A Guide to Access Control Card Technologies

1 November 2018

Mifare EntroPass Secure Credentials

What is Access Control?

Access control is concerned with the physical security of an area. The area can be within a building, the building itself and/or a site on which the building resides. An access control system provides a managed process by which entry or exit into or out of a space is granted or denied by verifying the credential for an individual person against the an access control database on a IT server or PC.

The process of verification requires a credential to be presented to a reader. The information within the credential is then checked against the database. If verified, the door controller is instructed to open the door. If denied, the door remains locked and closed.

Examples of Access Control Credentials

A credential may take one of the following forms:

  • Keypads: a four to six digit numeric pin code
  • Physical: access cards, key-fobs, security tags, tokens and smartphone apps
  • Biometric: fingerprint, facial, iris, retina, voice and hand geometry

The most common form of credential is an access card or key-fob.

Multi-Factor Authentication

Where a combination is required e.g. card and pin or fingerprint and pin, this is known as multi-factor authentication. Within retail, chip and pin has become a very common method of payment. This is an example of multi-factor authentication.

Smartphones and Contactless

Contactless payment, up to a spending limit of £30, is gaining acceptance as is payment via a smartphone or smartwatch with apps such as Apple Pay, Google Pay or Samsung Pay. Smart payments use NFC technology. NFC stands for Near-field Communication and is a set of communication protocols that allows two electronic devices,  one usually being a smartphone or smartwatch, to communicate within a short distance (4cm) of each other.

Smartphones can also be used within some access control systems and for this they rely on the NFC protocol. The smartphone will have a compatible access control App installed on it which will store the relevant information required for access. This type of credential is becoming popular within certain markets and segments e.g. the hotel and hospitality industries (market) and student accommodation and university campus buildings (segment).

An alternative to NFC for smartphones is Bluetooth technology. Whilst NFC has a very limited distance, Bluetooth can reach up to 9m. The longer distance (and wider field) for Bluetooth makes it less suitable for access control for security reasons.

Whilst the use of smartphones seems a sensible application for access control there are issues. The application relies on a person carrying their mobile phone with them and their battery being charged. The mobile may not be one issued by the company or organisation and the owner, if using their own mobile, may not want to use their phone but to keep it and its content private. Mobile phones can malfunction, break and be stolen leading to potential security concerns.

Whilst the mobile phone provides a middleware platform it does not suit every company or organisation in relation to practicality or security concerns. For this reason many organisations with an access control system prefer to operate with either access card, key-fob and biometric technologies or some combination of these.

Smart Cards and Access Control

Card readers are by far the most common technology adopted. The technology behind biometric readers is advancing rapidly and the introduction of 3D facial recognition makes these more reliable and appealing than before, but their use comes at a higher cost than a typical card reader.

Card reader development is driven in part by card technology innovation and the level of security required. Magnetic stripe technology (the black stripe on a traditional access card or credit card) was developed by IBM and introduced in the early 1970s. A magnetic card cannot store a great amount of information and is required to be physically placed on or through a magnetic card reader in order for the information to be read.

Proximity cards, also referred to as ‘Prox cards’ have an embedded chip and use radio frequency identification (RFID) technology (at 125kHz) and can be active or passive types. The standard proximity card type in use in access control is the passive type with no internal power source (lithium-ion battery).

When the card is presented close to a reader (contactless) the card chip is energised via the reader field and ‘handshakes’ with the reader to establish communication. Once established the credential is checked. The card holder may then have to enter a second stage of authentication (e.g. enter a pin code) for access to be granted and the door opened. If access is denied the reader normally issues a short alarm beep. Both events are recorded by the access control management software.

The chip within a Proximity card has one function and that is to provide the identification number of the card so that it can be authenticated. Proximity cards are popular within the access control industry due to their price and low-tech. MIFARE cards have further levels of security and functionality.

MIFARE Card Types

MIFARE is the NXP Semiconductors-owned trademark of a series of chips widely used in contactless smart cards . The brand name (derived from the term MIKRON FARE Collection and created by the company MIKRON) covers proprietary solutions based upon various levels of the ISO/IEC 14443 Type A 13.56 MHz contactless smart card standard.

The four types of MIFARE card include:

MIFARE Ultralight: a low-cost IC (Integrated Circuit) useful for high volume applications including public transport, loyalty cards and event ticketing. Sub-types: MIFARE Ultralight Nano,, MIFARE Ultralight EV1 and MIFARE Ultralight C.

MIFARE Classic: employs a proprietary protocol compliant to parts 1–3 of ISO/IEC 14443 Type A, with an NXP proprietary security protocol for authentication and ciphering. Sub-type: MIFARE Classic EV1 (other sub-types are no longer in use).

MIFARE Plus: a drop-in replacement for MIFARE Classic with certified a security level (ES-128 based) and backwards compatible with MIFARE Classic. Sub-types MIFARE Plus S, MIFARE PLus SE and MIFARE Plus X.

MIFARE DESFire: a contactless IC complying to parts 3 and 4 of ISO/IEC 14443-4 Type A with a mask-ROM operating system from NXP. The DES in the name refers to the use of a DES (Data Encryption Standard) two-key 3DES, three-key 3DES and AES encryption; while Fire is an acronym for Fast, innovative, reliable, and enhanced. Sub-types: MIFARE DESFire EV1 and MIFARE DESFire EV2.

MIFARE DESFire smart cards provide identification, authentication and can store a wider range of information than Proximity cards. The information they hold is encrypted to prevent it being communicated before the MIFARE card and relevant card reader have ‘shaken hands’ and authenticated each other.

The main differences between a MIFARE and a Proximity card are:

  • Frequency: MIFARE is 13.56MHz and Proximity is typically 125kHz
  • Serial numbers: MIFARE have a factory programmed and unique 32-bit serial randomly selected number which does not include a facility number. Proximity cards are typically 26-bit and can include a facility code.
  • Memory: MIFARE cards have a memory to store data of typically up to 8Kb allowing the card to be used as a vending machine cash card, canteen payment card or pre-paid membership card. Proximity cards do not have a memory feature.
  • Credentials: a MIFARE card can store multiple credentials for added security when authenticating with a card reader and access control management software package.

Remsdaq supplies its own MIFARE Plus-technology card called ‘EntroPass’. This smart card uses has 128-bit Advanced Encryption Standard (AES) for authentication, data integrity, and encryption and is a highly secure MIFARE Security Level 3 credential. Each credential contains a unique 12-digit number, protected by diversified keys to further enhance, secure and protect from credential cloning.

When upgrading legacy access control systems it is important to consider what level of security is required from the new system in terms of credentials and readers. There are many choices to make which should be checked against a checklist covering physical security, budget, ease of use and overall manageability.