The Future of Access Control
Kimberly Tjoumakaris – ICMA Public Relations Manager
Cards have traditionally been used for access control, but there has been a recent shift toward using mobile credentials and, in certain use cases, biometrics.
Certain vertical markets, such as higher education, are introducing the use of a mobile credential for access, where a smartphone is the credential instead of a card. The smartphone uses near-field communication (NFC) for access. Biometrics are also being used for access, again in the higher education vertical. For example, some universities are moving away from cards and using a fingerprint for access to dining services.
“We see a future where both cards and mobile will be used for access, along with biometrics,” said Martin Hoff, Entrust Datacard’s product marketing manager of hardware. “They are complementary form factors that can work together in an overall access control plan to secure a university, airport, government locations, financial institution, etc.”
Access control is an essential part of commercial security systems, keeping buildings, designated areas and sensitive information secure and safe by controlling entry or restricting access. With the wave or swipe of a card, authorized individuals can gain access to an entire facility, secured zone, networks or workstations, which may contain resources storing sensitive information about thousands or millions of people.
The two primary types of access control are physical and logical. While physical access control limits access to buildings, rooms and spaces within a building, logical access control allows authorized and authenticated personnel access to resources, systems, directories, networks and files.
Combining physical and logical access control delivers a higher level of security, granting companies the ability to limit and monitor access to sensitive data and physical locations.
Access cards are tied to a person’s identity through a physical access control (PAC) system, which involves a two-step process that links a card to a person after the card has been printed. Some card personalization software systems can also connect to and update the PAC system after the card has been personalized.
First, a system identifies an individual. Then, his or her credentials are authenticated via a badge, smart card, password, mobile device or biometric (e.g., fingerprint, facial recognition or iris pattern). Following authentication, access is granted.
Many access control systems rely on one form of authentication, but more recently companies are moving toward multifactor authentication, a security enhancement that requires the user to present two pieces of evidence for access: for example, entering a PIN and swiping a card. Combining multiple features is important to the security of both physical and digital credentials.
The top two factors in card technology choice for most businesses are budget and security. As companies realize the potential impact of a security breach, they are proactively taking measures to ensure they give employees only the right access to the right applications, buildings, labs, etc. at the right time.
“Security is a top concern for both private and public entities; many industries are transitioning to smart cards,” said Hoff. “Smart cards are the most secure type of access card and are used most often in government, health care and financial sectors, while proximity cards are commonly used in higher education and enterprise.”
Although the three types of access control cards (magnetic stripe, proximity and smart) may look the same, the technologies driving them vary significantly. Magnetic stripe cards work by swiping a magnetic stripe through a card reader, like a credit card. They are one of the oldest forms of access cards and offer minimal security because they can be copied very easily. Magnetic stripe cards typically work as a single-application card and are primarily used in low-security settings, such as guest entry to a hotel room or casino player cards. Many companies are moving away from magnetic stripe cards and replacing them with proximity cards.
Proximity cards, which use an older technology resulting in a low-security card, can be made of several different materials and come in several forms (cards, tags or fobs), but they all work in the same way: by being held in close proximity to a card reader. The low-frequency 125 kHz credential has an embedded antenna which, when in close proximity to the reader (from a few inches to two feet), sends a signal from the card to the controller that grants or denies access.
The most recent advancement in the access control card market segment, the smart card, was developed with the goal of being hard to duplicate. Smart cards are more reliable than magnetic stripe and proximity cards, and with an increasing demand for security solutions, growth is significant. The three types of smart cards (SEOS, MIFARE DESFire EV2 and iCLASS SE) offer the most security, operating at 13.56 MHz (compared to a proximity card that operates at 125 kHz).
Smart cards contain an embedded integrated circuit and are capable of writing data, as well as reading it, which allows the cards to store more information than traditional proximity cards. Smart cards can also provide personal identification, authentication, data storage, application processing and can be combined with other card technologies for increased security.
Previously, smart cards were used primarily by the U.S. Department of Defense for logical access management and in higher education settings for student identification cards, but now there is widespread adoption in the electronic benefits transfer, health care and financial markets.
“We are seeing a transition to smart cards across all industries,” Hoff said. “Due to stringent security requirements, we see higher smart card use in government, health care and financial, while proximity cards are more often used in higher education and enterprise, and mag stripe cards in K-12 education.”
While some health care organizations are still using proximity cards, many have started using smart cards since they are more secure and more difficult to clone than proximity and magnetic stripe cards. More specifically, the provider side is primarily using proximity cards while the client side is using smart cards (national health care cards and HSA cards).
The same trend is taking place on college campuses. While some schools still use proximity cards, more are starting to use smart cards.
“We’re also seeing the introduction of a mobile credential for access, where a smartphone is the credential instead of a card,” Hoff said.
Though access cards still play a powerful role in the access control market, some companies are turning toward smartphone Bluetooth-enabled and near-field communication (NFC) technology. Both are wireless technologies that give individuals frictionless access through secured doors, elevators and turnstiles.
The introduction of mobile credentials has the potential to revolutionize the access control industry, eliminating the need to carry and swipe a card. Instead, a phone’s technology can be used to authenticate identity and grant entry.
Although most Android devices have had full NFC support for close to a decade, Apple was more cautious about employing the technology, waiting to introduce NFC until it found a solid consumer use case. In the last couple of years, however, Apple has started to open that up. In 2014, with the release of Apple Pay on the iPhone 6 and 6+ models, NFC was adopted for the first time, with functionality locked to Apple Pay.
In higher education settings, Blackboard Mobile Credential is being used for student ID cards in Apple Wallet. Students can add their ID to the Apple Wallet on an iPhone and to Apple Watch, which allows for a seamless experience across campus by providing access to campus buildings, as well as payment for dining and retail.
One of the major advancements in access control is the propagation of biometrics, a category of authentication that relies on unique biological characteristics to verify a user’s identity. Biometric identification is the only mode of authentication that can unequivocally validate a person’s identity. It is on the rise with retinal eye scanners, fingerprint readers and facial recognition scanners becoming more common. In some cases, multiple methods of biometric identification are combined with the use of a card (or used in place of a card) for even greater security. Unlike proximity cards, smart cards or keys, biometric security cannot be transferred. A person must be physically present to gain physical or logical access.
The adoption of biometrics in access control will continue. Looking ahead to the next five or 10 years, growth will likely accelerate as the prices come down and biometric systems can be inexpensively deployed and upgraded.
In the meantime, if an access card is lost or stolen, a physical access control system administrator can deactivate the lost or stolen card to ensure that the card can no longer be used and the space remains secure.
“Since you can track each time the card is used, the administrator can validate if the card was used to access a space after the card was lost or stolen,” Hoff said.