Five Best Practices In Access Control


To ensure that the ever-changing security requirements of a facility are met, a periodic review of a site’s access control system and its associated policies is a necessity. In fact, conducting an annual access control system review is the first step in establishing a systematic process for assessing the security of your organization; it is the principal best practice that provides the framework for all the other guidelines. Once a yearly review process is in place, the fundamental best practices concept is that an effective security system uses a layered approach to security. A good analogy is a home protected by a burglar alarm that uses both glass break detectors and motion sensors to detect when an intruder enters the house. This white paper contains important guidelines for all of the stakeholders in an access control installation, including the facility owner, the system specifier, the installer and the end user.

Choosing the Right Reader and Card Technology

Contactless smart cards are fast becoming the technology of choice for access control applications. Security, convenience, and interoperability are the three major reasons for this growth. Since there is a wide variety of reader technologies being offered by today’s manufacturers, it is important to make sure that the correct technology is chosen to match the desired level of security. Using a good, better, best grading system will help make the correct choice easier.

Many legacy card technologies are still in use, and replacing them with the latest contactless smart card technology may be expensive or logistically difficult. Implementing the recommendations included in this paper will raise the level of security of an installation and should be done regardless of the card technology employed.

1. Use Proper Key Management

Key management deals with the secure generation, distribution, storage, and lifecycle management of cryptographic keys. This important subject deserves an entire white paper by itself, but here are a few of the essential key management best practices. Whenever there is a choice, choose a manufacturer that allows you to use your own cryptographic authentication key, different from that of its other customers, so that you have a unique key for your facility or organization.

Although it may be easier not to have the responsibility of managing and safeguarding your own keys, utilizing your own authentication keys will protect your organization from a key compromise that occurs in someone else’s readers purchased from the same manufacturer. Do not choose a manufacturer that stores the same key in all of its credentials. Extraction of the key from a single card compromises all of the cards in use. Use a manufacturer that uses diversified keys, which means that each card uses a different key that is cryptographically derived from a master key. Ideally this diversification would use a publicly scrutinized method such as SP800-108, a NIST Special Publication titled “Recommendation for Key Derivation Using Pseudorandom Functions.”
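The key diversification described above can be sketched as follows. This is an added example, not code from the paper or from any manufacturer: it derives a per-card key from a master key with the SP 800-108 counter-mode KDF using HMAC-SHA256 as the PRF, and the label string, 16-byte key length, master key and card UIDs are all constructed assumptions.

```python
import hashlib
import hmac

PRF_OUT = 32  # HMAC-SHA256 output length in bytes


def kdf_ctr_hmac_sha256(key_in: bytes, label: bytes, context: bytes,
                        out_len: int) -> bytes:
    """SP 800-108 counter-mode KDF with HMAC-SHA256 as the PRF.

    Block i is PRF(K_in, [i]_32 || Label || 0x00 || Context || [L]_32),
    where L is the requested output length in bits.
    """
    if b"\x00" in label:
        raise ValueError("label must not contain the 0x00 separator")
    if out_len <= 0:
        raise ValueError("out_len must be positive")
    l_bits = (out_len * 8).to_bytes(4, "big")
    n_blocks = -(-out_len // PRF_OUT)  # ceiling division
    out = b""
    for i in range(1, n_blocks + 1):
        data = i.to_bytes(4, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(key_in, data, hashlib.sha256).digest()
    return out[:out_len]


def diversify_card_key(master_key: bytes, card_uid: bytes) -> bytes:
    """Derive a 16-byte card key bound to the card's UID (assumed scheme)."""
    if not card_uid:
        raise ValueError("card UID is required as KDF context")
    # "card-auth-key" is a hypothetical label chosen for this example.
    return kdf_ctr_hmac_sha256(master_key, b"card-auth-key", card_uid, 16)


if __name__ == "__main__":
    master = bytes(range(32))  # constructed test key, never a real one
    for uid_hex in ("04a1b2c3d4e5f6", "04a1b2c3d4e5f7"):  # constructed UIDs
        key = diversify_card_key(master, bytes.fromhex(uid_hex))
        print(uid_hex, key.hex())
```

Because each card holds only its own derived key, extracting the key from one card does not yield the key of any other card or the master key.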

2. Protect the Communications

The individual components of an access control system need to communicate with each other. Typical data includes card read messages, door unlock messages, audit trail data, cardholder privilege changes, and much more. Consequently, it is critical to protect this information exchange on two levels: the actual communications medium, be it hard-wired or wireless, and the data content must both be protected. When the communication takes place using wires, there are many different methods, interfaces and protocols to choose from. The most popular, and the de facto industry standard, is the Wiegand Protocol.

This protocol became very popular because it is universally supported by almost all reader and panel manufacturers. More modern communication methods such as RS485 and TCP/IP offer more security and are therefore more desirable. If a perpetrator can get access to the wires used for communications between the reader and the upstream device, it may be possible to intercept messages; this could result in a loss of privacy as well as the possibility of replaying a previously captured message and unlocking the door. It may also be possible to simply send an ‘unlock’ message. That is why a secure protocol is important, ideally employing 1) mutual authentication to ensure that each device trusts the other device, 2) encryption, and 3) message replay protection.
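The following added example, which is not from the paper or from any real reader protocol, shows how a receiver can enforce message authentication and replay protection with an HMAC tag and a strictly increasing counter. It assumes a session key already shared between reader and panel (for instance from a mutual authentication step), omits encryption, and uses a constructed frame layout and constructed messages.

```python
import hashlib
import hmac

CTR_LEN = 8   # big-endian message counter
TAG_LEN = 32  # full HMAC-SHA256 tag


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Build a frame: counter || payload || HMAC(key, counter || payload)."""
    body = counter.to_bytes(CTR_LEN, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is new."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        if len(frame) < CTR_LEN + TAG_LEN:
            return ("malformed", None)
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Verify the tag first so a forged frame cannot advance the counter.
        if not hmac.compare_digest(tag, expected):
            return ("bad_tag", None)
        counter = int.from_bytes(body[:CTR_LEN], "big")
        if counter <= self._last_counter:
            return ("replay", None)
        self._last_counter = counter
        return ("ok", body[CTR_LEN:])


if __name__ == "__main__":
    session_key = bytes(range(32))      # constructed key for the demo
    panel = Receiver(session_key)
    frame = seal(session_key, 1, b"UNLOCK door=3")  # constructed message
    print(panel.accept(frame))          # first delivery is accepted
    print(panel.accept(frame))          # the same bytes again are rejected
    print(panel.accept(seal(bytes(32), 2, b"UNLOCK door=3")))  # wrong key
```

A frame captured on the wire and sent again carries a counter the receiver has already seen, and a frame built without the session key fails tag verification, so neither opens the door.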

3. Use Security Screws

Always use security screws, which require special tools to remove, on readers and other security components. If the correct tool is not available, it is nearly impossible to remove the reader without causing damage to the screws. This damage may be noticed, alerting security to a potential intrusion attempt, especially if policy dictates that readers be physically examined on a periodic basis. (Physical examination of readers should be included on guard tours.) It also has the effect of making the removal process more difficult, and slowing down the removal increases the possibility that the perpetrator will be noticed.

4. Prevention Using Antipassback

Another best practice that may be feasible is to program the access control host software to refuse to grant access to a cardholder who is already inside the facility, which will prevent a duplicate card from being used to enter the facility. This mechanism, referred to as antipassback, is available in many access control systems. Note that this feature requires two readers at the door – an ‘in’ reader and an ‘out’ reader. One additional benefit of using antipassback is that it prevents a user from using their card while others follow through the open door (tailgating).
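The host-side logic described above can be sketched as a small state tracker. This is an added example rather than any product's implementation; the card IDs and event sequence are constructed, and denying an ‘out’ read for a card with no recorded entry is an assumption about how the tailgating benefit is enforced.

```python
from dataclasses import dataclass, field


@dataclass
class AntipassbackController:
    """Tracks which cards are inside and denies out-of-sequence reads."""
    inside: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def badge(self, card_id: str, reader: str) -> bool:
        if reader not in ("in", "out"):
            raise ValueError("reader must be 'in' or 'out'")
        is_inside = card_id in self.inside
        if reader == "in" and is_inside:
            # Same card number presented again while its holder is inside:
            # consistent with a duplicate card or a card passed back.
            self.alerts.append((card_id, "in-read while already inside"))
            return False
        if reader == "out" and not is_inside:
            # No entry on record: the holder followed someone in.
            self.alerts.append((card_id, "out-read without recorded entry"))
            return False
        if reader == "in":
            self.inside.add(card_id)
        else:
            self.inside.discard(card_id)
        return True


def replay_events(events):
    """Run (card_id, reader) events through a fresh controller."""
    ctl = AntipassbackController()
    decisions = [ctl.badge(card, reader) for card, reader in events]
    return decisions, ctl.alerts


if __name__ == "__main__":
    # Constructed event sequence for illustration.
    sample = [("A100", "in"), ("A100", "in"), ("B200", "out"),
              ("A100", "out"), ("A100", "in")]
    decisions, alerts = replay_events(sample)
    print(decisions)
    for alert in alerts:
        print("ALERT", alert)
```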

5. Protect the Cards

Cardholders should be instructed not to wear their badges in prominent view when outside the premises and to be aware of people approaching them to perform a ‘bump and clone’, in which an attempt is made to surreptitiously read their card using an electronic skimming device. For contactless smart cards operating at 13.56 MHz, many companies sell RFID shielding devices packaged into a card holder; these are very convenient to use and prevent these kinds of attacks. Another best practice is to avoid putting any identifying data on the card that gives an indication as to the location or address of the facility, to make it harder to identify where a lost card can be used. Of course, many companies put their company logo on their cards, but organizations should balance this requirement with the disadvantage of including artwork that reveals the company’s location. For companies with multiple facilities at different physical locations, do not use the same facility code (also known as site code) data in all of the cards; otherwise a lost card can be used at any of the locations.

Following as many of these best practices as feasible – with attention to appropriate levels of security – will result in a system that better fulfills its intended function with less possibility of being compromised. And these are just a few best practices to look for. There are many additional best practices that have not been discussed in this paper, such as the use of security mechanisms on the card (like holograms) and other tamper-evident technologies, and much more. This paper will be continually expanded to include additional best practices for organizations to effectively balance cost, convenience and security when deploying an access control system. Please set a bookmark where you downloaded this document and check back for later versions.