Mobile Credentials and Cloud PACS

How mobile credentials and cloud-managed access control work, with the connectivity and Canadian data residency trade-offs integrators must weigh.

Two shifts are changing how access control gets deployed: the credential moving from a plastic card to a phone, and the management software moving from a server in the closet to the cloud. They are independent choices, but they often arrive together. This article covers how each works and what to weigh before specifying them in Canada.

How Mobile Credentials Work

A mobile credential is a cryptographic key stored on a smartphone instead of a card. It is held in a protected area of the device, the secure element or a trusted execution environment, so the credential cannot be copied off the phone. The phone presents it to the reader over one of two radios:

  • NFC (Near Field Communication): short range, requires a deliberate tap, behaves much like tapping a card.
  • BLE (Bluetooth Low Energy): longer range, supports reading from a pocket or bag and the wave-to-unlock gesture, and lets the reader and phone work at a distance.

The credential is issued over the air. An administrator sends an invitation, the user installs it in a wallet or vendor app, and the door starts working. Revoking is just as fast, which matters for staff turnover and lost devices. Because issuing and revoking are remote, mobile cuts the cost and handling of plastic cards.

Cloud-Managed PACS Architecture

A traditional physical access control system (PACS) runs its management software on an on-premises server. A cloud, or access-control-as-a-service, model moves that software to a hosted platform. The door controllers stay on site and keep the access decisions local, so doors keep working during an internet outage. The cloud holds the configuration, the cardholder database, the audit log, and the user interface, reached through a browser or app.

Element             | On-premises PACS      | Cloud PACS
Management software | Local server          | Hosted platform
Door decisions      | Local controller      | Local controller
Updates and backups | Manual, by integrator | Handled by provider
Remote management   | VPN required          | Built in
Recurring cost      | Lower                 | Subscription

Benefits and Trade-offs

The upside is real: no server to patch or back up, automatic software updates, remote management of many sites from one screen, and easier scaling. The trade-offs need attention.

  • Connectivity dependence. Doors keep working offline because the controller decides locally, but you lose remote management, live monitoring, and fresh credential pushes until the link returns. Size the local controller’s offline cache and event buffer accordingly.
  • Data residency. A cardholder database and access logs are personal information. Under Canadian privacy law, including provincial regimes, you should confirm where the provider stores and processes that data. Ask whether Canadian data centre regions are available and get it in the contract if residency in Canada is required.
  • Subscription cost. Lower up-front cost, ongoing fee. Model the total cost over the system’s life, not just year one.
  • Vendor dependence. The provider’s uptime, security practices, and roadmap become yours. Review their security posture and breach history.

Integration with Video and Identity

Cloud PACS usually ties into video and identity systems. A door event can call up the matching camera clip, so an operator sees who actually went through. For interoperability across vendors, ONVIF profiles help the access and video sides exchange events and verification. On the identity side, the PACS can sync with a corporate directory through standards-based identity providers, so a person hired or removed in HR is provisioned or de-provisioned at the door automatically. For credential assurance and identity proofing, NIST SP 800-63 is the common reference framework. This keeps the cardholder list current and removes a frequent source of stale access.
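
An added example, not from the original article or any vendor's product: a Python check that reconciles a directory export against the PACS credential list and reports credentials that are still enabled for people who are no longer active. The field names and all records are constructed for illustration, and the sample includes a person whose card was disabled while their mobile credential stayed live.

```python
# Added example: stale-access audit between a directory and a PACS export.
# Field names ("email", "status", "holder", "enabled") are assumptions,
# and every record below is constructed sample data.

DIRECTORY = [  # constructed HR / identity provider export
    {"email": "a.roy@example.com", "status": "active"},
    {"email": "b.chen@example.com", "status": "terminated"},
    {"email": "c.singh@example.com", "status": "active"},
]

CREDENTIALS = [  # constructed PACS export, one row per credential
    {"id": "C-1001", "holder": "A.Roy@example.com", "type": "card", "enabled": True},
    {"id": "M-2001", "holder": "a.roy@example.com", "type": "mobile", "enabled": True},
    {"id": "C-1002", "holder": "b.chen@example.com", "type": "card", "enabled": False},
    {"id": "M-2002", "holder": "b.chen@example.com ", "type": "mobile", "enabled": True},
    {"id": "C-1003", "holder": "contractor7@example.com", "type": "card", "enabled": True},
    {"id": "C-1004", "holder": "c.singh@example.com", "type": "card", "enabled": True},
]


def norm(email):
    """Normalise an identifier so case and stray whitespace do not hide a match."""
    return email.strip().lower()


def find_stale(directory, credentials):
    """Return enabled credentials whose holder is not an active directory user.

    Each finding is (credential id, holder, reason). "inactive" means the
    directory knows the person but they are no longer active; "orphan" means
    no directory record exists for the holder at all.
    """
    status = {norm(p["email"]): p["status"] for p in directory}
    findings = []
    for cred in credentials:
        if not cred["enabled"]:
            continue  # already revoked at the door
        holder = norm(cred["holder"])
        if holder not in status:
            findings.append((cred["id"], holder, "orphan"))
        elif status[holder] != "active":
            findings.append((cred["id"], holder, "inactive"))
    return sorted(findings)


if __name__ == "__main__":
    for cred_id, holder, reason in find_stale(DIRECTORY, CREDENTIALS):
        print(f"{cred_id}  {holder}  {reason}")
```

Checking per credential rather than per person matters while cards and mobile credentials run side by side, because one person can hold both.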

Practical Guidance

Pin down data residency before signing. Verify the offline behaviour of the controllers, not just the marketing claim. Run mobile credentials alongside cards during rollout rather than cutting over all at once, and confirm the readers carry the listings your authority having jurisdiction and insurer expect.

References

  1. HID Mobile Access, HID Global · retrieved 2026-06-14
  2. Access Control as a Service, Genetec · retrieved 2026-06-14
  3. Digital Identity Guidelines (NIST SP 800-63), National Institute of Standards and Technology · retrieved 2026-06-14

Last updated 2026-06-14.