Multi-Factor Access Control Authentication Guide

By Brian Rhodes, Published Dec 10, 2018, 10:42am EST

Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting them to certain individuals.

Multi-factor authentication is used when the end-user is concerned about who can use access control credentials. In this guide, we explain the concept and the elements involved, including:

  • What Does Multi-Factor Authentication Mean?
  • What Benefits Multi-Factor Offers
  • The Four Factor Types Available
  • Which Factors Are Common For Access Control
  • What Drawbacks Multi-Factor Authentication Has
  • Why Single Factor Authentication Is Still Common

Multi-Factor ************** *******

*** ******* ***** **** more **** *** ********** must ** ********* ** order ** **** ******. However, *** *********** *** 'layered' ** * *** that **** ********** **** other.

Four ************ *******

*** ********** ************** '*******' cannot ** *** ** the **** ***** *** are ********* ********** ******* types ** ***********. *** 'factor ******' *** ******** cited **:

  • ********* *** **** ***: * **********/********** ******* administratively ** *** ****. Typically ** ****** ******* badge, *****, ** ***. Also ******** * ********** key, ********** **, ** passport.
  • ********* *** **** *****: ********* * **** or ******** **** ******* by *** ****. ********* a *** ******, *** also ******* '******** *********' or '**** * ****** Security *****' *************.
  • ********* *** **** **: ********* ******** **** the **** ** **** to *******. ********* ****** or **** ****** *** used, *** ***** ******** possible ********* **** ***********, heartbeats, ******/**** *****, *** even ****.
  • ******* ******* ******** *** User: ***** ******* **********, another ***** ********** *** and ******* *** *** user. **** ***** ** a ****** ***** ** even * ************ **** grants ****** ***** ** familiarity.

Multiple ******* ********** ************

**** ** ***** ** securing ******, *********** **** a ***** ****. **** it ***** ** ******** credentials *** ******** **** the ***** ****** *** using ****, ******** ******* are ****** **** ** the ******** ******* *** weak.

* ******** ******* ** many *** ***-****** ***** and **** **** *** automatic ****** ********. **** credential, **** **** *****, is **** *** ****** defeated ** ****** *** malicious ***.

*******, **** ** ******** do *** ******* ********* embedded *****, ***** *** card ** ********* ******** with * ********* ***.

** *** ****, *** only *** ***** ***** required ** ** ******, but *** ******* *** required ** ** *******. This ***** ************ ****** factors ******** ** ********* them **** ******** ****** of **************.

Multi-Factor *******

** * **** ***** reader ******** ********* *****, fingerprint *****, *** ****** codes *** '*****-******' *******, two ** **** *********** would ** ******** *** entry, *** **** ********* credential ****** *** ********** for *** **** ** present ** *** ****.

*** ***** ***** ***** an ******* ** * typical '***** ******' ****** device:

*** ******* **** ******* support ****. *** *******, this *****-****** ****** ****************** ********* **** ***/** voice ************** ******* ** the **** ****** ***********:

Different *****

*** ****** ****** ** applied ******* **** ********* to ** ***-****'* ******** concerns. ***** ****** ********* about *** ******** *** of **** *********** *** require *** *******, ***** high-security ************* *** ******* three ** ****. ** define *** ******* ***** tiers *****:

Two *******

**** ***** * *********** of '********* *** **** ***' *** '********* ** *****', **** ** ****** Control ****** **** *** accompanying *** ******. **** if *** **** ***** the ****, ** ************ finder ****** *** ** to **** ****** ****** they **** **** * code, ***** ** ***** only ** *** ****.

******* *********** ********** ****** are **** *********, ** is **** ****** ** see *********** ** ***** physiological ******* **** **'********* *** **** **' ** *** ****** authentication.

Three *******

**** ******** ******** ** even ****** ***** ** validation, ***** ******* *** required. **** ***** **** is * *********** ** biometrics, *** *****, *** access ******* ***********, *** become ************* **** ****** to ********* *** ****** than ****** '****** ******' authentication.

** * ****** ** both **** *** **** to *** **** ***** of **************, ** ** used ** ******** **************, military, *** ******** ********** but *** ********* *** commercial ***-*****.

Guard/Verification ******

*** ******* ***** ** authentication ** ***** **** at ******** *** ***** sensitive *********, ***** ****** checkpoints *** **** ** conjunction **** *** ***** factors. ******* **** ******* takes *** **** **** and ** *** **** labor *********, ** ********* is *** ******** ****** the ******** **** ** very **** *** ******** manpower ** *********.

Multi-Factor ************** *********

******* ******** ****** ************ of *****, *****-****** ************** has *********.

*** ******* *********** *** is *** ********** **** required ** ******* ** manipulate *** ********** **********. Especially *** ******** ***** high ***** ******* *** needed, ****** **** **** to ******* **** *** additional ****** ***** *** more **** * *** seconds *** **** ****, potentially ****** ** ** many ******* **** *** course ** *** *****.

******* ********* ****** ** the ********* ***** ** multiple ****** ******* **** simple, ****** ****** ***** like *********** *******. * combination *****-****** ****** ** often $*** - $*,*** more **** * ******-****** unit ******* $*** - $300. **** *** ****** of **** * ***** system **** * - 4 *****, ***** *****-****** readers *** ******** ***** by *********.

Single ****** ***** ******

* ******** ** ********** access ******* ******* *** 'single ******' **************, *** this ** ********** *** the *********** ******** ** most ***-*****. *** ****** credential **** ** **** is **** ** *** identity ** *** ******, and *** ****** ******** (ie: *******, *****) ** recorded *** **** ******.

*** *********** *** ******* the **** ****** '****** factor' **********. ** ***** verification ** *** ****** is ******** **** *** key *** **** ******. While ********* ******** ** high-tech ********** ****** ***********, mechanical **** ***** ******* an ******** '***** *****' of ******** *** **** millions ** **********.

*** ***** *******, ***** multiple ******* ** ****** identity *** ** **** to *******. ******* ******* supporting ***** ****** *** more *********, *** ****** manned ************ ***** ** overhead *** ****** ********* without ******** *************, ****** factor ******* *** ******** method ****. *******, **** risks **********, ***** ** an ********** ********** ** strengthen ********.

Comments (25)

IMHO what's missing from this is MFA via mobile device. Smartphones provide biometric, PIN & gesture as the 'what you are' or 'what you know'. The phone is 'what you have'. There are several companies that offer this now with some really interesting implementations.

All of them eliminate the need for costly biometric readers, and typically allow the administrator the ability to require MFA by group/person, door/area and schedule.


True but people don't like fumbling for their phones. And you have so many apps vying for battery usage already without having one more you have to either have always running, or activate and wait for a read.

Phones, tablets, or mobile devices are a delivery medium, but they use 'Something the User Knows' like fixed keypad readers would.

In my mind, it's an extension of the existing factors available, but isn't necessarily new or additional.

But with that said, if I'm not correct, then certainly we will add it. It's an interesting implementation of MFA, I'm just not rationalized that it is a new type.

Agreed when the solution makes you rub your phone against a reader, but there are implementations where you don't even need to take your phone out of your pocket and others where you can make your request as you approach the door in a more natural way.

True, and to me it's not that much more effort. But if you don't have to take your phone out, then there is an app and communication method (either bluetooth or NFC) always using battery that at least 10% of people will complain about, and many of those will usually be in upper management. :)

The challenge is and has always been modifying people's priorities, habits and expectations.

Where do we place video when it is integrated with access control, in the case of maglocks with embedded cameras and/or CCTV cameras tied to particular doors to verify who has accessed a room?

Does this qualify to be another form of credential?

Fabian, in my mind, video in that case would be for "verification", not access. Verifying it was the correct person using the credential to gain access. Unless it is a manned guard station using video to see who is at the door wanting access.

It could fit into the fourth type - 'Someone Trusted Verifies the User'. It might be somewhat risky to do this only remotely via cameras (others could hide outside the FoV, or the image may be poor quality, etc.) but I think it could fall into that category.

Mobile credential implementations are clearly on the rise as over 1 million end users have registered and used their phone to securely gain access to their hotel room, data centers or office doors. Biggest issue...behavior & habit change. If we use our phones for our personal use, we don't mind opening up an App, but when it is required by the company to authenticate a person to the device and the device to the system, resistance to change is noted in pilots. On the other hand, I'm not going to wear my phone on a lanyard all day.

Precisely so, and this implementation appears to also integrate with some video intercoms.

Does the fourth factor need to be a person? For example, if someone with the correct badge, PIN, and biometric appeared at the door at 7:48am, could an AI algorithm deduce that this behavior is consistent with how the person usually behaves?

Or would that be more of a behavioral biometric, and thus classified as "something you are"?

The Guard Verification/Someone Trusted Verifies the User type doesn't necessarily need to be labor intensive. For instance, Gallagher Command Centre has a feature where you can set up 'challenges' on doors, where the guard at the command centre gets notified that somebody has badged at the door, and gives the guard a set amount of time to grant or deny the request. It can show a live camera feed with optional 2-way audio, as well as any Personal Data Fields, such as photos, that you program it to. As long as you already have a person monitoring the access control system and don't put it on doors that get constant traffic, it can be very manageable.

Additionally there are ways you can program Gallagher so there needs to be 2 different cardholders badging together to open a door, or a "host" type cardholder needs to badge first for a "visitor" type cardholder to be able to scan their badge and get a green light.

I understand everyone's opinion and I see what you're all saying, but wouldn't it be simpler to have an access schedule for the main door if persons are not allowed to be at work before and after a set time, and set the system to email an alert to the relevant persons which would contain the card holder information and, yes, the video to verify if it is the actual access card holder?

 wouldn’t it be simpler to have an access schedule for the main door if persons are not allowed to be at work before and after a set time and set the system to email an alert to the relevant persons which would contain the card holder information and yes the video to verify if it is the actual access card holder.

Sure, but there are many times access is needed and appropriate that falls outside of normal schedules (working late, weekends, etc.).

Also, many facilities simply do not have security staff actively monitoring access systems or video surveillance for verification.

In general, strong Access Control Levels and Schedules are a great idea regardless!

Ok, this is for everyone's entertainment. We work in a co-working space, and the doors have access control. One of the doors in particular often had a rock holding the door open. So you'd think building management would try to put a stop to it. Nope, this appeared the other day... Access control defeat device

Note that they even included the instructions...

I suggest changing the fourth verification factor and updating the list as follows:

1. Something the user has
2. Something the user knows
3. Something the user is
4. Someone the user is with

The original statement "Someone Trusted Verifies the User" suggests another human positively IDs and vouches for the user and grants access based on familiarity. I suggest the guard or receptionist listed in this example is actually acting in the same capacity as a multi-factor reader (identifying the individual based on what they have, know, or are). The guard or receptionist is therefore not a "verification factor" in the same sense as the other three items on the list.

Changing the 4th factor to "Someone the user is with" references implementation of multiple user authentication requirements (i.e. the "buddy system") where two (or more) authorized individuals are required before access to a location or system is granted.

Someone the user is with

So the presence of an unauthenticated person with another authenticates them both, or either?

Or if one is authenticated already, isn't that just a version of the "Someone trusted..."?

Responding to Undisclosed #6:

Requiring two or more authorized users before granting access is an example of "Someone the user is with". For example, Person A cannot enter a restricted area unless another authorized individual (Person B or C or D etc.) is also present (could be any additional authorized person). Each individual must be verified separately prior to the pair being granted access. Either one trying to gain access alone would not be able to gain access even though they are authorized.

A guard granting access to Person A is the same as a card reader granting access to Person A. They both verify the identity of Person A and grant access based on his/her authorization level. "Someone the user is with" requires authorized Person A to have an authorized Person B with them prior to the guard (or card reader) granting access. The guard (or card reader) performs the verification that Person A and Person B are both authorized individuals and that together they meet the criteria to be granted access.

interesting article

An insightful article.

Interesting - an eye-opener for me on multi-factor access control authentication.

Could the fourth factor be something as simple as a smart ring or smart watch that is coded differently than a card credential?

It sounds to me that is more likely an additional 'Something the User Has' factor. Redundant factors aren't necessarily bad, but they are not (theoretically) as strong as a different type of authentication factor, i.e.: 'Something the User Is', etc.
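As an added example (not from the article or any commenter), a small Python model of the door decision as the "Someone the user is with" replies and the reply just above describe it: each person's verified factors are counted by distinct type, so a badge plus a smart ring is still a single 'Something the User Has' factor, and under a two-person rule each person must clear the requirement independently or the door stays closed. All names, credentials and the policy knobs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Factor types from the list above; the fourth ("someone the user is with")
# is modelled as a door policy rather than as a credential someone presents.
HAS, KNOWS, IS = "has", "knows", "is"

@dataclass(frozen=True)
class Presented:
    """One credential read at the door: who presented it, its factor type, did it verify."""
    subject: str
    factor: str
    verified: bool

@dataclass(frozen=True)
class DoorPolicy:
    distinct_factors: int = 2   # different factor *types* each person must pass
    two_person: bool = False    # buddy rule: a second independently verified person required

def factors_passed(reads: List[Presented], subject: str) -> Set[str]:
    """Distinct factor types the subject verified. Badge + smart ring are both
    'has', so they count once: redundant, not additional."""
    return {r.factor for r in reads if r.subject == subject and r.verified}

def person_authorized(reads: List[Presented], subject: str, policy: DoorPolicy) -> bool:
    return len(factors_passed(reads, subject)) >= policy.distinct_factors

def decide(reads: List[Presented], policy: DoorPolicy) -> bool:
    """Grant only if enough people each independently clear the factor requirement."""
    passing = {r.subject for r in reads if person_authorized(reads, r.subject, policy)}
    return len(passing) >= (2 if policy.two_person else 1)

def demo() -> Dict[str, bool]:
    # Constructed reads; "alice" and "bob" are hypothetical cardholders.
    badge_and_pin = [Presented("alice", HAS, True), Presented("alice", KNOWS, True)]
    badge_and_ring = [Presented("alice", HAS, True), Presented("alice", HAS, True)]
    bob_ok = [Presented("bob", HAS, True), Presented("bob", IS, True)]
    bob_bad_pin = [Presented("bob", HAS, True), Presented("bob", KNOWS, False)]
    two_factor = DoorPolicy(distinct_factors=2)
    buddy = DoorPolicy(distinct_factors=2, two_person=True)
    return {
        "badge+pin, two-factor door": decide(badge_and_pin, two_factor),            # True
        "badge+ring (same type), two-factor door": decide(badge_and_ring, two_factor),  # False
        "alice alone, two-person door": decide(badge_and_pin, buddy),                 # False
        "alice with verified bob, two-person door": decide(badge_and_pin + bob_ok, buddy),  # True
        "alice with bob who failed PIN": decide(badge_and_pin + bob_bad_pin, buddy),  # False
    }

if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'granted' if granted else 'denied'}")
```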

If you have an iris reader, will contacts interfere or cause false scans?

Many iris readers will read through eye glasses or contacts. The iris is not modified by these accessories and scans under the surface/behind features like contacts.

This article is part of IPVM's 6,743 reports, 909 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.