Access control offers a great number of benefits to most security solutions. The technology not only controls access and egress to sensitive areas, but helps manage visitors and contractors, aides in time and attendance management and can be used to track assets and enforce workplace policies necessary for compliance. The systems rely on authorised persons making use of credentials to implement granted permissions, but which credentials are best suited to modern applications?
Access control is, at its core, a technology designed to enable access and egress for authorised individuals. It does offer a host of other benefits such as logging of access transactions, management of privileges, reporting site occupancy and status, etc.. However, a vital condition of security and correct operation is the ability to define who is authorised and who is not. Once an authorised identity is created, relevant access permissions can be granted to it.
The creation of authorised persons, trusted identities if you like, is typically established through the use of a credential. Credentials come in many forms: a PIN code, card, tag or biometric element. Increasingly, credentials can be digital and are carried on a mobile smart device.
The selection of credentials has historically been made based upon the assessed risks facing a site, along with the threats against a specific location within that site. For example, PIN code-based locks are rarely used for entry and exit points but do represent a cost-effective option for low risk areas such as ensuring that the storage of cleaning materials in caretaker areas are stored in compliance with health and safety regulations.
At the other end of the scale, high end biometric systems can offer a positive identification that the individual is definitely who they should be.
That in itself highlights one of the biggest issues with the use of credentials: is the person using it actually the same individual it was issued to? Whether through nefarious means, coercion or collaboration, the use of credentials by unauthorised persons represents a challenge for many sites.
The right identity
It is important to realise that no security system is foolproof and this is also the case for access control and secure identities. Criminals will always find ways to defeat security systems, and this leads to the various manufacturers coming up with new ways to prevent the violations being implemented. The need for a risk assessment with any security system, including access control, must include an assessment of the likelihood for an attack being orchestrated in specific ways.
For example, much marketing noise has been made of the potential for biometric spoofing. People cite the ease with which individuals on the internet copy fingerprints and make very basic prosthetics using items available from supermarkets to defeat entry-level fingerprint readers. Of course, such attempts rely upon collusion with someone who is enrolled on the system.
If collusion does not exist, the scenario changes significantly. A criminal would need to lift the fingerprint of a registered individual. This isn’t an easy task. If, for example, they lifted the fingerprint from a car door handle, they would have to hope they’d captured the right person’s fingerprint, and the print from the individual finger registered on the system.
They would then have to construct a three dimensional prosthetic from a two dimensional image, which again would be very difficult. Finally, there are a number of risk factors which might arise if the fingerprint is rejected when the access attempt is made. An access rejection might alert security staff, trigger video surveillance of even prevent egress from a protected area.
In such circumstances, the reality is that looking for a weak point in the site’s fabric, such as a door or window that could be forced, would be simpler and more likely to be successful.
In short, the risk of biometric spoofing will not be significant in the vast majority of applications. However, where high risks exist and there is a need for absolute identity, anti-spoofing systems will be required.
A similar issue relates to the cloning of RFID cards and tokens. The technologies used in many established access control systems have been around for many years, and as such have come under scrutiny from hackers and criminals. This has coincided with advances in the tools available to those seeking to defeat systems, such as data gathering and copying devices.
RFID credentials come in many forms, ranging from the ridiculously simple to those that manufacturers have enhanced with proprietary security features. It is not a simple task to differentiate trusted and untrusted credentials. As a result, integrators and installers owe it to their customers to ensure any specified access control systems make use of the most secure credentials available. It is also necessary to keep up-to-date with security bulletins from the various providers.
Because of the demands from other industries, including the financial and IT sectors, card and token technologies are advancing at a rapid pace, with security being one of the more important considerations.
Specifying credentials
When specifying access control credentials, it is not uncommon for installers and integrators to focus on issues such as read range. In the past the battles for ever-longer ranges conditioned many into putting convenience over security, and such attitudes need to be reconsidered in today’s risk-adverse society.
Many legacy access control systems use RFID (radio frequency identification) technologies, and a high number of manufacturers offer these solutions. In the past many prox cards offered standalone access control, but a desire by users to reduce the number of cards or tags that staff and authorised users hold has seen a move towards smart card options.
The fact that prox cards can be vulnerable to cloning has been raised for the past decade. As a result, credible manufacturers have taken steps to enhance security on their systems. However, with smart alternatives now being cost-effective, a debate can be had over the sense behind smarter options. This is aided by the fact that an increasing number of multi-format readers are available. These simplify any upgrade process, allowing credentials to be upgraded in stages on a department by department basis.
Some RFID technologies can be used for access control transactions as well as other applications such as cashless vending, time and attendance, compliance monitoring and network access.
Low-frequency RFID credentials are based upon fairly basic technology. The cards give fairly long read ranges which, in the past, resulted in some dubious practices. Benchmark has visited a site where the installer sold the read range as a benefit, as staff would find any protected door in tight corridors for which they had permission to be automatically opened as they passed. The shortsightedness of this was realised following an incident, when the access reports proved to be useless.
One issue with LF RFID is that many manufacturers have adapted their readers and cards to enhance performance, so compatibility is not always ensured.
The cloning issues with 125kHz credentials has already been mentioned, so some users may be resistant to these applications. The same is increasingly becoming the case for 13.56MHz Mifare Classic credentials. Reports of cloning and hacking have made the technology less desirable for risk-relevant applications.
Mifare DESFire EV1 and EV2 credentials, HID iClass SE and SEOS, and Legic Advant are well-established 13.56MHz HF RFID technologies. Memory capacities of the cards can enable multiple uses and higher level encryption is included to enhance security. Read ranges are often lower than LF RFID cards but for those with a security bias at their sites this is often a preferable feature.
Where long read ranges are a necessity, such as for vehicle-based access control, semi-active RFID or UHF (ultra-high frequency) RFID is often deployed. Risks with such systems can be reduced via careful design. Also, vehicle entry points do not typically give access to secure points within a site.
Mobile credentials
There are not many aspects of daily life that have not been touched by the use of smart mobile devices, and the world of access control credentials is no exception. In business environments, most people will carry mobile telephones or tablets. An increasing number of manufacturers are enabling these to double as access control assets.
Such systems predominantly make use of two technologies: NFC (near field communication) and BLE (Bluetooth low energy). For a while NFC battled with widespread acceptance due to the fact that Apple’s popular iPhone only used it in very limited ways.
NFC is a two-way communications standard, based on RFID, predominantly used in smartphones and other mobile devices. It allows devices to communicate, using a radio-based link, over very short distances. This usually requires devices to touch or be in very close proximity, with a few centimetres.
Whilst the highest profile use of NFC has been to use mobile devices for payments, the technology isn’t limited to financial transactions. The technology allows for encryption, which enables it to be adopted in secure ID-based applications.
BLE is a wireless technology. It is argued by some to have a greater potential based upon almost universal smart device support.
It requires a reader enabled with Bluetooth signalling. Software installed on the mobile device is profiled for the access system. The application communicates with the reader, without a need for pairing as is required in common Bluetooth signalling, and the security key authenticates the user identity.
The use of mobile devices as access control credentials is currently being developed by the vast majority of access control manufacturers. The use of deliberate movements to ‘activate’ the security element has made use simpler and more intuitive.
Growing use of cloud services mean that businesses and organisations are able to grant and revoke permissions to mobile credentials over-the-air in real-time. The approach also allows enhanced management of access control credentials.
Advanced security implementations can ‘bind’ trusted identities to specific devices, ensuring that the data is protected using best practice. It is also claimed by many manufacturers and suppliers the overall site security is increased thanks to the idea that people take greater care of their mobile phones than they do with access or business identification cards.
It has to be said that there are pros and cons for the use of mobile devices as access control credentials. On the plus side, ease of use is increasing and the reduction is credential management appeals to finance departments. Also, as the capabilities of mobile devices increase, so the additional functions could be adapted within the access control system.
The downside includes issues with personnel using their own smart devices in the business environment, the cost of the devices if certain staff are not supplied with phones, plus the fact that mobile devices are highly desirable items that often are targeted by thieves.
A final point is that some businesses are having success with a hybrid approach, coupling mobile devices with standard credentials to allow greater flexibility for authorised persons.
In summary
Site conditions and a thorough risk assessment should always be considered before a credential is specified. It is not best practice to simply opt for a credential on the basis of cost or because a certain system is familiar and therefore faster to install.
As credentials become smarter, there is also a need for their security to be considered. The newer technologies may add benefits which end users demand, but these could quickly become irrelevant if security is compromised.
