Access control systems are designed to limit physical or virtual access to physical locations, resources, or computer networks. One of the most basic examples of an access control system preventing physical access to an area or room is a locked door. More advanced models include electronic-based systems that require the use of a unique identity and authentication method such as a password. More advanced access control systems integrate physical and electronic systems and can use a combination of access authentication along with biometric information. The complexity of the model of control system implemented typically correlates to the risk or value of information or resources under protection.
How Does an Access Control System Work?
An electronic access control system using a single factor such as an ID or pass card will notionally go through the following steps to determine whether an individual will be allowed to proceed.
Step 1 – Credentials are presented to the access point or reader of the system.
Step 2 – The credentials are forwarded or transmitted to an access control panel (typically a highly reliable computer processor).
Step 3 – The control panel’s responsibility is to compare the credentials to an approved access control list. Based on the contents of the access control list, it will give or deny permission for the access request.
Step 4 – The access control panel will log the access transaction into a centrally stored access database.
Step 5 – In the case of providing access to a door, if the credentials presented to the access control panel permit access, a relay will be activated that unlocks the door. Simultaneously, the control panel will prevent an alarm from being sounded while the door is open.
Step 6 – Most access control systems designed to interface with humans will also provide visual feedback to the individual indicating success or failure with obtaining access to the desired door or system. This will typically be indicated by green LEDs when access is granted or red LEDs if the requested access is denied.
Note: A common problem with single-factor access control systems is that, without a second piece of authenticating information, access can be obtained by anyone who steals an ID or access card. To address this problem, a two-factor system can be used in which a password, PIN, or biometric input is required in addition to the access card when attempting to gain access through the access control system.
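The six steps above, together with the two-factor variant from the note, as an added Python simulation of the control panel's decision logic (this is example code written for this page, not code from the original article). The access list, card numbers, PINs and door names are constructed values, and the relay, alarm shunt and LED are plain attributes standing in for the door hardware.

```python
import hmac
from dataclasses import dataclass, field

# Constructed access control list (Step 3): card number -> holder, PIN, permitted doors.
# Every value here is made up for this example.
ACCESS_LIST = {
    "1001": {"holder": "alice", "pin": "4321", "doors": {"lobby", "lab"}},
    "1002": {"holder": "bob", "pin": "8765", "doors": {"lobby"}},
}


@dataclass
class Door:
    name: str
    relay_unlocked: bool = False  # Step 5: relay that releases the lock
    alarm_shunted: bool = False   # Step 5: door-open alarm suppressed while unlocked
    led: str = "idle"             # Step 6: green on grant, red on deny


@dataclass
class Panel:
    doors: dict
    two_factor: bool = True       # require a PIN as well as the card (see the note above)
    audit_log: list = field(default_factory=list)  # Step 4: central access database

    def request(self, door_name, card, pin=None):
        """Steps 2-6 for one credential presentation; returns (granted, reason)."""
        door = self.doors[door_name]
        entry = ACCESS_LIST.get(card)
        if entry is None:
            reason = "unknown card"
        elif door_name not in entry["doors"]:
            reason = "card not authorised for this door"
        elif self.two_factor and (pin is None or not hmac.compare_digest(pin, entry["pin"])):
            # A stolen card alone stops here: the second factor is missing or wrong.
            reason = "second factor missing or wrong"
        else:
            reason = "granted"
        granted = reason == "granted"
        self.audit_log.append({"door": door_name, "card": card, "result": reason})
        door.relay_unlocked = granted          # Step 5: unlock only on a grant
        door.alarm_shunted = granted           # Step 5: suppress the door-open alarm
        door.led = "green" if granted else "red"  # Step 6: feedback to the user
        return granted, reason
```

With `two_factor=False` the same panel behaves like the single-factor system described in the steps, so a card number alone is enough for a grant.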
What are Three Types of Authentication Information Used in Access Control Systems?
The three most common factors or types of authenticating information are:
1 – Biometric information (such as a fingerprint or retina scan),
2 – Physical material in the individual’s possession, such as an access or smart card, and
3 – A password, PIN, or passphrase known only to the user.
Most advanced access control systems in use today will use a combination of physical material and information known by the end-user to provide access. In some cases, systems will recognize a fourth form of identification that leverages someone known to the user requesting access to validate their identity.
What are the Common Components of an Access Control System?
Access control systems are implemented at the access control points. These points include elevators, doors, parking gates, turnstiles, or other physical impediments that prevent individuals from obtaining access to a physical location. The most commonly encountered access point is an electronic access control door. These doors include an electronic lock that is released by switch operation. The electronic door has an access reader that is responsible for collecting authentication information from the person requesting entry. For two-step authentication, the user typically inserts or swipes a smart card or access card and then supplies a PIN, password, or biometric sample; the reader forwards this information to the access control panel. The access control panel validates the authentication information against the approved access list to allow or deny access. While this process is occurring, the access control system uses a magnetic door switch to monitor the status of the door.
If the location being protected does not control exits through the door, a request-to-exit (RTE) device is installed that tells the system to ignore the door being opened and prevents an alarm from being sounded. In situations that require monitoring both entry and exit, a second reader is installed on the exit side of the door. Some door designs are required to allow exiting the structure without electrically unlocking the door, known as “mechanical free egress.”
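The door-contact, RTE and alarm behaviour described above, together with the forced-door alarm mentioned under security risks below, as an added Python model (example code written for this page, not the article's own). The 10-second shunt window and the event trace are assumed, constructed values; the door contact and relay are represented by timestamped events rather than real hardware.

```python
from dataclasses import dataclass, field

SHUNT_WINDOW = 10.0  # seconds an unlock or RTE keeps the door-open alarm suppressed (assumed)


@dataclass
class DoorMonitor:
    """Models one magnetic door contact, the panel's lock relay and an RTE device."""
    shunt_until: float = -1.0                   # time until which an opening is expected
    door_open: bool = False
    alarms: list = field(default_factory=list)  # (time, condition) pairs raised so far

    def event(self, t: float, kind: str):
        """Apply one timestamped event; kinds are unlock, rte, open and close."""
        if kind in ("unlock", "rte"):
            # A granted request (relay fired) or an RTE press both tell the panel to
            # ignore the next opening, so exiting does not raise an alarm.
            self.shunt_until = t + SHUNT_WINDOW
        elif kind == "open":
            self.door_open = True
            if t > self.shunt_until:
                # Contact opened with no recent unlock and no RTE: forced-door condition.
                self.alarms.append((t, "forced door"))
        elif kind == "close":
            self.door_open = False
            self.shunt_until = -1.0             # the shunt is consumed once the door cycles
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        return self.alarms


def replay(events):
    """Run a sequence of (time, kind) events and return the alarms raised."""
    monitor = DoorMonitor()
    for t, kind in events:
        monitor.event(t, kind)
    return monitor.alarms


# Constructed trace: two legitimate cycles (unlock, then RTE), an opening with no
# unlock or RTE, and an unlock whose shunt has expired before the door is opened.
SAMPLE_EVENTS = [
    (0.0, "unlock"), (2.0, "open"), (5.0, "close"),
    (20.0, "rte"), (21.0, "open"), (24.0, "close"),
    (40.0, "open"), (42.0, "close"),
    (60.0, "unlock"), (75.0, "open"), (77.0, "close"),
]
```

Replaying an open/close pair with no unlock or RTE event shows why a door that relies on mechanical free egress but is not tied to an RTE device produces the false forced-door alarms noted under security risks.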
What are the Types of Access Control Readers?
Access control reader classification is commonly determined by the functions the reader is designed to support or perform. The three common types are non-intelligent (basic), semi-intelligent, and intelligent readers.
Non-intelligent access control readers are designed to perform a single function such as reading a smart card number or receiving an input such as a PIN. Once received, the reader transmits or forwards the information to the access control panel using one of a variety of protocols, depending on the manufacturer of the device. These protocols include RS-485, RS-232, and the Wiegand protocol.
Semi-intelligent readers have all the inputs and outputs necessary to control door hardware (lock, door contact, exit button), but do not make any access decisions. When this type of reader receives authentication information from the user, it forwards the data to the primary access controller and awaits the response. This type of access control reader typically uses an RS-485 bus to connect to the access control panel.
An intelligent access control reader includes all hardware and software components required to operate the controlled access point as well as the computing power required to make the access decision on its own. The intelligent access control reader still requires a connection to a control panel (also via an RS-485 bus) for access control list updates. The latest generation of intelligent access control readers communicates over a network and eliminates the need for a traditional control panel; instead, they make use of a host computer which acts as a virtual access control panel.
Access Control System Topologies
There are a number of access control system topologies in use throughout industry. These include: Serial controllers, Serial main and sub-controllers, Serial main controllers & intelligent readers, Serial controllers with terminal servers, Network-enabled main controllers, IP controllers, and IP readers.
Access Control Serial Controllers
In this topology, the controllers use a serial RS-485 communication line to connect to the host computer. The use of RS-485 permits long cable runs (up to 1,200 meters) and provides a fairly short response time. There is a limit on the total number of devices that can be connected to one RS-485 line (32), which keeps the polling cycle short and allows a high update frequency for each device connected to the access control system. Disadvantages of this topology include: RS-485 is not well suited to transferring large amounts of data; splitters are required to support star-type wiring; controllers are not able to initiate communications in the event of an alarm (they have to wait until they are polled); and operation of the system depends heavily on the host PC.
Access Control Serial Main and Sub-Controllers
In this topology, all of the hardware for the door (or other physical securing device) is connected to sub-controllers. The sub-controllers forward all information and requests to the system’s main controller. Each main controller can support between 16 and 32 sub-controllers. In this topology, the host computer has a significantly reduced workload since it is only required to communicate with the main controllers. Additionally, the overall system cost is lower; however, the system is very dependent on the proper operation of its main controllers. Due to the high cost of main controllers, this topology can be cost-prohibitive for geographically distributed setups with remote locations that require monitoring but have only a small number of access points.
Access Control Serial Main Controllers and Intelligent Readers
In this topology, all of the access point hardware is directly connected to a semi-intelligent or intelligent access control reader. The readers are not normally designed to make access decisions in this arrangement; instead, they forward all access requests to a main controller. If the connection to the main controller is not available, the readers make and record access decisions based on locally stored or cached access information. This architecture normally supports between 16 and 64 readers per main controller.
Access Control Serial Controllers using Terminal Servers
In this topology, a terminal server is introduced which converts classic serial information to be transmitted via a network connection (LAN or WAN). The architecture allows existing network infrastructure to be leveraged for connecting different locations of the secure system when installation of new RS-485 wiring would be impractical or costly. The terminal server does increase the overall complexity of the access control system and creates more work for the company or individuals installing the system. The communication link between the access controller and terminal server can also act as a “chokepoint” for system communications.
Access Control Network Enabled Main Controllers
The network-enabled main controller topology takes advantage of an embedded network interface in the main controllers. This provides a faster communication path to and from the main controllers and allows several main controllers to be addressed in parallel. The overall system is more responsive as a result, and system updates do not interrupt normal access control operations. This topology also eliminates the issues found with topologies that make use of terminal servers.
Access Control IP Controllers
In this topology, the controllers are connected to a primary host computer via an Ethernet connection, making use of an existing network. There is no limitation on the total number of controllers per line like there is with a topology using RS-485 connections, and communication with the access controllers takes place at the rated speed of the network. The requirement for system polling can be eliminated with IP controllers, since a controller raising an alarm is able to establish a connection to the host computer itself. The system is exposed to network issues on the underlying infrastructure and, if configured incorrectly, can be open to attack from outside hackers or rogue actors. Additionally, the maximum distance between an access controller and a network hub or switch is limited by the use of copper cable (100 meters). In newer designs, the reliance on a host computer is reduced by setting up a peer-to-peer communication option for the access control network.
Access Control IP Readers
In this topology, IP readers are connected to a host PC via a network connection. Since the majority of IP readers are PoE capable, battery-backed power can be provided to the entire system, including the electronic locks and detectors. Additionally, IP readers do not result in the wasted capacity that can be encountered when using a traditional access controller. IP readers can require specialized input/output modules when used in high-security areas to prevent intrusion via access to the lock or exit-button wiring on a door or other access point. Also, since an IP-configured reader is more sensitive than traditional models, it is not suitable for installation in areas exposed to the elements.
What are the Security Risks for Access Control Systems?
The most significant security risk for an access control system is an unauthorized user following someone who legitimately gained access through a door or other entry point into a secure area. This act is commonly referred to as “tailgating” one’s way into a secure area. It can be accomplished either with the cooperation of the authorized user or by someone following the individual into the secured area unnoticed. To combat this act, turnstiles can be used, or, in more secure environments, a security vestibule that only permits one person to be in the area at a time.
Another common risk for access control systems is levering the accessed door open. Advanced access control systems are able to detect this action through a forced-door monitoring alarm; however, these alarms can suffer from a high rate of false positives.
A third vulnerability to access control systems is spoofing the door locking hardware. In this case, a strong magnet is used to activate the solenoid controlling the bolts in the electric locking hardware. Motor locks (used in Europe) can also be opened using a U-shaped magnet in a similar attack. Advanced uses of this technique also include manipulating power applied to the lock by adding or removing current.
Finally, access cards have been found to have vulnerabilities that allow portable readers to capture the card’s information. In this case, the attacker walks past a user and uses the device to read the card information. Once read, the information can be presented to the door’s access control system to obtain access, because the information is transmitted in the clear rather than encrypted.