Access Control Continued: biometrics and other forms of access authorization


In a previous post, we explored access control options by looking at types of electric locks, specifically at the component which physically keeps the door locked. However, this is only half of what access control consists of. Each of these lock components need to be configured with a ‘systems operation device’, a mechanism which authorizes access and allows the lock on the door to be opened.


In this post, we will therefore provide an overview of the types of access control operation devices on the market and the points of consideration around them. Due to the recent and ongoing debate about using biometrics as a form of authorization, this article will include a particular focus on this form of technology. 



Read on to find out more! 


In access control, there are three fundamental methods for verifying authorized access:


  • Something you know: such as a password, a PIN, or a code
  • Something you have: such as a key, an access card (or badge) or a mobile device 
  • Something you are: a physical trait, such as a fingerprint, also known as biometrics.


For a full guide to access control and how to best ensure it keeps your site safe and secure, download this white paper:

ICD's Guide to Access Control.pdf
Adobe Acrobat Document 672.7 KB

Something you know

Authentication as ‘something you know’ is typically a password, PIN or code which, if entered correctly, will grant the user access. Often used in access control, this method of verification is also commonly adopted in banking and to verify access to accounts such as email or other online accounts. 


Such verification is both easy and convenient to use although can pose issues or inconvenience if a password or PIN is forgotten. 


The primary risk of breach of security with this method of authorization comes from a violated password. Passwords and PINs may be hacked or cracked, be shared (intentionally or not) or be leaked, any of which would give access to unauthorized personnel. To help avoid (but not eliminate) this problem, ideally passwords should be changed regularly. However, this can make remembering the correct password more of challenging.


This type of authentication is more often seen in access control solutions for private properties or smaller companies rather than in companies or organizations with a large number of employees and a large number of access control points. The reason for this is that this option can becomes increasingly complicated and impractical and even less secure if multiple passwords are used or the same password is used for multiple doors or personnel. There are therefore limitation in the scalability of the solution. 


Something you have

Authentication which is ‘something you have’ is most often an access card (or badge) or a key. Keys are typically used for access control in private residences and rarely used for doors at large sites. This is due to the additional capabilities and the practicalities of using key cards, as described below.


Key cards are ideal for most corporate site solutions as they are scalable and easy to manage via an access control management platform in which employees can be added and removed. Moreover, the solution is flexible as access limited to certain levels or times for different employees.


Although this access via card readers presents a risk if the card lost or stolen, this risk may be significantly reduced or eliminated if reported immediately. If reported, access with that card can be removed through the management platform, essentially rendering the card useless.


Key card technology is difficult to forge as the technology used is sophisticated, including microchips and radio technology which are embedded within the card itself.


Another more recent addition to this type of access authorization is using a mobile phone to gain access like a key card. Mobile contactless credentials act as ‘virtual keys’ which can be can be stored in a mobile handset and used to unlock doors by swiping the mobile like a key card. One of the major advantages of this option is that access can be instantly delivered to a person's handset remotely; no physical handover is required.


Something you are - biometrics

In comparison to other forms of access authorization, the use of biometrics in access control is a more recent phenomenon.


Biometrics describes a physical feature unique to a person which can therefore be used to identify that person. Types of biometric authentication include fingerprints, irises, facial recognition through contours and features, hand geometries, vein patterns, voice patterns and DNA information.


In addition to being adopted for access control, recent years have seen a surge in debate about using biometrics for other forms of identification and authorization. For example Apple incorporated a fingerprint reader feature in their new iPhone 6 which can be used to authorize payments from your bank account via your mobile. It was also announced last week that MasterCard has partnered with Norwegian company Zwipe and are working towards being able to offer credit card payments via fingerprint scanning by November 2015. Another more extreme example is of a New York based company that wants to introduce biometrics which will be able to grant access to a building through analyzing the way a resident walks


The risks

Biometrics appear to be an ideal solution for authorization verification as the physical traits used are unique to each person. However, biometrics are not exempt from risk.


Somebody's physical identity can too be compromised (basic kits to replicate and fake fingerprints can be bought online), and once such information has been compromised, it will always be compromised. Unlike a password or PIN, one's biometric identity cannot be changed. As early as 2006, Deloitte and Touche were ringing the alarm bells warning that faking biometrics was a real threat. In fact, soon after the release of Apple's iPhone 6, reports were published that the phone’s biometric identification can be faked. It’s not easy, but it is possible.


Risk associated with different forms of biometrics varies, some forms of biometric authorization are more secure than others:  


Type of biometrics Security Cost Size of device
Fingerprint recognition Medium     Low Small
Finger vein patterns High
Medium Small to medium
Palm vein patterns High Medium
Facial recognition Low Medium Medium to large
Iris recognition High Medium to high Large

The reality

A recent survey of security integrator companies by IPVM, an impartial third party in the security industry, found that the demand for biometric solutions in security is actually still quite low. The most popular type of biometrics opted for from the above was fingerprint recognition at 49%, but 44% of integrators chose to use no biometrics at all.


The possible reason for this apparent reluctance to implement biometrics in access control is because many professionals think that the technology is largely under-developed and needs further technological progress. Moreover, some companies hold back from adopting biometrics for fear of conflicting with local privacy restrictions or of infringing on the personal privacy of employees or personnel.

The ideal high security authentication solution

A common solution when there is a strong need for high levels of security is to use multiple types of authentication methods.


For example, at ICD we recommend that some companies or sites use a combination of key card access with a PIN code where an extra layer of security is required. This solution is convenient as it can be tailored to end user's needs by adjusting the settings in the management platform. For example, if such a device is installed at the main entrance of an office, the authentication can be set to card only during the day when the office has is busy with employees and there is constantly someone at the reception desk. With key card access only during these hours it is not only more convenient for employees, but in addition, the risk is not increased since an intruder will be noticed by any on-site staff. For after office hours or on weekends or holidays, the device can be set to require both a key card and a pin code to provide the extra layer of security necessary when no company personnel are on-site. Anyone who may have found or stolen the key card will therefore not be able to enter the site with the card alone.


An area of a site could also be equipped with a combination of key card and biometrics for higher security. This solution is common in areas where an extremely high level of security is required such as bank vaults, nuclear power plants and data centers. For an example of a project in which ICD implemented palm reading biometrics with a PIN code at such a location, read this case study.


It is not uncommon for a site to implement several different types of access control solutions across areas of differing levels of security. It is therefore to important to evaluate the level of security a site needs as well as considering  the type of authorization and lock component that is best suited for that specific site. 

For advice from one of our experts regarding any of the above mentioned solutions or others, please feel free to get in touch via