A Secure and Sustainable Transition from Legacy Smart Cards to Mobile Credentials in University Access Control System


Abstract

A secure and sustainable building access control system plays a vital role in protecting organisational assets worldwide. Physical access management at Auckland University of Technology (AUT) is still primarily done through traditional card-based authentication. However, the use of old MIFARE Classic credentials, which rely on the antiquated Crypto1 encryption, leaves the system vulnerable to replay and cloning attacks. For laboratories, testing facilities, and technical areas that need stringent security measures, such flaws pose serious risks. To overcome these issues, we propose a secure and sustainable university building access control system using mobile app credentials. This research is grounded in a thorough risk analysis of the university’s current infrastructure, mapping potential threats to operational continuity. We analyse card issuance records by identifying high-risk areas such as restricted laboratories and evaluating the resilience of the current Gallagher–Salto system against cloning and replay attacks. We quantify the distribution and usage of vulnerable cards. To evaluate the risks to operational continuity, the system architecture is examined. Additionally, a trial implementation of the Gallagher Mobile Connect platform was conducted, utilising cloud registration, multi-factor authentication (PIN or biometrics), and books. The pilot implementation shows that mobile-based credentials improve user experience, align with AUT’s environmental sustainability roadmap, and increase resilience against known attacks. Results show that the proposed mobile credentials can improve system performance by up to 80%.
