Back to Basics is an article series highlighting important, but possibly overlooked, information that security professionals should know.
Security professionals should be concerned about how their facilities incorporate physical access control systems, which grant employees, contractors, and visitors access to a site based on their credentials. A weak physical access control system could allow unauthorized personnel to enter a site, which could put building employees and company assets at risk.
Objectives of Access Control
When determining how to set up physical access control systems, security professionals should work to meet the four objectives as outlined by the U.S. Department of Homeland Security’s Access Control Technologies handbook:
- Permit authorized personnel entry while denying entry to those who are unauthorized.
- Prevent prohibited items, such as weapons and explosives, from entering the site while also prohibiting items from leaving the site, as dictated by the site’s security department.
- Occupants of the facility and security professionals should notify security management of any attempts of individuals to gain unauthorized access or tamper with or bypass physical access control measures. While some access control systems can track unsuccessful attempts, security professionals should use surveillance and intrusion detection systems to assist in these efforts.
- Records of physical access control activity, user permissions, and property configuration changes should be maintained at all times.
Levels of Physical Access Control Equipment
For highly-secure facilities, physical access control systems begin at a distance away from the building at a security gate where vehicular movement is controlled through an automated gate or with a security guard. Beyond this point, security professionals should focus on securing their buildings with physical access control.
There are three levels of physical access control: low, such as door locks; medium, which can involve a keycard or key fob; and high, such as biometrics.
Low: Door Locks
For low-grade access control, security professionals should consider installing and maintaining an old-fashioned lock mechanism. While they are the cheapest and most efficient kinds of locks, keys can easily be copied, lost, or stolen, and locks can be picked.
The main types of door locks include the following:
- Cylindrical: Cylindrical locks are installed through a door and have a knob on either side that retracts the latch when turned. These can be found in offices and interior doors. Facilities that have cylindrical locks can be opened with just a key or a key and a push-button on the handle.
- Mortise: More durable than cylindrical locks, mortise locks can be installed on a metal or wooden door with a separate deadbolt. The deadbolt has a steel bolt that extends into the door jamb and strikes the frame of a door. Mortise locks require a pocket, or mortise, to be cut into the door where the lock will fit.
- Cipher: More expensive than cylindrical and mortise locks, cipher locks are great for providing access to a secure area without having to use multiple keys. They can automatically lock after several unsuccessful attempts and include:
- Mechanical: The buttons for these types of locks can be installed on a door vertically or in a circle near the knob that moves the bolt once the lock is released.
- Electronic: These can be installed either on a door or on a wall next to the door and control a strike plate. They are operated by pressing a combination of buttons, which are located behind a shield so the combination can’t be observed by others.
- Electromechanical: These locks share features of mechanical and electronic locks and might have a dial-type combination lock.
Medium: Keycards and Key Fobs
Keycard and key fob door systems have a reader attached to the door and are an important component of the latch control mechanism. Most of these systems use red and green LED lights to show the state of the lock.
Once the keycard or fob is used, if the user has access, the light will turn green and the system will unlatch the electric and mechanical locks, allowing the user to enter. If a user does not have access, a red LED light will display, the electronic lock will not open, and the mechanical lock will remain locked. Key cards are typically the size of a credit or debit card.
Keycards and key fobs are used in many industries, including the hospitality and hospital industries, to provide access to rooms or the building after hours. They can also allow access for specific times and days and can be reencoded. However, although the technology allows for custom access control, keycards and key fobs can be lost or stolen.
There are a variety of keycards and key fobs, such as:
- Wiegand key cards: These cards, which can’t be demagnetized, provide binary information to readers, and data is stored on two parallel polarized magnetic wires.
- Magnetic swipe card keys: This type of card requires the user to swipe the card through a reader mounted to a nearby wall. The magnetic strip is used to store and read data.
- Contact smart cards: These cards must be inserted through a reader on the door, and their plastic body contains integrated circuits. However, strong magnetic fields can demagnetize them.
- Contactless smart cards: These radio frequency identification (RFID) cards operate on different frequencies and require users to hold them near a reader to enter. The cards’ antenna of coiled wire sends the identification on the chip to the reader.
- RFID fobs: These are small plastic, epoxy resin, or metal keychains that transmit an RFID or a radio frequency (RF) signal to a reader. Typically, the reader reads the code that is placed on the fob. These types of keys are suitable for interior and exterior applications.
Biometric access control uses human biological attributes to allow access and is typically implemented in areas that require high levels of security.
Various types of biometric access control measures include:
- Facial recognition: Uses one or more photographic images by measuring points on a face with no physical contact and is often used in banking, gaming, healthcare, law enforcement, customs, and retail.
- Fingerprint recognition: The most widely used and uses unique features found in the ridge patterns of a user’s finger. The data is also inexpensive to collect and analyze.
- Hand/finger geometry recognition: Uses a camera that captures 96 hand features. This is used in nuclear power plants, welfare centers, immigration facilities, and daycare centers and includes full hand geometry, which measures the whole hand, and finger geometry, which measures the index and middle fingers.
- Vascular pattern recognition: Is a relatively new technology that looks at patterns formed by veins on certain parts of the body, like the back of a hand, a finger, the wrist, or the face.
- Iris recognition: Takes an infrared picture of the iris, the plainly visible colored ring surrounding the pupil, from 4 inches to 6 feet away. This is typically used in high-security areas.
- Voice recognition: Uses unique aspects of human voice patterns to verify a user’s identity. It is used in warehouse and distribution, electronic commerce, financial services, government, and healthcare and telecommunications and can also be useful in lower-security settings.
- Signature dynamics recognition: Identifies a user from a handwritten signature and analyzes the shape, speed, stroke, pen pressure, and timing information. It has a high user acceptance rate and is used where written access logs are maintained, such as in financial institutions or at prescription counters at pharmacies.
- Bluetooth smartphone apps: Can be configured to allow personnel to access buildings, or specific parts of them, with a smartphone.
An Optimal Combination
For an optimal level of access control, security professionals should require a user to provide three main attributes:
- A pin or password—something the person knows
- RFID/near field communication (NFC) card/key/smartphone—something the person has
- Biometric—something about the person
Security professionals should consider the needs of their buildings when determining whether some areas would be best served by low, medium, or high levels of access control. The decision should be made based on a number of factors, including the number of people using the facility; the type of facility; and the kind of security required based on decisions by management and local, state, and federal law.