For Solid Access Control, Security Begins with Trust

July 7, 2020
Enhanced card security is characterized by advanced technologies like biometrics, Bluetooth and mobile apps

This article originally appeared as the cover story in the 2020 Access Control Trends & Technology bonus publication.

Access control is an essential part of commercial security systems—keeping buildings, designated areas and sensitive information secure and safe by controlling entry or restricting access. With the wave or swipe of a card, authorized individuals can gain entry to an entire facility or secured zone through an entry point like a door, turnstile or gate. In an era of growing security concerns, governments, corporations and property managers must elevate the importance of a trusted identity while balancing the demand for convenient and efficient access.

The two primary types of access control are physical and logical. While physical access control limits access to buildings, rooms and spaces within a building, logical access control allows authorized and authenticated personnel access to resources, systems, directories, networks and files. Combining physical and logical access control delivers a higher level of security, granting companies the ability to limit and monitor access to sensitive data and physical locations.

Access cards are tied to a person’s identity through a physical access control (PAC) system, which involves a two-step process that links a card to a person after the card has been printed. Some card personalization software systems can also connect to and update the PAC system after the card has been personalized.  “Access control begins with a trusted identity, which validates the person who is entitled to the benefits associated with a credential,” said Sebastian Tormos, Entrust Datacard’s director of vertical marketing, who is an International Card Manufacturers Association (ICMA) member. First, a system identifies an individual. Then, his or her credentials are authenticated via a badge, smart card, password, mobile device, or biometric (i.e. fingerprint, facial recognition or iris pattern). Following authentication, access is granted.

Uncover Security Vulnerabilities with a Risk Assessment

Although digital technologies are transforming how identity is authenticated around the globe, a risk assessment and an application audit comprise the backbone of the security framework and are the first steps in determining vulnerabilities and which type of access control technology is needed. The goal of a risk assessment is to gain an understanding of the existing system and environment and then use the data to allocate mitigation resources to the areas that will significantly lower the enterprise’s risk profile. When done well, the risk assessment will identify high impact areas, allowing the integrator and user to prioritize mitigation to vulnerable areas.

“Risk assessments are critical for end-user enterprises,” said Kevin Freiburger, director of identity programs at Valid, who is an ICMA member. “They are often overlooked or are not allocated the proper resources by companies, which can lead to security vulnerabilities. It is recommended that end-user companies engage integrators from the industry to ensure a comprehensive risk assessment and audit of security applications.” Not every integrator is equivalent in terms of experience and expertise, so the integrator of choice should itself be considered a potential risk. Therefore, it is important to lower the risk by performing due diligence and research on various companies and products within the industry. It is essential for companies to carefully vet vendors to ensure that they have all of the compliance credentials in building and deploying software and protective systems. “An experienced integrator is a valuable partner and a critical link throughout the risk assessment and audit,” Freiburger added. “Having confidence in the integrator’s ability to analyze assets, threats, and vulnerabilities to mitigate risk by deploying the proper solutions and technology to minimize security risks is paramount.”

Recently, there have been several large-scale data breaches and that is what is driving security, giving information technology directors much of the power in purchasing decisions. “However, it isn’t just about data breaches,” Freiburger said. “It is about privacy issues and how the data will be used.”   Risks and vulnerabilities will arise; therefore, an organization must have a solid information security framework, which will enable a business to pivot and address new risks and vulnerabilities over time.

Choose the ‘Right’ Card Technology

The top two factors in card technology choice for most businesses are budget and security. As companies realize the potential impact of a security breach, they are proactively taking measures to ensure employees and residents have access to applicable buildings, zones and entrances at the right time. 

Technological advancements like the deployment of wireless technology, are enhancing access control.

“One type of card is not best for a specific application,” Freiburger said. “There’s choices and tradeoffs, especially with different types of cards, reader technologies and software vendors.”

There are two categories of access control cards—nonsecure and secure—and both provide ways to monitor who is accessing resources or entering or exiting a building. A proximity (prox) card is the most common type of access card for commercial and residential buildings; however, it offers little security.

Typically, the size of a credit card, an access card usually lasts five to 10 years before it has to be replaced. However, many factors affect the durability and lifespan of the card, such as the type of card substrate and personalization techniques used, how the card is stored and if the card is resistant to chemicals, abrasion, moisture and ultraviolet light. 

Although the three types of access control cards—proximity, magnetic stripe and smart—may look the same, the technologies driving them to vary significantly.

Prox cards, which use an older technology resulting in a low-security card, can be made of several different materials, as well as forms—cards, tags, or fobs—but they all work in the same way: by being held in close proximity to a card reader. The low-frequency 125kHz credential has an embedded antenna, which when in close proximity, such as a few inches to two feet—sends a signal from the card to the controller that grants or denies access.

Magnetic stripe cards work by swiping a magnetic stripe through a card reader like a credit card. They are one of the oldest forms of access cards and offer minimal security because they can be copied very easily. Magnetic stripe cards typically work as a single application card and are primarily used in low-security settings like for guest entry to a hotel room or for casino playing cards. Many companies are moving away from magnetic stripe cards and replacing them with prox cards.

The most recent advancement in the access control card market segment—smart cards—was developed with the goal of being hard to duplicate. Smart cards are more reliable than magnetic stripe and prox cards, and with an increasing demand for security solutions, growth is significant. The three types of smart cards—SEOS, MIFARE DESFire EV2, iCLASS SE—offer the most security, operating at 13.56Mhz (compared to a prox card that operates at 125kHz). Smart cards contain an embedded integrated circuit and are capable of writing data, as well as reading it, which allows the cards to store more information than traditional prox cards. Smart cards can also provide personal identification, authentication, data storage, application processing and can be combined with other card technologies for increased security.

Previously, smart cards were used primarily by the U.S. Department of Defense for logical access management and in higher education settings for student identification cards, but now there is widespread adoption in the electronic benefits transfer, health care and financial markets. “Smart cards are the best fit for commercial and residential building access because they provide greater security with an encrypted credential that must be decrypted by a reader,” said Martin Hoff, Entrust Datacard’s product marketing manager of hardware, who is an ICMA member. “It’s much easier to spoof proximity and magnetic stripe cards.”  Although prox cards aren’t as flexible as smart cards and don’t offer multifunctionality like the ability to load payment purses and applications onto the card—a prox card does allow the user to be contactless.

“There’s definitely an uptick in prox card use,” Freiburger said. “We are seeing more interoperability, which does make a prox card more viable. For example, they can be used in multiple systems for logical and physical access control systems.”

Security is a top concern for both private and public entities; many industries are transitioning to smart cards. Smart cards are the most secure type of access card and are used most often in government, health care and financial sectors, while proximity cards are commonly used in higher education and enterprise,” Hoff added.

Control Access: From Keys to Cards

With the ease of set-up, use, and management, card-based access control systems are the most secure way to give access to the right person at the right time. Surprisingly, 20 years into this century, some businesses are still using traditional locks and keys for access. Although there is little need to use keys in today’s interconnected world, keys still make sense in some use cases. 

Keys may be the right choice if a company has a completely offline system or is located in a very remote area. In that instance, it may be difficult or expensive to implement a card-based access control system, especially if there is no internet connectivity. To be secure, an access control system needs to be updated, maintained and monitored and depending on the connectivity of a building or a system a physical key could make perfect sense. However, it is time-consuming and tedious to change locks and replace keys if they are lost, stolen, or misplaced. If an access card is lost, stolen or permissions need to be amended, an integrated card management system allows the administrator to easily turn off a card and then notify the other integrated systems to turn off physical access control as well as logical access.

“Access cards are encoded with a unique decimal number, which is linked to a user’s record,” said Howard Albrow, HID Global’s NPI product line manager of PACS credentials, who is also an ICMA member. “Typically, an access control card does not contain any personally identifiable information, but through the system, it can link to a data record that may hold personally identifiable information.”

Today, most buildings are using an integrated access control system.

Access Control Trends to Watch

Though access cards still play a powerful role in the access control market, some companies are turning toward smartphone Bluetooth-enabled and Near-field Communication (NFC) technology. Both are wireless technologies that give individuals frictionless access. The introduction of mobile credentials has the potential to revolutionize the access control industry, eliminating the need to carry and swipe a card. Instead, a phone’s technology can be used to authenticate identity and grant entry. “There has been a tremendous uptick in the popularity of mobile credentials,” said Albrow. “A mobile credential can be used via a smartphone to interact with an access control reader in the place of a physical card, which is more convenient, allows greater flexibility, improves privacy and can also lower the maintenance costs of credential management for end-users.” However, when it comes to a trusted identity, physical cards will continue to play a valued role in securely granting or restricting access—especially in the health care and government sectors. The combination of a physical card with digital identity is powerful and provides multi-layered security. “There’s definite growth in mobile,” Freiburger added. “When it is used properly with an application for access control, security is incredible. Issuers want to meet their customers where they are and that is typically on a phone or on a cloud service.”

Another major advancement in access control is the propagation of biometrics, a category of authentication that relies on unique biological characteristics to verify a user’s identity.

“The systems used to be incredibly expensive, hard to deploy and difficult to maintain and update,” Freiburger said. “Now, the cost has come down considerably and there is widespread adoption of biometric access control systems across many new verticals. Adoption is highest in sensitive markets like national security, information technology and banking.”

Biometric identification is the only mode of authentication that can unequivocally validate a person’s identity. It is on the rise with retinal eye scanners, fingerprint readers and facial recognition scanners becoming more common. In some cases, multiple methods of biometric identification are combined with the use of a card (or used in place of a card) for even greater security. Unlike prox cards, smart cards, or keys, biometric security cannot be transferred. A person must be physically present to gain physical or logical access. “The adoption of biometrics will be a continuum,” Freiburger said. “Looking ahead to the next five or 10 years, growth will likely accelerate as the prices come down and biometric systems can be inexpensively deployed and upgraded.”

About the Author: Jeffrey E. Barnhart is the founder and executive director of the International Card Manufacturers Association (ICMA). He can be reached at [email protected]