
Scott is President of Farpointe Data Inc, a DORMA Group Company. Prior to DORMA's acquisition in 2014, Scott co-founded, managed and led Farpointe as the company's President and CEO. There he was responsible for all aspects of organizational leadership, including sales, finance, operations, and technology. As the holder of multiple patents, he oversaw the development of the company's RFID (radio frequency identification) products primarily used in the access control and electronic security market. He profitably grew the company to one of the security industry's foremost RFID providers, expanded the business internationally, and was instrumental in the successful 2014 sale of the business to DORMA.
October 2, 2015


5 Reasons Why Access Control Cards Still Have a Future Despite the Rise of Biometrics

If you’ve been following the security industry for at least the last decade, you may have seen the claims from biometrics companies about the impending demise of the access control card.

Yet year after year more card systems are installed for first time users.

Now, before we continue, let’s make something clear.

Biometrics have a place in access control. The technology is also becoming much more reliable and less costly.

Biometrics will become more popular. They will, in certain systems and applications, be used in lieu of proximity or smart cards.

However, something else is clear. Cards will continue to be the credential of choice in the great majority of systems and the predominant credential in new electronic access control systems for many years to come.

They simply make sense for personal identification. There are five main reasons for this.

1. Culture

Look inside your wallet. What do you see? Currency and cards. The cards are not there by mistake.

Since most people can remember, they have always used cards for shopping. In fact, most people have several credit and/or debit cards.

Just one seems not enough. You use cards to get into work, check out a library book or go to the doctor.

For fun, check how many times you use a card in the next 24 hours. You will be surprised at how ubiquitous cards are in your life.

Go to a hotel. To enter your room, they give you a card. Go to a resort. For an all-day pass, they give you a card.

Join a gym…another card. Want a driver’s license? You get a card. Obtain a bank account; get another card.

We are used to using cards. Cards are easy to use. They are reliable. It will take a very long time, indeed if ever, to eliminate cards and replace them all with biometrics.

For that reason, if no other, you will continue to see the use of cards, especially in access control, for many years to come. It’s just not easy to change culture, even if there is a better alternative, which there certainly will not be for some time to come.


2. Huge installed base

The number of access control systems using cards on the front end is massive, so massive that many still don’t even use proximity or contactless smart cards yet. They still deploy the venerable magnetic stripe card.

A quick trip to the US and you will see magnetic stripe cards used in access applications on college campuses and elsewhere from coast to coast. The odds of such systems migrating to solely biometric identification/verification solutions before upgrading to contactless card systems are minimal.

Then, when you add in the number of systems presently deploying contactless proximity and smart cards, the number of worldwide card systems is in the hundreds of thousands if not millions.

The labour time and availability of biometric product alone to switch out all those systems means we’ll be seeing card based systems for many, many years.




3. Most systems don’t need high security

With all those card based systems installed around the world, how many of them really need the higher security that only biometrics provides? 10 percent? Less?

Cards are working very well at schools, at business offices, at factories, at hospitals, at large corporations, at small businesses, and so on. How soon will they be used in homes?

For the great majority of installed card systems, how many CFOs would sign off on pulling their present card system, which is doing exactly what they want it to do, for a biometric system? Not many.


4. Ways to address card security

To improve card system security, you don’t need to jump to the drastic measure of pulling out your card system and installing biometrics. Let’s review a couple of much simpler ways to enhance card systems.

One of the easiest solutions is to create 2-factor validation of the person wanting to enter. Not only must that person have something (the authorised access control credential, a card or tag) but they must also know something (a personal identification number – PIN).

For those higher security areas especially, you can select a card reader with an integrated keypad. To gain access, the individual will typically present their contactless card, get a beep and flash, and then enter their unique PIN on the keypad.

The electronic access control system then prompts a second beep and flash from the reader, the door unlocks and the individual is authorised to enter.

For the highest security applications, your system integrator can also provide a high-security handshake, or code, between the card or tag and reader to help prevent credential duplication and ensure that your readers will only collect data from these specially coded credentials.

In a sense, it’s the electronic security equivalent of a mechanical key management system, in which your organization is the only one that has the key you use. Such keys are only available through your integrator. Note they should never provide another end user with the same key.

In the electronic access control scenario, no other company should have the same card and reader combination that only you get from your integrator. Make certain to ask your integrator.

Only your reader will be able to read your card or tag and your reader will read no other card or tag.

How about smart card systems? First of all, often at a cost comparable to proximity card systems, smart card systems may be more secure and can be used for applications beyond access control, such as library checkouts, the hospital cafeteria, dormitory laundry rooms and so on.

Regarding smart cards, the next term you should look for is ‘MIFARE’, which is based upon NXP Semiconductor’s 13.56 MHz technology. (Others will look for France’s Inside Technologies. The idea is very much the same so we’ll discuss MIFARE.)

We could go into a deep technological explanation but, suffice it to say, MIFARE is the gateway to a series of security levels. That’s a whole new article in itself.

If you are really interested, ask your manufacturer or integrator for a quick run-through so you pick the right level of MIFARE security. Typically, to minimise costs, systems integrators will choose a relatively inexpensive smart card such as a MIFARE Classic card and concentrate security efforts in the back office.

Additional encryption on the card, transaction counters, hidden read/write keys and other methods known in cryptography are then employed to make cloned cards useless or enable the back office to detect a fraudulent card and put it on a blacklist.

Systems that work with online readers only (i.e., readers with a permanent link to the back office) are easier to protect than systems that have offline readers, since real-time checks are not possible and blacklists cannot be updated as frequently with offline systems.
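The transaction-counter check and the online/offline gap described above can be modelled in a few lines. This is an added example, not code from the article or from any vendor's product; the class names, the card ID `C100` and the counter values are hypothetical and constructed for illustration, and it assumes each genuine read advances a counter stored on the card.

```python
# Added illustration; class and card names are hypothetical, events are constructed.
class BackOffice:
    def __init__(self):
        self.last_counter = {}   # card_id -> highest transaction counter seen
        self.blacklist = set()

    def check(self, card_id, counter):
        """Return True to grant access; blacklist the ID on a stale counter."""
        if card_id in self.blacklist:
            return False
        if counter <= self.last_counter.get(card_id, -1):
            # Two physical cards are presenting the same identity.
            self.blacklist.add(card_id)
            return False
        self.last_counter[card_id] = counter
        return True


class OfflineReader:
    """Decides from its last synced blacklist and uploads reads later."""
    def __init__(self):
        self.blacklist = set()
        self.pending = []

    def present(self, card_id, counter):
        self.pending.append((card_id, counter))
        return card_id not in self.blacklist

    def sync(self, office):
        for card_id, counter in self.pending:
            office.check(card_id, counter)
        self.pending.clear()
        self.blacklist = set(office.blacklist)


def online_scenario():
    office = BackOffice()
    # Genuine card reads 41, 42, 43; a clone copied at 42 then presents 43.
    reads = [("C100", 41), ("C100", 42), ("C100", 43), ("C100", 43), ("C100", 44)]
    return [office.check(c, n) for c, n in reads]


def offline_scenario():
    office, reader = BackOffice(), OfflineReader()
    for n in (41, 42, 43):
        office.check("C100", n)              # genuine card at online doors
    before = reader.present("C100", 43)      # clone at an offline door
    reader.sync(office)                      # batch upload + blacklist refresh
    after = reader.present("C100", 44)
    return before, after
```

With an online reader the stale counter is refused on the spot; at the offline door the same read is granted once and only refused after the next sync, which is the window the paragraph above refers to.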

You can also ask for a smart card validation option. In this enhancement, the cards and readers are programmed with a fraudulent data detection solution.

The reader will scan through the credential’s data in search of discrepancies in the encrypted data, which normally occur during credential cloning. Tip: if you are looking to stop smart card forgery, consider this a must.

5. Cards work

The next time you go to IFSEC or another security show, try a little experiment. Go into booths featuring card-based electronic access control systems.

See how many times the card works versus how many times it does not. See how many times the exhibitor lets you use the card yourself to see how it works. The answer you will get – the card works every time.

Next, go to the biometrics booths. Check the same thing. You will be amazed at how many times that biometric provides the red light instead of the green light…yes, at the show!

And most will be very reticent to let you try it yourself. “Well, we would have to get you enrolled and…”

Hey, you have a couple extra minutes… let’s do it.

Here is another thing you will find. Low cost biometric solutions don’t work very well. They have a lot of problems. Those that do work cost one heckuva lot more than contactless card systems. Perhaps the remarks of one of our integrators sum it up best: “Biometrics have been one percent of our sales revenues but ten percent of our maintenance issues.”

Plus, there is no enrollment procedure, no problems with privacy and no false rejects with cards.

Bottom line

Without question, there are some applications that scream for a biometrics solution. And, there are some quality biometric vendors that can provide reliable resolutions for these problems.

However, that does not mean that fingerprints, vein patterns, face recognition, iris scans or a host of other biometrics are going to be replacing cards in either the near or far future in the great majority of applications.

That’s because it will be difficult to change our card culture, there is no biometric infrastructure that could be used to replace so many card systems, most card system applications don’t require higher security, there are many ways to improve card system security without going to biometrics and, maybe most important of all, cards just work.


StephenGoodridge
March 2, 2016 2:58 pm

I think this is another one of those myths like the paperless office. Actually not only do cards work and are cheaper they can also do things that biometrics will never do like acting as e-purses, loyalty cards, include multiple technologies on the one chip and the list goes on. I fully agree biometrics will continue to be an option but the card, or something physical, is here for many years to come.
