Access Control Cards & Credentials: The Key to Increased Profits

Nov. 1, 2016
Question: Which access control credential should you choose? Answer: The right one for that particular application.

If you haven’t yet started selling electronic access control (EAC), you might consider it. It can become an important adjunct to your keys-oriented business and some locksmiths have found that it has become the most profitable portion of their revenues.

EAC is not difficult to sell. Most customers will understand the role of access control badges and tokens in their EAC program. Cards, or badges, limit access to the facility to only those with one.

Many companies take this a step further. For instance, office workers can access their work areas but not the warehouse while the exact opposite holds true for warehouse staff. Often, too, the security system is programmed to limit access only during specific time intervals. For instance, nobody can get in on Sundays. This is especially important for those organizations that provide access credentials to vendors and/or delivery personnel.

Most importantly, as a result of using the badges, tokens and other credentials, management can provide audits of who was where and when. 

Credentials– A Quick Overview

There is a range of credential technologies from which to choose. Here are descriptions of those in use today.

Bar Codes.  Some facilities still use bar code badges, the least secure of all credentials.  They are what they sound like. As at the grocery check-out lane, a bar code reader scans the bar code to allow access. However, since the bar code is visible, it can be reproduced very easily. 

Magnetic Stripe.  No different than the common, ordinary credit card, information on a magstripe card is held on a strip of coated magnetic recording tape. Since the stripe must come in contact with the reader, there is ultimate wear-and-tear on the card.  Of course, they are also easy to forge, making their security questionable. Nonetheless, they are still successfully used in EAC by thousands of companies who require only simple access. Today, though, they are typically sold only as replacement cards for companies still deploying old magstripe readers. Very few companies include them in new systems.

You Will Most Likely Promote Some Type of Contactless Card. There are two general types. Passive cards, the most popular, are powered by radio frequency (RF) signals from the reader. They do not have a battery of their own. The passive card and reader communicate with each other by an RF process called resonant energy coupling. Passive cards typically have three internal components - an antenna, a capacitor and an integrated circuit which holds the user's ID number or other data. The reader also has an antenna which constantly generates a short range RF field in a spherical orbit. When the card is placed within range of the reader, the card's antenna and capacitor absorb and store energy from the field and resonate. This powers the integrated circuit which sends the ID number to the card's antenna which transmits by RF signals back to the reader.

Active cards are powered by an internal lithium battery. As a result, they can produce a much longer read range. Its integrated circuit contains a receiver and transmitter that use the battery's power to amplify the signal so that the active card can be detected from farther away. The longer read ranges and that spherical orbit can create a problem that active cards might face. Several readers and cards could end up conversing with each other, creating a sort of communication mayhem.

Contactless Proximity Badges and Tokens. The 125 KHz proximity card using Wiegand standards is still today’s most widely used access control technology for two main reasons. First of all, being contactless, there is no contact between cards and the reader. This eliminates the wear-and-tear factor. Secondly, proximity readers can be made very durable or even hidden into another structure to make them relatively vandal-resistant.

The Wiegand protocol is a de facto wiring standard which arose from the popularity of Wiegand effect card readers back in the 1980s. The Wiegand technology is no longer used but the protocol survived and is still the most popular today. Another popular protocol is the ABA Track II interface, a holdover from magnetic stripe card technology. You don't need to know what these protocols do or how they work. You just need to use the interface that the rest of your customer's system uses.

Most proximity manufacturers provide one of three types of cards: standard light, image technology and multi-tech card. The standard light proximity card is a clamshell design, meaning that there are two connected sides sealed together to hold the electronics. An image technology card is a slightly thicker card appropriate for dye sublimation printing. Lastly, some customers want a system that adds more than just a one credential technology to activate the door lock. It is commonly referred to as an ISO standard size. (More on this later.)

Contactless Smart Cards. As proximity became the predominant credential technology over the last decades, 13.56 MHz contactless smart cards will augment and, most likely, overtake proximity over the next three to five years. At often a cost comparable to proximity card systems, smart card systems are typically more secure and can be used for applications beyond access control, such as tool checkouts, the company cafeteria and so on.

Not only are they are more secure than proximity, but smart cards also offer increased data storage and can be used for multiple applications within your facility. Smart cards use high security encryption methods that ensure the data on the card is safe, even during transactions. With the ability to store more data than other credentials, smart cards are the perfect choice when creating a credential strategy that involves consolidation of many credentials into one card that can be used for all of the different applications that are required in the facility. 

ISO 14443A cards operate from zero to four inches while ISO 15693 cards operate from zero to 39 inches, though most readers created for these cards hold the distance at 14 inches, comfortable for the user and assuring a positive read.

Most access control veterans will suggest you concentrate on the ISO 15693 standard.  Here’s why. ISO standards are the standards that all leading security systems software manufacturers and integrators are using. Caveat emptor…buyer beware. There are proprietary, non-standards-based smart card technologies that could bind you to a single-supplier dependency and potentially restrictive pricing structures.

Conversely, the ISO 15693 standard promotes an open and competitive market for any organization that decides to employ contactless smart card credentials. It ensures a lower cost of total system ownership as the ISO 15693 technology increases in popularity and acceptance. Importantly, it will allow your customer to deploy future technologies based on ISO 15693 standards, circumventing the need to replace their entire security system in order to leverage this new technology.

No matter what the application or site constraints, you can employ the ISO 15693-compliant badges. Key fobs and disc tags are also available to facilitate migration to the new contactless technology. For instance, if you have a facility using proximity, you would simply affix disc tags to your present proximity cards so that you can continue using your legacy readers and credentials as the migration takes place.

The next term you must look for is "MIFARE DESFire EV1." We could go into a deep technological explanation but, suffice it to say, MIFARE DESFire EV1 has become the contactless digital RFID technology benchmark for smart cards. MIFARE is the gateway to a series of security levels. Ask your manufacturer for a quick run-through so you pick the right level of security for your customer.

Keyfobs. Keyfobs are also available in both proximity and smartcard technologies. They are often used in place of cards, being designed to be carried on a key ring. The most durable typically include a brass reinforcing eyelet.

Long Read Transmitters. Note that this 433 MHz technology uses the terms "transmitters and receivers" in place of "cards and readers." The receivers support either 2-button or 4-button transmitters from ranges up to 200 feet. Each button outputs transmitter data, the user's ID number or other data, over separate Wiegand outputs yet the receiver installs just like a standard proximity reader for easy integration with popular access control systems.

They are a terrific solution for long range access control applications such as gates and vehicle barriers, moving aircraft in and out of secure hangars, arming and disarming alarm systems as well as situations calling for emergency duress. Instead of using a card which uses a spherical signal, which could activate more than one device or door at a time, the transmitter send a direct signal to its reader. The holder thus selects exactly the mechanism to be immediately triggered.

Available in two- or four-button configurations and equipped standard with a potted proximity or contactless smart card module, the transmitter can also be used as a traditional, presentation-style access credential. For example, a button may be pressed to activate a long range application, such as a gated parking barrier, and then be presented to a proximity reader to allow entry through a door and into the building.

  1. Driven by both security concerns and the desire for efficiency, biometric applications are growing faster than ever. Although biometrics was first seen as a high security solution, they are now being used more extensively in high convenience applications. For locations with card systems, they provide an additional layer of higher security to vital entrances or doors, assuring that lost or stolen cards are not later used to access facilities. For locations not using cards, these biometric technologies are easy to supervise since nobody forgets to bring their hands, fingers or eyes to work and there are no hands, fingers or eyes for administrators to manage. Body parts also can't be lost, stolen or loaned to a friend.

Multi-Technology Credentials.  Some customers want badges in combinations such as proximity/magnetic stripe, proximity/smart card and proximity or smart card/biometrics.  These are typically employed where a company has an older legacy access control credential technology and wants to migrate without eliminating access to buildings. This is especially important for companies with multiple facilities. In other cases, the company cafeteria or some other application may only take magnetic stripe or the other technology credentials.

Some Say Cards Can Be Hacked

It’s true. According to Scott Lindley, president of Farpointe Data, which OEMs cards to many access control companies, “The bad guys have figured out how to capture and use card-based information to fool the system and let the unauthorized in by using skimming, eavesdropping or relay attacks. Adding to the problem is that Wiegand is no longer inherently secure due to its original obscure and non-standard nature. ID harvesting has become one of the most lucrative hacking activities. In these attacks, a credential's identifier is cloned, or captured, and is then retransmitted via a small electronic device.”

As a result, leading card and card reader manufacturers offer security options. The first is to provide a higher-security handshake, or code, between the card or tag and reader to help ensure that readers will only accept information from specially coded credentials. The locksmith will never provide another organization with the same code. As a result, no other organization will have this reader/card combination. Only that single company's readers will be able to read their cards or tags and their readers will read no other organization's cards or tags. Think of this as EAC’s answer to the familiar key management system. It can lead to a nice source of recurring income.

The second major solution is an anti-tamper feature available with contactless smartcard readers, cards and tags. It adds an additional layer of authentication assurance to NXP’s MIFARE DESFire EV1 smartcard platform, operating independently, in addition to, and above the significant standard level of security of DESFire EV1. This protection lets a smartcard reader help verify that the sensitive access control data programmed to the card or tag is not counterfeit. At manufacture, readers, cards and tags are programmed with this fraudulent data detection solution. If tampering is detected, the reader reports it promptly to the access controller, identifying the credential in question.

According to Global Industry Analysts, a business strategy and market intelligence firm, the global market for card-based EAC is projected to reach $10.1 billion by 2020. This is driven by the growing demand from new office and both commercial and residential construction projects intersecting with the realization that a lack of personal physical access control or password-based network access control is now being regarded as a security risk.

What does this all mean to the locksmith? This is a good time to learn about and sell card-based EAC. You’ll be surprised at how helpful the manufacturers and their representatives will be.