Choosing the right type of access control can be a daunting task. The range of different authentication methods on the market today is broader than ever. Each method has its strengths, too. So how do you pick one?
You must start by assessing your company's physical security risks and choosing the best technology that counters them. This article breaks down the key components of physical access control systems and details the leading authentication technologies available in 2023, so you can decide how to upgrade your company’s physical security.
Physical access control is the process of securing who and what can enter a facility. It typically involves a human security guard or electronic physical access control system (PACS) authenticating individuals when they approach security gates.
At a high level, a physical access control system consists of the following components:
Access control points are simply the barriers where you stop personnel and require them to authenticate before proceeding. For example, an access point could be a locked door, gate, turnstile, or any other physical barrier that someone cannot bypass until they take the necessary actions to gain entry.
Personnel must present credentials to authenticate themselves at an access control point. Many options will be available in 2023, each offering different types of control. There are so many options to consider that we’ve devoted a whole section to them below.
An access control point needs a sensor or reader to scan a user’s credentials for identity verification. Then, data is sent from the reader to the system’s control panel and server. Some readers come as part of an interactive terminal, where you can prompt users to enter additional information when they’re authenticated.
Access control panels are remote computer systems, typically on-site in the facility where you carry out access control. Readers send scanned user credentials to the panel, which verifies whether they have access and unlocks the door or other barrier accordingly.
You could also program the control panel to take one or more triggered actions when it reads credentials. For example, it could alert on-duty security guards if someone tries to access a high-security location for which they are not authorized.
Some newer access control systems don’t use control panels, instead using straight reader-to-server authentication. The best configuration depends on your facility and IT network layouts, so we recommend consulting those teams to determine which system model makes the most sense for your facility.
This physical access management system tracks, analyzes, and reports access control data to you. If you’re in a small facility, this could be in the same location as your doors and control panels. But it could just as well be anywhere in the world.
The access control server maintains a complete list of users you’ve granted access to and all the conditions attached to their access. It also generates reports you can use for your own internal security audits or to meet different regulatory standards.
Because user profiles can be stored in standard formats, it’s easy to integrate your access control with other security systems at this server level. In addition, integration tools allow you to use a single user list to manage your different systems.
So, for example, when a new user joins your team, you grant them access to the rooms they’ll need to enter for their job, as well as to keys and other assets. Then, when the user leaves your organization, you can easily turn off all access at once. As a result, there’s no risk of bad actors gaining access to your facility after termination because someone forgot to update every single user list.
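The control-panel check, the triggered guard alert and the single user list described above, sketched as an added example (not code from any access control product). The class names, credential IDs, door names and asset names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    active: bool = True
    doors: set = field(default_factory=set)    # doors the user may open
    assets: set = field(default_factory=set)   # keys/assets the user may check out

class AccessServer:
    """One user list consulted by both the door panel and the key/asset system."""
    def __init__(self, high_security_doors):
        self.users = {}                        # credential ID -> User
        self.high_security = set(high_security_doors)
        self.audit_log = []                    # (credential, door, decision) rows for reports
        self.alerts = []                       # messages for on-duty guards

    def enroll(self, credential, name, doors, assets=()):
        self.users[credential] = User(name, True, set(doors), set(assets))

    def terminate(self, credential):
        # A single change revokes door and asset access everywhere at once.
        user = self.users.get(credential)
        if user is not None:
            user.active = False

    def request_entry(self, credential, door):
        """Panel logic: verify the scanned credential, fail closed, log, alert."""
        user = self.users.get(credential)
        granted = user is not None and user.active and door in user.doors
        self.audit_log.append((credential, door, "grant" if granted else "deny"))
        if not granted and door in self.high_security:
            who = user.name if user else "unknown credential"
            self.alerts.append(f"denied at {door}: {who}")
        return granted

    def may_check_out(self, credential, asset):
        user = self.users.get(credential)
        return user is not None and user.active and asset in user.assets

def demo():
    # Constructed sample data: credential IDs, names and door names are made up.
    s = AccessServer(high_security_doors={"server-room"})
    s.enroll("card-1001", "A. Rivera", {"lobby", "server-room"}, {"van-key"})
    s.enroll("card-1002", "B. Chen", {"lobby"})
    results = [s.request_entry("card-1001", "server-room"),   # authorized
               s.request_entry("card-1002", "server-room")]   # denied, alerts guards
    s.terminate("card-1001")                                  # user leaves the organization
    results += [s.request_entry("card-1001", "lobby"), s.may_check_out("card-1001", "van-key")]
    return results, s
```

Because both the door check and the asset check read the same `active` flag, `terminate` cannot leave a stale entry in a second user list.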
There are a bewildering number of access control technologies on the market today. Here are the leading options.
A knowledge-based authentication system requires users to authenticate themselves with something they know—for example, a password or PIN code. KBA access control systems are less expensive because they require less infrastructure, and there are no physical access control tokens to purchase or manage.
That makes it trivially easy to add new users. You only have to generate a new PIN or code for them.
The downside is these systems tend to be less secure. Unlike physical or biometric authentication, it is very easy for users to share passwords or PIN codes, compromising the security of your assets.
Biometric authentication involves scanning an attribute of the person requesting access.
Since fingerprints are unique to each individual and stay consistent throughout our lives, they make an easy, permanent biometric record for access control. A fingerprint reader compares stored print records to the fingerprint a user scans.
Bad actors cannot simply scan a fingerprint photo to gain entry. Like smartphones, fingerprint scanners use a capacitive screen that only responds to contact from electrically conductive materials, like skin.
Facial recognition scanners use pattern-matching software similar to that used in fingerprint scanners to match the shape of a user’s face against scanned records. But unlike fingerprint scanners, this is a non-contact form of biometric authentication. As a result, they are also very difficult for attackers to bypass.
One potential downside is that facial recognition only works in good lighting, which makes it unsuitable for some workplaces. It can also be more temperamental than fingerprint scanning, as things such as facial hair, smiles, or frowns can sometimes impact whether a scanner can properly read a face.
Much like fingerprints, the irises in a person's eye hold a unique pattern that remains stable throughout their life. A scanner can detect that pattern and match it against access control records.
Iris eye scans are highly accurate and difficult for an attacker to defeat. They are also fast and easy to use, scanning from several inches to several feet away in seconds.
However, much like facial recognition scans, they require consistent lighting. In addition, some medical conditions like diabetes can also alter a person’s irises, invalidating earlier records.
This system uses infrared light to record and match someone’s blood vessel pattern. Retinal scanning has a near-zero failure rate, making it the most secure biometric. In addition, scanners authenticate users quickly, making them suitable for high-traffic environments. However, some users find retinal scanning uncomfortable and intrusive.
Voice recognition access controls match your users’ spoken passphrases against high-definition digital records. As a result, this authentication method can be more accessible than eye or facial scanning systems, which often must be mounted at a particular height. They also require significantly less training compared to most other biometric authentication systems.
However, they are only suitable in quiet environments. Background noise can interfere with authentication. They are also more open to attack than other systems. Known passphrases can be recorded for attacker playback.
Unlike knowledge-based credentials, which a user memorizes, or biometrics, which are user attributes, physical token authentication requires the user to present an item they carry.
These identification cards have an embedded magnetic strip that holds identification data, and users swipe them through readers. Magnetic swipe cards are the least expensive physical token option, usually just a few cents per card. Replacement cards and associated materials are always in supply.
However, their availability is also a vulnerability, as criminals have just as ready access to materials as security professionals. And the commoditization of swipe card systems and the ease with which they’re copied make them appropriate only in lower security environments.
Instead of encoding credentials on magnetic strips, this technology uses computer chips embedded in ID cards, fobs, or other tokens. Credential data sent from the card to the physical access control system is encrypted—or scrambled—making it hard for attackers to intercept.
Smart tokens are not interchangeable. They must be encoded to work with specific systems, making them exceptionally hard to counterfeit.
These specialized smart cards use Radio Frequency Identification (RFID) to communicate wirelessly with access control systems. They are unpowered and have a short range, usually about 6” (15 cm). As a result, RFID scanners can scan multiple tokens simultaneously, reducing wait times at busy access control points.
While RFID is a robust wireless standard, its transmission range is very short. And RFID technology cannot transmit through some common materials, including metal and water.
As you can see, each authentication system has advantages and disadvantages. Each has its place in business security. It’s just a matter of determining what makes sense in your organization and your access control policies.