Which Is More Secure: Keys Or Prox?

A few years ago I worked at a technology distribution company. The corporate office campus consisted of 5 or 6 structures, each with 4 entrance/exit doors equipped with standard 125Mhz Weigand format Prox readers. Doors were locked to entry at all hours. Each building had roughly 100 to 200 employees at one time, most working 9-5, but with a definite minority needing off hours access. Only one building had a staffed reception during the daytime.

Would you consider this Prox-only setup more or less secure than a key-only system?


All other things being equal, I would say that using an electronic access control system (prox cards) would provide better security because of: 1) the ability to tailor access privileges to specific times and days, 2) the ability to track when and where each card was used, and 3) the ability to quickly cancel the access privileges of cards that are lost or stolen, eliminating the need to rekey and issue new keys to everyone. Most access control systems are also capable of monitoring the doors and alerting staff when doors are forced or propped open.

That being said, good security requires so much more than just hardware or technology. Two important elements are good security procedures and ongoing security awareness training for employees. Without these, even the best electronic security systems can be rendered useless.

In my consulting practice, I have seen some facilities that have excellent security while using very little technology. On the other hand, I have seen many, many more facilities that use the latest video and access control technology, but still have very little actual security because of poor security procedures and acts of carelessness by employees.

So, I would argue that a facility that used a manual key system, but had excellent security procedures and training for employees, would probably have a higher level of security than a facility that had a prox access control system, but nothing in the way of security procedures or training for employees.

Thanks Michael.

When I worked there, (in IT not Facilities), with a typical IT geek bias, I assumed that Prox was more secure.

But after reading on IPVM and other places how inexpensive card grabbers can be used to clone 125khz* cards, I'm wondering.

I feel pretty confident that I would just need to go to the nearby sandwich shop and get in line during the lunch crush to get a number of IDs without anyone knowing.

I am missing something?

*Correction to my OP where I wrote 125Mhz.

Neither are terribly secure. However, Prox still requires some special knowledge to spoof/copy, compared to a key that can be copied at any home improvement store indiscrimiantely.

Either form of credential is weak compared to multifactor authentication or smartcard encryption.

If I really wanted to promote security I wouldn't hang my hat on any single credential technology - key, prox, or smartcard. Most badguys are going to find a much easier way in to a facility than copying a key or proxcard. (Door prop, tailgating, crowbar, etc)

I am in complete agreement with Mike Silva when he writes:

"I would argue that a facility that used a manual key system, but had excellent security procedures and training for employees, would probably have a higher level of security than a facility that had a prox access control system, but nothing in the way of security procedures or training for employees."

However, Prox still requires some special knowledge to spoof/copy, compared to a key that can be copied at any home improvement store indiscrimiantely.

But how do you get the physical key to copy in the first place? Moreover, if you steal someone's physical key you have a limited time before they may become aware of its absence, and the precise time and place of its disappearance.

With a Prox card sniffer you can get a 'key' without taking theirs, and you can wait until it is most advantageous to use it.

As to how hard it is to purchase a device and successfully capture and clone an ID, I defer it you since I haven't done it. Would you say it's as hard as setting up port forwarding on a router?Maybe you often end up with cards that don't work;

The reason I'm asking is a real one: After speaking with a friend who still works there, he mentioned that a third mutual acquaintance had been fired for being part of a laptop theft ring.

Apparently for several weeks different people had come in after hours and would steal laptops or any other electronics from people's desks etc, all gaining access thru his ID. He was never ID'd on any video as being the actual theif. They fired him and didn't prosecute him. He claims he had nothing to do with it. Honestly, IMHO, he was a little hinky, so I would normally have been inclined to believe it, but knowing what I know it's at least possible someone copied his card...

thoughts?

Picking or impressioning a lock doesn't take physical possession of the key either.

In fact, making a copy of a key doesn't require much more than a picture of a key. (See: App Replaces Locksmiths: KeyMe).

The situation you bring up would be an issue no matter the key or card he carried, unless manned guard checkpoint, biometrics, or video accompaned access controls.

Terminating someone for theft without proof or admission of guilt can put an employer on dangerous legal ground. The fact that you know about this incident means that probably lots of other people do too, and this could be very damaging to the reputation of a person that could very well be innocent.

If the employee didn't have a legitimate reason to be on premises after hours, why did his card allow access during this time period? If not for work, what was the employee's stated reason for being in the building during the times in question? Sounds like security procedures at this company might be a little weak.

If the employee didn't have a legitimate reason to be on premises after hours, why did his card allow access during this time period?

He was a on-call programmer, he was often there odd hours/weekends, as we all were.

Also, it was not at all uncommon to give someone else your card temporarily, usually when several would be at the local watering hole and somebody would get a text that a job failed or the site was down etc, and have to go in to do something. As far as we were concerned, one card was the same as another, and I wouldn't be surprised if more than a couple of us ended up with a card that wasn't technically "ours".

Also, I remember from personal experience needing a requesting a new card after not being able to find mine. Some time after that I found the lost one. It still worked. Right to your point about technology being only as good as the people and procedures that are used to implement them.

There may have been other evidence linking the employee to the crime, or he may have been reckless. In any event, tech jobs being what they are, he ended up somewhere else probably making more so nothing but sour grapes ever came of it. The company still uses 125khz cards.

Did I mention that this was a large technology (and security) distributor, which ironically would have the very latest RFID technology in stock, for next day delivery.

Sounds like the company needs to hire a good independent consultant to do an assessment and help them get their security program on track. :)

Picking or impressioning a lock doesn't take physical possession of the key either. In fact, making a copy of a key doesn't require much more than a picture of a key.

Two pictures to be exact, and a thumbprint at the kiosk

"A casual photo from across the bar is absolutely not going to work," Marsh said. "What you do is you take the key off the key chain and you put it on a blank, white piece of paper, you scan the key from four inches away, you flip it over and you do the same thing. So you really have to have full possession of the key." - KeyMe CEO Greg Marsh

Bumping/picking is definitely a weakness, as you have previously explained. Though it requires at least some suspicious time spent (minutes?) at the door, as opposed to just a normal swipe.

Funny thing is, in this case, had it been a duplicate physical key, they would have not known who to suspect initially, and would probably have had to do a costly rekey in any event.

So I can see advantages/disadvantages to both. Curious, do you think that bumping is harder to learn than cloning?

The app requires two pictures, but many locksmiths can decode a key on sight. I think with about 30 minutes of practice, you could do it pretty easy. A simple snap from a camera phone can really do the entire job.

Marcus Tobias trolled Medeco hard a few years back with such an exploit.

There is lots of talk about the ways that proximity cards can be remotely cloned, communications lines to controllers can be hacked, and biometric readers can be fooled in various ways. Manufacturers tend to play these vulnerabilities up in various ways, and urge that end-users replace their existing systems with the manufacturer's new system that is nearly impossible to defeat because "we use 1024 bit encryption, rolling code algorithms, blah blah blah....."

Yes, there is a multitude of ways that nearly every type of security technology can be defeated by a criminal, given enough skill, time, and the right equipment. And yes, there are certain types of end-users and certain types of facilities that should be concerned about these types of attacks and should take every reasonable step to prevent them.

But the vast majority of criminal acts are carried out by stupid people using remarkably unsophisticated techniques. It's my opinion that the risk of burglary using a remotely cloned proximity card is extremely low for 90% of all end-users. As Brian stated, it is far more likely that someone will tailgate into the building or force open a door or window than they are to use a cloned proximity card. On large buildings, it is also common to find doors that haven't closed properly or things like overhead doors left open even though they are unattended.

In a surprising number of cases, you can get into a secured building by simply asking - many untrained employees will knowingly let you in provided that you have a convincing story and are dressed appropriately.

At the end of the day, it is all about matching the types of security countermeasures used with the types of attackers that you expect. Facilities that contain extremely high-value assets certainly shouldn't rely on standard 125kHz 26 bit proximity cards, while using encrypted smart cards with biometric authentication would probably be overkill for an office supply warehouse.

A good restricted key system is hard to beat especially in a good access control system that at less busy times you need to use dual technology like a keypad code and card. All access starts with the quality of door and hardware. After hours with a card system you can program all access through a certain door not possible with a key system. Now days card systems can be programmed through active directory for access into the company network. this way your system can log off as you leave the building and not give access from the outside when you have entered the building.

I would agree with others that both key and prox have their advantages and disadvantages. With a key system you need a strong key management program. With prox you need a strong credential management process. I think which is better depends on a number of factors including:

  • Size and number of facilities
  • Number of employees/others with access privileges
  • Resources available to manage key and/or prox system(s)
  • Level of security required

With those things (and others) in mind, which is best becomes in part a matter of what the organization is trying to accomplish through their access control program and what resources they have available to manage the program.

If tight security with controlled access and access verification is the goal, I would say prox has an advantage in that it can be integrated into a larger system (VMS and access control) to provide more detailed information and recordings. With a key system on a large campus or complex or in instances where tight security is required, if someone loses a key or one is stolen, rekeying locks can get very expensive and a great deal of time and effort can be expended in the process of redistributing new keys. Lose a prox card? Disable it.

If light security is the goal (you just want to unlock the front doors during business hours and you have only a handful of employees) then a key system would likely meet the end user's needs. A prox system might be beneficial in such a circumstance, but are the nessecary resources and IT infrastructure/integration available, and are there resources available to manage the system? For a small company/organization, calling a locksmith might be the better solution.

That's my 25 cents worth. FWIW, our campus is moving from a majority physical key system to primarily prox. We have 40+ buildings totaling over 2.5 million sq. feet, 1300 employees, and 7600 students. Prox makes more sense for us from a management perspective, and we have integrated our prox and HR/student management systems to better manage our access security. We still use keys for a great deal of interior doors, but all exterior is or soon will be prox. Many high-security interior spaces are now on prox.