular, the biggest gap I would say is in the provisioning of the credential. Once the credential lands on the person's phone, it's actually quite safe and quite secure. Whether that's in the app, for us it's a Seos credential, so it's leveraging the same credential standards that HID considers to be best practice. Okay. So whether that's in the app or in the wallet, it is basically a Seos card. But the provisioning aspect, I think, is where the biggest gap is. So for a mobile credential right now, I could theoretically email you your credential. And the gap there is I'm hoping that Xander is the person who receives the email, right? And doesn't take that invitation code and give it to somebody else. But again, as that threat landscape evolves, there are new ways of provisioning credentials.
So if I take a step back and I say, well, why would you have a provisioning method that could potentially be, you know, vulnerable? Yeah. Well, you know, it's kind of fit for purpose. Not every organization is this big giant enterprise that really cares about, you know, the veracity of the devices necessarily, or they might just have 50 or 100 employees. They don't want to do integrations with single sign-on. It's like, I know Xander. Xander, can I see your phone? Do you have the credential on there? And that's perfectly fine. And we have enterprises globally that deploy credentials in that exact way. However, again, as the threat landscape evolves, I feel like integration with single sign-on, with multi-factor authentication, in order to identify yourself against a database that is what is relied upon from an IT security perspective, is the premier way. That is the gold standard. So now you use your single sign-on to log into your business systems, you use your single sign-on to log into anything that you need on your company network. Now you're using single sign-on to log in in order to have access to the physical hardware on site, i.e., your access control system, your secure print system, your elevator destination dispatch system. All of these things are unlocked for you once you validate your identity using single sign-on.

So basically that, and as you mentioned a moment ago, that gap in between that, right? Because if someone else gets that in there, that should be a problem. We could just run through at that point. So, but there's no spoofing SSO. I mean, obviously, and this is the beauty part with SSO and multi-factor authentication. So I log in. So let's just say, in the rare circumstance, I say, Xander, my username and password is this.
You're still going to get that multi-factor code, whether that's in an authenticator app or a six-digit code through a text message, like we're all used to doing. Yeah, no. Yeah. So I get those OTP notifications sometimes from my bank, and I'm like, I didn't try to log in. It wasn't me. It wasn't me. But that is the fail-safe. So now, taking that same concept, right? If that's what banking requires in order for you to log in and gain access to your money, why shouldn't the security department of these large enterprises leverage that same type of validation? Yeah. It's like, dude, you're already doing it. You're already seeing it. We're just adding it to another piece of your life, is what I'm trying to say. We're just adding it into another piece of your life.

So where do you think that mobile and physical intersect in a way that can create risk fast? Could it be with the mobile credentials, visitor access? Yeah, so where it could potentially be harmful, yeah. I guess if we're just saying so, it's really, if I'm being honest, I can't think of a single instance in which a mobile credential is riskier than a physical card, right? Because at the end of the day, let's just say, in the rare instance, I'm at the bar tonight here in Las Vegas, as has been known to happen, and I leave my phone at the bar. Okay, well, the organization can say, in order for that credential to even transmit, the phone actually has to be unlocked. So a bad actor who gains access to my phone does not necessarily gain access to my credential. And when I get back to my hotel room and I say, oh my gosh, I forgot my phone at the bar. Yeah, I run to iCloud and I turn off my phone. And then my credential is disabled, all my credit cards are disabled. There are all of these steps that I can take as an individual that have nothing to do with my enterprise.
And you juxtapose that against the possession model of, I have a card. Well, that card has my picture on it, that card has my company logo on it. And if I were a bad actor, I could say, there's a card, I'm going to take that, and I know exactly what company this is, and where to go. Right, and I know exactly where to go, and I'm going to start tapping away. I deal with lots of end users throughout the world, and you know, we talk about that very scenario as a hypothetical, and they've told me, no, no, no, that's real life. It has happened to us. Or my favorite circumstance of this is in visitor management, where the organization would provision a physical piece of plastic to a visitor, and the visitor leaves, like they're done with their appointment, and the card is set to expire at midnight, which is usually typical practice. But they leave the office, they take the lanyard off, they throw the card in the garbage, which, first of all, don't do that. That's just so bad for the environment. But please, not to mention all the bad security, but what they said was there are people that see that and they go dig it out of the garbage can, and now they have access to the building until the card expires. Yeah, and all it takes is one bad moment in time, yeah. Right, where things just sort of converge together to be bad. Now, you know, the other piece of it is again with the possession model, and we see this all the time. Hey, do me a favor, can I have your card? I have to go to the bathroom. It's like, yeah, sure, here you go. Which again is sketchy, questionable. You wash your hands. But if I said, hey, Xander, I would love to go to the bathroom. Can I borrow your phone? Oh, and do me a favor, can you unlock that? It's not going to happen. Yeah, no, those are some words, and then no. Exactly. Exactly.
Now, if we really want to get into the cybersecurity weeds of potential vulnerabilities, when we talk about the in-app credential that transmits over Bluetooth, there is a very small chance, because the transaction happens so quickly, uh-huh, that let's just say I'm sitting there in your lobby and I'm sniffing Bluetooth packets and I see that transaction go over and I see access granted. Oh, now I have some information. But all of that information is totally encrypted. And it's basically a random session; you can't replay it. When I tell you all worlds have to collide in order for this to happen: is it hypothetically possible within 500 milliseconds for me to read that transaction, transmit it to somebody else in a different location, and then replay that into the reader at that exact right moment? Is that possible? Yes. If you're worried about that, I've got some conspiracy theories I can talk to you about. I've got a bridge I can sell you in Brooklyn. But if organizations are concerned about that, there are some organizations that we deal with that say, you can't have Bluetooth anything. And so we cryptographically turn Bluetooth off on the reader, so that the Bluetooth radio is off and it can never be re-enabled ever again. For those folks in a mobile world, they go to wallet with NFC. The N in NFC stands for near. You have to be right on top of the reader. And the transaction time is 200 milliseconds. If you want to try to replay that, you'd have to be right on top of the reader with the bad actor and do all kinds of crazy stuff in order to get that to happen. Well, we don't have black hat conferences. Exactly. Like, so is it theoretically possible? Sure, but it is far more likely that somebody's just going to socially engineer somebody and say, let me get your card. Let me ask you this.
So if an organization wants to use the phone for access, right? What would you say are three non-negotiables that would make the mobile safer than the card? Okay, non-negotiable number one. All right, number one. Number one. Actually, I have them written down. Oh, do you? All right, let's do it. Yeah, because I want to make sure I don't forget any of these. We don't want to steer you the wrong way, yeah, the wrong direction. So okay, secure issuance, device trust, and identity. And all of this has to do with ultimately what we've been talking about this entire time in terms of single sign-on. Enforce single sign-on for the mobile credential. That way you're validating the identity of the user. The next step is automation; automate the process. Because right now, if you want to issue a badge to somebody, it's a lengthy process. I was just having a conversation with a gentleman that runs a large global company, and he said one of our biggest challenges right now is, we have an HR integration, okay, and they're onboarded, their card number gets created, it gets pushed into their access control system. All right, how do you distribute the badge? Oh, well, we have to have them come down, they have to take a picture, then we batch it, and a lot of people, they email us their picture, and then we have to print it, and then we have to ship it out. So single sign-on and automated provisioning means all I have to do is download an app or go to a website, log in with my credentials, and then issue the badge to wallet, and then boom, I'm fully issued. And then lifecycle management. Okay. So automated provisioning, single sign-on, lifecycle management. Here's the thing that nobody really wants to talk about.
Because there are folks in our industry that are, you know, really gung ho about visual ID, and by the way, as a physical security professional, I absolutely agree, you should have some sort of visual identifier that says, like, you belong to this organization. But if the litmus test for that is I have this plastic card around my neck and it works on the door, yeah, great. But what that could also potentially lead to is, if Xander is fired for doing something really bad or Phil is fired for doing something really bad, how do I know that he doesn't belong here anymore? Because I still have this piece of plastic around my neck and I'll be going up to the door: can you hold that door for me, please? And then people are nice. Yeah, they're going to hold the door. You have this visual, like, the training says don't do that. Correct. Everybody does it. Put in turnstiles, people. I am surprised by how many organizations, by the way, sidebar, that don't have turnstiles or don't have some sort of really stringent program before you get into the office anyway. But it's those organizations that are potentially at risk, because I have this piece of plastic that says that I belong here. And even though my access control rights have been turned off, the bottom line is I can still get onto your property. Right. With lifecycle management, which you could say is part of that automation, once they're removed from HR, pull that credential off their phone. Like, immediately pull it off their phone. So now they go to their wallet or they go to the app and the credential's gone. So it's not even like they could say, oh, look, it's right here. As long as we're not in airplane mode. Correct. That's the only instance in which the credential can't get pulled off. But here again, lifecycle management is key.
So single sign-on, automation, lifecycle management, which by the way, those are three different ways of saying automate the process and put the credential on a device that you can trust. And by the way, at HID, I'm BYOD. It is my iPhone, I own it. Yeah, I allow HID to manage it to a small degree, but it is not a company-owned device. But the convenience factor is I can put the credential onto my phone through single sign-on, and HID can see, oh, that's an iPhone 14 Pro Max running this firmware. It's your serial number. Exactly. And then they can say, like, oh, Phil, you're not running 26.4. We're going to turn off your credential. That is very different than, here's a card and may the force be with you. Because you've got that card. I've got that card. Yeah, yeah. I've got that card. It is mine until it is not. Exactly.

All right, so as we close out, yes, what is one actionable step that a security leader can take this week or next week to reduce the mobile credential risk? Along with that, what is one metric that proves that it is indeed improving? So, two-part question there. Do you want me to say it again? No, I got it. I think I got you. So from a metric perspective, the metric that I always refer back to is how many cards do you lose? The industry average is around 20%. Some organizations are below, some organizations are above, but the industry average is around 20%. And by the way, this is true for logical access credentials in a way, like YubiKeys and stuff like that. People lose these things all the time. The larger the organization, the number more or less stays the same. So if you have a thousand employees, 200 of them will lose their card every year. If you have 10,000 employees, 2,000 of them will lose their card every year. And when you put it into those terms and people start thinking about it, they're like, oh yeah.
And every time somebody loses a card, there is a gap period in between when they realize they lost it and when they report it. And that's risk. That's vulnerability right there. And if it's happening 2,000 times a year, that's several times a day. Yeah. That is how vulnerable these organizations could potentially be. So the thing that I would ask everybody to do this week, next week, or whenever, is for the physical security folks to get with IT security. That's it. Yeah. How do you provision access to our own internal resources that you're trying to keep as secure as possible? And how can I benefit from that same best practice on the physical security side? Bridging that gap, that convergence between IT and physical security, is a match made in heaven. And for a long time, I know, because I'm an old grizzled security guy, 25 years, I didn't want to deal with the IT security people. They're weird, you know, their office is dark and everything's on dark mode. But the reality is we all trust them implicitly, because they know that one incident could cost them millions, tens of millions of dollars potentially. So if they're protecting resources like that, why can't they help you protect the people resources and the physical assets in the real world? And they absolutely can, by incorporating their identity models into the physical security space.

Dude, so as you say that, I think it rings very much true that mobile is the identity infrastructure. Yes, it is part of the identity infrastructure, and we have to win it with the governance, with the revocation, and the speed that goes along with that, and not just the vibes of how you think that it feels, right? Yes, being able to stretch. I know, you know, 25 years within the game. At that point, it's like marriage. You're kind of stuck in your ways a little, right? But you've got to stretch, you've got to get to know your significant other in new ways.
Absolutely. And like in marriage, your relationship evolves. Yeah, and that's okay. And for those folks that can't handle that evolving relationship, there's divorce, but we don't want to do that. No, we don't want to. We want to have this nice, cohesive, happy thing. And I think as an industry, we kind of get stuck on, and I've been just as guilty of this, by the way. You know, since we're on the therapist's couch here, I always thought that the best benefit of mobile access was the convenience and the user experience. Oh, it's so delightful. You get to the door and you tap your watch and you go through it. Yeah, yeah, yeah. And really that, yes, that is great. And that is what the everyday person with the phone or with the watch gets to experience. But the bigger value is in the identity management, it is in the automation of provisioning and the added security that comes along with marrying IT and the physical stuff. So, if you take nothing away from this, it is that, yes, it's cool and it's fun, and it's like part of my digital identity as a person, but your IT department will love you forever. There will be no divorce if you take on their best practices for physical security. Yeah, for sure. We can't operate in silos anymore. I think we are way past that. Yes. And so thanks for coming on to SecuriTEA. Yes, I love it. Thank you very much. Elephant in the room, there's like a concert happening behind us. So if you hear it, we do. The noise cancellation is working real hard right now. But Xander, dude, thank you so much. Yeah, man, absolute pleasure. We should do it again. If you come across a headline that you want me to cover, or you want me to bring Phil back to cover, feel free to slide into my DMs and let me know what it is. Until then, this is Xander from SecuriTEA.
Today's episode is brought to you by HID Mobile Access, the most secure and convenient way to open doors with the device you already use every day. With HID, organizations get flexible, future-ready solutions that easily integrate into workplace and tenant experience apps, creating a seamless journey from street to suite. If you're ready to modernize your access control experience, try it for yourself. Sign up for a free trial at HIDglobal.com/solutions and click on mobile access.