Access Control systems use a process called authentication to ensure that it knows who we are.
It’s important to understand the difference with identification versus verification.
Sometimes we need to make additional checks to eliminate to ensure that the person standing at the door is who they say they are.
In the broadest sense, this is generally referred to as authentication.
There are, however, two principals that are important to understanding and how they differ from each other.
There are identification and verification.
Both identification and verification may involve the use of one or more authentication principals.
It’s useful to get these concepts correct early on to avoid misunderstandings and problems later.
Identification is how we tell the access control system who we are.
Usually, this will be with a smart card that will have the person’s name, photograph and other information on.
Each card has a unique number which is assigned to a person.
The access control system then knows if David is assigned card number 12345 when card 12345 is presented to a card reader, David is at the door.
Assuming David has the correct permissions for this door, the access control system will then open the door for him.
In the example above, we are using card based Identification to allow the access control system to identify David by his card number, 12345.
Not just cards
Whilst cards are often used for identification purposes, they do not have to be.
Key fobs may be used in residential settings where the fob can be attached to the owner’s keys saving them the need to carry a smart card to gain access.
In my experience, a large number of secondary schools in the UK use fingerprints to identify students.
Schools that I have worked with have two key criteria for selecting biometric identification over cards:
Cards are easily lost by secondary school age students.
When you combine the costs of the physical card itself, printing and personalisation and labour to print and issue the card, they can start to work out quite expensive.
With fingerprints, each student already has them when they come to school!
Most schools require students to wear a uniform.
This enables staff to visibly identify whether a student should be on site or not. This eliminates the need for a printed card.
Access control systems use verification to confirm the identity of a person beyond all reasonable doubt.
With a smart card, it isn’t possible for the access control system to know for certain that the person holding the card is the person that should have that card.
We use something like a PIN Code or Fingerprint to confirm the identity of the smartcard holder.
During this process, we combine the authentication of both the card and PIN or fingerprint for stronger security controls.
We use verification in our everyday lives when we use a bank card to pay for something.
We have the physical card (identification) and know a secret PIN code (verification) to prove we are the authorised cardholder.
In this instance, we can issue David with a PIN code of 9999.
The system then requires a combination of card number 12345 and PIN code 9999 to gain access to the data centre.
PIN codes do however rely on the authorised card holder not sharing this information with anyone else.
While it’s possible to force cardholders to change their PIN code on a regular basis, this is difficult to control.
In organisations where the threat is coming from inside the organisation, rather than from an external attacker, we need more than a PIN code.
The role of biometrics
This is where biometrics can play their part.
Instead of using his card and PIN Code, we now need David to use his card and fingerprint to gain access.
Now, when David enters the building, he must use his card, plus the finger he enrolled in order to gain access.
Whilst not impossible, it’s more difficult to replicate David’s fingerprint to get access to the building.
Most access control systems also allow you to combine more than two forms of authentication, this is useful in extremely high security areas.
This is an extract from my book, Designing Physical Access Control Systems.