Home/Access/Guides/Features/Mobile Credentials
Table of Contents
1 Introduction
2 How it works
3 Configuration
4 Operation
5 Special Topics

4 Operation

4.1 Send Invite

  1. Open Person Record and click “Invite to register” link above the Mobile Credential ID field.
  2. This opens the a dialog.
    A screenshot of a computer Description automatically generated
  3. Creating credential with Distributed Factors (no embedded factors)
    • Reader ID: Select a ID (domain name) from the list. One will exist for domain name you have assigned to one or more readers configured for Mobile Credentials. See Configuring SAFR SCAN above for more information.
    • Embedded add-on factors: Leave set to None. If selected other settings appear in this dialog as explained below.
    • Send invitation to email: Email address of the user to be issued the credential.
    • Make invitation valid for: Limits the during the credential can be redeemed. If the user does not generate the credential within this time the invitation must be re-issued.
  4. Creating credential with Embedded Factors
    • Embedded add-on factors: Set this to either To include embedded factors. This encrypts PII information into the Mobile Credential when it is created on the user’s mobile device. This information is then decrypted at the reader and used to authenticate the bearer. Possible choices are:
      1. None – Do not embed any factors into the mobile credential
      2. Card – Embed the facility id and card id into the credential. The information is first
      3. Card and Face
    • Revocation check: Set this if you want the credentials to expire and need to be renewed at the specified interval.
  5. Click OK and SAFR will launch your email client with pre-populated messages as follows:A screenshot of a computer Description automatically generated

4.2 Cancelling an Invite

You can cancel an invite by returning to the person record and clicking Cancel invitation as shown below.A screenshot of a computer Description automatically generated

4.3 Accepting an Invite

  1. Open email on Android or iOS device
    1. If SAFR Key App is not yet installed, user will be prompted to do so and should they accept will be taken to the appropriate page on the App/Play store.
    2. During this process the user will be prompted to allow following permissions
      A screenshot of a phone Description automatically generated
    3. The device will then prompt the user to grant these permissions thru a sequence of prompts. These permissions are required for SAFR Key to operate correctly.
      ⚠️ Location permission must be set to “Allow all the time” in order to allow granting access w/o requiring user to open the application (i.e. keep the phone in their pocket or bag). This setting is located under “Permissions > Location” in Android Settings. Options may vary, below is example:

      * Enabling “Use precise location” is also advisable to allow
      distance from device to be known more precisely.
    4. After installing, go back to email and click invitation link again.
  2. Invitation link will launch the SAFR Key App and prompt user to create mobile credential.
  3. User will be prompted to accept the credential as follows:
    A screenshot of a phone Description automatically generated

4.3.1 Taking Photo

If Face or Face and Access Card is to be embedded into the credential, user will be prompted to take a photo as described below.

Snap Photo

Review Photo

Invite Accepted

A person taking a selfie Description automatically generated

A screenshot of a phone Description automatically generated

SAFR Key reviews the photo for any flaws upon review. If any flaws are found, they are reported to the user and user is requested to retake the photo. Following are some common flaws that may be reported.

Center Pose

Occlusion

Lighting (Contrast)

A screenshot of a person's face Description automatically generated

A screenshot of a person wearing a mask Description automatically generated

A screenshot of a phone Description automatically generated

4.4 Gaining Access

Users are granted access when both factors (Face + Mobile Credential) are presented. By default, SAFR Mobile Credential is set to auto-send the credential to an authorized reader within BLE range of the phone. Below is an example of a SAFR Mobile Credential loaded in the SAFR Key app for Android.

A screenshot of a phone Description automatically generated

As indicated in the screenshot, the credential was automatically sent to the SAFR SCAN reader. The reader is then awaiting the corresponding face in order to grant access.

While not advised, one can set the credential to manual send mode. Manual mode may be useful for testing in order to control when and if the credential is sent. By default, credential is sent every 60 seconds.

To set manual mode, click on the credential to view credential details.

Credential in Auto-send mode

Credential in manual send mode.

A screenshot of a phone Description automatically generated

A screenshot of a phone Description automatically generated

When in manual send mode, the “Send” button in details view can be clicked. You can also swipe to the right to manually send the credential (see screenshot below).

A screenshot of a phone Description automatically generated

See section 2 above for how credentials are handled between the mobile device and the reader.

The reader will cache the credential for 60 seconds. Once the deice is out of range for longer than 60 seconds, the credential is discarded.