Whether a seller or user of electronic access control (EAC), you have come to accept that, in many cases, a card and reader provide increased flexibility and reliability in the many applications where an individual must authenticate to get through a door. As your solution rolls out across many facilities, though, you may hit a snag where the card and reader alone can't do enough. What if the door is 200 feet away from the computer? What if management asks for a couple of areas to be more secure than others? What if the company is concerned about hacking and asks for a way for your system to minimize the threat? How are you going to provide easy product additions in the future?
There is good news. For probably any quandary you face, there's very likely some type of accessory that will help you proceed. Here are a couple of the most common.
Covering Longer Distances
First of all, we must make a quick disclaimer. For all specs, we are using common norms or rules of thumb. With that understanding, a wireless system can usually cover a distance of 200 feet inside while outdoor applications can run up to 1000 feet.
But, oftentimes, you need to cover longer distances than your standard access control network can reach. To achieve this, you can add repeaters, also called wireless range extenders, to your wireless access control system. Other times, you need to create a longer distance for the read between the person and the reader. For this, you can incorporate a long range 433 MHz system that uses wireless readers and transceivers to cover that portion of your system. Let's take a closer look.
A repeater is an electronic device that simply receives a signal and transmits it so that the signal can cover a longer distance. A repeater can greatly enhance the performance of a wireless network by allowing communications over distances much greater than would be possible without it by relaying and extending the transmission. In doing so, it takes an existing signal from a wireless router or wireless access point and rebroadcasts it to a second network. It bridges the gap, solving a potential problem in creating an access control network.
There are a couple of caveats. Remember, whatever the distance, a direct line of sight is required. And each repeater connection can provide another gateway for hackers to gain access to the network, so be sure that each one is secured.
To let individuals send signals to the reader from longer distances, interest in long-range reading (433 MHz technology) has grown greatly in recent years. In these systems, receivers support transmitters that operate from ranges of up to 200 feet. Each button on the transmitter outputs data over a separate Wiegand output, yet the receiver installs just like a proximity reader for easy integration with popular proximity or contactless smart card access control systems.
The transmitter can be used as a presentation-style access credential. Each transmitter can integrate long range identification with traditional proximity or contactless smart card access control. For example, if a site requires employees to access a parking structure (gate/barrier) and a door (building entrance), the 433 MHz solution will enable each user to access both the long range and proximity applications with a single transmitter. For the parking structure, the user presses the transmitter button from the secure convenience of their vehicle (without lowering the window) and, when wanting to gain access at the door, they simply present the transmitter to the building's proximity reader. Since identical data is transmitted upon button press or presentation, each user needs to be enrolled only once in the access control system.
The 433 MHz system is quite secure. First of all, it sends its directed signal straight to the receiver (yes, you may point it). Plus, the signal is only "alive" while the user presses the button. In addition, the system takes advantage of a secure digital anti-playback routine, based upon a custom rolling code variant of the Tiny Encryption Algorithm (TEA). The anti-playback feature virtually eliminates the risk of code sniffing and unauthorized duplication. Every time a button is pressed, the encrypted rolling code changes, preventing a sniffed code from being successfully retransmitted.
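To show why a sniffed rolling code cannot be replayed, here is an added example (not Farpointe's implementation, whose TEA variant is custom and not published here) of a transmitter and receiver built on textbook TEA. The packet layout, the serial sent in the clear for key lookup, and the 16-press resync window are assumptions made for this demo.

```python
DELTA, MASK32 = 0x9E3779B9, 0xFFFFFFFF  # TEA constants; all arithmetic is mod 2**32

def tea_encrypt(v0, v1, key, rounds=32):
    # Encrypts one 64-bit block (v0, v1) under a 128-bit key given as four 32-bit words.
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1

def tea_decrypt(v0, v1, key, rounds=32):
    k0, k1, k2, k3 = key
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1

class Transmitter:
    def __init__(self, serial, key):
        self.serial, self.key, self.counter = serial, key, 0
    def press(self):
        # Every press bumps the counter, so the encrypted block never repeats.
        self.counter = (self.counter + 1) & MASK32
        return (self.serial,) + tea_encrypt(self.serial, self.counter, self.key)

class Receiver:
    WINDOW = 16  # presses made out of range that the receiver will still tolerate

    def __init__(self, enrolled):
        # enrolled: {serial: key}; the last accepted counter starts at 0 for each
        self.state = {serial: [key, 0] for serial, key in enrolled.items()}

    def accept(self, packet):
        # Returns True only for a fresh packet under the right key; replays fail.
        serial, c0, c1 = packet
        if serial not in self.state:
            return False
        key, last = self.state[serial]
        p_serial, p_counter = tea_decrypt(c0, c1, key)
        if p_serial != serial:               # wrong key or forged ciphertext
            return False
        step = (p_counter - last) & MASK32
        if step == 0 or step > self.WINDOW:  # replayed, or too far ahead to resync
            return False
        self.state[serial][1] = p_counter
        return True
```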
Using standard 26-bit Wiegand protocol and featuring standard mounting holes, the technology can be used as "add-on" or "wire-in" receivers. Using custom Wiegand protocols, such as 32- or 36-bit formats, the long range system can be made even more secure. This prevents credential duplication and ensures that the readers will only collect data from this single system's coded credentials. The transmitter’s lithium cell battery is tested to exceed 250,000 presses. Since 433 MHz is a standard harmonized around the world, these receivers can be used globally.
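An added example (not code from the article or from any reader vendor) of the standard 26-bit Wiegand frame described above: an encoder that sets both parity bits and a decoder that refuses a frame whose parity does not check. Facility code and card number values used in testing are constructed. Custom 32- and 36-bit layouts are vendor-specific and are not modelled here.

```python
def encode_wiegand26(facility, card):
    # Standard 26-bit frame: even parity over the first 12 data bits, 8-bit
    # facility code, 16-bit card number, odd parity over the last 12 data bits.
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit in 8 bits and card in 16 bits")
    data = [(facility >> (7 - i)) & 1 for i in range(8)]
    data += [(card >> (15 - i)) & 1 for i in range(16)]
    even_parity = sum(data[:12]) % 2         # makes bits 0..12 sum to an even count
    odd_parity = 1 - (sum(data[12:]) % 2)    # makes bits 13..25 sum to an odd count
    return "".join(str(b) for b in [even_parity] + data + [odd_parity])

def decode_wiegand26(frame):
    # Validates the length and both parity bits before trusting the fields.
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    bits = [int(b) for b in frame]
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    facility = int(frame[1:9], 2)
    card = int(frame[9:25], 2)
    return facility, card
```

Note that the frame is a fixed function of the facility code and card number: there is no counter or nonce, which is why a clear-text Wiegand frame, once captured, reads back the same on every presentation.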
Going Beyond the Card & Reader System
Today, many industries and customers are demanding credentials with two-factor authentication. Not only must the person have something (the authorized card or tag), they must also know something (a personal identification number, or PIN).
For instance, if you install access control systems for members of the North American Electric Reliability Corporation (NERC), an organization of U.S. electric grid operators, you must meet their CIP-006 requirements for two-factor authentication. NERC protection standards under CIP-006 require that the network be segmented to prevent an attack on one network from spreading to the next, and that strong two-factor authentication be used to ensure only authorized individuals may have physical and logical access to the critical assets. Strong two-factor authentication must be used for remote access to the networks, access to the physical security perimeter, access to the electronic security perimeter and access to specific critical assets.
Likewise, the NIST SP800-171 guideline states in Section 3.5.3 that federal contractors must "use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts" or risk losing their contracts. The rest of this guideline reads exactly like that for NERC above.
For those higher security demands, you can select a proximity or smart card reader with an integrated keypad. To enter, the individual presents their card, gets a flash and beep, and then enters their PIN on the keypad. The electronic access control system then prompts a second beep on the reader and the individual is authorized to enter.
Since the combination reader can be installed in tandem with proximity card-only or smart card-only readers throughout the facility, it becomes very easy to provide higher security via two-factor validation at areas that need a security boost. Now, instead of using just their card to enter the finished goods storage area, the power room or the corporate manager offices, the person seeking entrance must also punch in the correct PIN to open the door.
For some time, installers have resisted using such readers because of their larger sizes but, now, two-factor readers are also available in a mullion size.
How about a biometric?
Good idea! A biometric looks for an unalterable personal attribute, verifying an individual’s actual identity. Additional benefits are that there are no credentials or codes to administer and biometrics can’t be shared, stolen, lost or left behind. The two factors can include a card plus a biometric or a PIN plus a biometric. Three factor systems would include a card, PIN and biometric.
Thus, biometrics can help meet these regulatory requirements, provide an audit trail, and facilitate transactions. Today, biometric solutions authenticate people requiring access to secure facilities, sensitive records, government services, and controlled substances. The possibilities and benefits are real, provided the biometric is chosen carefully.
Security integrators already know that not all biometric technologies and scanners are created equal. Some biometrics work very well when the finger is clean and prepped with lotion. Is that convenient? Other sensors work perfectly, on the third or tenth try, while a line forms behind the user! These are the situations that cause security managers to abandon an application.
On the other hand, there are technologies capable of overcoming the myriad capture problems that some systems have in less-than-ideal conditions. No salesperson is going to tell you that their biometric doesn't work. You need to talk to some actual users. Ask for some reference accounts. Or, attend industry meetings and ask your peers to tell you which biometric(s) work for them. They're out there; just be sure you use them.
Be prepared for prospective privacy complaints if you plan to introduce biometrics to the employees. They will not want their biometrics shared with the police or other government agencies. This is not a problem. They need to understand the following.
There is a very important distinction that must be made between “identification,” a one-to-many match, and “verification” – a one-to-one match. A system designed to “identify” a person compares a biometric presented by a person against all biometric samples stored in the database. The one-to-many system identifies the individual if the presented biometric matches one of the many samples on file. This type of system is used by the police to identify criminals.
The verification process, however, involves a one-to-one search. A live biometric presented by the user is compared to a stored sample, previously given by that individual during enrollment, and the match is confirmed. However, the actual hand geometry, vein pattern or fingerprint is not stored in a database. Instead, a mathematical equation, or algorithm, creates a unique number that represents the points measured on the finger, veins or hand. The number – or template – that results from this equation is all that is stored.
When the user presents an ID card or enters an assigned PIN, only that mathematical template's number is transmitted. When the employee presents his/her hand or finger, the reader runs the authentication process to determine if the template that is stored matches the template of the biometric being presented. If there is a match, the person is verified.
Encrypted Credentials
As an RFID access card gets close to its reader, it begins to wirelessly transmit its binary code. With 125 kHz proximity, the protocol is typically Wiegand, an older technology that can no longer provide the security needed today. In a worst-case scenario, hackers could simply lift that fixed Wiegand clear text, retransmit it to the card reader and, from there, physically enter the facility and thereby the network, giving them free rein to target the IT system.
"In fact," Scott Lindley, president of Farpointe Data warns, "the United States Federal Trade Commission (FTC) has been apprised of so many cyber attacks, and the threat these hacks pose, that it is now holding companies responsible for not implementing good cybersecurity practices. Data encryption is part of good practice and is, indeed, an opportunity for the security industry."
If concerned with hacking, consider more secure 13.56 MHz smart cards over 125 kHz proximity cards. Look for the term "Mifare," a technology from NXP Semiconductors. The newest Mifare standard, DESFire EV1, includes a cryptographic module on the card, adding an additional layer of encryption to the card/reader transaction. DESFire EV1 protection is especially important for customers wanting to use secure multi-application cards for access management, public transportation or closed-loop e-payment.
Another valuable option is Valid ID, an anti-tamper feature for contactless smartcard readers, cards and tags. Embedded, it adds yet an additional layer of authentication and integrity assurance to traditional Mifare smartcards. Valid ID helps verify that sensitive access data programmed to a card or tag is indeed genuine and not counterfeit.
What about Future Integrations?
The Open Supervised Device Protocol (OSDP) is a communication standard adopted by the Security Industry Association (SIA) that lets security equipment, such as card and biometric readers from one company, interface easily with control panels and equipment from another manufacturer. In other words, OSDP fosters interoperability among security devices. It also adds sophistication and security benefits through features such as bi-directional communication and read/write capabilities. A two-way channel paves the way for forward-looking security applications such as the handling of advanced smartcard technology, PKI, and mobile device access. Not only does it provide a concise set of commonly used commands and responses, it eliminates guesswork, since encryption and authentication are predefined.
In other words, OSDP helps ensure that numerous manufacturers' products will work with each other. Interoperability can be achieved regardless of system architecture. For instance, the specification can handle smartcards by constantly monitoring wiring to protect against attack threats and serves as a solution for high-end encryption such as required in federal applications. The specification for handling LEDs, text, buzzers and other feedback mechanisms provides a rich, user-centric access control environment. Make sure the smart card system hardware you select includes OSDP.
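An added example, not code from SIA or any OSDP vendor, of the framing that makes that bi-directional panel/reader channel interoperable: building and validating a plain (non-secure-channel) OSDP packet. The start-of-message byte, control-byte bits, osdp_POLL/osdp_ACK codes and CRC-16 parameters follow the published SIA OSDP specification; the secure channel block, which carries the predefined encryption and authentication, is deliberately not modelled here.

```python
SOM, CMD_POLL, REPLY_ACK = 0x53, 0x60, 0x40      # start-of-message, osdp_POLL, osdp_ACK
CTRL_SQN, CTRL_CRC, CTRL_SCB = 0x03, 0x04, 0x08  # control-byte fields

def crc16_osdp(data):
    # CRC-16 as used by OSDP: polynomial 0x1021, initial value 0x1D0F, no reflection.
    crc = 0x1D0F
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def build_packet(addr, code, payload=b"", seq=0):
    # Header: SOM, address (bit 7 set on replies), 16-bit little-endian total
    # length, control byte, command/reply code, payload, then little-endian CRC.
    length = 6 + len(payload) + 2
    body = bytes([SOM, addr & 0xFF, length & 0xFF, length >> 8,
                  CTRL_CRC | (seq & CTRL_SQN), code]) + bytes(payload)
    crc = crc16_osdp(body)
    return body + bytes([crc & 0xFF, crc >> 8])

def parse_packet(pkt):
    # Rejects anything malformed or with a bad CRC before returning the fields.
    # The CRC only catches line noise; integrity against an attacker on the
    # wire comes from the secure channel, which this parser does not handle.
    if len(pkt) < 8 or pkt[0] != SOM:
        raise ValueError("missing start of message")
    if (pkt[2] | (pkt[3] << 8)) != len(pkt):
        raise ValueError("length field does not match packet")
    ctrl = pkt[4]
    if not ctrl & CTRL_CRC or ctrl & CTRL_SCB:
        raise ValueError("only plain CRC-16 packets are handled here")
    if crc16_osdp(pkt[:-2]) != (pkt[-2] | (pkt[-1] << 8)):
        raise ValueError("CRC mismatch")
    return {"addr": pkt[1] & 0x7F, "reply": bool(pkt[1] & 0x80),
            "seq": ctrl & CTRL_SQN, "code": pkt[5], "payload": bytes(pkt[6:-2])}
```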
Added Protection
If additional security system components are available, such systems can also play a significant role in reducing the likelihood of an assault as well as mitigating the impact of an attack should it occur. For instance, if the access control system gets hacked and grants entry to the wrong individual, a burglar alarm system could help detect and annunciate the intrusion while the video system could record it. Guards in the control room as well as those performing regular tours could receive an alert notifying them that someone has physically tampered with the access control system and be directed to the intruders.
Such components will help the total system stay one step ahead of the bad guys. With the proper tools, any of these assaults can be defended against.
Extend Your System
Your access control system, in one way or another, can protect just about any environment you will encounter. There are accessories that will help your installation stand up to vandals, ballistic assaults, heat, cold, humidity, dust and grime. Don't ever say no until you've checked with your distributor or manufacturer. Whether you are a facility manager or independent locksmith, you can undoubtedly find the accessory that makes your EAC system complete.