Technology-Related Access Control Solutions

There are many ways of identifying and authenticating users on a system. In this chapter, you have read about perimeter security and physical barriers to buildings and facilities. You have explored the realm of biometric access controls. In this section, you will read about other technologies that are designed to grant or prevent access to key areas or data.

Physical Locks

The most common and widely used physical access control technology is the lock. There is a wide variety of locks, each with its own level of sophistication:

  • Warded locks—A typical padlock is a warded lock. It is the simplest of all mechanical locks. It consists of metal projections, or wards, in the locking chamber that match up to the grooves on the key. Once the key is inserted, it uses leverage to turn the bolt to the unlocked position. These locks are inexpensive and are the easiest to pick. They are secure enough to deter the curious but not the determined thief.
  • Tumbler locks—These are more sophisticated than warded locks. They have a series of spring-loaded tumblers that are moved into alignment by the grooves on the key. Once all the tumblers are in position, the bolt can be slid into the unlocked position.
  • Combination locks—Combination locks, such as those used on high school lockers, provide a higher level of security than warded or tumbler locks. They work by aligning a series of wheels. When the dial is spun to the right and left in a specific sequence, the wheels are aligned and the lock will release. Electronic versions do not align a series of wheels but rather act as a simple password system. When the user enters the combination on a keypad, it is checked against the stored password. If the two match, the lock is released.
  • Cipher locks—These locks are programmable and are the most sophisticated type of lock. Unlike previous styles, cipher locks can be programmed with many combinations and can be combined with a swipe card or biometric identity verification system. This type of lock can also have added security features built in, such as a door delay alarm that triggers if the door is held open for another individual, or hostage alarms. To trigger a silent alarm, an individual under duress would enter a panic code instead of his or her normal combination. When a user enters a duress code, the cipher lock opens to make the hostage-taker think that everything is operating normally. However, the lock also triggers a silent alarm to notify security responders that a hostage situation exists.

Mechanical locks are most commonly used to secure equipment such as laptops that are easy to steal. Combination and cipher locks are often used to secure sensitive areas within a facility, such as data centers.
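The duress-code behaviour of a cipher lock described above, as an added example (not from the book or from any lock vendor): the door releases for both the normal and the panic code, and only the alarm channel differs. The class and method names, the salted-hash storage and the 15-second door delay are assumptions.

```python
import hashlib
import hmac
import os


def _digest(salt: bytes, code: str) -> bytes:
    # Salted, slow hash so combinations are not stored in the clear.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class CipherLock:
    """Keypad lock with a normal and a duress combination per user."""

    def __init__(self, max_open_seconds: float = 15.0):
        self.salt = os.urandom(16)
        self.codes = {}    # user -> (normal digest, duress digest)
        self.alarms = []   # events sent to security responders only
        self.max_open_seconds = max_open_seconds  # assumed door delay limit

    def enroll(self, user: str, normal: str, duress: str) -> None:
        self.codes[user] = (_digest(self.salt, normal), _digest(self.salt, duress))

    def enter(self, code: str) -> bool:
        """Return True if the door releases; this is all the keypad shows."""
        entered = _digest(self.salt, code)
        opened = False
        for user, (normal, duress) in self.codes.items():
            # Check every stored digest in constant time, with no early exit.
            is_normal = hmac.compare_digest(entered, normal)
            is_duress = hmac.compare_digest(entered, duress)
            if is_duress:
                # Door still opens; only the responders learn of the duress.
                self.alarms.append(("duress", user))
            opened = opened or is_normal or is_duress
        return opened

    def door_closed(self, seconds_open: float) -> None:
        # Door delay alarm: the door was held open longer than allowed.
        if seconds_open > self.max_open_seconds:
            self.alarms.append(("door_held", seconds_open))


def demo():
    # Constructed sample combinations, for illustration only.
    lock = CipherLock()
    lock.enroll("alice", normal="4821", duress="4829")
    results = (lock.enter("4821"), lock.enter("4829"), lock.enter("0000"))
    lock.door_closed(seconds_open=40.0)
    return results, lock.alarms
```

The return value of `enter` is identical for the normal and duress codes, so nothing at the keypad reveals that an alarm was raised.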

Electronic Key Management System (EKMS)

In facilities with a large number of physical keys, keeping those keys secure can be a challenge. Electronic key management systems are locked boxes designed to control who has access to the keys and to keep a record of which keys are checked out and by whom. Typically, an EKMS has a keypad or smart card reader mounted near the lockbox. When an individual needs to check out a set of keys, he or she scans the smart card or enters a combination on the keypad. If the credentials are acceptable, the lockbox opens and the user can remove a set of keys from a chamber. The EKMS logs the user ID, a timestamp, and which keys are removed from the lockbox. The system also logs when the keys are returned.
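An added example (not part of the book or of any EKMS product) of why the checkout and return records matter: it reconciles a log and flags keys held too long, returned by someone other than the borrower, or returned with no checkout on record. The log line format, user IDs, key IDs and 8-hour limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption, not a vendor's.
SAMPLE_LOG = """\
2024-03-04T08:02:11 CHECKOUT user=u1001 key=K-017
2024-03-04T08:05:40 CHECKOUT user=u1002 key=K-022
2024-03-04T09:15:03 RETURN user=u1001 key=K-017
2024-03-04T10:30:00 CHECKOUT user=u1003 key=K-031
2024-03-04T16:45:10 RETURN user=u1004 key=K-022
2024-03-04T17:00:00 RETURN user=u1001 key=K-040
"""


def reconcile(log_text, now, max_hold=timedelta(hours=8)):
    """Match returns to checkouts and report what needs follow-up."""
    out = {}        # key -> (user, checkout time) for keys currently out
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, action, user_f, key_f = line.split()
        when = datetime.fromisoformat(stamp)
        user, key = user_f.split("=", 1)[1], key_f.split("=", 1)[1]
        if action == "CHECKOUT":
            if key in out:
                # Logged as removed twice with no return in between.
                findings.append(("checkout_while_out", key, user))
            out[key] = (user, when)
        elif action == "RETURN":
            if key not in out:
                findings.append(("return_without_checkout", key, user))
                continue
            holder, _ = out.pop(key)
            if holder != user:
                findings.append(("returned_by_other_user", key, user))
    # Anything still out past the allowed holding time is overdue.
    for key, (user, when) in sorted(out.items()):
        if now - when > max_hold:
            findings.append(("overdue", key, user))
    return findings
```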

Fobs and Tokens

In situations in which more sophisticated access controls are needed, challenge-response tokens on key fobs are useful. These are small devices that display a new code every minute; the codes are based on public key encryption. The key fob tokens are convenient for the user because of their small size. They are often designed to attach to a key ring, making them more difficult to lose than a loose device.

To access a secured facility, VPN, or other resource, the user is given a challenge. Typically, this is simply a request for a code. The user then uses the key fob device to generate a code, which the user enters into the access control system. If the code is accepted, the user has the opportunity to enter a username and password or some other authentication factor. Challenge-response tokens are generally used in two-stage authentication schemes.

Common Access Cards

The Common Access Card (CAC) is a smart card issued by the U.S. Department of Defense to military and civilian personnel and contractors. It is used as a single sign-on for secured resources and as an identification card for access to facilities. The CAC includes a magnetic stripe used in card readers for access to facilities. It also includes a digital photograph for visual identification purposes and a microchip that stores a card holder unique identification (CHUID), personally identifying information, and privilege data on the cardholder. CACs store basic identity verification data such as name and Social Security number, as well as two fingerprint biometrics.
