Digital and physical attacks remain on the rise. That makes the authentication methods that your organization uses to secure its assets and facilities more critical than ever.
Whether you’re looking to implement a new system or upgrade an existing one, choosing the right authentication methods for your business can be daunting. And thanks to technological advances over the last decade, there are more choices today than ever before. There’s no single best option, either. It depends on your specific organizational needs.
With all that in mind, Real Time Networks has compiled its Ultimate Physical Security Credentials Guide, up to date for 2019, to help you make an informed decision about which credentialing systems are best for you.
This guide explains everything you need to know about the three main categories of authentication systems, and goes into the advantages and disadvantages of each. Those three categories are:
- Knowledge-Based Authentication: Authenticate using something you know
- Physical Security Tokens: Authenticate using something you carry
- Biometric Authentication: Authenticate using yourself
Knowledge-Based Authentication (KBA)
The credentials used in KBA systems are things you know, most often either a passphrase or a PIN number. They are also commonly used as part of Multi-Factor Authentication systems, which add security at the expense of simplicity, by layering multiple different authentication methods together.
- Cheap and Scalable — No physical tokens means the cost of adding new users is effectively zero. So after up-front capital expenses, these systems can scale to accommodate more users at essentially no cost.
- Flexible — ‘Rotate’ security by requiring periodic changes to passphrases or PINs, also effectively for free.
- The Human Factor — Knowledge-based authentication has one major failure point that other methods don’t: human memory. New credentials are effectively free when labor is light. The more KBA add/change requests an organization needs, the higher the labor overhead can grow.
- Vulnerable — They are also the most vulnerable to remote attacks, or ‘social engineering’ where users are tricked into sharing their credentials. This makes KBA-controlled access appropriate for more budget-conscious or risk-tolerant venues.
Physical Security Tokens
These are items your personnel carry to authenticate themselves for access to your facilities or assets.
Think credit and debit cards. These identification cards have an embedded magnetic strip holding identification data that is swiped to be read by an access control system.
- Cheap — Magnetic swipe cards are the least expensive physical token option, usually just a few cents per card.
- Readily Available — The technology has been around for decades, replacement cards and associated materials are always in supply. Many security systems, such as key management systems, have integrations with access control card systems for authentication.
- Also Readily Available — Their availability is also a vulnerability, as criminals have just as ready access to materials for fakes as security professionals.
- Fragile — Plastic wear or strong magnetic fields can stop cards from properly authenticating.
- Vulnerable — The commoditization of swipe card systems and the ease with which they’re copied makes them appropriate only in lower security environments.
Smart Contact Tokens
Instead of encoding credentials on magnetic strips, this technology uses computer chips embedded in ID cards, fobs, or other small token devices. Cards are called either ‘smart’ or EMV cards, after the major credit card companies Europay, MasterCard, and Visa that jointly developed them. When embedded in metal contact tokens or fobs, they’re often called Dallas chips.
- Encrypted — Credential data sent from the card to the access control system is encrypted, or scrambled, making it hard for attackers to intercept.
- Dynamic — Embedding a computer chip allows the token itself to perform calculations each time it authenticates a user, making each transaction unique. That means even if an attacker can read the encrypted information, they can’t simply ‘replay’ it to gain their own access.
- Hard to Counterfeit — Smart tokens are not interchangeable, they must be encoded to work with specific systems, making them exceptionally hard to counterfeit.
- Cost — The embedded electronics and custom design do carry a higher price tag.
- Hard to Replace — For the same reason that they’re hard to counterfeit, smart tokens are also more difficult and expensive to legitimately reproduce.
Passive RFID Tokens
This is a specialized type of smart card that uses Radio Frequency Identification (RFID) to communicate wirelessly with access control systems. They are unpowered and have a short range, usually about 6” (15cm).
- Wireless — No line of sight necessary
- Multi-access —RFID Scanners can scan multiple tokens simultaneously, which can reduce wait times at busy access control points.
- Cost — Best suited for high security environments with little risk tolerance.
- Wireless Limitations — While wireless, transmission range is very short. And RFID technology cannot transmit through some common materials, including metal and water.
Active RFID Tokens
These tokens use the same RFID technology but are actively powered by on-board batteries, and often include on-board antennas to increase their transmission range.
- Longer range — From 4x all the way up to 300x the range of passive RFID, 18” (0.5m) to 165’ (50m), depending on the on-board antenna and batteries used.
- Broad Applications — Longer range makes Active RFID suitable for hands-free settings, like in motor pools.
- Smaller Readers — Actively powered tokens don’t rely on access readers for power, so readers can be made more discrete in high security environments.
- Shorter Lifecycle — On-board batteries and antenna both wear faster than their simpler passive counterpart tokens.
- Cost — A higher price point than Passive RFID.
- Size — Active RFID tags are usually larger and heavier than their unpowered counterparts.
- Can there be any interference issues with Active RFID technology?
Unlike physical tokens which can be lost, stolen, or forgotten, biometric credentials are characteristics of an individual that can be recorded and transmitted. They could be as simple as a signature, or as complex as a scan of someone’s iris.
The most widely used security biometric. The patterns of ridges and furrows on our fingertips are unique to every individual, and remain the same over our entire lives. Fingerprint authentication matches previously stored print records to the individuals scanned at access control points.
- Simple — Relatively, that is. Fingerprint biometrics use less expensive infrastructure, and generally have lower power consumption than other biometric systems.
- Widely Applicable — Only about 2% of the population lack suitable fingerprints, those usually due to skin damage or medical conditions.
- Hard to Fake — Biometric fingerprint scanners can’t be fooled by fingertip images, they use capacitive screens, like smartphones, which require direct skin contact.
- Subject to Wear — Fingerprint biometrics require physical contact, often with oily or dirty skin, which increases wear and maintenance on the readers. – can also affect accuracy of read and lead to inefficiencies
- Dependent on Person — Any cuts or other damage to recorded fingers will interfere with scanning.
Working on similar principles to fingerprint recognition, specialized programs compare the shape of a scanned individual’s face against a database of authorized personnel.
- Non-Contact — Facial recognition software doesn’t require direct contact or even close up image capture.
- Exceptionally Hard to Attack — Unlike physical token authentication measures, facial recognition systems are both difficult and costly for attackers to defeat, and usually must be attacked on premise, which by itself can be a deterrent.
- Environment Matters — Performs best in well-lit environments with subjects’ faces unobstructed.
- Dependent on Person — Can fail at a slightly higher rate than fingerprint recognition, as there are more conditions that may not match, such as a smile, frown, or a significant weight change. – actually our experience has been the contrary – fingerprint fails more often than facial. ? the point is valid though, perhaps wouldn’t compare with fingerprint
- Cost — The advantages of facial identification controls come at a slightly higher price point compared to swipe card or other commodity systems. So do fingerprint readers – but not mentioned above? PS our facial readers are same cost as fingerprint, so we normally push the facial readers because they are more accurate and less issues.
The iris is the colored area around the pupil of the eye. Much like fingerprints, irises have unique structures in each person, and remain stable throughout their lives. Specialized hardware can scan these structures and turn them into a digital pattern that can be matched for access control.
- Accuracy — Iris recognition is the most accurate of the commonly used biometric technologies, even working through contact lenses or glasses.
- Convenient — It can work from several inches to several feet away, and resolves in less than 2 seconds.
- Hard to Defeat — Easy for the system to detect deception (e.g. color contacts).
- Environment Matters — Much like facial recognition, accuracy can be affected by lighting and obstruction.
- Cost — Iris scanners tend to be more expensive compared to other biometric controls.
- Potential Failures — Medical conditions, like diabetes, can progressively alter irises and affect accuracy.
This system uses infrared light reflected off the back of the eye at close range to record and match someone’s unique blood vessel pattern.
- Highly Secure — Retinal scanning has a near zero failure rate, making it currently the most secure biometric.
- Highly Scalable — Record data is actually very small, so scaling and storage is convenient even for large organizations.
- Fast — Rapid identification is suitable for high-traffic environments.
- Cost — This enhanced security and performance does come at a higher price point.
- Inconvenience — Some users find retinal scanning uncomfortable and intrusive.
This security system matches your staff’s spoken passphrases—including accent and inflection—against high-definition digital records.
- Accessible — This system can be used by staff who may not be able to reach or access mounted eye and fingerprint scanners.
- Easy to Use — Less training required compared to most other biometric authentication systems.
- Fast — Rapid entry relative to typing equivalent passphrases.
- Prone to Interference — Only suitable in quiet environments. Background noise can interfere with authentication.
- Known Attack Vectors — Known passphrases can be recorded for attacker playback.
- Range of Costs — Higher definition systems with improved accuracy can be expensive.
Want Further Guidance?
As you can see, each authentication system carries its own advantages and disadvantages. Each has their place in business security, it’s just a matter of determining what makes sense in your own particular organization.
If you’re still unsure which technology is right for you, our security experts are more than happy to recommend a solution based on your exact budget and needs. Contact Real Time Networks today to schedule a free demo
About the Author
Shannon Arnold is the VP of Marketing and Strategic Partnerships at Real Time Networks.