Access Readers and Tokens
Identification and Authentication Methods
Overview
Once upon a time, physical access control typically meant there was a person (security guard, receptionist, etc) whose job it was to watch the entrances to a restricted area and only let in people who were on a list or personally recognized by them as an authorized user. Technology solutions to the problem of controlling access came about both as a way to save money and as a way to better enforce policies.
It is important to recognize that controlling access requires both identification and authentication of people. A good discussion of this problem is here:
- Microsoft Essay on Identification vs. Authentication
- Wikipedia Authorization and Authentication compared
Identification in this context means uniquely identifying each user who presents at an access terminal or reader. Since the point of access control and physical security is to enforce a security policy, it is important to know which exact user is attempting to gain access to the resource in question. Some typical identification methods include:
- Token ID (i.e. a barcode,serial number, etc)
- Username/user ID
- Biometric ID (Typically only used in very high-end systems such as the Morphotrack products
Authentication means verifying that the user is who they claim they are. They are logically separated, as our system may present different choices or use different methods based on the user's identification. The "authorization" component may not be unique to eachj user either. (PIN codes for instance.) Authentication methods for users include:
- Something they have (a physical token)
- Something they know (a password or PIN)
- Something they are (biometrics/facial recognition/other trait)
Considerations for Access Control
- Method must be simple and reliable
- Users tend to bypass controls that are too burdensome
- Must not lock out legitimate users frequently
- Must not allow unauthorized users in to the extent possible
- Two-factor authentication an option (Token+PIN, PIN+Thumbprint, etc)
- SMS messaging/one-time PIN
- Tokens with unique ID that changes after each use
- Interactive applications (Smart phones, tablets)
- Protect against common failure modes
- Tailgating (multiple users entering on one token)
- Pass-back (Users passing their token to the outside so that someone else can use it)
- Doors left open/propped open
Types of tokens
Contactless (RFID)
Advantages
- No electrical connection to the outside world
- Can be mounted behind glass or inside a secure perimeter
- No keypad or contacts to require maintenance
Disadvantages
- Tokens can be interrogated be a third party
- Transactions can be snooped with RF listening gear.
Types of RFID Tokens
Most of the commercial RFID vendors require an NDA and/or purchase commitment to get access to their detailed specifications. There are at least two systems with widely-published specifications and products available from multiple vendors.
- EM4100/TK4100
- Vendor Spec Sheet
- 125Khz (Low Frequency) tags
- Read-only and read-write versions available
- 26-64bits of data typical
- Writing tends to be slow
- Mifare
- 13.56Mhz (High Frequency) tags
- Have read/write capability
- Basic encryption on-board
- Come unconfigured, all 'F' values store in data blocks
- Blocks of data are stored with encryption key after first write
- 1K,4K version available
- NXP, other vendors sell token and reader chips
- Mifare Code and libraries