Keypads For Access Control Tutorial

By: Brian Rhodes, Published on May 31, 2018

Keypad readers present huge risks to even the best access systems. If deployed improperly, keypads let people through locked doors almost as if they were unlocked.

However, despite the drawbacks, keypads are still one of the most common choices in access today.

With this note, we examine the weaknesses of keypads including:

  • Revealing Buttons 
  • Snooping Eyes
  • PIN Sharing is Easy

Inside we offer advice on how to deploy them securely and examine a type of keypad that overcomes glaring weaknesses.

Operation Described

The function of keypads in access control is dead simple. The door or gate remains locked until the user enters a valid combination string, usually a sequence of numbers. Most access control applications assign each user their own number, called a Personal Identification Number (PIN). Unless the user enters a valid combination, the opening remains locked.

Why Keypads?

If these input readers are so terrible, why do people use them? The single biggest 'pro' in using keypads is that no external credential is required. There are no cards or fobs to buy, fingerprints to enroll, and template records to manage. A user is given an access code that is presumably memorized or included in other documents, and nothing else is required.

The lack of an external credential results in a lower operating cost relative to 'credential based' systems.


The Problems

Despite being one of the oldest and most used access readers, keypads have huge vulnerabilities. Worse still, it takes no special tools or skills to exploit these problems. While individual units may be better, or even worse, than others at these shortcomings, the biggest problems are:

  • Revealing Buttons 
  • Snooping Eyes
  • PIN Sharing is Easy

In the sections below, we examine these issues and address how they undermine even the best access control platform and most secure locks.

Revealing Buttons

Keypad buttons wear and collect dirt over time. This is a huge problem, because only the buttons needed to gain access are the ones typically showing proof of use. Take the two examples below:

The left unit has buttons that pick up dirt and grime from users' fingers. At first glance, only four buttons show this soil, but even the most inexperienced intruder would likely associate the physical location of the keypad with a common characteristic of the area, the US postal ZIP code.

Simple guessing and less than 5 minutes of challenges will open this 'secured' door. Soiled buttons, even when representing a 'random' number, reduce the potential combinations from tens of thousands to a few hundred, and likely combinations (address/phone/apartment numbers) may take seconds to narrow down.

Likewise, wear is obvious in the example on the right. Instead of grime, notice the keypad buttons are constructed of stainless steel. Despite the extra expense of a unit built with 'cleaner' buttons, you will notice the unused buttons are dull while the buttons most often touched are shiny. In this case, guessing the most likely combinations is almost instantaneous.

Snooping Eyes

Even when evidence of prior combinations is not obvious, users can be watched entering their codes.

Unless a user is deliberate in shielding their fingers and the keypad while entering a PIN, even a casual observer can note and memorize the code. A more determined intruder may use long range optics or even 'exotic' thermal cameras to snoop out valid combinations.

PIN Sharing is Easy

Even if 'passive' means of gaining a code are difficult, a huge vulnerability that is almost impossible to mitigate is users sharing codes outright. It may seem like an easy solution for an inconvenient circumstance, but sharing a unique PIN with just one other person means that 'access control' is lost.

Even worse are examples where valid and general codes are written on labels or stickers, adhered to the unit in plain sight, and totally undermine having electronic access codes at all:

Overcome the Weaknesses

Regardless of the vulnerabilities, keypads are installed in droves in modern access control systems. With careful attention and active management, the inherent risk can be minimized. The steps include:

Clean and Maintain Units

Wipe away oils, grime, and even 'temporary' impacts like snow. Installing keypads inside of hinged enclosures [link no longer available] may help, but physically inspecting the buttons, keeping them clean with a mild solvent (rubbing alcohol or ammonia), and inspecting the buttons for damage and wear will go a long way in preserving security.

However, all the additional effort results in a maintenance cost not typically needed by other credential types like contactless cards or biometrics. 

Routinely Change PINs

One of the biggest failures of keypads is that PIN assignments never change. Over time, the user's sense of responsibility to keep the number secure slips.

The best and most authoritative method of remedying loose control of PINs is simply to change them on a routine basis. The frequency of changes depends on the population of users. For systems with fewer than 100 PINs, changing twice yearly helps refresh the value in users' minds.

Multifactor Authentication

Another key method of beefing up keypad security is to combine them with more than one credential. For example, requiring users to carry both credential cards AND PIN combinations has the added effect of ensuring that neither lost/stolen cards OR shared codes can be individually used. We examine using multiple credentials together in: Multi-Factor Authentication Primer.

However, the penalty for adding additional factors manifests itself in additional time to credential through openings and issuing/maintaining secondary credentials.

Scramble Keypads

Some keypads are more secure than others. A version called 'scramble pads' or 'random pads' does not display numerical digits in a predictable "1-9,0" orientation, but instead randomizes the values every time they are used. The randomness mitigates the 'button wear' vulnerability, and evenly distributes wear among all buttons. Two common types are shown below:

Advantages of these units are that the orientation of digits is randomized each time a user punches in a code, and that the digits cannot be viewed unless directly in front of the unit. However, they are very expensive (~$900 - $1200, compared to <$200 for 'non scramble' types) and not always supported by the EAC system.
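As an added example (not from the original report), the Python sketch below quantifies the 'Revealing Buttons' problem and the scramble-pad remedy: it simulates button wear on a fixed and a scrambled layout, then counts the PINs still consistent with the visibly worn buttons. The PIN, entry count, wear threshold and uniform per-entry shuffle are assumptions made for illustration.

```python
import secrets
from math import comb

DIGITS = "1234567890"  # fixed layout: physical button i always shows DIGITS[i]

def residual_keyspace(worn_count, pin_length):
    """Count PINs of pin_length that use each of worn_count digits at least once
    (inclusion-exclusion over the digits a candidate PIN leaves out)."""
    k = worn_count
    return sum((-1) ** j * comb(k, j) * (k - j) ** pin_length for j in range(k + 1))

def simulate_wear(pin, entries, scramble):
    """Return press counts per physical button after `entries` PIN entries."""
    rng = secrets.SystemRandom()
    presses = [0] * len(DIGITS)
    for _ in range(entries):
        layout = list(DIGITS)
        if scramble:
            rng.shuffle(layout)  # assumption: uniform random layout per entry
        for digit in pin:
            presses[layout.index(digit)] += 1
    return presses

def visibly_worn(presses, threshold=0.25):
    """Buttons pressed at least `threshold` times as often as the busiest one."""
    peak = max(presses)
    return [i for i, n in enumerate(presses) if n and n >= threshold * peak]

def compare(pin, entries=5000):
    """Map keypad type -> (worn button count, PINs still consistent with the wear)."""
    result = {}
    for name, scramble in (("fixed", False), ("scramble", True)):
        worn = visibly_worn(simulate_wear(pin, entries, scramble))
        if len(worn) == len(DIGITS):
            remaining = 10 ** len(pin)  # uniform wear rules nothing out
        else:
            remaining = residual_keyspace(len(worn), len(pin))
        result[name] = (len(worn), remaining)
    return result

if __name__ == "__main__":
    # Constructed 5-digit PIN with one repeated digit (four distinct buttons).
    for kind, (worn, remaining) in compare("50125").items():
        print(f"{kind:8s} worn buttons: {worn:2d}  candidate PINs: {remaining}")
```

On the fixed layout the four worn buttons leave 240 candidate five-digit codes, while the scrambled layout wears all ten buttons and leaves the full 100,000.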

[Note: This guide was originally written in 2013, but substantially updated in 2018.]
