Biometrics: The Future of Access Control

For much of history, identification systems have relied on face-to-face interactions and physical documents and processes. But digital technologies are transforming how identity is authenticated around the globe.

In an era of growing security concerns, governments, corporations and property managers must elevate the importance of a trusted identity while balancing the demand for convenient and efficient access.

According to the International Card Manufacturers Association (ICMA)’s 2019 Global Market Statistics Report, access control card use has increased globally with the demand for increased security driving growth.

“Recently, there have been a number of large-scale data breaches,” said Kevin Freiburger, director of identity programs at Valid, who is an ICMA member. “That means data security is now a foremost concern for businesses across the globe and that is one of the driving forces behind the expansion of access control technology.”

The two primary types of access control are physical and logical. While physical access control limits access to buildings, rooms and spaces within a building, logical access control allows authorized and authenticated personnel access to resources, systems, directories, networks and files.

Combining physical and logical access control technology delivers a higher level of security, granting companies the ability to limit and monitor access to sensitive data and physical locations.

Access control is an essential part of commercial security systems—keeping buildings, designated areas and sensitive information secure and safe by controlling entry or restricting access.

With the wave or swipe of a card, authorized individuals can gain access to an entire facility, secured zone, networks or workstations, which may contain resources storing sensitive information about thousands or millions of people.

Technological advancements like the deployment of wireless technology are enhancing access control.

“Security is a top concern for both private and public entities; many industries are transitioning to smart cards,” said Martin Hoff, Entrust Datacard’s product marketing manager of hardware, who is an ICMA member.

“Smart cards are the most secure type of access card and are used most often in government, health care and financial sectors, while proximity cards are commonly used in higher education and enterprise.”

Access cards are tied to a person’s identity through a physical access control (PAC) system, which involves a two-step process that links a card to a person after the card has been printed. Some card personalization software systems can also connect to and update the PAC system after the card has been personalized.

“Access control technology begins with a trusted identity, which validates the person who is entitled to the benefits associated with a credential,” said Sebastian Tormos, Entrust Datacard’s director of vertical marketing, who is an ICMA member. First, a system identifies an individual.

Then, their credentials are authenticated via a badge, smart card, password, mobile device or biometric (i.e. fingerprints, facial recognition or iris pattern). Following authentication, access is granted.

Many access control systems rely on one form of authentication, but more recently companies are moving toward multifactor identification, a security enhancement that requires the user to present two pieces of evidence for access. For example, entering a PIN and swiping a card for access. Combining multiple features is important to the security of both physical and digital credentials.

Digital Identity is Key to Security

Although technology continues to evolve and advance, when it comes to a trusted identity, physical cards will continue to play a valued role in securely granting or restricting access—especially in the health care and government sectors.

The combination of a physical card with a digital identity is powerful and provides multi-layered security.

“Access cards are encoded with a unique decimal number, which is linked to a user’s record,” said Howard Albrow, HID Global’s NPI product line manager of PACS credentials, who is also an ICMA member.

“Typically, an access control card does not contain any personal identifiable information, but through the system, it can link to a data record that may hold personal identifiable information.”

The amount of personalization that occurs with access cards depends on what type of information and security is put on the card, such as encoding a smart card with unique data, certificates and/or credentials.

“If a card is lost, stolen or permissions need to be amended, an integrated card management system allows the administrator to easily turn off a card and then notify the other integrated systems to turn off physical access control as well as logical access,” Freiburger said.

“Today, most companies are using an integrated access control system, but if an older legacy system is in place it may lack the technology for integration with a newer system.”

3 Types of Access Control Cards

There are two categories of access control cards—nonsecure and secure—and both provide ways to monitor who is accessing resources or entering or exiting a building.

A proximity card is the most common type of access card for commercial and residential buildings; however it offers little security. Typically the size of a credit card, an access card usually lasts five to 10 years before it has to be replaced.

However, many factors affect the durability and lifespan of the card, such as the type of card substrate and personalization techniques used, how the card is stored and if the card is resistant to chemicals, abrasion, moisture and ultraviolet light. Although the three types of access control cards—proximity, magnetic stripe and smart—may look the same, the technologies driving them vary significantly.

Proximity (prox) cards, which use an older technology resulting in a low-security card, can be made of several different materials, as well as forms—cards, tags or fobs—but they all work in the same way: by being held in close proximity to a card reader.

The low-frequency 125kHz credential has an embedded antenna, which when in close proximity, such as a few inches to two feet—sends a signal from the card to the controller that grants or denies access.

Magnetic stripe cards work by swiping a magnetic stripe through a card reader like a credit card.

They are one of the oldest forms of access cards and offer minimal security because they can be copied very easily. Magnetic stripe cards typically work as a single application card and are primarily used in low-security settings like for guest entry to a hotel room or for casino player cards.

Many companies are moving away from magnetic stripe cards and replacing them with prox cards.

The most recent advancement in the access control card market segment—smart cards—were developed with the goal of being hard to duplicate. Smart cards are more reliable than magnetic stripe and prox cards, and with an increasing demand for security solutions, growth is significant.

Read Next: The Complete List of Access Control Options

The three types of smart cards—SEOS, MIFARE DESFire EV2, iCLASS SE—offer the most security, operating at 13.56Mhz (compared to a prox card that operates at 125kHz).

Smart cards contain an embedded integrated circuit and are capable of writing data, as well as reading it, which allows the cards to store more information than traditional prox cards.

Smart cards can also provide personal identification, authentication, data storage, application processing and can be combined with other card technologies for increased security.

Previously, smart cards were used primarily by the U.S. Department of Defense for logical access management and in higher education settings for student identification cards, but now there is widespread adoption in the electronic benefits transfer, health care and financial markets.

“Smart cards are the best fit for commercial and residential building access because they provide greater security with an encrypted credential that must be decrypted by a reader,” said Hoff. “It’s much easier to spoof proximity and magnetic stripe cards.”

Although prox cards aren’t as flexible as smart cards and don’t offer multifunctionality like the ability to load payment purses and applications onto the card—a prox card does allow the user to be contactless.

“There’s definitely an uptick in prox card use,” Freiburger said. “We are seeing more interoperability, which does make a prox card more viable. For example, they can be used in multiple systems for logical and physical access control systems.”

Access Control: Future Trends

Though access cards still play a powerful role in the access control technology market, some companies are turning toward smartphone Bluetooth-enabled and Near-field Communication (NFC) technology.

Both are wireless technologies that give individuals frictionless access through secured doors, elevators and turnstiles. The introduction of mobile credentials has the potential to revolutionize the access control industry, eliminating the need to carry and swipe a card. Instead, a phone’s technology can be used to authenticate identity and grant entry.

“There has been a tremendous uptick in the popularity of mobile credentials,” said Albrow.

“A mobile credential can be used via a smartphone to interact with an access control reader in the place of a physical card, which is more convenient, allows greater flexibility, improves privacy and can also lower the maintenance costs of credential management for end users.”

Although most Android devices have had full NFC support for close to a decade, Apple was more cautious about employing the technology, waiting to introduce NFC until it found a solid consumer use-case.

Jeffrey E. Barnhart is the founder and executive director of the International Card Manufacturers Association (ICMA). He can be reached at jbarnhart@icma.com

“It was difficult for widespread adoption to gain traction of NFC as a wireless communication method because a major player, Apple, didn’t support it, which automatically eliminated half of the market in the U.S.,” Freiburger said.

But in the last couple of years, Apple is starting to open that up. In 2014, with the release of Apple Pay to the iPhone 6 and 6+ models, NFC was adopted for the first time with functionality locked to Apple Pay.

“Access is not as open as it is with Android, but Apple is starting to partner with curated partners who are building software and solutions around NFC,” Freiburger said.

“As Apple continues to open up NFC, we’ll start seeing more movement of mobile credentials to phones using NFC as a ubiquitous, known standard.” NFC is already being used in higher education and some airlines are starting to use Apple Wallet for NFC applications in club lounges and for airport security.

In higher education settings, Transact Mobile Credential is being used for student ID cards in Apple Wallet. Students can add their ID to Wallet on iPhone and Apple Watch, which allows for a seamless experience across campus by providing access to campus buildings, as well as payment for dining and retail.

“There’s definite growth in mobile,” Freiburger added.

“When it is used properly with an application for access control technology, the security is incredible. Issuers want to meet their customers where they are and that is typically on a phone or on a cloud service.”

Biometric Security Advancements

One of the major advancements in access control is the propagation of biometrics, a category of authentication that relies on unique biological characteristics to verify a user’s identity.

“The systems used to be incredibly expensive, hard to deploy and difficult to maintain and update,” Freiburger said. “Now, the cost has come down considerably and there is widespread adoption of biometric access control systems across many new verticals. Adoption is highest in sensitive markets like national security, information technology and banking.”

Biometric identification is the only mode of authentication that can unequivocally validate a person’s identity.

It is on the rise with retinal eye scanners, fingerprint readers and facial recognition scanners becoming more common. In some cases, multiple methods of biometric identification are combined with the use of a card (or used in place of a card) for even greater security. Unlike prox cards, smart cards or keys, biometric security cannot be transferred. A person must be physically present to gain physical or logical access.

“The adoption of biometrics will be a continuum,” Freiburger said.

“Looking ahead to the next five or 10 years, growth will likely accelerate as the prices come down and biometric systems can be inexpensively deployed and upgraded.”


About ICMA

Celebrating its 30th anniversary in 2020, ICMA is a nonprofit association of card manufacturers, personalizers, suppliers and related industry participants. With 205 members globally, ICMA acts as a resource for industry issues, including the production, technology, application, security and environmental issues of cards. More information is available at icma.com.