"Future-Proofing" Access Control Guide
By Brian Rhodes, Published Jul 30, 2015, 12:00am EDT
It's one of the most misused phrases around: "Future-proof". However, even without the crystal ball and wizards, designing access control to be "future proof" is much more practical than the concept implies.
The features we tag as 'future proof' are:
- Smartcard Frequencies
- Door Controllers
- Third Party Controllers
We also explain why these products or features should be avoided:
- ONVIF C
- 125 kHz Cards
- Combo Readers and Controllers
- Mobile Credentials
Inside, we explain the pros or cons of each technology and how following these guidelines can save you thousands or more.
In the sections below, we describe the access technologies to adopt and avoid for the best results for years to come.
First, here are the technologies to use in your access system, and why you should:
- OSDP: OSDP is a new approach that resolves longstanding security vulnerabilities between controllers and readers. The protocol is billed as a replacement for Wiegand, offering advantages like encryption and two-way communication, and it accommodates more credential data, faster. (For more detail, see our Wiegand vs OSDP note.) Moreover, while the protocol is still new, adoption by industry majors has been widespread, with leading companies on both the reader and controller sides already adopting it.
- 13.56 MHz Credentials: While the format is not new, the market has been slow to migrate to the higher-frequency, more secure 'smartcard' format. However, as time progresses, older formats become more difficult and expensive to obtain, security risks aside. With mainstream vendors like HID building new readers that primarily use 13.56 MHz formats, avoiding costly changeovers means adopting the format now.
- Decentralized Controllers: In the past, the most common architecture for access was to use one panel to control four or more doors, sometimes as many as 32 in one enclosure, or even to eliminate door controllers entirely (see our Eliminating Control Panels? Viscount review for one example). However, with the emphasis on and availability of IP networks within modern facilities, adding a 'smart controller' at the edge is not a challenge and offers savings to end users by reducing cable and installation labor to a few feet rather than home runs to central closets.
- 3rd Party Hardware: While 'proprietary' cannot be eliminated outright from access, restrictions can be lessened by adopting hardware controllers that can be used in multiple systems. Options for interoperable devices are limited to the three major providers and controllers we list in our Axis vs HID vs Mercury Access Controllers note. An end user with hardware from one of these providers typically has multiple management platform options to choose from if the current choice is failing to get the job done or goes out of business.
And here are the technologies to steer clear of and the reasons why:
- ONVIF Profile C: Despite grabbing attention early, ONVIF's access interoperability guideline has fizzled with no significant adoptions since Axis released their A1001 two years ago. The current outlook for ONVIF and other interoperability standards is grim with little market traction, detailed in our Access Interoperability: Going Nowhere note.
- 125 kHz Credentials: Steer clear of older, much-exploited, unencrypted contactless credentials using the 125 kHz frequency. Despite YouTube being full of videos revealing how to use $50 cloning kits widely available online, many end users and integrators are still adopting it as the key to their systems. In our most recent Favorite Access Control Credentials survey, a whopping 36% still call the type their preferred option. However, with costs for 125 kHz cards and readers typically equal to or more than 13.56 MHz products, there is little reason to continue using them.
- Combo Controllers: While decentralized controllers make good sense, the idea can be taken too far, as is frequently the case when the controller is combined with the reader. The major weakness of the approach is the vulnerability created by hanging the units on the unsecured side of the door, leaving the opening - and subsequent area security - at great risk from intrusion threats. We detail the risk in our Access Control: Combo Reader / Controllers Tutorial note.
- Mobile-Based Credentials: Few access technologies have gotten the hype of smartphone credentials. The slick imagery of access users waving their smartphones in front of a reader instead of a stale, boring ID card may make for great tradeshow buzz, but shifting to mobile is expensive and raises big operational problems, like how willing smartphone users will be to let employers manage device settings, how credentials are provisioned, and whether or not users need to carry cards anyway for picture IDs. We examine these major issues in our NFC: Not Ready for Primetime note, but they apply to BLE (Bluetooth Low Energy) for Access as well.
The exact dollar figure impact of these decisions is substantial, and savvy designers and end users can save thousands by 'buying right' upfront.
For example, a 'forklift upgrade' of proprietary controllers instead of reusing existing 3rd Party Hardware can amount to over $1000 per door when costing the additional controllers and installation labor. The cost of upgrading a reader to work with 13.56 MHz smartcards can be $200 per reader and $10 per card for each user when existing 125 kHz options are discontinued by the vendor.