Access control authentication technology continues to evolve and to hybridise, with tags, QR codes, prox cards and smart prox cards, mobile and NFC authenticators sharing the role with keypads, fingerprint readers, and face recognition readers driven by dedicated readers and by integrated CCTV cameras.
For installers and integrators looking to ambush the future, and for security and facilities managers seeking to future proof access control solutions, choosing authentication technologies remains a balancing act governed by application – and budget.
According to Gallagher’s Steve Bell, the most secure access control authentication technology will feature a very strong cryptographic authenticator.
“Public key technologies provide the most secure options and are significantly more resistant to cyber-attacks, whereas systems with symmetric keys will have keys distributed to all card readers that could be leaked,” Bell explains. “Stealing the public key for one card does not allow the attacker to impersonate that card or person.
“Access control systems should protect symmetric keys securely enough to satisfy the risk profile for many customer groups. It may only be customer groups with very high-risk profiles such as government, defence, intelligence, critical infrastructure, or those protecting high-value assets that need to be considering the highest security options that public key technology provides.”
Bell says Gallagher chose to use public key technology in its Mobile Connect credential to provide a solution that would meet the highest needs but could also be used at all risk levels, without a cost overhead.
“When looking at the cost of access control authentication technology, we need to look at many aspects,” Bell says. “These include the cost of a physical token, any hardware or IT infrastructure that is required to support it, the administration cost, a subscription cost for service-based technology, and of course the cost of the access control hardware that needs to be at the door.
“For example, at the highest cost and security level, the U.S. Government issues a physical card to its five million employees and contractors. When taking into account the end-to-end process of issuing these cards to staff, it results in an estimated spend of around $US1400 per person.
“Keep in mind that this includes technology that is a very secure identity token and a vetting process which provides both physical and logical access with interoperability across all of government.”
According to Bell, it’s important to remember that regardless of the level of security required, there are costs beyond the card itself that need to be considered.
“If the business goal is to have good security and a frictionless experience for the user, then something like face recognition could be an ideal solution,” he says. “But for some, this may not be secure enough to cover the outer perimeter, or areas with very high value assets, such as a server room. So, in those cases they may choose to add a second factor of authentication that results in more friction but is justified to address the additional risk.
“In some situations, the choice of biometric technologies will come with an increased cost at each door or turnstile. It can also result in additional administration costs in the enrolment process, where the biometric templates are captured and saved to a card or database.
“To summarise, an access control solution should have the flexibility to offer a system that can provide the customer a range of authentication strength, based on the risk profiles of the business’ various areas.”
What’s the best access card technology, in Bell’s opinion?
“Unfortunately, the majority of the card technologies currently in use do not meet minimum security levels,” he says. “The lack of security in 125Khz cards, MIFARE Classic, and some IClass cards has been well published, however, many customers are still using them. The MIFARE DESfire EV2 and EV3 cards are a minimum standard for cards today and there are plenty of businesses where this will be the appropriate technology.
“Gallagher does believe that with the prevalence of mobile phones, Gallagher Mobile Connect does provide a very good alternative. Gallagher is open about the underlying authentication technology for Mobile Connect using a standards-based FIDO UAF certified authenticator. We cannot comment about the security of other vendors mobile credential technologies.”
We’ve reached a point in the evolution of electronic security and consumer acceptance, where biometrics can be a secure solution that protects privacy – the question for integrators in the current market is whether fingerprint, face recognition, or something else is the best option.
“Gallagher’s strategy for biometrics is to partner with other best-of-breed suppliers for biometric readers,” Bell says. “We recognise that customers will have several factors involved in the decision of the technology that is being used. For example, we have a number of food processing plants that have chosen fingerprint authentication as they have a desire not to have physical cards used in that environment.
“However, a biometric authenticator alone is never going to meet the highest level of security, as it is inherently down to a reader deciding if the probability of the biometric representing a particular person is sufficient to grant them access. But a biometric as a verifier or second factor is great, as the match threshold can be raised due to the fact we are only doing a 1:1 match.”
Bell argues that while there will always going to be a place for biometrics, physical cards will be around for many years yet.
“I personally believe that mobile credentials are likely to gain popularity over the next few years,” he says. “They can represent very good security and if a site uses staff personal phones, the overall cost is minimised.”
What are mobile/NFC benefits and pitfalls, in Bell’s opinion.
“Mobile credentials are going to continue grow in popularity and will reduce the number of physical cards being used in the industry,” he says. “NFC is the most appropriate technology for short range door access control that also reduces the risk of man in the middle attacks.
“With this becoming an option now for iOS phones, we can expect to see an increased acceptance of mobile credentials. However, do not discount Bluetooth low energy as a technology. When it is done properly, the frictionless experience is very good and, at times, I use it in preference for access in our building with my Android phone.”
According to Benjamin Cho of Nedap, the authentication technology that offers the best balance of cost, read rate and security might be biometrics…with a twist.
“An under-utilised technology is ‘biometrics on card’, where users would store their fingerprint data on a Mifare card,” Cho explains.
“This satisfies many scenarios – for instance:
* Those who are worried about biometric data being store in a server; the biometric data is stored in a card that they hold onto
* Dual authentication: tag the card, and the fingerprint – it matches ‘what you have’ and ‘who you are’ – so stolen ID cards won’t work
* Economy – does not cost any more than current biometric readers.
In Cho’s opinion, even though biometrics is the best option, card/token-based access technologies will continue to be used.
“Card technology is still valid – not because it is better than biometrics or mobile credentials, but because it will take decades for people to change their behaviour and stop using cards.”
When it comes to selecting the best access card technology, Cho argues MIFARE is top of the heap.
“Desfire Ev1, Ev2 technology provide sufficient levels of technology to compete with HID iCLASS and other proprietary card types,” Cho says. “Mifare allows individual users to programme their card technology to their liking without compromising security.”
When it comes to biometrics, Cho favours facial recognition for its contactless nature – appealing thanks to the COVID pandemic.
“Facial recognition technology used to be far more expensive compared to fingerprint readers, but face recognition readers have become more affordable,” he explains.
“I think biometric readers will soon reach parity with card technologies – in Europe and the Middle East, biometric readers sales have grown consistently for many years. Biometric readers will never replace the card technology, but more and more sites are using the combination of both biometrics and card. This will be the way to go for this industry.”
Cho believes there is room in the industry for mobile/NFC solutions but he argues they are different solutions.
“We should not look at mobile/NFC authenticators as a replacement to current cards,” he explains. “Mobile-based access authentication will just be another form factor of access credential – like keyfobs or RF sticker tags.
“I think mobile access will become a common way to handle visitor access credentials, with a temporary access authenticator sent to the visitor’s device, or a QR code sent to the visitor’s email.’
#sen #sennews #sen.news
