Silva Consultants | 06/14/15 01:58pm
All other things being equal, I would say that using an electronic access control system (prox cards) would provide better security because of: 1) the ability to tailor access privileges to specific times and days, 2) the ability to track when and where each card was used, and 3) the ability to quickly cancel the access privileges of cards that are lost or stolen, eliminating the need to rekey and issue new keys to everyone. Most access control systems are also capable of monitoring the doors and alerting staff when doors are forced or propped open.
That being said, good security requires so much more than just hardware or technology. Two important elements are good security procedures and ongoing security awareness training for employees. Without these, even the best electronic security systems can be rendered useless.
In my consulting practice, I have seen some facilities that have excellent security while using very little technology. On the other hand, I have seen many, many more facilities that use the latest video and access control technology, but still have very little actual security because of poor security procedures and acts of carelessness by employees.
So, I would argue that a facility that used a manual key system, but had excellent security procedures and training for employees, would probably have a higher level of security than a facility that had a prox access control system, but nothing in the way of security procedures or training for employees.
IPVMU Certified | 06/14/15 08:09pm
Neither is terribly secure. However, Prox still requires some special knowledge to spoof/copy, compared to a key that can be copied at any home improvement store indiscriminately.
Either form of credential is weak compared to multifactor authentication or smartcard encryption.
If I really wanted to promote security I wouldn't hang my hat on any single credential technology - key, prox, or smartcard. Most bad guys are going to find a much easier way into a facility than copying a key or proxcard. (Door prop, tailgating, crowbar, etc.)
I am in complete agreement with Mike Silva when he writes:
"I would argue that a facility that used a manual key system, but had excellent security procedures and training for employees, would probably have a higher level of security than a facility that had a prox access control system, but nothing in the way of security procedures or training for employees."
Picking or impressioning a lock doesn't take physical possession of the key either. In fact, making a copy of a key doesn't require much more than a picture of a key.
Two pictures to be exact, and a thumbprint at the kiosk.
"A casual photo from across the bar is absolutely not going to work," Marsh said. "What you do is you take the key off the key chain and you put it on a blank, white piece of paper, you scan the key from four inches away, you flip it over and you do the same thing. So you really have to have full possession of the key." - KeyMe CEO Greg Marsh
Bumping/picking is definitely a weakness, as you have previously explained. Though it requires at least some suspicious time spent (minutes?) at the door, as opposed to just a normal swipe.
Funny thing is, in this case, had it been a duplicate physical key, they would have not known who to suspect initially, and would probably have had to do a costly rekey in any event.
So I can see advantages/disadvantages to both. Curious, do you think that bumping is harder to learn than cloning?
Silva Consultants | 06/14/15 10:40pm
There is lots of talk about the ways that proximity cards can be remotely cloned, communications lines to controllers can be hacked, and biometric readers can be fooled in various ways. Manufacturers tend to play these vulnerabilities up in various ways, and urge that end-users replace their existing systems with the manufacturer's new system that is nearly impossible to defeat because "we use 1024 bit encryption, rolling code algorithms, blah blah blah....."
Yes, there is a multitude of ways that nearly every type of security technology can be defeated by a criminal, given enough skill, time, and the right equipment. And yes, there are certain types of end-users and certain types of facilities that should be concerned about these types of attacks and should take every reasonable step to prevent them.
But the vast majority of criminal acts are carried out by stupid people using remarkably unsophisticated techniques. It's my opinion that the risk of burglary using a remotely cloned proximity card is extremely low for 90% of all end-users. As Brian stated, it is far more likely that someone will tailgate into the building or force open a door or window than they are to use a cloned proximity card. On large buildings, it is also common to find doors that haven't closed properly or things like overhead doors left open even though they are unattended.
In a surprising number of cases, you can get into a secured building by simply asking - many untrained employees will knowingly let you in provided that you have a convincing story and are dressed appropriately.
At the end of the day, it is all about matching the types of security countermeasures used with the types of attackers that you expect. Facilities that contain extremely high-value assets certainly shouldn't rely on standard 125kHz 26 bit proximity cards, while using encrypted smart cards with biometric authentication would probably be overkill for an office supply warehouse.
A good restricted key system is hard to beat, especially in a good access control system where at less busy times you need to use dual technology like a keypad code and card. All access starts with the quality of door and hardware. After hours, with a card system you can program all access through a certain door, which is not possible with a key system. Nowadays card systems can be programmed through Active Directory for access into the company network. This way your system can log off as you leave the building and not give access from the outside when you have entered the building.
I would agree with others that both key and prox have their advantages and disadvantages. With a key system you need a strong key management program. With prox you need a strong credential management process. I think which is better depends on a number of factors including:
- Size and number of facilities
- Number of employees/others with access privileges
- Resources available to manage key and/or prox system(s)
- Level of security required
With those things (and others) in mind, which is best becomes in part a matter of what the organization is trying to accomplish through their access control program and what resources they have available to manage the program.
If tight security with controlled access and access verification is the goal, I would say prox has an advantage in that it can be integrated into a larger system (VMS and access control) to provide more detailed information and recordings. With a key system on a large campus or complex or in instances where tight security is required, if someone loses a key or one is stolen, rekeying locks can get very expensive and a great deal of time and effort can be expended in the process of redistributing new keys. Lose a prox card? Disable it.
If light security is the goal (you just want to unlock the front doors during business hours and you have only a handful of employees) then a key system would likely meet the end user's needs. A prox system might be beneficial in such a circumstance, but are the necessary resources and IT infrastructure/integration available, and are there resources available to manage the system? For a small company/organization, calling a locksmith might be the better solution.
That's my 25 cents worth. FWIW, our campus is moving from a majority physical key system to primarily prox. We have 40+ buildings totaling over 2.5 million sq. feet, 1300 employees, and 7600 students. Prox makes more sense for us from a management perspective, and we have integrated our prox and HR/student management systems to better manage our access security. We still use keys for a great deal of interior doors, but all exterior is or soon will be prox. Many high-security interior spaces are now on prox.