The Evolution of Identity Credentials: New Ways of Controlling Access

Access control is defined as “the selective restriction of access to a place or other resource”. For an automatic access control system to function, it requires a means of identifying individuals to determine their access rights. The form of identification can be anything from a memorised password or PIN through to biometrics (ie the measurement of a human characteristic). Here, Amer Hafiz reviews the evolution of identity credentials in the sphere of access control.

Since the early days when access was granted (or not) once an authorised PIN was entered into a keypad, access control systems have evolved to support many forms of ‘physical’ credentials. Generally referred to as ‘pass cards’, these credentials have taken many forms.

Barcodes where an identity number is printed on the card in the form of a machine-readable series of variable width bars. Although more secure than a memorised number, a barcode can be easily copied or reproduced

Magnetic Stripe where a magnetic stripe on the card stores an identity number within a designated track. A special magnetic card reader is used to read the number from the track

Proximity Card where an electronic chip on the card holds the identity number and a built-in antenna enables a compatible proximity card reader to read the identity number using radio frequency technology. The card simply needs to be held within a few centimetres of the reader

Smart Card using a similar radio technology to that of proximity cards. Smart cards can hold a variety of data within the chip. The data may be read and/or written to the card using compatible readers/writers depending upon the application. For access control applications, an identity number can be stored on the card and read by a compatible access control card reader.

In each of these technologies, it’s necessary to issue a uniquely numbered card (or key fob) to each authorised individual. The unique number on the card serves as their identity on the access control system. Without the card, they would not be able to gain access to the restricted area(s). This makes it necessary for them to keep their identity cards with them whenever they need to move around the building or installation.

Advances in technology

Recent technological advances have made the need to carry identity cards unnecessary. Two completely different approaches have been used.

Biometric readers The first was the development of biometric readers, where the recognition of unique human characteristics such as fingerprints or retina patterns are used for identification, precluding the need for identity cards. To support these systems, authorised users must ‘enrol’ on the system whereupon their biometric data is read and stored in a database.

Whenever the user needs to access a restricted area, they must present themselves to a biometric reader at the access point (eg place their finger on a fingerprint reader). The data obtained is then compared to the database to find a match to determine their identity and check their access rights before granting entry.

Although this provides a high level of security and avoids the need to issue credentials, the readers are very expensive and the process of looking up complex data with a large database can be slow and limiting.

Virtual credentials The second alternative is to use smart phone-based ‘virtual credentials’ to replace physical cards and fobs. A virtual credential is a unique identity code that can be securely sent from a cloud-based server to an app on the user’s smart phone. Several virtual credentials can be stored on the smart phone for different access applications. A smart phone with its virtual credential can be used to gain access to restricted areas, making it unnecessary for the user to carry cards or fobs.

As most people now carry their smart phones everywhere they go, they are far less likely to lose their credentials or forget to keep them handy.

The app can present the credentials to readers using smart phones’ built-in communication technologies such as low power Bluetooth, NFC or QR code. The technology used would depend on the capabilities of the reader and the type of smart phone.

If Bluetooth is used, it can offer a further benefit as it may be used at distances of up to 15 metres from the reader, effectively replacing long-range, hands-free reader technologies.

Where might credentials go next?

Amer Hafiz

Amer Hafiz

In the short to medium term, identity cards will continue to be used with contactless smart cards gradually replacing older technology proximity cards. Virtual credentials on mobile devices will become far more widespread.

The ever-increasing levels of security being required will most likely lead to a wider use of facial recognition as the main biometric credential.

With advances in Bluetooth technology providing increased bandwidth, more information can be quickly retrieved from smart devices, making the combination of high-security biometrics and smart phone apps a real possibility for controlling access.

Amer Hafiz is Technical Director at Nortech Control Systems

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts