Popular Access Control

Why smartcards and their derivatives provide increased security

Today, 13.56 MHz contactless smartcards are used to provide increased security compared to 125 kHz proximity cards. Systems that use smartcards can also be extended more easily to applications beyond electronic access control, such as tool checkouts, the company cafeteria and so on.

All the leading smartcard providers conform to ISO standards. ISO 14443 cards operate from zero to four inches, while ISO 15693 cards may provide longer ranges, though their read speed is often slower. Be aware that there are proprietary, non-standards-based contactless smartcard technologies that could bind you to a single-supplier dependency and potentially restrictive pricing and delivery structures. Only in certain circumstances do you want to consider them.

One of the first terms you will discover in learning about smart cards is "MIFARE," a technology from NXP Semiconductors. Mifare enables 2-way secured communications between the card and the reader. Mifare Classic was an original version of the Mifare technology used in contactless cards. It stores the access data in one of its sectors, and then encrypts the communication between the card and reader to make it impossible or, at least, very difficult to clone a card.

Unfortunately, a security flaw in the Mifare Classic standard meant that with the right knowledge and hardware, a card could still be cloned or another card in the series created.

The newest of the Mifare standards, Mifare DESFire, includes a cryptographic module on the card itself to add a further layer of encryption to the card/reader transaction. This is amongst the highest standard of card security currently available. MIFARE DESFire protection is therefore ideal for sales to providers wanting to use secure multi-application smartcards in access management, public transportation schemes or closed-loop e-payment applications. The cards fully comply with the requirements for fast and highly secure data transmission and flexible memory organization, and they provide interoperability with existing infrastructures.

Suffice it to say, MIFARE DESFire has become the contactless digital RFID technology benchmark for smartcards. As with proximity cards, you will also want to ensure that the readers comply with a communication standard, such as OSDP (Open Supervised Device Protocol) or Wiegand.

There are two main types of contactless smartcards. The clamshell contactless smartcard is an ISO14443-compliant card with a multi-byte memory. The end user can add more memory. The ISO contactless smartcard is also an ISO14443-compliant card with a multi-byte memory, and an end user can also order it with more memory. Manufactured from glossy PVC, it is appropriate for dye sublimation printing.

Key fobs are also available in smartcard technologies. Used in place of cards, key fobs are typically part of a key ring. The most durable typically include a brass-reinforcing eyelet.

Another valuable option is Valid ID, a unique anti-tamper feature for contactless smartcard readers, cards and tags. Once embedded, it adds yet another layer of authentication and integrity assurance to traditional Mifare smartcards. Valid ID helps verify that sensitive access data programmed to a card or tag is indeed genuine and not counterfeit.

Mobile Smartcards - Going to the Next Step
Mobile credentials are smartphone-based versions of traditional RFID smartcards and tags. Mobile credentials make it possible for smartphones, such as the Apple iPhone® and the range of Google Android® devices, to be used as an electronic access control credential.

No longer do users, such as government employees, need various physical credentials to move throughout a facility. Instead, a person's iPhone or Android smartphone, which they carry with them wherever they go, will have the credentials they need to enter into any authorized access system. In fact, such a system can reach beyond the facility into their homes, their automobiles or at the gym.

Commonly referred to as mobile, soft or virtual, smartphone-based access control credentials are another version of identification media, joining traditional proximity and smartcard credentials to support a user as she moves about a secured facility. Soft mobile access credentials provide several advantages over hard credentials. They are more convenient, less expensive and more secure. Adding multiple credentials is easy on a single smartphone.

They are more convenient because the user already carries his credentials with him wherever he goes. Credentials are delivered to the end user in either paper or electronic form, such as via email or text. The dealer has nothing to inventory and nothing to ship. Likewise, the user sponsor has nothing to store, nothing to lose and faces no physical replacement hassles. Costs are lowered as nobody must ship "onesie - twosie" replacement orders.

As always, there were the typical drawbacks with the new technology. Before they switched to virtual credentials, the next wave of users requested smartphone solutions that eliminated many of the frustrations that they discovered with their original smartphone apps and hardware, the main one being complicated implementation practices. The newer solutions provide an easier way to distribute credentials with features that allow the user to register only once and need no other portal accounts or activation features. By removing these additional information disclosures, vendors eliminated privacy concerns that have been slowing down acceptance of systems making use of mobile access credentials.

One additional concern held back some buyers. What if baby boomers at our facility don't have a smartphone? Problem solved. Just be sure that your mobile credential reader can also use a 13.56-MHz smartcard.

Just like traditional hard credentials, today’s soft credentials can support the 26-bit Wiegand format along with custom Wiegand, ABA Track II magnetic stripe and serial data formats, such as OSDP. They can be ordered with specific facility codes and ID numbers, and delivered in the exact number sequence ordered with no gaps and no under- or over-runs.
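As an added example (not part of the original article), the Python below decodes the 26-bit Wiegand format mentioned above and audits a delivered credential batch against the order: correct facility code, no gaps, no over-runs. It assumes the common open 26-bit layout described in the comments; the function names and the sample batch are constructed for illustration.

```python
# Assumed layout (common open 26-bit Wiegand format):
#   bit 1       even parity over bits 2-13
#   bits 2-9    facility code (8 bits)
#   bits 10-25  card number (16 bits)
#   bit 26      odd parity over bits 14-25
# Parity only catches transmission errors; it does not authenticate a card.

def encode26(facility, card):
    if not (0 <= facility <= 0xFF and 0 <= card <= 0xFFFF):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits hold an even number of 1s
    odd = str(1 - data[12:].count("1") % 2)     # last 13 bits hold an odd number of 1s
    return even + data + odd

def decode26(bits):
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)

def audit_batch(frames, facility, first, count):
    """Compare delivered frames with the order; return a list of problems."""
    problems, seen = [], set()
    for i, frame in enumerate(frames):
        try:
            fc, card = decode26(frame)
        except ValueError as exc:
            problems.append(f"frame {i}: {exc}")
            continue
        if fc != facility:
            problems.append(f"frame {i}: facility code {fc}, ordered {facility}")
            continue
        if card in seen:
            problems.append(f"frame {i}: duplicate card number {card}")
        seen.add(card)
    wanted = set(range(first, first + count))
    problems += [f"gap: card number {n} missing" for n in sorted(wanted - seen)]
    problems += [f"over-run: card number {n} not ordered" for n in sorted(seen - wanted)]
    return problems

if __name__ == "__main__":
    # Constructed sample: the order was facility code 12, card numbers 1001-1005.
    good = [encode26(12, n) for n in range(1001, 1006)]
    bad = good[2][:10] + "10"[int(good[2][10])] + good[2][11:]   # one flipped bit
    delivered = good[:2] + [bad] + good[3:] + [encode26(12, 1006)]
    print("\n".join(audit_batch(delivered, 12, 1001, 5)) or "batch matches order")
```
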

Secure!
Many companies still perceive that they are safer with a card but if done correctly, the mobile can be a far more secure option with many more leveraged features. Modern handsets deliver biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC.

Bottom line - both mobile Bluetooth and NFC credentials are safer than hard credentials. Read range difference yields a very practical result from a security aspect. Installation of a Bluetooth reader on the secure side of the door will allow NFC mounting on the unsecured side.

As far as security goes, the soft credential, by definition, is already a multi-factor solution. Mobile credentials remain protected behind a smart phone's security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification - what you know and what you have or what you have and a second form of what you have.

Once installed, the mobile credential cannot be installed on another smartphone. Think of it as a soft credential being securely linked to a smartphone. If a smartphone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be deactivated immediately in the access control management software - with a new credential issued as a replacement.

To emphasize, one cannot have access to the credential without having access to the phone. If the phone does not work, the credential will not work either. The credential works just like any other app on the phone. The phone must be “on.”

Leading readers additionally use AES encryption when transferring data. Since the Certified Common Criteria EAS5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks. With the Federal Trade Commission (FTC), among others, now holding the business community responsible for implementing good cybersecurity practices, such security has become an increasingly important consideration.

Likewise, check if the new soft system requires the disclosure of any sensitive end-user personal data. All that is needed to activate newer systems is the phone number of the smart phone and nothing more. Indeed, privacy matters.

Smartphone credentials are sold in the same manner as traditional 13.56-MHz contactless smart cards - from the existing OEM to the dealer to the end users. For the dealer, smartphone credentials will be more convenient, less expensive and more secure, and can be delivered in person or electronically. They are quicker to bill with nothing to inventory or to be stolen. In most cases, soft credentials can be integrated into an existing access control system. Distribution can also be via independent access control software.

Get Smart - Make Sure Your New System is "Smart!"
A final bonus - If your new system leverages the Security Industry Association's (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices, whether using mobile or a card.

With OSDP, security is an integral part of the overall solution. OSDP is not in the same ballpark with Wiegand; it is in a different sport and country. Simply check the origin of OSDP. Not only can integrators deliver the OSDP solution that a customer wants, but using the OSDP Verified product lists, integrators can also validate that a product has been tested within lab conditions that handle all of the required messages, minimizing any mishaps at a customer site.

Today, there are more than 25 devices from seven different vendors listed as OSDP verified. Although that does not seem like a lot, it really is. Many of these vendors are OEMs, having scores of private-labeled units among their customers. Among them are component, device, solution and system providers. Several feature multiple brands. Thus, even with this seemingly narrow list, there is a wide choice of security access control products. Integrators will find it easy to select products that they can integrate simply.

This article originally appeared in the January / February 2022 issue of Security Today.
