One of the biggest trends in the world of visitor management and access control is the use of QR codes as a key or credential to unlock access points with a mobile device.
This technology has exploded in use and popularity in recent years. It has some obvious appeal – but also some shortcomings that should be considered, especially as new alternatives like digital credentials have evolved to fulfill a similar function.
If you’re looking to modernize your mobile access experience, weigh your options and choose the right solution for your needs.
How QR Codes and Digital Credentials Work for Access Control
In order to select the best option for your mobile access process, it’s important to understand how each one works in the context of mobile access.
“Quick Response” codes aren’t a new technology, but new innovations in recent years have led to creative new uses of this tool. Functionally, QR codes are complex bar codes capable of storing a lot of information (up to 4,000 text characters) in a consolidated visual image easily translated by a computer.
That condensed information can represent any number of things: a serial number for a product, a url for a restaurant menu, or login information for a WiFi network, to name a few.
QR codes have emerged as a flexible option for permissioned access, too. They can store a unique, personalized code representing a ticket or credential. If you’ve used your phone to get into an airport, concert, or sports event, you’ve likely used a QR code in this capacity
This implementation of QR codes can be used to get through access and security points with a smart device, as well. Customized QR codes can be issued to users via app, email or mobile browser and used to unlock doors, gates, elevators and more. A special QR reader scans the code presented on the smartphone screen and sends a signal to open or unlock the access point.
This approach is especially appealing for granting access to temporary visitors and guests who don’t warrant a more permanent credential like a fob or key card. For instance, a building manager might send a delivery or maintenance person a QR code on their phone to enter an apartment or office building, allowing them to bypass the security desk and quickly enter the building without having to be physically present to let them in.
Digital credentials are another way to present verified access permission via smartphone, but they operate in a different capacity from QR codes.
While a QR code stores and shares information in a visible graphic, digital credentials are consolidated and transmitted via a smart device’s remote signaling capabilities, such as Bluetooth and BLE (Bluetooth Low Energy) signals. The smart device securely mimics the RFID signal sent from a magnetic key card or fob and transmits it digitally to an enhanced receiver.
This approach is effective for granting instant remote access to guests and visitors, similar to a QR code. However, it has the added benefit of being a viable permanent solution for all frequent users of a property and can even replace traditional fobs and access badges entirely.
Weighing the Options
These two approaches to visitor management and access control share several appealing benefits, chief among them the ability to grant access to anyone from anywhere with just a smart phone. However, there are some important differences that need to be considered before implementing a mobile access technology on your property.
Security is a critical factor in any decision about your access control and visitor management. We all want to make getting and granting access more convenient, but if that compromises the safety of tenants and property it’s not worth the risk.
Unfortunately, QR codes come with an intrinsic vulnerability that is difficult to work around. They’re a visual form of information sharing, meaning they can be duplicated and shared any number of times with anyone at all. If you email someone a QR code that’s personalized with the intent to only grant them access, there’s nothing stopping them from taking a screenshot or saving the image and forwarding it on to anyone.
There’s no way to ensure that a QR access code belongs to the person who is presenting it other than tedious, time consuming manual identity verification. At that point, you’ve lost all the benefits of using these codes in the first place!
On the other hand, digital credentials are considerably more secure. They can’t be copied, printed out, or shared with anyone other than the person holding the permissioned device. That allows easy 1:1 verification of granted access to credential usage.
A lot needs to go right for QR code-based mobile access to work correctly.
Each access point needs to be equipped with a reader capable of interpreting QR codes. Sometimes they work great...sometimes they can be quite finnicky. If you’ve ever used a self-checkout line at a supermarket, you may have experienced something that just never seems to scan easily. That same problem can occur with QR readers.
There’s a lot of room for user error. Not everyone will intuitively understand how to bring up a QR code on their device, have it displayed correctly on their screen, and present it effectively to the reader.
In order for a QR code to trigger and grant access, the credential stored within has to be written to the backend access controller in a unique way. Not all access controllers have this capability natively, so you may be faced with getting a new one or reconfiguring your existing one (which is time consuming, is prone to breaking and creates a lot of confusion for your technology and operations teams).
Digital credentials are quite straightforward in comparison. The access request signal is set to deploy automatically, minimizing the input needed from the user. There’s no fiddling with screen brightness or settings or worrying about a cracked screen interfering with the image. And there’s no special readers needed or required updated to the backend access controller: digital credentials can work with any conventional access system with a simple upgrade to your access points.
Finally, there’s an important factor of reliability to consider.
Mobile access only works if the mobile device can source and present the credential when its needed. For QR code access, that typically means the device must be actively connected to WiFi or cell network in order to bring up the image for a reader. That works most of the time, but can be disrupted deep in large buildings, basements, and parking garages.
In instances like this the system simply doesn’t work. No connection means no way to get the QR code, no code means no entrance or exit.
Digital credentials avoid this issue much the way a fob or key card does. The signal is housed right in the device and doesn’t need to be ‘summoned’ from a link or email or app and doesn’t get disrupted in the event of a network overload or outage.