Multi-Factor Access Control Authentication Guide

By: Brian Rhodes, Published on Dec 10, 2018

Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting them to certain individuals.

Multi-factor authentication is used when the end-user is concerned about who can use access control credentials. In this guide, we explain the concept and the elements involved, including:

What Does Multi-Factor Authentication Mean?
What Benefits Multi-Factor Offers
The Four Factor Types Available
Which Factors Are Common For Access Control
What Drawbacks Multi-Factor Authentication Have
Why Single Factor Authentication Is Still Common

*** * ******** *** your ***********? *** ** the ****** ******** ****** access ******* ** ****** credentials ** **** ** use ** ****, *** restricting **** ** ******* individuals.

*****-****** ************** ** **** when *** ***-**** ** concerned ***** *** *** use ****** ******* ***********. In **** *****, ** explain *** ******* *** the ******** ********, *********:

**** **** *****-****** ************** Mean?
**** ******** *****-****** ******
*** **** ****** ***** Available
***** ******* *** ****** For ****** *******
**** ********* *****-****** ************** Have
*** ****** ****** ************** Is ***** ******

[***************]

Multi-Factor ************** *******

*** ******* ***** **** more **** *** ********** must ** ********* ** order ** **** ******. However, *** *********** *** 'layered' ** * *** that **** ********** **** other.

Four ************ *******

*** ********** ************** '*******' cannot ** *** ** the **** ***** *** are ********* ********** ******* types ** ***********. *** 'factor ******' *** ******** cited **:

********* *** **** ***: * **********/********** ******* administratively ** *** ****. Typically ** ****** ******* badge, *****, ** ***. Also ******** * ********** key, ********** **, ** passport.
********* *** **** *****: ********* * **** or ******** **** ******* by *** ****. ********* a *** ******, *** also ******* '******** *********' or '**** * ****** Security *****' *************.
********* *** **** **: ********* ******** **** the **** ** **** to *******. ********* ****** or **** ****** *** used, *** ***** ******** possible ********* **** ***********, heartbeats, ******/**** *****, *** even ****.
******* ******* ******** *** User: ***** ******* **********, another ***** ********** *** and ******* *** *** user. **** ***** ** a ****** ***** ** even * ************ **** grants ****** ***** ** familiarity.

Multiple ******* ********** ************

**** ** ***** ** securing ******, *********** **** a ***** ****. **** it ***** ** ******** credentials *** ******** **** the ***** ****** *** using ****, ******** ******* are ****** **** ** the ******** ******* *** weak.

* ******** ******* ** many *** ***-****** ***** and **** **** *** automatic ****** ********. **** credential, **** **** *****, is **** *** ****** defeated ** ****** *** malicious ***.

*******, **** ** ******** do *** ******* ********* embedded *****, ***** *** card ** ********* ******** with * ********* ***.

** *** ****, *** only *** ***** ***** required ** ** ******, but *** ******* *** required ** ** *******. This ***** ************ ****** factors ******** ** ********* them **** ******** ****** of **************.

Multi-Factor *******

** * **** ***** reader ******** ********* *****, fingerprint *****, *** ****** codes *** '*****-******' *******, two ** **** *********** would ** ******** *** entry, *** **** ********* credential ****** *** ********** for *** **** ** present ** *** ****.

*** ***** ***** ***** an ******* ** * typical '***** ******' ****** device:

*** ******* **** ******* support ****. *** *******, this *****-****** ****** ****************** ********* **** ***/** voice ************** ******* ** the **** ****** ***********:

Different *****

*** ****** ****** ** applied ******* **** ********* to ** ***-****'* ******** concerns. ***** ****** ********* about *** ******** *** of **** *********** *** require *** *******, ***** high-security ************* *** ******* three ** ****. ** define *** ******* ***** tiers *****:

Two *******

**** ***** * *********** of '********* *** **** ***' *** '********* ** *****', **** ** ****** Control ****** **** *** accompanying *** ******. **** if *** **** ***** the ****, ** ************ finder ****** *** ** to **** ****** ****** they **** **** * code, ***** ** ***** only ** *** ****.

******* *********** ********** ****** are **** *********, ** is **** ****** ** see *********** ** ***** physiological ******* **** **'********* *** **** **' ** *** ****** authentication.

Three *******

**** ******** ******** ** even ****** ***** ** validation, ***** ******* *** required. **** ***** **** is * *********** ** biometrics, *** *****, *** access ******* ***********, *** become ************* **** ****** to ********* *** ****** than ****** '****** ******' authentication.

** * ****** ** both **** *** **** to *** **** ***** of **************, ** ** used ** ******** **************, military, *** ******** ********** but *** ********* *** commercial ***-*****.

Guard/Verification ******

*** ******* ***** ** authentication ** ***** **** at ******** *** ***** sensitive *********, ***** ****** checkpoints *** **** ** conjunction **** *** ***** factors. ******* **** ******* takes *** **** **** and ** *** **** labor *********, ** ********* is *** ******** ****** the ******** **** ** very **** *** ******** manpower ** *********.

Multi-Factor ************** *********

******* ******** ****** ************ of *****, *****-****** ************** has *********.

*** ******* *********** *** is *** ********** **** required ** ******* ** manipulate *** ********** **********. Especially *** ******** ***** high ***** ******* *** needed, ****** **** **** to ******* **** *** additional ****** ***** *** more **** * *** seconds *** **** ****, potentially ****** ** ** many ******* **** *** course ** *** *****.

******* ********* ****** ** the ********* ***** ** multiple ****** ******* **** simple, ****** ****** ***** like *********** *******. * combination *****-****** ****** ** often $*** - $*,*** more **** * ******-****** unit ******* $*** - $300. **** *** ****** of **** * ***** system **** * - 4 *****, ***** *****-****** readers *** ******** ***** by *********.

Single ****** ***** ******

* ******** ** ********** access ******* ******* *** 'single ******' **************, *** this ** ********** *** the *********** ******** ** most ***-*****. *** ****** credential **** ** **** is **** ** *** identity ** *** ******, and *** ****** ******** (ie: *******, *****) ** recorded *** **** ******.

*** *********** *** ******* the **** ****** '****** factor' **********. ** ***** verification ** *** ****** is ******** **** *** key *** **** ******. While ********* ******** ** high-tech ********** ****** ***********, mechanical **** ***** ******* an ******** '***** *****' of ******** *** **** millions ** **********.

*** ***** *******, ***** multiple ******* ** ****** identity *** ** **** to *******. ******* ******* supporting ***** ****** *** more *********, *** ****** manned ************ ***** ** overhead *** ****** ********* without ******** *************, ****** factor ******* *** ******** method ****. *******, **** risks **********, ***** ** an ********** ********** ** strengthen ********.

Comments (18)

Undisclosed #1

12/11/18 01:45am

**** ****'* ******* **** this ** *** *** mobile ******. *********** *** provide *********, *** & gesture ** *** **** you *** ** **** you ****. *** ***** is **** *** ****. There *** ******* ********* that ***** **** *** with **** ****** *********** implementations.

*** ** **** ********* the **** *** ****** biometric *******, *** ********* allow *** ************* *** ability ** ******* *** by *****/******, ****/**** *** schedule.

Undisclosed Integrator #2

In reply to Undisclosed #1 | 12/11/18 01:17pm

**** *** ****** ***'* like ******** *** ***** phones. *** *** **** so **** **** ***** for ******* ***** ******* without ****** *** **** you **** ** ****** have ****** *******, ** activate *** **** *** a ****.

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #1 | 12/11/18 04:58pm

******, *******, ** ****** devices *** * ******** medium, *** **** *** '********* *** **** *****'**** ***** ****** ******* would.

** ** ****, **'* an ********* ** *** existing ******* *********, *** isn't *********** *** ** additional.

*** **** **** ****, if *'* *** *******, then ********* ** **** add **. **'* ** interesting ************** ** ***, I'm **** *** ************ that ** ** * new ****.

Undisclosed #1

12/11/18 01:21pm

****** **** *** ******** makes *** *** **** phone ******* * ******, but ***** *** *************** where *** ***'* **** need ** **** **** phone *** ** **** pocket *** ****** ***** you *** **** **** request ** *** ******** the **** ** * more ******* ***.

Undisclosed Integrator #2

In reply to Undisclosed #1 | 12/11/18 01:56pm

****, *** ** ** it's *** **** **** more ******. *** ** you ***'* **** ** take **** ***** ***, then ***** ** ** app *** ************* ****** (either ********* ** ***) always ***** ******* **** at ***** **% ** people **** ******** *****, and **** ** ***** will ******* ** ** upper **********. :)

*** ********* ** *** has ****** **** ********* people's **********, ****** *** expectations.

Fabian Muyawa

LONTECH SYSTEMS
IPVMU Certified | 12/11/18 02:54pm

***** ** ** ***** Video **** ** ** integrated **** ****** ******* in *** **** ** maglocks **** ******** ******* and ** **** ******* tied ** ********** ***** to ****** *** *** accessed * ****.

**** **** ******* ** be * ******* **** of **********.

Undisclosed Integrator #2

In reply to Fabian Muyawa | 12/11/18 04:16pm

******, ** ** ****, video ** **** **** would ** *** "************", not ******. ********* ** was *** ******* ****** using *** ********** ** gain ******. ****** ** is * ****** ***** station ***** ***** ** see *** ** ** the **** ******* ******.

Brian Rhodes

IPVMU Certified | In reply to Fabian Muyawa | 12/11/18 05:02pm

** ***** *** **** the ****** **** - '******* ******* ******** *** User'. ** ***** ** somewhat ***** ** ** this **** ******** *** cameras (****** ***** **** outside *** ***, ** the ***** *** ** poor *******, ***) *** I ***** ** ***** fall **** **** ********.

Undisclosed #3

12/11/18 04:11pm

****** ********** *************** *** clearly ** *** **** as **** * ******* end ***** **** ********** and **** ***** ***** to ******** **** ****** to ***** ***** ****, data ******* ** ****** doors. ******* *****...******** & habit ******. ** ** use *** ****** *** *** personal ***, ** ***'* mind ******* ** ** App, *** **** ** is ******** ** *** company ** ************ * person ** *** ****** and *** ****** ** the ******, ********** ** change ** ***** ** pilots. ** *** ***** hand, *'* *** ***** to **** ** ***** on * ******* *** day.

Fabian Muyawa

LONTECH SYSTEMS
IPVMU Certified | In reply to Undisclosed #3 | 12/12/18 10:44am

********* **, *** **** implementation ******* ** **** integrate **** **** ***** intercoms

John Bredehoft

Idemia | 12/11/18 07:09pm

**** *** ****** ****** need ** ** * person? *** *******, ** someone **** *** ******* badge, ***, *** ********* appeared ** *** **** at *:****, ***** ** AI ********* ****** **** this ******** ** ********** with *** *** ****** usually *******?

** ***** **** ** more ** * ********** biometric, *** **** ********** as "********* *** ***"?

Undisclosed End User #4

12/12/18 03:40pm

*** ***** ************/******* ******* verifies **** **** *****'* *********** need ** ** ***** intensive. *** ********, ********* Command ****** *** * feature ***** *** *** set ** '**********' ** doors, ***** *** ***** at *** ******* ****** gets ******** ******** *** badged at *** ****, *** give *** ***** * set ****** ** **** to ***** ** **** the *******. ** *** show * **** ****** **** with ******** * *** audio, ** **** ** any ******** **** ******, such ** ******, **** you ******* ** **. As **** ** *** already **** * ****** monitoring *** ****** ******* system and ***'* *** ** on ***** **** **** constant ******* ** *** be **** **********.

************ ***** *** **** you *** ******* ********* so ***** ***** ** be * ********* *********** badging ******** ** **** a ****, ** * "host" **** ********** ***** to ***** ***** *** a "*******" **** ********** to ** **** ** scan ***** ***** *** get * ***** *****.

Undisclosed Integrator #5

04/24/19 03:00am

* ********** ******** ******* and * *** **** your *** ******, ******’* it ** ******* ** have ** ****** ******** for *** **** **** if ******* *** *** allowed ** ** ** work ****** *** ***** a *** **** *** set *** ****** ** email ** ***** ** the ******** ******* ***** would ******* *** **** holder *********** *** *** the ***** ** ****** if ** ** *** actual ****** **** ******.

Brian Rhodes

IPVMU Certified | In reply to Undisclosed Integrator #5 | 04/24/19 03:07am

******’* ** ** ******* to **** ** ****** schedule *** *** **** door ** ******* *** not ******* ** ** at **** ****** *** after * *** **** and *** *** ****** to ***** ** ***** to *** ******** ******* which ***** ******* *** card ****** *********** *** yes *** ***** ** verify ** ** ** the ****** ****** **** holder.

****, *** ***** *** many ***** ****** ** needed *** *********** **** falls ******* ** ****** schedules. (******* ****/********, ***)

****, **** ********** ****** do *** **** ******** staff ******** ********** ****** systems ** ***** ************ for ************.

** *******, ****** ****** ******* ****** *** Schedules ** * ***** **** regardless!

Undisclosed #1

04/24/19 01:41pm

** **** ** *** eveyone's *************. ** **** in * **-******* *****, the ***** **** ****** control. *** ** *** doors ** ********** ***** had * **** ******* the **** ****. ** you'd ***** ******** ********** would *** ** *** a **** ** **. Nope, **** ******** *** other ***... Access control defeat device

**** **** **** **** included *** ************...

Scott Fischer

Lorica Consulting LLC
IPVMU Certified | 10/21/19 07:05pm

* ******* ******** *** fourth ************ ****** *** updating *** **** ** follows:

1. ********* *** **** ***

2. ********* *** **** *****

3. ********* *** **** **

4. ******* *** **** ** ****

*** ******** ********* "******* ******* ******** *** User"******** ******* ***** ********** IDs *** ******* *** the **** *** ****** access ***** ** ***********. I ******* *** ***** or ************ ****** ** this ******* ** ******** acting ** *** **** capacity ** * *****-****** reader (*********** *** ********** based ** **** **** have, ****, ** ***). The ***** ** ************ is ********* *** * "verification ******" ** *** same ***** ** *** other ***** ***** ** the ****.

******** *** *** ****** to "******* *** **** ** with"********** ************** ** ******** user ************** ************ (*.*. the "***** ******") ***** two (** ****) ********** individuals *** ******** ****** access ** * ******** or ****** ** *******.

Undisclosed #6

In reply to Scott Fischer | 10/21/19 07:32pm

Someone *** **** ** ****

** *** ******** ** an *************** ****** **** another ************* **** ****, or ******?

** ** *** ** authenticated *******, ***’* **** just * ******* ** the “******* *******...”?

Scott Fischer

Lorica Consulting LLC
IPVMU Certified | 10/21/19 08:03pm

********** ** *********** #*:

********* *** ** **** authorized ***** ****** ******** access ** ** ******* of "******* *** **** is ****". *** *******, Person * ****** ***** a ********** **** ****** another ********** ********** (****** B ** * ** D ***.) ** **** present (***** ** *** additional ********** ******). **** individual **** ** ******** separately ***** ** *** pair ***** ******* ******. Either *** ****** ** gain ****** ***** ***** not ** **** ** gain ****** **** ****** they *** **********.

* ***** ******** ****** to ****** * ** the **** ** * card ****** ******** ****** to ****** *. **** both ****** *** ******** of ****** * *** grant ****** ***** ** his/her ************* *****."******* *** **** ** with"******** ********** ****** * to **** ** ********** Person * **** **** prior ** *** ***** (or **** ******) ******** access. *** ***** (** card ******) ******** *** verification **** ****** * and ****** * *** both ********** *********** *** that ******** **** **** the ******** ** ** granted ******.

Read this IPVM report for free.

This article is part of IPVM's 6,367 reports, 855 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Related Reports

Low-Tech Access Control: Master Keying Explained on Jan 09, 2020

Mechanical keys are one of the most fundamental forms of access control. 'Master Keying' can allow individually different credential keys to...

Fail Safe vs. Fail Secure Tutorial on Oct 02, 2019

Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these...

Maglock Selection Guide on May 16, 2019

One of the most misunderstood yet valuable pieces of electrified hardware is the maglock. Few locks are stronger, but myths and confusion surround...

Favorite Access Control Credentials 2018 on Mar 22, 2018

In this 2018 access integrator statistics result, which credential type holds the favored spot to unlock access doors? More than 150 integrators...

Access Control - Restricted Keys Guide on Mar 15, 2018

Not all doors, even in larger facilities, can justify using electronic access control. And even for doors that do have electronic access control,...

Risks Of Managing End User Passwords (Statistics) on Dec 05, 2017

Integrators know admin passwords for nearly all end-user systems, according to IPVM statistics. But how do they manage them? How do they ensure...

Integrators Know Admin Passwords For Nearly All End-User Systems (Statistics) on Nov 01, 2017

With cybersecurity concerns rising, more scrutiny is being applied to various elements of security implementation. One of those is who knows the...

Hikvision VMS Password Recovery Vulnerability - Emailing Admin Passwords In Plain Text on Aug 28, 2017

Hikvision iVMS-4200 suffers from a vulnerability that allows anyone local, without authentication, to generate a code that Hikvision will respond...

Hikvision Security Code Cracked on Aug 08, 2017

Hikvision's 'security code' feature has been cracked and a program generating security codes is being distributed online. IPVM has obtained and...

Uniview Weak Local / Strong Remote Password Policy Tested on Mar 14, 2017

With the continuing onslaught of cyber-security breaches (see Dahua backdoor recently discovered, Hikvision defaulted devices getting hacked)...

Most Recent Industry Reports

Verkada: "IPVM Should Never Be Your Source of News" on Jul 02, 2020

Verkada was unhappy with IPVM's recent coverage declaring that reading IPVM is 'not a good look' and that 'IPVM should never be your source of...

Vintra Presents FulcrumAI Face Recognition on Jul 02, 2020

Vintra presented its FulcrumAI face recognition and mask detection offering at the May 2020 IPVM Startups show. Inside this report: A...

Uniview Wrist Temperature Reader Tested on Jul 02, 2020

Uniview is promoting measuring wrist temperatures whereas most others are just offering forehead or inner canthus measurements. But how well does...

Dahua USA Admits Thermal Solutions "Qualify As Medical Devices" on Jul 02, 2020

Dahua USA has issued a press release admitting a controversial point in the industry but an obvious one to the US FDA, that the thermal temperature...