Keypads For Access Control Tutorial
By: Brian Rhodes, Published on May 31, 2018
Keypad readers present huge risks to even the best access systems. If deployed improperly, keypads let people through locked doors almost as if they were unlocked.
However, despite the drawbacks, keypads are still one of the most common choices in access today.
With this note, we examine the weaknesses of keypads including:
- Revealing Buttons
- Snooping Eyes
- PIN Sharing is Easy
Inside we offer advice on how to deploy them securely and examine a type of keypad that overcomes glaring weaknesses.
The function of keypads in access control is dead simple. The door or gate remains locked until the user enters a valid combination string, usually a sequence of numbers. Most access control applications assign each user their own number, called a Personal Identification Number (PIN). Unless the user enters a valid combination, the opening remains locked.
If these input readers are so terrible, why do people use them? The single biggest 'pro' in using keypads is that no external credential is required. There are no cards or fobs to buy, fingerprints to enroll, and template records to manage. A user is given an access code that is presumably memorized or included in other documents, and nothing else is required.
The lack of an external credential results in a lower operating cost relative to 'credential based' systems.
Despite being one of the oldest and most used access readers, keypads have huge vulnerabilities. Worse still, it takes no special tools or skills to exploit these problems. While individual units may be better, or even worse, than others at these shortcomings, the biggest problems are:
- Revealing Buttons
- Snooping Eyes
- PIN Sharing is Easy
In the sections below, we examine these issues and address how they undermine even the best access control platform and most secure locks.
Keypad buttons wear and collect dirt over time. This is a huge problem, because only the buttons needed to gain access are the ones typically showing proof of use. Take the two examples below:
The left unit has buttons that pick up dirt and grime from users' fingers. At first glance, only four buttons show this soil, but even the most inexperienced intruder would likely associate the physical location of the keypad with a common characteristic of the area, the US postal ZIP code.
Simple guessing and less than 5 minutes of challenges will open this 'secured' door. Soiled buttons, even when representing a 'random' number, reduce the potential combinations from tens of thousands to a few hundred, and likely combinations (address/phone/apartment numbers) may take seconds to narrow down.
Likewise, wear is obvious in the example on the right. Instead of grime, notice the keypad buttons are constructed of stainless steel. Despite the extra expense of a unit built with 'cleaner' buttons, you will notice the unused buttons are dull while the buttons most often touched are shiny. In this case, guessing the most likely combinations is almost instantaneous.
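To put numbers on the reduction described above, the following added example (not part of the original article) counts how many codes remain once wear or grime shows exactly which keys a code uses. It assumes a 10-key pad and a single code whose digits are exactly the marked keys; the function names are illustrative.

```python
from math import comb, log2

KEYS = 10  # digits 0-9 on a standard keypad (assumption)


def codes_pressing_exactly(worn: int, length: int) -> int:
    """Count codes of `length` digits that use every one of `worn` keys at
    least once and no other key (inclusion-exclusion over omitted keys)."""
    if worn < 1 or worn > length:
        return 0
    return sum((-1) ** j * comb(worn, j) * (worn - j) ** length
               for j in range(worn + 1))


def wear_exposure(worn: int, length: int) -> dict:
    """Compare the full code space with what remains once the button
    surfaces show which keys the code uses."""
    full = KEYS ** length
    left = codes_pressing_exactly(worn, length)
    return {
        "full": full,
        "remaining": left,
        "bits_full": round(log2(full), 1),
        "bits_remaining": round(log2(left), 1) if left else 0.0,
    }


if __name__ == "__main__":
    # Constructed cases: (marked keys, code length)
    for worn, length in [(4, 4), (4, 5), (4, 6), (6, 6)]:
        r = wear_exposure(worn, length)
        print(f"{worn} marked keys, {length}-digit code: "
              f"{r['full']:>9,} -> {r['remaining']:>5,} codes "
              f"({r['bits_full']} -> {r['bits_remaining']} bits)")
```

For the five-digit code with four soiled keys, this leaves 240 of 100,000 codes; a four-digit code with four marked keys leaves only 24.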
Even when evidence of prior combinations is not obvious, users can be watched entering their codes.
Unless a user is deliberate in shielding their fingers and the keypad while entering a PIN, even a casual observer can note and memorize the code. A more determined intruder may use long-range optics or even 'exotic' thermal cameras to snoop out valid combinations.
PIN Sharing is Easy
Even if 'passive' means of gaining a code are difficult, a huge vulnerability that is almost impossible to mitigate is users sharing codes outright. It may seem like an easy solution for an inconvenient circumstance, but sharing a unique PIN with just one other person means that 'access control' is lost.
Even worse are examples where valid and general codes are written on labels or stickers and adhered to the unit in plain sight, which totally undermines having electronic access codes at all.
Overcome the Weaknesses
Regardless of the vulnerabilities, keypads are installed in droves in modern access control systems. With careful attention and active management, the inherent risk can be minimized. The steps include:
Clean and Maintain Units
Wipe away oils, grime, and even 'temporary' impacts like snow. Installing keypads inside of hinged enclosures may help, but keeping the buttons clean with a mild solvent (rubbing alcohol or ammonia) and physically inspecting them for damage and wear will go a long way in preserving security.
However, all the additional effort results in a maintenance cost not typically needed by other credential types like contactless cards or biometrics.
Routinely Change PINs
One of the biggest failures of keypads is that PIN assignments never change. Over time, the user's sense of responsibility to keep the number secure slips.
The best and most authoritative method of remedying loose control of PINs is simply to change them on a routine basis. The frequency of changes depends on the population of users; for systems with fewer than 100 PINs, changing twice yearly helps refresh the value in users' minds.
Another key method of beefing up keypad security is to combine them with more than one credential. For example, requiring users to carry both credential cards AND PIN combinations has the added effect of ensuring that neither lost/stolen cards OR shared codes can be individually used. We examine using multiple credentials together in: Multi-Factor Authentication Primer.
However, the penalty for adding additional factors manifests itself in additional time to credential through openings and in issuing/maintaining secondary credentials.
Some keypads are more secure than others. Versions called 'scramble pads' or 'random pads' do not display numerical digits in a predictable "1-9,0" orientation, but instead randomize the values every time they are used. The randomness mitigates the 'button wear' vulnerability, and evenly distributes wear among all buttons. Two common types are shown below:
Advantages of these units are that the orientation of digits is randomized each time a user punches in a code, and that the digits cannot be viewed unless directly in front of the unit. However, they are very expensive (~$900 - $1200, compared to <$200 for 'non scramble' types) and not always supported by the EAC system.
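A small simulation of the wear claim, added here as an illustration and not taken from the article or any vendor: it counts presses per physical button for the same PIN on a fixed-layout pad and on a pad that reshuffles its digits before every entry. The PIN, entry count and function names are constructed for the example.

```python
import random
from collections import Counter

BUTTONS = 10  # physical button positions 0-9 (assumption)


def simulate_wear(pin: str, entries: int, scramble: bool, seed: int = 1) -> Counter:
    """Return presses per physical button after `entries` uses of `pin`.

    Fixed pad: digit d is always printed on button d.
    Scramble pad: digits are reshuffled over the buttons before each entry.
    """
    rng = random.Random(seed)      # seeded only to make the simulation repeatable
    layout = list(range(BUTTONS))  # layout[button] = digit shown on that button
    presses = Counter({b: 0 for b in range(BUTTONS)})
    for _ in range(entries):
        if scramble:
            rng.shuffle(layout)
        button_for = {digit: button for button, digit in enumerate(layout)}
        for ch in pin:
            presses[button_for[int(ch)]] += 1
    return presses


def wear_summary(presses: Counter) -> dict:
    """Summarise what the button surfaces would show after use."""
    used = [b for b, n in presses.items() if n > 0]
    counts = [presses[b] for b in used]
    return {
        "buttons_showing_wear": len(used),
        "max_over_min": round(max(counts) / min(counts), 2),
    }


if __name__ == "__main__":
    pin, entries = "7341", 5000  # constructed sample values
    for label, scramble in [("fixed layout", False), ("scramble pad", True)]:
        s = wear_summary(simulate_wear(pin, entries, scramble))
        print(f"{label}: {s['buttons_showing_wear']} buttons show wear, "
              f"heaviest/lightest = {s['max_over_min']}")
```

On the fixed layout only the four PIN keys accumulate presses, while the scramble pad spreads the same number of presses almost evenly over all ten buttons.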
[Note: This guide was originally written in 2013, but substantially updated in 2018.]