Modern Credentials - Ready to switch over?

Taking notes, exchanging e-mails, chatting, GPS navigation, making payments, watching movies, booking rooms, and even managing bank accounts, … Rarely forgotten and “always” in hand, mobile phones have become, probably, our most important day-to-day companion.

Why shouldn’t we also use them as “keys” to open doors and manage our security system? Modern security systems already rely on mobile phones, which are conveniently replacing keys or cards to open doors and make access control more user-friendly.

To better understand the importance of using the latest access control technologies, let’s take, first, a few steps back in time to explore the evolution of access control technologies from the ancient world until the present day.

The invention of keys and wooden locks more than four thousand years ago in the ancient Near East enabled people to control and manage access to properties, providing a proactive method of security.

The Romans innovated further, replacing wood with brass keys and iron locks, which made locks more resistant. They also invented wards, a groundbreaking technological advancement, as a warded lock could be opened only by its corresponding key.

Warded locks remained the standard for several hundred years. So, nothing to mention, only that the Germans were manufacturing excellent locks that were better fitted and finished. Business as usual.

At the end of the 18th century, two English locksmiths and inventors, Robert Barron and Joseph Bramah, created new locking mechanisms.

While Barron patented a double-acting tumbler lock, Joseph Bramah created a new, highly secure lock mechanism that used a cylindrical key, a lock that remained unpickable for over 67 years.

In the middle of the 19th century, Linus Yale Sr. patented a pin tumbler lock that used a key with ridges of various heights to align a set of key pins correctly to allow for the lock’s barrel to turn. This mechanism was improved by his son, Linus Yale Jr., who patented a lock version with pins of varying lengths and the known small flat key.

The name “Yale” has become a common noun in certain countries, replacing the word “lock” itself, as Yale locks are still broadly used today all across the world.

The security based on the “lock and key” concept has had to address some issues:

  • Who has really entered the area, and at what times?
  • What if someone makes copies of the key without the owner’s knowledge?
  • What if the keys are lost?
  • What if someone locks the keys inside?
  • What if the guards forget to lock the door?

In a complex business environment with many doors and high-value areas, these questions should be multiplied many times.

Push Button locks – nice try, but…

Attempts to solve the key problems began with the invention of mechanical “push button locks”. These locks (still used today) require a predetermined combination of numbers/buttons that cause the lock to open once entered.

However, while these new locking mechanisms have freed people from managing the keys, they require users to remember the combination, keep the combination confidential, and change the combination regularly for security reasons. Too many … “combinations”.

At the end of the 20th century, card-based access control systems entered the stage. Security began to resemble the advanced systems of the present day.

First step – Punch cards

In the 1970s, a Norwegian inventor, Tor Sornes, conceived a system that would punch a series of 32 holes into a plastic card. These hole or punch cards required a cardholder to slide a unique card with holes into a slot “card reader”, which released the locking mechanism. However, this technology was short-lived because of its coding limitations, the labor involved in production, and its fragility.

Second step – Barcode cards

“Bar code cards” were the next innovation in key card technology. In this type of system, an individual bar code is printed on a card that corresponds with a particular lock. When the bar code is held under an electronic scanner, it unlocks the door. Simple and cheap.

While still used today, this technology cannot offer any security, as most of the barcodes could be easily replicated and the electronic reader could be easily fooled.

Childhood – Magstripe cards

By the 1980s, these card technologies had been replaced by a new one: the “magstripe card”.

This card, of credit card size, has a thin magnetic strip on the back. When it is swiped through a card reader, the electronic code recorded on the magnetic strip is read, and, if valid, the corresponding lock is opened.

Invented in the 1960s, mag-stripe cards were initially used for data storage purposes as debit or credit cards. Yet, being easier to encode and relatively cheap to produce, they were rapidly adopted by the growing security industry as unique “keys”.

The great benefits came with two serious vulnerabilities: the cards were easy for informed hackers to duplicate (the data was unencrypted), and they eventually demagnetized. Also, being a swipe technology, damaged cards and physical wear on readers became costly and time-consuming for administrators.

Adolescence – 1980s Wiegand cards and protocol – a technology that has mastered the game

In the 1970s, an American physicist born in Germany, John Richard Wiegand, discovered the unique electromagnetic property of a specially designed wire. It was called the Wiegand Effect and based on this, a new card technology appeared.

The new access cards had built-in thin special wires, arranged in two rows corresponding to 0’s and 1’s. When these cards are swiped through a slotted “Wiegand” card reader containing a magnet, a data stream is produced, which is then transmitted over two wires to a door controller.

The new cards were extremely secure, virtually impossible to duplicate, and very durable. Unfortunately, their manufacturing was highly specialized, and a maximum of 37 Wiegand wire filaments could be placed in a standard card size before misreads would affect reliability.

The impact of Wiegand innovations has been so important for the security industry that most of the access control systems used in the last 40 years were designed around Wiegand data formats. Proximity cards and contactless chip cards have all been encoded using this original Wiegand data structure. Wiegand wire technology has become a “de facto” standard for access control systems worldwide.

The maturity – RFID era – 1990s.

“Prox” cards

In the 1990s, the emergence of contactless technologies (Radio Frequency Identification–RFID) was a game-changer in the access control industry, lowering maintenance costs, increasing user convenience, and solving issues with magstripe and Wiegand cards.

The predominant technology during this stage is known as “Prox”, or “low-frequency proximity” (still used today in many legacy security systems).

A “Prox” card has a “unique” identification code (ID number) programmed on a chip (the “key”) embedded in a plastic card, about the size of a credit card.

The data is sent to a card reader via low-frequency (125 kHz) electromagnetic waves when the card is detected in proximity to the reader (usually a few centimeters), and is then processed by the controller system.

Database access control became faster, more reliable, and more convenient.

However, the technology has some important limitations: the data from the card is unencrypted and can be read in the clear, making the cards easy to clone or forge. Moreover, the Prox cards cannot be encoded with multiple IDs or other attributes.

Late 1990s-2010s – A more complex device – the Smart Card

Smart Card technology was adopted by the security industry only at the turn of the century, as an improvement over “Prox” cards, despite having been conceptualised in the mid-1970s.

Physically similar to Prox cards, Smart Cards use a higher frequency (13.56 MHz) to communicate with the card readers, offer higher security, add multi-application functionality, and address the two main limitations of Prox cards:

  • Mutual authentication – both the credential and reader contain a set of cryptographic keys (like a password). When the credential is presented to the reader, the two compare “keys”. If the keys match, the credential shares the binary data with the reader, and the reader accepts it as genuine. However, if the keys do not match, there will be no transaction, and the credential will keep the data private.
  • A Smart Card could store more information than just an ID number, such as an electronic purse or a user biometric template.
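
The mutual authentication step described above, sketched as a challenge-response exchange in which neither side ever transmits its key. This is an added, simplified example using HMAC-SHA256; it is not the protocol of any particular card product and not code from the original article, and the class and function names are hypothetical.

```python
# Added example: simplified mutual authentication between a card and a reader.
import hashlib
import hmac
import secrets

def proof(key: bytes, role: bytes, first: bytes, second: bytes) -> bytes:
    """Prove knowledge of the key over both nonces. The role label keeps a
    reader proof from being reflected back as a card proof."""
    return hmac.new(key, role + first + second, hashlib.sha256).digest()

class Card:
    def __init__(self, key: bytes, credential: bytes):
        self._key, self._credential, self._nonce = key, credential, None

    def hello(self) -> bytes:
        self._nonce = secrets.token_bytes(16)    # fresh challenge per session
        return self._nonce

    def respond(self, reader_nonce: bytes, reader_proof: bytes):
        nonce, self._nonce = self._nonce, None   # each nonce is used once
        if nonce is None:
            return None
        expected = proof(self._key, b"reader", nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None                          # unknown reader: data stays private
        # Simplification: real cards also encrypt the data under a session key.
        return proof(self._key, b"card", reader_nonce, nonce), self._credential

class Reader:
    def __init__(self, key: bytes):
        self._key = key

    def challenge(self, card_nonce: bytes):
        self._card_nonce = card_nonce
        self._nonce = secrets.token_bytes(16)
        return self._nonce, proof(self._key, b"reader", card_nonce, self._nonce)

    def accept(self, reply):
        if reply is None:
            return None
        card_proof, credential = reply
        expected = proof(self._key, b"card", self._nonce, self._card_nonce)
        return credential if hmac.compare_digest(expected, card_proof) else None

def present(card: Card, reader: Reader):
    """Run one full exchange; returns the credential or None."""
    reader_nonce, reader_proof = reader.challenge(card.hello())
    return reader.accept(card.respond(reader_nonce, reader_proof))

if __name__ == "__main__":
    key = secrets.token_bytes(32)                # constructed site key
    badge = Card(key, b"ID:0042")                # constructed credential
    print(present(badge, Reader(key)))                       # b'ID:0042'
    print(present(badge, Reader(secrets.token_bytes(32))))   # None
```

Because every session uses fresh nonces, a reply recorded from one exchange is rejected in the next, which is the property a static “Prox” ID lacks.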

In the last few years, smartcard technology has significantly evolved, and newer smart card generations (Mifare DESFire EV3, Seos) have come with even better security and more application capabilities.

Card vulnerabilities

Using a modern card access control is convenient, fast, and offers reasonable security.

However, regardless of the card technology, there are still some question marks:

  • How do we really know if the person presenting the card to the reader is really the owner of the card?
  • Can we be 100% sure that the card is not cloned?
  • What if the card is lost and the owner doesn’t even know?
  • What to do when he or she forgets his/her card at home?

Are there any better alternative solutions to the cards?

The biometric solution

In short, with a biometric security device, the user doesn’t need to carry any physical key (key/card) as the person becomes “the key” itself. An electronic biometric device scans one of the several physical traits that differentiate one human being from another and runs it against the existing database.

The idea of biometric identification is quite old (from the Babylonian era), but it was not until the 1980s that the first “hand geometry” scanner began to be used in security systems, and in the 1990s, John Gustav Daugman, a British-American professor, made it possible for iris recognition technology to be applied commercially.

With advances in fingerprint scanning, voice, facial recognition, and especially AI, it’s entirely likely that new biometric technologies will play a major role in the security industry for decades to come.

However, given their current security vulnerabilities, GDPR concerns, and still prohibitive prices, for now, biometric technologies are most often used as an additional security layer on top of an RFID system, especially for high-security areas.

Modern Times

Mobile credential

A mobile credential is a unique digital access key (an encrypted ID code), a trusted identity, that is installed and held within the smartphone.

Depending on the system, this can take the form of a mobile app that users can download, a QR code that users can scan, or a personalized link sent via SMS or email. It can be easily issued, modified, or disabled instantly and remotely from within the access control system software.

The phone becomes the employee’s new “badge”, always on hand.

How do they work?

Compared with an RFID card, mobile credential technology uses various ways to initiate communication between a smartphone and a door reader.

In most cases, the phone is simply placed close to the reader, just like using a card credential. The smart reader connects to the smartphone using NFC, BLE (Bluetooth Low Energy), or even a combination of them. Some systems also accept a Wi-Fi and/or GPRS connection to ensure that there’s always a failsafe if other types of communication experience signal loss or become unresponsive.

When the credential is detected by the reader, the digital key provided by the smartphone will be transferred to the system, where it is compared to the list of users, and it is decided if access is granted or not.

In some cases (touchless access) the reader reads the ID code from the phone without the user having to take it out of the pocket. In this case, the user can show his intent to enter a specific door just by waving his/her hand in front of the reader.

Very convenient, secure, and fast.

The great benefits of mobile credentials

Much better security

  • Using digital credentials sent directly on the phone, no confidential information is ever on display, reducing the risk of a security breach.
  • Unlike a plastic credential, a mobile credential is less likely to get lost or be misplaced, and even in this less probable case, users take less time to notice their missing phone compared to a missing badge. Also, the replacement of a “lost” mobile credential is faster, more secure, and costs nothing.
  • Switching to mobile access control also eliminates the high percentage risk of card theft, as no physical key cards are necessary.
  • While plastic badges and pins are sometimes shared between employees to unlock a door (a real security risk), a mobile phone, which is a personal device, is never shared.
  • While most plastic badges can be easily cloned with the technology already available online, mobile credentials are much more secure, unclonable, and protected by encrypted technology. Once a mobile credential is installed on a smartphone, it cannot be re-installed on another smartphone, being securely linked to a specific smartphone.
  • Higher security without expensive biometric devices and GDPR headaches. The multifactor authentication capabilities of modern smartphones allow fingerprint or facial recognition, while all private data remains on personal devices.

Cost-effective

Using physical RFID plastic cards, companies spend a lot of money on badges, cardholders, lanyards, badge printers, and consumables for printing, not to mention the time and effort to replace damaged, lost, or forgotten badges.

  • Mobile virtual credentials reduce ALL these costs and move the solution from a capital expenditure to an operational one. As for a mobile credential, the company will pay only a small amount of money a year, like any cloud app license. Also, the security budgets will be more predictable.
  • The “replacement” or reallocation of a mobile credential costs nothing, as there is no physical object to be replaced but just a license.
  • Mobile credential technology continues to grow and evolve as a new trend. Consider that, in 2022, about 97% of Romanians already used smartphones.

Convenient

For companies:

  • With traditional methods, companies need to plan early, purchase, and maintain a large inventory of physical cards, accessories, and printer ribbons to have them readily available when new people are hired or just to replace lost or damaged cards. Mobile credentials are always available, even in minutes, and in the quantities you need. You are no longer in peril of delays, stock shortages, or supplier issues, and lastly, there is no need to chase employees to get physical cards back at the end of employment.
  • On-premises access control systems usually require well-trained staff who know how to enrol and print cards on special printers. Mobile systems eliminate that administrative burden and overhead. Mobile systems are designed to be intuitive and easy to use.
  • Administrators can issue mobile credentials to any employee or visitor remotely, regardless of the number of branches the company has. No physical handoff of a key card is necessary.
  • With mobile credentials, you can remotely and easily grant access to visiting staff at the chosen doors. No physical card is to be issued; just send an e-mail, WhatsApp message, or SMS, and your visitor has only to click on the link received by message. The door will open.
  • A mobile credential can be revoked instantly and remotely, from anywhere, when a former employee or tenant leaves the company/building. Nothing to return; there is no need to be on-site.

User Experience

  • Employees visiting other offices can use their smartphones, on which they have already received the mobile credential. The same is true for visitors who could use a virtual temporary credential received by e-mail or SMS. They don’t have to email long ahead to get access credentials, wait to pick up a physical card, or return something when they leave the premises.
  • Users can gain access in a much more agile way from their smartphone, which is always on hand and easy to locate. There is no need to carry around an additional plastic card, no need to rummage through the purse or wallet to find it, and no need to worry that it is probably forgotten at home.
  • One can open a door remotely, for trusted people, from the mobile credential app, Slack, or another popular app. No need to be on-site or in a certain building.
  • The new “touchless technology” makes access even easier and faster; just wave a hand in front of a door reader, tap your smartwatch, or even (kindly) ask Alexa to open the door. One can control even the lift floors from the smartphone, with no need to touch any lift button.
  • There is no need to carry multiple badges anymore; you can have multiple credentials on the smartphone app.
  • And the near future will bring more….

Conclusion

While the last generation of RFID contactless smart cards is still widely used, the new generation of mobile devices comes not only with more security and convenience, in a cost-effective way, but also with unimaginable functionalities for our new and complex business ecosystems.

And the good news is that upgrading your physical access control system is not as difficult as you may think. Often, it only requires installing new readers and issuing new credentials.

Contact Rolf Control Access, we will gladly help you step into the new security times.
