Designing Access Control GuideAuthor: Brian Rhodes, Published on Jan 08, 2015
Designing an access control solution requires decisions on 8 fundamental questions. This in-depth guide helps you understand the options and tradeoffs involved in designing an excellent access control solution.
The eight fundamental questions are:
- Are the Benefits Worth the Cost?
- What Do You Secure?
- What Forms of Authentication and How Many Do You Need?
- What Kind of Reader Should You Use?
- What Kind of Lock Should You Use?
- What Do You need at the Door Besides a Reader and Lock?
- How Do You Connect the Reader to the Network?
- What Type of Access Control Management System Should You Use?
This report focuses on selecting and designing electronic access control system (using cards, pins, biometrics, etc.) rather than key based ones.
Access Control Course
Our next IPVM access control course starts on January 20th. Learn more about IPVM Access Control Course and Certification Winter 2015.
While electronic systems are far more sophisticated and generally more secure, many people still use keys. The reason is simple: cost. Industry averages for electronic access control ranges $1500 to $5000 per door installed. Locksets, on the other hand, run between $50 to upwards of $500, depending on the level of security required.
While electronic systems provide many benefits over keys, they will cost thousands more per door than keys/locks. As such, you may determine the cost of electronic systems cannot be justified or that only certain doors are worth installing electronic access control.
What are the benefits?
To determine if electronic access control is worth the cost, understand if the following benefits apply to your use:
- An access control system simplifies management of access to the building. Keys do not need to be made and distributed to employees or contractors. Credentials (either permanent or temporary) are issued to the respective party, and that is it.
- The potential risk associated with a misplaced or stolen key is significantly reduced. Typically if a key to an exterior door is lost, best practice and common sense would mandate re-keying the facility, lest that key fall into criminal hands. Re-keying is typically a large expense. Lock cores cost between $30 and $75 or more, and locksmiths upwards of $50 per hour, so a four-door building can cost hundreds of dollars.
- Improved audit trail: With keys, no record is kept of who came and went through each door, and when. Intrusion detection and surveillance systems may provide some idea, but not as simply, or in as much detail.
- With keys, in many facilities, staff must manually lock and unlock doors at the beginning and end of business. This requires time and introduces the risk of forgetting or not properly locking a door. Doors controlled by an access control system, whether controlled by a card reader or not, may be automatically unlocked in the morning and locked at night on a schedule, or when the intrusion detection system is disarmed and rearmed.
What do You Secure?
After answering the why, the second question when planning an access control deployment is what. What assets are to be secured? Doors which are infrequently used, or by a very limited number of staff, such as closets, typical non-critical offices, and mechanical spaces, typically are not worth the expense of adding access control, unless a legitimate risk to high-value assets is expected.
Typical spaces we see access control applied:
- Exterior Doors: Typically, exterior doors are the first thing to be secured. This simplifies access to the building, so staff do not need keys, while keeping unauthorized persons out of all entrances except those intended. Visitors may be directed to a particular entrance where staff can receive them. Typically, this is done in one of two ways. (1) Remotely: In this scenario, visitors to the facility utilize an intercom (audio/video is most definitely preferred) to speak to reception or security staff, who then remotely release the door so they may enter. (2) In-person: In this scenario, visitors simply enter the building through an unlocked set of doors and speak to reception staff. In both instances, the visitor may be kept outside of the facility entirely, or they may be allowed access into the building into a lobby or vestibule, which is secured by a second access controlled door.
- Gates: Entry gates are commonly added to an access control system. This moves access to the perimeter, from the door, often desirable in high crime areas or high-security facilities. This is typically paired with surveillance and/or video intercom so staff may visually confirm who is requesting entry. The gate may then be remotely released for deliveries or visitors. Wireless interfaces make access control of gates easier, by avoiding trenching costs. The gate is usually controlled via interface to a gate operator or through specialized locks made for the application.
- HR and Accounting Areas housing confidential company records are often next to be secured.
- Inventory and Warehouse Areas: Storage rooms and warehouses are easy targets for both internal and external threats. Securing entrances to these areas reduces access, provides a log of activity, and introduces an extra obstacle for anyone intending to steal supplies or equipment.
- Data Closets: Along with network security becoming a bigger issue, access control of data centers and IDF’s has increased. Considering the server room is often the brains of an organization’s operation, this is a good practice. Specialized systems exist for securing cabinets in larger, often multi-user, data centers.
- Classrooms: With computers being a common target of theft in schools, locking classrooms is often desirable. Installing electrified locks on each classroom also provides lockdown capability, so in emergencies security staff may lock down the entire campus with a single action.
- Cabinets: Specialized locks for use on cabinets have are available so that access control may be moved to the specific asset instead of the door.
- Key Control Cabinets: Many organizations, even those who use EAC extensively, still need to manage a certain quantity of keys, whether for vehicles, cabinets, or other purposes. Often, these keys are kept in a cabinet or on a backboard, which are conspicuous and an easy target for any criminal. Simply using a securely mounted cabinet with an electrified lock reduces this risk. More elaborate systems for key management exist as well, providing control and audit trail down to the level of the individual key.
What forms of authentication and how many do you need?
A key goal of access control is to selectively let people in. To do so, you need to choose a technique for people to prove that they have legitimate access to an entrance. This proof generally falls under the common mantra, something you know, have or are. Lets look at the practical options used in real-world security systems:
- Something you Know: This is the most common technique in accessing computers and second most in accessing doors. The best examples of this are passwords or pincodes. Since they are so easy to share and steal from an authorized user (it is essentially free to replicate them), most physical access control systems stay away from using this as the only means of authentication.
- Something You Have: This is the most common technique used in physical access and best represented by the card or fob. The user carries this physical token with them and presents it at the entrance. It is generally considered stronger than pincodes because they are harder to reproduce. On the other hand, it is possible to reproduce and the risk that the card is shared is still a threat.
- Something You Are: This is the least common technique used in security but generally considered the strongest. Good examples include fingerprint, face, vein and hand geometry. These are fairly hard to fake (Hollywood movie counterexamples notwithstanding). However, biometrics are still quite rarely used statistically. Even for the ones that are considered to work well, the price increase over cards makes it hard for most to justify.
You can use these in combination. Indeed, this approach, called 'multi-factor authentication' is very popular among security practitioners. You can have dual or triple mode authentication where users are required to use a pin and a card or a card and fingerprint or all three together. If both or all do not pass, entrance is denied. The big plus for this approach is that it makes it much harder for an illegitimate user to get in. The big downside is that it becomes inconvenient to users who will be locked out if they forget one and will take more time and hassle to get in each time they check in. Because of this, the number of factors of authentication usually increases with the overall level of security or paranoia of the facility (e.g., condos are single factor, military bases can be triple, etc.).
What kind of lock should I use?
There are a variety of locks that may be used on access controlled doors, all having their application.
- Electric strike: The electric strike replaces the strike plate in the door’s frame (the metal plate the door latches into), and will unlock when power is applied to it.
- Electromagnetic lock: The most common lock used for access control, electromagnetic locks, or mag locks, or simply “mags”, consist of a coil of wire around a metal core, which produces a strong magnetic field when energized. The mag lock is mounted on the door frame, normally, and the door is fitted with a plate which matches up with it. Under locked conditions, the magnet is kept energized, holding the plate to it. When the door is unlocked, power is cut, and the door releases. Mag locks are easier to install than other types of locks, since everything is surface-mounted, but they have certain trade offs required for convenience and life safety, which we will touch upon later.
- Electrified hardware: The most unobtrusive method of electrically locking a door, electrified hardware puts the locking mechanism inside the door hardware itself. These may come in either mortise or cylinder lockset forms, or in exit panic hardware. Either form retracts the latch when power is applied, unlocking the door. These locks may also build request-to-exit and DPS into the hardware, requiring even fewer devices at the door.
What kind of reader should You Use?
Readers allow users to request doors to be unlocked and come in a wide variety of options.
Keypad: A very simple form of access control, in which the user enters his or her PIN number at a keypad device to open the door. Keypads suffers from the inherent security flaws of PINs described above. See our: Worst Readers Ever post for more details.
Card Readers: There are numerous card technologies currently in use in the industry, both contact and contactless.
- Contact readers include magnetic stripe, Wiegand, and barcode. Of the three magnetic stripe is the only technology still widely used today. Barcode finds some use, mostly in legacy systems, but is so easily duplicated - one simply has to copy the barcode - it has fallen out of favor. Magnetic stripe readers are still regularly used on college campuses and in other facilities, especially where cards are used for purposes other than simply access. Mag stripe was common for cashless payment, but many of those applications are being filled by smart cards today. Contact readers are easily damaged by vandals, by inserting foreign objects, or even gum, into the slot. This is one of the reasons contactless proximity cards have become more common.
- Contactless readers include standard prox, contactless smart card, and other technologies, some proprietary to a specific manufacturer. HID prox readers are by far the most widely implemented technology in access control, with almost every manufacturer supporting, and many reselling them. Regardless of which specific reader you use, the technology is basically the same for purposes of this discussion: the reader emits a field which excites a coil on the card, which then transmits an embedded number to the reader. Smart card technology has had somewhat limited acceptance due to higher pricing when it was introduced. With prices falling in line with those of standard prox, however, we recommend all new installations use smart card technology. We will contrast the two technologies in a future report. Also, a word of warning when selecting readers: proprietary card and reader technology will almost always require that all readers be changed and cards reissued should a facility change access control systems in the future. For this reason, we recommend against using them, instead favoring standard technologies.
Biometrics: For access control purposes, we typically see one of three or four biometric readers used: Fingerprint, iris, hand geometry, and retina, with fingerprint readers being by far the most common. No matter which reader you choose, there are several drawbacks to consider:
Access time is typically longer than when a card is used. In high-throughput areas, this may be a problem. You would not want to require an incoming shift of workers in a factory to filter through biometric readers for building access, for example.
Biometric readers generally require an additional weatherproof enclosure. This adds expense and slows access time more. Additionally, many of these enclosures require an employee to manually open and close them, which increase risk of human error. Failing to close a weatherproof enclosure after use may damage the reader.
Compared to card readers, biometric readers are expensive. While a card reader may be found online for $150-200, biometric readers routinely are priced over $800. This is offset somewhat by eliminating the expense of cards, but it must be taken into account.
What type of reader should I use?
Whichever technology is chosen, form factor must be taken into account. Readers come in a variety of form factors, from miniature to oversized, depending on the application. Miniature readers may be used to be aesthetically pleasing on an aluminum-framed door, for example, while a 12” square reader may be positioned at the parking garage entry for better read range. Generally speaking, the distance at which a card can be read increases wit the size of the reader. Standard read range is between one and four inches.
How do you connect readers to the network?
While readers need to located near entrance points, they must be connected to a network so that information on who is accessing and who is allowed can be updated and communicated with operators. Making this more challenging, readers are generally all over the place, distributed throughout a facility. Because of this, you need to determine how those readers are going to be connected back to the network.Two fundamental options exist:
- Connect readers via IP or Serial
- Connect readers via wireline or wireless
Traditional systems used wireline serial connections to link readers to control panels. Even today, this is still statistically the most common way to do things. On the other hand, a significant portion of innovation in access control systems is coming from IP and/or wireless connectivity.
What else do I need at the door?
- Activation of this sensor signals the access control that someone is exiting. If the door opens (the DPS switch reports open state) without a RTE being sent first, the access control system interprets it as a forced door alarm. Motion sensors are typically preferred for request-to-exit devices, for convenience. There are considerations that must be made when using mag locks, however. In the US, life safety code requires that there be a means to physically break power to the mag lock. This is done in case the access control system should fail. If the system no longer received request-to-exit signals, or failed to unlock a maglock when it did, there would be no way to open the door. For this reason, you will often see a request-to-exit motion sensor along with a pushbutton used with mag locked doors. The motion sensor for everyday use, and the pushbutton being used in case of emergency or system failure.
The devices above require power, of course, so power supplies are another consideration when designing an access control system. There are three methods by which door devices may be powered:
- A power supply centralized with the access control panel. This is the simplest method, requiring the least high voltage to be run and thus reducing cost. However, voltage drop may become an issue, so calculations must be performed to take this into account. Our Powering Video Surveillance training discusses voltage drop and power budget calculations in depth.
- A power supply local to the door. This is common in cases where electrified hardware is used. The power draw of an electrified device is normally much greater than a mag lock or electric strike, so local power is installed, to avoid voltage drop issues. The downside of this is that it adds another point of failure, as opposed to a single central power supply.
- Power over Ethernet. A relatively recent development to the industry, power over Ethernet is being utilized to power single-door (or in some cases two-door) controllers, which in turn supply power to all the attached devices. In our experience, this is normally enough to power typical strikes and mag locks, but not latch retraction devices. Power draw also varies by manufacturer, so care must be taken to make sure enough power exists to operate the selected lock.
No matter which method you use for powering devices at the door, fire alarm interface may need to be considered. Typically, doors in the path of egress are required to allow free egress in the case of fire. Note that this does not necessarily mean they must unlock, a common misconception. Doors equipped with electric strikes are not required to unlock if they also are equipped with panic hardware. Mag locks are, however, in almost all cases required to unlock. Remember this when considering locks for your access control system, as simply pulling a fire alarm pull station may leave the building completely vulnerable if mag locks are used.
We also recommend using supervised power supplies for access control applications. These power supplies supply contact closure upon AC fault conditions, or battery fault if backup power is being used, alerting the access control system that power to the door is lost. This allows more proactive monitoring, instead of waiting for a user to discover that a door does not open, or in the case of a mag lock, that it does not lock.
Discussion of devices at the door would be incomplete without mentioning integrated access devices. These devices build the reader, lock, DPS, and RTE into the hardware of the door. They may be either wired or wireless, network-based or open platform. They reduce labor costs by eliminating the need to install multiple devices, but do require more specialized skills. Replacing locksets and panic hardware can be tricky and requires training. In the case of wired devices of this sort, the door must also be “cored”, which means a hole is drilled through the entire width of the door so cables may be run through it from the hinge side, requiring specialized gear. Wireless locksets of this sort greatly reduce the amount of cabling that must be run, but do present their own issues. We will be covering wireless access in more detail in another report.
What Type of Access Control System Should I Use?
Three types of management exist for access control systems:
- Embedded: Also called web-based or serverless, the access control system is managed wholly through the access control panel, via web page interface or occasionally software. Typically functionality is limited in this method, due to the limitations of what can be done in a standard browser (without added plugins, Flash, ActiveX, etc.), which will work on all platforms: Windows, Mac, Linux. Enrollment and logging functions are easily available, but real-time monitoring is more of a challenge. Cost is reduced, since no server must be supplied.
- Server-based: The more common method, puts administration, management, and monitoring of the access control system on a central server. Client software installed on management or monitoring PC’s connects to this server to perform necessary functions.
- Hosted: Relatively new to the industry, hosted access control systems are managed by a central server which manages multiple end users’ systems from “the cloud”. (See our review of Brivo, for an example hosted access control system) The only hardware required on site is the access control panel with an internet connection. User interface is usually through a web portal, making hosted access a combination of web-based and server-based management. The hosting company must manage the system as a traditional server-based system would be managed, but to a user, all interface is via the web.
When selecting an access control system, consider what features you will need at the present time, and consider where the system will go in the future. Some questions to ask:
- Does it use standard card readers? While HID and NXP are well-known as access control industry juggernauts being OEM’d or supported by the vast majority of manufacturers, not every system utilizes compatible readers. Some manufacturers support only proprietary readers which would typically need to be replaced should the system be changed to a different vendor’s product in the future. Others utilize different cabling topologies, which usually require less cable to each door, typically a single cable, with all the devices at the door connecting to an intelligent reader or small controller. If future-proofing is a concern, as it typically is and should be, select systems which utilize standard wiring schemes.
Another consideration when discussing “openness” of a system is whether the selected manufacturer uses open platform control panel hardware or their own proprietary panels. If the system runs on open hardware, most, if not all, of the head end panels may be reused when changing to a competitive system. Mercury Security is the largest supplier of OEM hardware to the access control industry, with manufacturers such as Lenel, Honeywell, RS2, and more using their hardware. HID’s network-based Edge and VertX platform are seen second-most often. Even Axis has entered the 3rd party market with the A1001. Selecting a system that utilizes open hardware can save an organization thousands of dollars when changing to a different system in the future.
In the case of a small organization with a handful of doors, open platform hardware may be a non-issue. If the required featureset is small, and the likelihood of moves and expansions is low, a proprietary web-based platform will suffice. However, for enterprise-level systems, non-proprietary hardware is highly recommended to avoid becoming trapped by a single vendor.
- Do you require integration to other systems? Integration of surveillance systems (or other systems) with an access control system has grown in popularity in the past few years. For our purposes, we are specifically discussing software-based integration. Integrations via inputs and outputs, or RS-422 command strings, have been in use for many years and are very functional, but nowhere near the level of a true software integration. Some features you may expect via software integrations:
- Integrating surveillance with access control allows access events to be presented to an operator with corresponding video. This reduces investigation and response time of the guard force. Integrated systems may also slew PTZ cameras in the direction of a forced door or access denied event.
- Integrating intrusion detection with access control allows for arming and disarming of the system via card swipe. Sometimes this is based on the first person in/last person out, using people counting features of the access control system. We feel cardswipe arming/disarming is a security risk, however, as a lost card now unlocks the door and disarms the building, leaving the facility-wide open for any thief. Integrating the intrusion detection system also allows for arming and disarming from the access management software, as well.
- It should be noted that these integrations are rarely very “open”. Most commonly, the video management, intrusion detection, and access management systems must be from the same manufacturer. At best, an access control system will support a handful of video platforms. Intrusion integration has historically been strictly limited to the same manufacturer.
- While intrusion and surveillance integrations are the most common, other systems may be integrated to the access control system as well, depending upon the capabilities of the ACS platform. If the intent is to use the ACS as a full security management platform, displaying and correlating all alarms, fire alarm, building automation, perimeter detection, or other systems may also be considered for integration. The capabilities of some access management system are beginning to approach those of true PSIM platforms, though typically without the procedure element common to PSIM.
- Many systems, especially web-based varieties, feature only integration to video, if any integration exists at all. This is especially common among the smaller access-control-only manufacturers. Integration to third-party systems is usually not a free feature of the software, either, and buyers should beware of licensing fees before making purchasing decisions. The only integration commonly free is with a manufacturer’s own video management or DVR systems.
- How will the system be used? If all the system must do is unlock doors when a card is presented, simply to replace keys, make sure that the enrollment features of the system are simple to use. Chances are that live monitoring will not be crucial in a system such as this. Access logs should be simple to review, as well.
- If the system will be used in a live-monitored scenario, it should offer all relevant information in a streamlined fashion, without clutter. Typically this will consist of an event list, in which all system events scroll through as they occur. Map views may also be useful, depending on the facility. This way an operator may see exactly where an alarm is occurring, speeding response. Cameras and other integrated system devices are also commonly shown on the map for ease of use.
Outside the typical door access scenario, there are some special use cases of access control we may run into:
- Elevators: There are two methods of restricting access to an elevator (1) Call the elevator car upon a valid card read, instead of pushing a button. This method puts a single reader outside the elevator. A user presents his or her credential to call the car. Once in the elevator, the user has access to any floor he or she chooses. This is a simpler and less costly method of restricting access, since only a single card reader must be installed, but may not be applicable in all scenarios, if access to individual floors is desired. (2) Allow selection of individual floors based on the credential presented. In this scenario, when the user enters the elevator, the floors he or she is restricted to are lit, and floors they’re not allowed access to remain unlit. They will only be allowed to take the elevator to floors they’re given access to. There are multiple drawbacks to this method, although it may be unavoidable if this sort of security is required. First, it requires a card reader be mounted in the car, which requires interfacing with the elevator’s traveller cable, or wireless transmission be used. Second, it requires an input and output for each floor to activate and deactivate each of the buttons, which may be labor intensive depending on how many floors there are in the building.
- Harsh Environments: When utilizing access control in harsh environments, all of the devices in the system must typically be intrinsically safe, also called explosion proof. What this means is that the device will not spark and potentially create an explosion. While there are card readers specifically produced for these environments, typically they consist of a standard card reader mounted in an explosion-proof instrument enclosure, readily available from electrical distributors, and easily fabricated in the field.
- Mustering: A function of certain access control systems, mustering counts employees exiting the building via a designated reader or group of readers. So, in case of emergency, security and safety staff may see how many employees and visitors, in some systems, are still in the facility. Specialized wireless readers may also be used for mustering, In this case, the security officer carries a reader and has employees swipe their credentials as they reach the mustering point.
Most Recent Industry Reports
The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.