5.4.4 Mobile Key
User Identification (Auth ID)
The 2N Mobile Key application authenticates itself with a unique identifier on the 2N device side: Auth ID (128-bit number) is generated randomly for every user and paired with the 2N access control units user and its mobile device.
Note
- The generated Auth ID cannot be saved in more mobile devices than one. This means that Auth ID uniquely identifies just one mobile device or its user.
You can set and edit the Auth ID value for each user in the Mobile Key section of the device Users list. You can move Auth ID to another user or copy it to another 2N device. By deleting the Auth ID value you can block the user's access.
Encryption Keys and Locations
The communication between 2N Mobile Key and the 2N devices is always encrypted. 2N Mobile Key cannot authenticate a user without knowing the encryption key. The primary encryption key is automatically generated upon the 2N device first launch and can be re-generated manually any time later. Together with AuthID, the primary encryption key is transmitted to the mobile device for pairing.
You can export/import the encryption keys and location identifier to other 2N device. The device with identical location names and encryption keys form so-called locations. In one location, a mobile device is paired just once and identifies itself with one unique Auth ID (i.e. a user AuthID can be copied from one 2N device to another within a location).
Pairing
Pairing means transmission of user access data to a user personal mobile device. The user access data can only be saved into one mobile device, i.e. a user cannot have two mobile devices for authentication, for example. However, the user access data can be saved into multiple locations in one mobile device (i.e. the mobile device is used as a key for more locations at the same time).
To pair a user with a mobile device, use the user's page in the 2N access control units Users list. Physically, you can pair a user locally using the USB Bluetooth module connected to your PC or remotely using an integrated Bluetooth module. The results of both the pairing methods are the same.
The following data is transmitted to a mobile device for pairing:
- Location identifier
- Location encryption key
- User Auth ID
Encryption Key for Pairing
An encryption key other than that used for communication after pairing is used in the pairing mode for security reasons. This key is generated automatically upon the 2N device first launch and can be re-generated any time later.
Encryption Key Administration
The 2N device can keep up to 4 valid encryption keys: 1 primary and up to 3 secondary ones. A mobile device can use any of the 4 keys for communication encryption. The encryption keys are fully controlled by the system administrator. It is recommended that the encryption keys should be periodically updated for security reasons, especially in the event of a mobile device loss or 2N access control untis configuration leak.
Note
- The encryption keys are generated automatically upon the first launch and saved into the 2N device configuration file. We recommend you to re-generate the encryption keys manually before the first use to enhance security.
The primary key can be re-generated any time. Thus, the original primary key becomes the first secondary key, the first secondary key becomes the second secondary key and so on. Secondary keys can be deleted any time.
When a key is deleted, the 2N Mobile Key users that still use this key will not be able to authenticate themselves unless they have updated the encryption keys in their mobile devices before deletion. The mobile device keys are updated at every use of the 2N Mobile Key application.
List of Parameters
- Location ID – set a unique identifier for the location in which the selected encryption key set is valid.
- Export – push the button to export the location ID and current encryption keys into a file. Subsequently, the exported file can be imported to another device. Devices with identical location IDs and encryption keys form a so-called location.
- Import – push the button to import the location ID and current encryption keys from a file exported from another device. Devices with identical location IDs and encryption keys form a so-called location.
- Restore primary key – by generating a new primary encryption key you delete the oldest secondary key. Thus, the 2N Mobile Key users that still use this key will not be able to authenticate themselves unless they have updated the encryption keys in their mobile devices before deletion. The mobile device keys are updated at every use of the 2N Mobile Key application.
- Delete primary key – delete the primary key to prevent the users that still use this key from authentication.
- Delete secondary key – the 2N Mobile Key users that still use this key will not be able to authenticate themselves unless they have updated the encryption keys in their mobile devices before deletion. The mobile device keys are updated at every use of the 2N Mobile Key application.
- Pairing PIN validity – set the authorisation PIN validity for user mobile device pairing with the 2N device.
Tip
- In the case of loss of a mobile phone with access data proceed as follows:
- Delete the Mobile Key Auth ID value for the user to block the lost phone and avoid misuse.
- Re-generate the primary encryption key (optionally) to avoid misuse of the encryption key stored in the mobile device.
Warnung
- With the upgrade to version 2.30, the bluetooth modules will also be upgraded. When downgrading to version 2.29 and lower, they may malfunction.