Overview
The purpose of any access control system is, quite simply, to control who goes where and when. The person in question maybe an employee, a contractor or a visitor. The level of access can and will vary depending on their status and access requirements or the location they are entering.
The access control "system" can be seen in different ways. For example: the door, the lock, the access control panel and the method of entry (e.g. token and reader) can be seen as a "system".
For the purposes of clarity, NPSA group the "system" into the following sub categories:
AACS
Automatic Access Control System (AACS) - this is the control panel, the decision maker. It is on this panel, or software, that the decision to allow entry is made. It is here that permissions are granted, where individuals are enrolled onto the system and given the rules of entry; for example, where they are allowed to enter and when.
Token & Readers
Token, Reader, Keypad - this is effectively the "key" to the door. The token is generally (not necessarily) a card. This card will be held to the reader. If the card has been activated and is a valid credential, then access will be granted. The token and reader alone will offer "single factor authentication". For additional security, a keypad is connected. This requires a Personal Identification Number (PIN) to be used alongside the token and reader - Multi-factor authentication.
BAACS
Biometric Automatic Access Control Systems (BAACS) - this uses a particular biometric (e.g. fingerprint) to gain access. Biometric authentication can be single factor (biometric only) or multi-factor) token and biometric. There are a number of biometric 'modalities' which can be used for access control (see NPSA BAACS Guidance).
It can be seen then, that there are three methods of verifying access control credentials:
For greater security it is common to combine these into:
Automatic Access Control Systems (AACS)
The AACS is the "brains" of the access control system. It is here that the decisions are made, enrolment takes place and the 'rules' applied. AACSs are capable of many functions - access zones, access times, anti-passback and so on - but all of these functions have one aim - controlling who goes where and when.The AACS guidance documents available from NPSA have explanations on functionality and deployment of Automatic Access Control Systems and NPSA has an evaluation process which results in successful systems being listed in the Catalogue of Security Equipment.
Automatic Access Control System AACS
An Automatic Access Control System or AACS is a security measure used to control who goes where, and when, around your site.
They integrate with the existing borders of your site, controlling access along those borders.
Only a user with the correct security credential can pass through an access point.
Access can be controlled permanently or can be scheduled to be an operation for specific time periods, allowing for access to be linked to your sites operational hours.
All interactions with the system are tracked and logged. Importantly, any unauthorized access attempts send an alert to the control room. This creates an archivable security record for your site.
Automatic Access Control Systems are simple set up consisting of a door, a lock, a security credential, and a central control panel.
A security credential is presented to a reader. This sends a signal to the central control panel, which authenticates that credential. If authenticated, the door lock is released. If authentication is not achieved, the door remains locked.
User security credentials are either what you have, what you know, or who you are, or a combination of any two.
What you have, a token and reader based system.
This can be a key card or key fob given to a user to grant access.
What you know, a pin code and keypad system where users enter secure passcode to gain entry.
Who you are, biometric verification. This system uses a user's biometric data to verify them. Current technologies include fingerprint, finger vein, palm print, palm vein, iris, or face for recognition.
Multifactor verification is achieved by combining two of these together and adds another level of access control.
Two factor authentication is advisable for when there is an increase in security level needed, for example, a site that has both public and restricted access areas.
The system can be programmed to respond to certain events, such as multiple unauthorized access attempts, access points being left open for more than a specific length of time, and to create anti-passback security.
It's paramount that access control systems are backed up with an uninterruptible power supply or UPS, which will keep the system running in the event of a power outage.
Automatic Access Control Systems are machines, therefore they're not at risk of any distraction, persuasion or physical threats. But as a machine, they are at risk from an external attack or of being hacked. Access to the system must be password protected and an AACS should not be connected to any other network within your site.
An AACS cannot defend itself against an attack made with the collusion of an insider threat. Therefore other security measures must be used to prevent and identify any potential attacks from inside.
It should also be remembered that it's the physical secure border that keeps the site safe, not the AACS. If there are security failings within your border, then intruders will be able to gain access.
As with all security measures, these systems are only as good as the people who are using them. A good security culture and training is required to ensure that your site remains secure.
Automatic Access Control Systems are not a replacement for security officers. NPSA would always recommend that an automatic access control system is deployed in conjunction with other security measures such as CCTV and Intruder Detection Systems, in order to build effective security across all of your sites.
Token, Reader & Keypad
In order to operate, the AACS requires a method of knowing who is trying to gain access to a location. One such method is to use a token, often a card, and a reader system. In short, the card is presented to the reader located by the entrance to the location. If the reader is authorised, or the credential valid, then access is granted. The problem is that it is the card that is authorised NOT the person (who can tell if the card has been stolen?). In order to strengthen the security a keypad and PIN are often used. The PIN is associated with the card and known only by the authorised user. Without the PIN, the card is useless for access to that particular location.
The token can be programmed for use at specific readers, limited to certain hours or given complete and total access depending on the clearance level, role or seniority of the holder, as examples.
The NPSA Token and Reader guidance documents have more information. NPSA has an evaluation process which results in successful systems being listed in the Catalogue of Security Equipment.
Token And Reader
An automatic access control system or A.A.C.S is a security measure used to control who goes where and when around your site. Only a user with the correct security credential can gain access.
One type of security credentials is a physical token and a reader system.
Tokens. Whereas a mechanical key has a code cut into it physically, a token such as a key card or key FOB uses digital code embedded into it. A reader communicates with a nearby token by sending radio waves out to it. These waves provide enough energy to power the token and allow the embedded code to be read. These waves can be of the old and less secure 125 kilohertz frequency or of the more secure 13.56 megahertz frequency.
The code contained on tokens must be encrypted. Tokens that contain un-encrypted code are extremely low in security value and should only be used by sites with minimal risk and security needs. The reader takes the encrypted code from the token, sending it to be decrypted by the access control system, where it's either authenticated or denied.
The decrypted code is then passed back to the access control system, using an encrypted protocol, for example, OpenSupervised Device Protocol or OSDP. Older, less secure protocols like WEIGAND should be avoided, as they are more easily copied. Decryption should not happen outside of the secure system. If decrypted by the reader device itself, an attacker may be able to intercept and copy this code.
A modern token can be thought of as being like a smartphone containing a number of apps. Apps can be added to the token for things other than access control, such as printing and cashless vending.
To prevent the access control information being compromised, it's important to secure it behind a specific access control key. The access control key should be separate to any other keys contained on the token. Each app should run as its own silo with access between apps impossible. Also, access control keys should be diversified across all the tokens in your system. If access control keys are the same across all tokens, then it will only take one token to be lost, stolen or copied to compromise your entire system.
Each token should have a unique ID or serial number that should not be related to its access control key. Random IDs should be used in the highest security sites. This is a feature that gives a random ID number to a token every time it interacts with the system. By randomizing the token's ID, this can prevent attackers tracking that ID and that user. When purchasing token and reader systems, it's important for sites to not allow manufacturers to hold on to token data as they could be copied or compromised without your knowledge.
It's encouraged to use multifactor verification at the most secure areas of your site. This is achieved by combining a token and reader system with biometric verification. Alongside the token, a user's biometric data is also verified before access is given.
A token and reader system is a way of adding security to your site. They should be used alongside other automatic access control systems, such as biometrics and deployed in conjunction with other security measures, such as CCTV and intruder detection systems, in order to strengthen your site security.
Biometrics Automatic Access Control Systems (BAACS)
It is possible, and common, to use a biometric for access control. This could be fingerprint, face or iris, among others. Briefly, the chosen biometric is presented to a reader (similar to the token) and if that biometric is authorised, access is granted. Biometric authentication tends to be slower than a token so may not be ideal in certain circumstances. Single factor authentication (biometric only) may be sufficient in some locations - perimeter perhaps - but may not be sufficient in other areas. For example, high security, low foot-fall areas such as control rooms or data centres may require 2-factor authentication. Generally, a token is presented to a reader and declares the identity of the user... the biometric is presented secondly. This allows the system to verify that the token and the biometric are connected and that entry is authorised. This is one to one verification. Biometrics are considered more secure than a PIN since it is harder (though not impossible) to lose biometric information.
The NPSA Biometrics guidance documents have more information. NPSA has an evaluation process which results in successful systems being listed in the Catalogue of Security Equipment.
Biometrics
An Automatic Access Control System or AACS is a security measure used to control who goes where, and when, around your site.
Only a user with the correct security credential can gain access. One type of security credential uses a user's own biometric data to verify them. This is biometric verification.
Biometric data is one of the most secure methods of identification as it's very difficult to replicate, spoof or steal.
Biometric verification works when a user presents their biometric data to a reader or sensor. This data is converted into a code, known as a biometric template. The biometric template is then set to be authenticated against the user's data held on the system. The user's actual biometric data is not stored on the system, only the biometric template is. If the user's biometric data is authenticated, the AACS is told to release the door lock and grant access.
There are a number of biometric verification technologies currently on the market.
Finger and palm print authentication, a user scans their finger or palm on a reader. The specific characteristics in the ridges and patterns on the finger or palm print are compared to the data held on file, and either authenticated or access is denied. Contactless fingerprint readers are available which may allow faster authentication but the implementation of these needs to be considered.
Finger and palm vein. Finger and palm vein technology works by shining a near-infrared light through the finger or palm of a user, capturing the vein pattern as an image. This is then used as authentication. Since the user's veins are sub-dermal, they are considered a more accurate authentication system than print recognition. They're not affected by wet or dry weather or the aging of the user, so are more reliable. They can also be less invasive as users may not have to make contact with the scanning surface to achieve verification.
Facial recognition. Facial recognition systems scan a user's face and compare the shape and position of their features against stored information in order to authenticate. Facial recognition can pass across a lot of data points and is considered very accurate and secure. Some systems may require eyeglasses to be removed and a user's image may need to be updated to reflect aging or any other changes.
Iris recognition scans a user's iris and converts their unique characteristics into an encrypted code. It's this code that is used to recognize the user. This is considered a very secure method of verification, and it's very difficult to copy a user's iris. But iris scanners can be rather slow since the user has to position and hold themselves exactly in front of the scanner.
Biometric verification benefits over token based systems as there's no physical key for a user to lose. The user is the token. Because of this, biometric security credentials cannot be transferred from one person to another and biometric data is much less susceptible to fraud or spoofing.
But in general, biometric authentication will be slower than entering a PIN or using a token based system and may cause congestion at access points. Because of this, biometric authentication is best deployed in the lower footfall, high security areas of your site.
As the biometric reader is on the insecure side of the access point, no biometric user data should be stored on this device. Instead, it should be held on a secure server, in a location away from the reader. It's important to store all user data securely in an area that cannot be easily accessed by unauthorized personnel.
At the most secure access points on your site, it's encouraged to use multifactor verification by deploying biometric verification in conjunction with a token based system. The key card is presented to a reader and then followed up with the biometric verification, allowing for a greater level of security.
Biometric verification adds a layer of security to your site that's difficult to defeat for all, but the most capable of attackers. It should be deployed in conjunction with other security measures, such as CCTV and Intruder Detection Systems, in order to build effective security across all of your sites.
Guidance
AACS Evaluation Schemes
NPSA runs various functional evaluation schemes for Automated Access Control products. This page describes the schemes and the process that manufacturers should follow for product submission.
