4. Access Control Credentials and Credential Readers
Chapter objectives
1. Learn the Basics in the Chapter Overview
2. Learn More about Access Credentialing Concepts
3. Learn All about Access Cards
4. Why and When to Use Keycodes
5. Learn All about Biometrics
6. Learn Photo ID Concepts
7. Pass a Quiz on Access Control Credentials and Credential Readers
CHAPTER OVERVIEW
The idea of the Access Credential and Credential Reader and a comparison Database of Authorized Users is the centerpiece of the concept of Access Control Systems. These elements are essential to any type of Access Control System from the most sophisticated global enterprise-wide integrated electronic security system to the most humble procedural system.
Access Credentials can take many forms, the most common being access cards, keycodes and biometric attributes (fingerprint, etc.). Common electronic Access Credential Readers include Card Readers, Keypads and Biometric Readers. Common card types include Magnetic Stripe Cards, Wiegand Cards, and Proximity and Contactless Smart Cards. Common Card Readers include Insertion and Swipe readers for Magnetic Stripe and Wiegand Cards and Proximity Type Readers for Proximity and Contactless Cards. There is a separate type of Biometric Reader for each type of Biometric credential.
Access cards are commonly coupled with Photo Identification, usually imprinted on the front of the access card, to help ensure that the bearer is the authorized card holder.
Keywords: Access Control Systems, Access Credential, Biometric, Cards, Codes, Credential Reader, Database, Enterprise, Magnetic Stripe, Procedural, Proximity, Smart Card, User
Author Information:
Thomas L. Norman, CPP, PSP, CSC, Executive Vice President, Protection Partners International

Access Credentialing Concepts

As discussed in Chapter 3, the most fundamental concept of Access Control is the idea of the Access Control Credential. A credential is a method of proof of identity and evidence of authority, status, rights, and entitlement to privileges. In its original form, a credential was used by messengers in times of war and by anyone who needed access to the king or general. This practice was first recorded in Egyptian history over three thousand years ago. The purpose of the credential is to provide evidence of authority to a gatekeeper whose purpose it was to challenge unauthorized people seeking entry to the king's court. It did not matter whether or not the gatekeeper knew the person seeking entry; the credential gave that person the authority to enter.
Access Credentials in modern history (pre-electronics version) came in the form of a laminated Identification Card, usually with the bearer's name and photo and some emblem that identified the facility for which it was to be used. Along with that there was usually a number (to verify that the card was still valid), sometimes an expiration date, and very often some color codes (often two bars — top and bottom), where the top bar defined the areas and the bottom bar defined the times allowed.
Early Electronic Access Control Systems used a variety of different card technologies including Magnetic Stripe (almost everybody), Barium Ferrite (Cardkey), Hollerith (Ving), Rare-Earth (DKS-Australia), a very early form of Proximity technology (Schlage), and Wiegand Wire Cards (Cardkey). More recent card technologies utilize 125 KHz Proximity, MiFare, and contactless Smart Card RFID. It is rare today to see any other technologies.
Keypads are still in use, although less common today than in the past. Another common type of credential is a biometric. Biometric credentials may include fingerprint, iris, retina, voice, handwriting, hand geometry, and blood vessel patterns.
Although the use of plain, unprinted, or printed access cards is common for relatively minor security buildings, most governmental and larger corporate facilities utilize a Photo ID card similar to the one described in controlled high-security facilities. At a minimum, the Photo ID card typically includes a photo of the authorized bearer, his/her name, usually an icon representing the facility, and an access card number.

Keypads

The most basic types of ID readers are keypads (what you know). Basic keypads are simple twelve-digit keypads that contain the numbers 0–9 and a * and # sign. The most desirable attributes of keypads are that they are simple to use (Got fingers?); and they are just dirt cheap. The most undesirable attribute of keypads is that it is relatively easy for a bystander to read the code as it is being entered and suddenly, Wah-Lah! YOU have been duplicated in the access control database (i.e., now two people know your code — so now no one is sure if the person who used the code is really you). Also, the Pizza Guy always knows a code since there is always some fool who will give out his code for things as important to the organization's mission as pizza. This sort of defeats the whole purpose of access control, since now management has no idea who has the codes. Although there are shrouds for keypads, they are cumbersome and never seem to be well accepted; and the Pizza Guy still knows the code.
Two other variants are the so-called “Ashtray” keypad, which conceals the code quite nicely, and the Hirsch Keypad®, which works really, really well. The Ashtray Keypad is somewhat rare now, but puts the 0–9 keys on five rocker switches just inside the lip of the reader where prying eyes cannot see.
The Hirsch Keypad (Figure 4.1) displays its numbers behind a flexible, transparent cover using seven-segment LED modules. Then, just to confuse the guy across the parking lot with binoculars, it scrambles the position of the numbers so that they almost never show up in the same location on the keypad twice. This ensures that even though Binocular Guy can see the pattern of button pressing, it will be useless since that pattern does not repeat itself very often, if ever. We have also found that in many organizations, there is something about the hi-tech nature of the Hirsch Keypad systems that seems to make its users more observant of the need not to give out the code to unauthorized people. Sorry, Pizza Guy.
Figure 4.1
Hirsch keypad.
Image courtesy of Hirsch Electronics.

Access Cards, Key Fobs, and Card Readers

One step up the scale of sophistication from keypads are ID Cards and Card Readers. Access Control Cards come in several variants, and there are a number of different card reader types to match both the card type and the environment; there will be more on that later in the chapter. Common Access Card Types include:
• Magnetic Stripe
• Wiegand Wire
• Passive Proximity
• Active Proximity
• Smart Cards (both Touch and Touchless types)
Increasingly rare types include:
• Barcode
• Barium Ferrite
• Hollerith
• Rare-Earth Magnet
Magnetic Stripe Cards have a magnetic band (similar to magnetic tape) laminated to the back of the card. These were invented by the banking industry to serve Automated Teller Machines (ATMs). Typically there are two to three bands that are magnetized on the card. The card can contain a code (used for access control identification), the person's name, and other useful data. Usually in access control systems, only the ID code is encoded. Magnetic stripe cards come in two types: high and low coercivity (how much magnetic energy is charged into the magnetic stripe). Bank cards are low coercivity (300 Oersted) and most early Access Control Cards were high coercivity (2750 or 4000 Oersted). However, as clients began to complain that their bank cards failed to work after being in a wallet next to their access card, many manufacturers switched to low coercivity for access cards as well.
Desirable attributes of magnetic stripe cards are that they are easy to use and inexpensive. Undesirable attributes are that they are easy to duplicate and thus not suitable for use in any secure facility.
Magnetic Stripe Readers are available in two versions: Insertion and Swipe readers. Insertion readers, as the name suggests, require insertion of the card. This is common on ATM machines. The other type is the swipe reader. It has a slot through which the card is swiped. A read-head is present in the reader that reads the card's ID code as it is swiped through. Magnetic Stripe Readers were a common type of access control reader, but they have been largely replaced by proximity readers.
Barcode Cards: Barcode cards use any of several barcode schemes, the most common of which is a conventional series of lines of varying thicknesses. Barcodes are available in visible and infrared types. The visible type looks similar to the UPC barcode on food articles. Infrared barcodes (Figure 4.2) are invisible to the naked eye, but can be read by a barcode reader that is sensitive to infrared light. The problem is that either type can be easily read and thus duplicated, so barcodes are also not suitable for secure environments. Barcode readers were also available in both insertion and swipe versions, and the swipe version was the most common.
Figure 4.2
Barcode card.
Barium Ferrite Cards: These are based on a magnetic material similar to that used in magnetic signs and refrigerator magnets. A pattern of ones and zeros is arranged inside the card and, because the material is essentially a permanent magnet, it is very robust. Barium ferrite card readers can be insertion or swipe type in the form of a stainless steel plate placed within a beveled surface. For the latter type, the user simply touches the card to the stainless steel surface and the card is read. Swipe and insertion barium ferrite cards and keys are almost non-existent today, relegated only to legacy systems. The stainless steel touch panel is still common in some locales.
Hollerith: The code in Hollerith cards is based on a series of punched holes. The most common kind of Hollerith card is used in hotel locks. Some Hollerith cards are configured so their hole patterns are obscured by an infrared transparent material. One brand of Hollerith is configured into a brass key (Figure 4.3). Hollerith cards are not common in secure facilities. The most common application of Hollerith cards is in the hotel industry.
Figure 4.3
Hollerith key.
Rare-Earth Magnets: An extremely rare type of access credential is the Rare-Earth key. The Rare-Earth magnets are set in a pattern of 4 wide by 8 long and each can be positioned so that north is pointing left or right, making a pattern of ones and zeros. Such keys are very difficult to duplicate and are suitable for high-security facilities, although their cost is high since each key must be hand-made. Rare-Earth Cards were always unusual, but in some parts of the world, notably Australia, Rare-Earth keys were pretty common. All were of the insertion type.

Wiegand Wire Cards

After 40 years of research, the Wiegand effect was discovered by John R. Wiegand. The Wiegand effect is a way to cause the magnetic fields of specially processed, small-diameter ferromagnetic wire to suddenly reverse, generating a sharp uniform voltage pulse. Sensors based on the proprietary, patented Wiegand effect require only a few simple components to produce Wiegand pulses. These sensors consist of a short length of Wiegand wire, a sensing coil, and alternating fields, generally derived from small permanent magnets. [1]
[1] Dave Dlugos, Manager, Marketing Services, HID Corporation.
Wiegand wires are twisted into an “E” shape with two windings.
Wiegand Wire Cards (Figure 4.4) are access cards that have a series of short lengths of Wiegand wire embedded in them. These encode the identity of the card based upon the pattern of the embedded wires. The identity code of the card consists of a combination of presence (wires present) and absence (wires absent) along the length of the card. A second set of wires provides a clock track against which the first set is compared. The card is read by swiping it through a slot in a Wiegand card reader that has a fixed magnetic field and a sensor coil. As each wire passes through the magnetic field its magnetic state flips, indicating a 1, and this is sensed by the coil. Where there is no wire, the number is registered as a 0. The Wiegand Protocol is a standard bit-code (typically 26 bits) comprising one parity bit, 8 bits of facility code, 16 bits of ID code, and a trailing bit for a total of 26 bits. The Wiegand protocol can achieve many permutations, including many specialized bit patterns, providing for a unique card for each individual facility.
Figure 4.4
Wiegand wire card and reader.
Wiegand Wire Cards were extremely common for many years and presented the state of the art for non-proximity cards. Most Wiegand Card Readers were the swipe type.
The Wiegand Protocol provided for a significant advancement when it was introduced in access control systems in 1975, because it allowed for long cable runs from card readers (up to 500 feet). The typical Wiegand interface uses three wires: a common ground and two data transmission wires usually called DATA0 and DATA1. When no data are sent, both are at high voltage. When a 0 is sent, the DATA0 wire is at low voltage while the DATA1 wire remains at high voltage. When a 1 is sent, the DATA1 wire is at low voltage while the DATA0 wire remains at high voltage. Most Wiegand protocols use +5 volts DC to achieve the long cable runs. The Wiegand Protocol has also become the standard data protocol for Proximity type cards.
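As an added example (not code from the book), the following Python sketch decodes the DATA0/DATA1 signalling and the 26-bit frame described in this section. It assumes the widely used 26-bit convention in which the leading bit is even parity over the first 12 data bits and the trailing bit is odd parity over the last 12; the function names and the sample line capture are constructed for illustration.

```python
"""Decode a 26-bit Wiegand frame from DATA0/DATA1 line samples (added example)."""
from dataclasses import dataclass

FRAME_BITS = 26  # 1 leading bit + 8 facility + 16 ID + 1 trailing bit


@dataclass(frozen=True)
class Credential:
    facility_code: int  # 8 bits, 0..255
    card_number: int    # 16 bits, 0..65535


def pulses_to_bits(samples):
    """Turn sampled (DATA0, DATA1) levels into bits.

    Idle is (1, 1). DATA0 low means a 0 bit, DATA1 low means a 1 bit.
    Both lines low together is not a valid state and is rejected.
    """
    bits, prev = [], (1, 1)
    for level in samples:
        if level == (0, 0):
            raise ValueError("DATA0 and DATA1 low together: fault or noise")
        if prev == (1, 1) and level != (1, 1):  # start of a new pulse
            bits.append(1 if level[1] == 0 else 0)
        prev = level
    return bits


def decode_26bit(bits):
    """Check both framing bits and split the 24 data bits."""
    if len(bits) != FRAME_BITS:
        raise ValueError(f"expected {FRAME_BITS} bits, got {len(bits)}")
    leading, data, trailing = bits[0], bits[1:25], bits[25]
    # Assumed convention: leading = even parity over the first 12 data bits,
    # trailing = odd parity over the last 12 data bits.
    if (leading + sum(data[:12])) % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    if (trailing + sum(data[12:])) % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")
    facility = int("".join(map(str, data[:8])), 2)
    card = int("".join(map(str, data[8:])), 2)
    return Credential(facility, card)


def encode_26bit(facility_code, card_number):
    """Build a frame the way a reader would, to produce test input."""
    if not (0 <= facility_code < 2**8 and 0 <= card_number < 2**16):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = [int(b) for b in f"{facility_code:08b}{card_number:016b}"]
    leading = sum(data[:12]) % 2          # makes the first half even
    trailing = 1 - sum(data[12:]) % 2     # makes the second half odd
    return [leading] + data + [trailing]


def bits_to_samples(bits):
    """Constructed capture: idle, then a two-sample low pulse per bit."""
    samples = [(1, 1)]
    for b in bits:
        level = (1, 0) if b else (0, 1)   # 1 pulls DATA1 low, 0 pulls DATA0 low
        samples += [level, level, (1, 1)]
    return samples


if __name__ == "__main__":
    # Constructed sample values, not taken from any real card.
    capture = bits_to_samples(encode_26bit(42, 12345))
    print(decode_26bit(pulses_to_bits(capture)))
```

The two framing bits only catch line noise. The facility code and card number cross the reader cable as plain bits, so the wiring between reader and panel needs physical protection.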

125 KHz Passive Proximity Cards

All of the cards we have discussed so far are either inserted into or swiped through a card reader. Proximity Cards are different. They are Radio Frequency Identification (RFID) cards that are read by placing the card near (in proximity with) a Proximity Card Reader. Proximity Card is the generic name for two types of these cards. It can refer to the older (125 KHz) or the newer (13.56 MHz) contactless RFID Cards.
Proximity Cards are tiny data transmitters that use no battery or energy storage device to operate. Instead, they do this by using resonant energy transfer. Proximity cards have three parts: a coil (antenna), a capacitor, and an Integrated Circuit (IC), which bears the ID code. The antenna of the card receives a radio frequency (RF) signal from the nearby card reader, which excites a coil and capacitor that are connected in parallel. The card reader presents an RF field that excites the coil (the antenna) and charges the capacitor. This energizes and powers the IC, which discharges its data code through the coil back to the card reader. The card reader transmits the card's code using the Wiegand Protocol (see the section Wiegand Wire Cards).

125 KHz Active Proximity Cards

Active cards are typically used in long-range reader applications, most notably on toll roads and for vehicle or container tracking. Such cards have a battery inside that powers a more powerful Card ID transmitter.

13.56 MHz Contactless Smart Cards

125 KHz Proximity cards were a great advance over previous cards. 13.56 MHz tags were created in an effort to lower card costs and provide additional functions. In 13.56 MHz cards, the coil does not need to be made of hard copper wrappings. The coil can actually be a printed ink on a paper-like substrate that has an EEPROM added to it. During the mid- to late-1990s 13.56 MHz was the technology that many researchers thought could address very high tag usage applications such as library books, laundry identification, and access control. Typical tag costs run from 50 cents to $1.00. 13.56 MHz access cards often utilize so-called Smart Card technology, which enables read/write storage of data up to 64 MB per card. This also allows the cards to be used in cash management applications. 13.56 MHz cards can also be encrypted to reduce the possibility of their signal being intercepted and hacked.

RFID Wireless Transmitter Systems

Radio Frequency Identification Wireless Transmitter Systems are common in vehicle access control. These are usually configured similar to a garage door opener, but unlike a standard garage door opener, each individual unit has its own unique code it transmits to a receiver that converts this code to a card number using the Wiegand Protocol. The output of the receiver is connected to a card reader input on an access control panel, and the access control system operates the vehicle gate exactly as though a standard card were presented.
RFID Wireless Transmitter Systems are ideal where there is a high traffic area and a potential for a large queue to extend into a major road due to delays in presenting normal cards and the time it takes for the gate to open and re-close for each vehicle. It is common to see RFID Wireless Transmitter Systems used in high-end residential compounds.

Multi-Technology Cards

As organizations grow, it is common for some employees to travel to multiple offices and facilities where different card technologies may be used. There are three solutions for this problem. One solution is to have the traveling employees carry a different card for each facility they visit. Another is to convert the entire organization's access control system to a single card standard, which can be expensive. Finally, technology can come to the rescue by creating a card that contains codes that are readable by two or more access control systems. Multi-technology cards can include Magnetic Stripe, Wiegand, 125 KHz Proximity, and/or 13.56 MHz Contactless Smart Cards all in one card, such as the one by HID Global Corporation.

Multi-Technology Card Readers

Like Multi-Technology Cards, some organizations need to be able to read the cards of several facilities where different types of cards exist. One of the most common types of Multi-Technology Card Readers serves 125 KHz Proximity and 13.56 MHz Contactless Smart Cards. It is also common to see Proximity or Contactless plus a keypad all in one reader. In the past other Multi-Technology card readers existed, but they are rare today (Figure 4.5).
Figure 4.5
Multi-technology card reader.
Photo by HID Global Corporation.

Biometric Readers

Any device that reads the identity of a person by comparing some attribute of their physiological being or behavioral traits against a sample database is called a Biometric Reader. Biometric Readers come in many types, the most common including Facial Recognition, Hand Geometry (Figure 4.6), and Fingerprint and Iris Recognition readers (Figures 4.7 and 4.8).
Figure 4.6
Hand geometry reader.
Image courtesy of Hirsch Electronics.
Figure 4.7
Fingerprint reader.
Image courtesy of Hirsch Electronics.
Figure 4.8
Iris reader.
Examples of physiological traits include fingerprint, face recognition, DNA, iris recognition, retinal scan, palm print, and blood vessel. Examples of behavioral methods include, but are not limited to, walking gait, voice print, and typing rhythm.
Biometric traits can distinguish unique attributes about the individual that are permanent and collectable in a rapid, reliable fashion. The trait must also present a high barrier to circumvention. There are two basic types of Biometric analyses used in Access Control Systems: Verification and Identification.
Verification readers usually work in conjunction with a card reader or keypad wherein the user presents the first credential (card or keycode), thus claiming to be a given authorized user in the access control database. Then the biometric reader captures a biometric sample and compares the result of the capture against a previous sample drawn from the record belonging to the person to whom the card or keycode claimed that person to be. If the samples match, the identity is verified. Verification readers are a “One-to-One” match, which is very simple technologically.
Identification readers use a “One-to-Many” comparison and do not require the user to present a card or keycode first. Upon presenting the biometric credential (fingerprint, iris, etc.) to the reader, the access control system tries to look up a match for the credential presented by the unknown user. When it finds a match, it opens the portal and records the access to that authorized user.
All Biometric systems require authorized users to enroll in the database, usually by presenting several samples until the system recognizes the commonality of the biometric attributes taken. This is then associated with a given authorized user's name and other information. The process of enrollment also processes the biometric credential image so those attributes needed for future comparison are properly stored in the biometric database template.
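The enrollment, Verification (one-to-one), and Identification (one-to-many) steps described above can be sketched as follows. This is an added example, not code from the book: it assumes a biometric template is a short numeric feature vector compared by Euclidean distance, and the thresholds, user names, and sample values are constructed for illustration.

```python
"""One-to-one verification vs. one-to-many identification (added example)."""
import math

MATCH_THRESHOLD = 0.5   # assumed: largest distance still counted as a match
ENROLL_SPREAD = 0.3     # assumed: how far a sample may sit from the average


def enroll(samples):
    """Average several captures into one stored template.

    Enrollment fails if the captures do not agree with each other,
    mirroring "presenting several samples until the system recognizes
    the commonality".
    """
    if len(samples) < 2:
        raise ValueError("enrollment needs several samples")
    n = len(samples)
    template = tuple(sum(col) / n for col in zip(*samples))
    if any(math.dist(template, s) > ENROLL_SPREAD for s in samples):
        raise ValueError("samples too inconsistent, capture again")
    return template


def verify(db, claimed_user, probe):
    """One-to-one: the card or keycode names the record to compare against."""
    template = db.get(claimed_user)
    if template is None:
        return False
    return math.dist(template, probe) <= MATCH_THRESHOLD


def identify(db, probe):
    """One-to-many: search every record; return the closest match or None."""
    best_user, best_distance = None, MATCH_THRESHOLD
    for user, template in db.items():
        d = math.dist(template, probe)
        if d <= best_distance:
            best_user, best_distance = user, d
    return best_user


def build_sample_db():
    """Constructed enrollment data for two hypothetical users."""
    return {
        "alice": enroll([(1.0, 2.0, 3.0), (1.2, 2.0, 3.0), (1.1, 2.0, 3.0)]),
        "bob": enroll([(5.0, 5.0, 5.0), (5.0, 5.2, 5.0)]),
    }


if __name__ == "__main__":
    db = build_sample_db()
    probe = (1.1, 2.1, 3.0)                 # fresh capture from Alice's finger
    print(verify(db, "alice", probe))       # card says "alice": one comparison
    print(verify(db, "bob", probe))         # same finger with Bob's card
    print(identify(db, (5.0, 5.0, 5.1)))    # no card: search all records
    print(identify(db, (9.0, 9.0, 9.0)))    # unknown person
```

Verification performs a single comparison regardless of database size, while identification compares the probe against every enrolled template.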

Photo Identification

Access Cards grant access and Identification Cards provide visual evidence that the bearer is authorized to be in the area. Identification badges can have many visual attributes. These may include a photo of the bearer, a logo of the organization (not necessarily a wise thing), the bearer's name, a color scheme that may identify areas where the person is authorized, and sometimes a color or code may designate if the bearer is a contractor or vendor.
To help verify the authenticity of the card, it is common to laminate a holographic overlay, which provides a visual indication that the card has not been tampered with. Some organizations use a separate access card and identification card, but most have combined the two functions together into a single credential (Figure 4.9). These are printed on a Photo ID card printer (Figure 4.10).
Figure 4.9
Photo ID card by HID Global Corporation.
Photo by HID Global Corporation.
Figure 4.10
Photo ID card printer by HID Global Corporation.
Photo by HID Global Corporation.

Chapter Summary

1. The idea of the Access Credential and Credential Reader and a comparison Database of Authorized Users is the centerpiece of the concept of Access Control Systems.
2. All Access Control Systems, whether electronic or procedural, use these same elements.
3. Early Electronic Access Control Systems used a variety of different card technologies including Magnetic Stripe, Barcode, Barium Ferrite, Hollerith, Rare-Earth, a very early form of Proximity technology, and Wiegand Wire Cards. More recent card technologies utilize 125 KHz Proximity, MiFare, and 13.56 MHz Contactless Smart Cards.
4. Keypads are also still in use, although they are less common.
5. The other type of Credential and Reader is the Biometric system, which compares a physical or behavioral attribute against a previously taken sample.
6. Access Cards in most advanced systems are also printed with information unique to the user and the facility using a Photo Identification System.
7. Multi-Technology Cards and Card Readers allow organizations to service people from various facilities without having to issue multiple cards to each user.
8. Any device that reads the identity of a person by comparing some attribute of their physiological being or behavioral traits against a sample database is called a Biometric Reader.
9. Biometric traits can distinguish unique attributes about the individual that are permanent and that can be collected in a rapid, reliable fashion.
10. Verification readers typically use a Card Reader and a Biometric Reader creating a One-to-One comparison wherein the biometric sample is compared to only the record matching the card or keycode.
11. Identification Readers use a “One-to-Many” comparison and do not require the user to present a card or keycode first.
12. All Biometric systems require authorized users to enroll in the database.
13. Photo Identification Cards add a photograph and other visually identifying information to the Access Card so that users can be certain that the card used actually belongs to that user.
Q&A
1) In its original form, a credential was used by
a. Carrier Pigeons
b. Messengers
c. All the King's Men
d. Servants
2) Early Electronic Access Control Systems used different card technologies including
a. Magnetic Stripe
b. Barium Ferrite
c. Hollerith
d. All of the above
3) Early Electronic Access Control Systems used different card technologies including
a. Rare-Earth Magnets
b. Wiegand
c. Early form of Proximity
d. All of the above
4) Early Electronic Access Control Systems used different card technologies including
a. 125 KHz Proximity
b. MiFare
c. Contactless Smart Card
d. None of the above
5) Keypads are the most sophisticated types of ID readers
a. True
b. False
6) Access Control Cards come in several variants and there are a number of different card reader types to match both the card type and the environment
a. True
b. False
7) Magnetic Stripe Cards
a. Use any of several conventional series of lines of varying thicknesses
b. Are set in a pattern of 4 wide by 8 long and each can be positioned so that north is pointing left or right, making a pattern of ones and zeros
c. Have a magnetic band laminated to the back of the card
d. Are access cards that use a series of short lengths of Wiegand wires embedded in it
8) Wiegand Wire Cards
a. Use any of several conventional series of lines of varying thicknesses
b. Are set in a pattern of 4 wide by 8 long and each can be positioned so that north is pointing left or right, making a pattern of ones and zeros
c. Have a magnetic band laminated to the back of the card
d. Are access cards that use a series of short lengths of Wiegand wires embedded in it
9) Barcode Cards
a. Use any of several conventional series of lines of varying thicknesses
b. Are set in a pattern of 4 wide by 8 long and each can be positioned so that north is pointing left or right, making a pattern of ones and zeros
c. Have a magnetic band laminated to the back of the card
d. Are access cards that use a series of short lengths of Wiegand wires embedded in it
10) Rare-Earth Magnets
a. Use any of several conventional series of lines of varying thicknesses
b. Are set in a pattern of 4 wide by 8 long and each can be positioned so that north is pointing left or right, making a pattern of ones and zeros
c. Have a magnetic band laminated to the back of the card
d. Are access cards that use a series of short lengths of Wiegand wires embedded in it
11) Proximity cards have three parts: a coil (antenna), a capacitor, and an Integrated Circuit (IC), which bears the ID code
a. True
b. False
12) Biometric Readers
a. Make you able to read the cards of several facilities where different types of cards exist
b. Are any device that reads the identity of a person by comparing some attribute of their physiological being or behavioral traits against a sample database
c. Include a photo of the bearer, a logo of the organization, the bearer's name, a color scheme that may identify areas where the person is authorized, and sometimes a color or code may designate if the bearer is a contractor or vendor
d. All of the above
13) Identification readers usually work in conjunction with a card reader or keypad wherein the user presents the first credential (card or keycode), thus claiming to be a given authorized user in the access control database
a. True
b. False
14) Identification readers use a “One-to-Many” comparison and do not require the user to present a card or keycode first
a. True
b. False
Answers: 1) b, 2) d, 3) d, 4) d, 5) b, 6) a, 7) c, 8) d, 9) a, 10) b, 11) a, 12) b, 13) b, 14) a