PIN codes are one of the most common second-factor authentication methods for access control.
How they are issued is important to ensure they remain secure.
We are familiar with PIN verification from daily life: when we pay for something with a debit or credit card, the PIN code confirms that we are the legal owner of the card.
The same technique is used in building access control systems to ensure that the person holding the card is the correct person, as they need to have the physical card in their possession and they need to know the PIN code.
There are a number of ways that a PIN code can be issued. In this article I will explore the pros and cons of each method.
Self selection
Self selection is where we allow the cardholder to enter and use their own PIN code at a computer workstation when being issued with a card.
Pros:
- It’s easier for the user to remember as they set the code themselves
- It doesn’t require any extra equipment other than the existing keyboard
- It is fast and easy to do
Cons:
- Unless the access control system can be suitably configured, the PIN selected may not be secure, e.g. 1234
- Someone else may be able to look over their shoulder and see the PIN
Operator issued with PIN change reader
With this option, the operator manually enters a PIN code of their choice and tells the cardholder the PIN code when they issue the card.
Before the card can be used for the first time, the cardholder needs to go to a PIN change reader, enter the code given to them and change it to a code of their own choice.
Pros:
- Multiple cardholders can be provisioned to the system in advance if the cardholder is not available
- The cardholder can still choose their own PIN
- Only the cardholder knows the PIN once changed
Cons:
- For a limited amount of time, someone else knows the code
- An additional PIN change reader is required
- Without a physical mask on the PIN change reader, someone could look over the cardholder's shoulder when the PIN is being changed
System generated with sealed letter
The system generates the PIN code itself and securely prints it in a sealed letter which is handed to the cardholder with their card.
Pros:
- Most secure method of issuing a PIN. Can be done in advance and could even be posted out.
- No one apart from the cardholder knows the PIN
- The PIN is secure as the system is programmed to ensure that simple codes are not generated
Cons:
- Requires specific printers and specialist software
- May require development to integrate with the access control system
- May prove too expensive for some installations
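The weak-code problem noted under self selection (e.g. 1234) and the "simple codes are not generated" property of system generation can share one policy check. The sketch below is an added example, not code from this article or from any access control product; the four-digit length and the list of rejected patterns are assumptions chosen for illustration.

```python
import secrets

PIN_LENGTH = 4  # assumed length; the article does not specify one


def is_simple_pin(pin: str) -> bool:
    """Return True if the PIN matches an easily guessed pattern (assumed list)."""
    digits = [int(c) for c in pin]
    # All digits identical, e.g. 0000 or 7777.
    if len(set(digits)) == 1:
        return True
    # Constant step of +1 or -1 modulo 10, e.g. 1234, 4321, 7890.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        return True
    # Repeated or mirrored halves, e.g. 1212 or 1221.
    half = len(pin) // 2
    if len(pin) % 2 == 0 and pin[:half] in (pin[half:], pin[half:][::-1]):
        return True
    # Year-like four-digit values that often encode a birth year.
    if len(pin) == 4 and pin[:2] in ("19", "20"):
        return True
    return False


def validate_selected_pin(pin: str, length: int = PIN_LENGTH) -> bool:
    """Check a cardholder-chosen PIN at the workstation or PIN change reader."""
    well_formed = len(pin) == length and pin.isascii() and pin.isdigit()
    return well_formed and not is_simple_pin(pin)


def generate_pin(length: int = PIN_LENGTH) -> str:
    """Draw a PIN from the OS CSPRNG, redrawing until it is not a simple code."""
    if length < 4:
        raise ValueError("PIN length below 4 is not supported in this example")
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not is_simple_pin(pin):
            return pin


if __name__ == "__main__":
    for candidate in ("1234", "7777", "1987", "4071"):  # constructed samples
        print(candidate, "accepted" if validate_selected_pin(candidate) else "rejected")
    print("generated:", generate_pin())
```

Using `secrets` rather than `random` matters for the sealed letter case, because the generated PIN must not be predictable from earlier ones.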
Question: What method do you use?