Contactless Access Credentials & Egress
THE business landscape changing so dramatically over the past few months — possibly irrevocably — the task for many in security, including for consultants, integrators, dealers and manufacturers. As businesses and organizations begin to reopen, many are rethinking the way they budget for security, including access control, video surveillance and intrusion Alarm.
It’s amazing that a microscopic virus from China could virtually bring the world to a standstill. The 2020 global pandemic has reshaped the way people work, learn and play on every conceivable level. In addition to the devastating impact on global health and safety, COVID-19 has infected the health of the global economy.
The growing call to return to work will surely accelerate many of the physical (not social) distancing, sterilization and occupancy issues that we are currently facing. Hopefully, modern medicine will rise to the challenge sooner than later with a COVID-19 vaccine, but this may take some time even with accelerated testing and approvals.
Contactless credentials are the most common component used in an access control system and while many look alike externally, important differences exist. “Contactless credentials and touchless access control can help reduce the number of surfaces that people touch on campus and can help reduce contact transmission” said Arindam Bhadra founder SSA Integrate.
Credentials Overview
While other credential options exist, the most common choice is RFID 'contactless' types. Nearly 90% of systems use contactless cards or fobs built as unpowered devices that are excited and read when brought close to a reader unit. This 'wireless power' process is called resonant energy transfer.
In Proximity Reader technology the reader itself emits a field collected by the card, eventually reaching enough of a charge that temporarily powers a wireless data transfer between the two. The image below details typical internal components of the type, where the wire antenna collects energy, the capacitor stores it, and when full discharges ICC chip (credential) data back through the antenna to the reader:
In general, all contactless credentials work this way but the exact parameters like operating frequency, size of credential data, encryption, and format of the data greatly vary in the field. In the sections that follow, we examine these parameters in depth.
Contactless Credentials Dominated by
Giants
One of the biggest differences in contactless credentials is the format of the data it contains, typically determined by the manufacturer. Upwards of three-quarters of contactless credentials use formats developed or licensed by HID Global and NXP Semiconductor.
HID Overview
Since the market began migrating away
from 'magstripe' credentials in the early 1990's, HID Global gained
marketshare with its 125 kHz "Prox" offerings. Now part of
ASSA ABLOY, HID has become the most common security market credential
provider, and OEM of products for access brands including Lenel, Honeywell, and
Siemens. The company's best-known formats include:
· "Proximity": an older
125 kHz format, but still regularly used and specified even in new
systems
· iClass: an HID Global specific 13.56 MHz 'smartcard'
HID is the most common choice for credentials in the US. Because of commanding market share, HID is able to license the use of its credential formats to a variety of credential and reader manufacturers. Even when marketing general 'ISO 14443 compliant' offerings, HID strictly follows "Part B" standards (vs Part "A" - described in more detail later).
NXP Overview
Formerly Phillips
Semiconductor, Europe-based NXP offers a number of 'contactless'
credential components used in a number of markets - security, finance, and
industrial. With widespread adoption of ISO standards in credential
specifications, NXP offers a catalog of types built to spec, including:
· MIFARE PROX: NXP's 125 kHz format built
on early drafts of ISO standards, but not as widely adopted as HID's
"Proximity" lines
· MIFARE/DESFire: an ISO Standards-based NXP
'smartcard' format, also operating on 13.56 MHz the 'DESFire' moniker was
introduced in the early 2000s to distinguish the format from 'MIFARE Classic'
credentials. DESFire credentials feature stronger encryption that required
higher performing chips. The 'Classic' format fell under scrutiny for
being vulnerable to snoop attacks, and DESFire countered this threat.
Because these improvements were made only to credentials, and existing MIFARE
readers could still be used, the new format became known as 'MIFARE/DESFire'.
Unlike HID, NXP's credential formats
are 'license-free' and the according standards are available for production use
for no cost. NXP manufacturers all ISO 14443 product to "Part A"
standards. NXP's market share is largest outside the US, mostly attributed to
the early (starting in ~1990's) adoption of HID Global formats inside the US,
but the brand's formats are often the primary ones used in Europe and Asia for
physical access control.
US vs the World
Because of NXP Semiconductor’s
strength in EMEA and the lack of licensing, MIFARE, DESFire, and the associated
derivatives are popular outside the US.
However, HID Global's strongest markets are in the Americas, especially in the US. Despite the additional cost of licensing compliant credentials and readers, the company also produces products that use the unlicensed NXP formats and has equal or greater operability as a result.
125 kHz vs 13.56 MHz
The credential's RF frequency factors
a key role in its performance. Because readers can only scan credentials
operating at specific matching frequencies, this attribute is the first to
consider. If frequency and format do not match, credentials are simply not
read. The chart below shows the frequency of popular formats:
Perhaps the biggest difference between 125 kHz and 13.56 MHz frequencies is credential security. 125 kHz formats do not support encryption and are easily snooped or spoofed. However, 13.56 MHz formats are encrypted (usually 128 bit AES or greater) and credential data can only be read by a device that is specifically given the key to do so.
Deciphering Credential Types
One of the most challenging jobs for
integrators and end users alike is simply identifying which credential a system
is using. The market is crowded with hundreds of options with no guarantees of
compatibility for items that all appear to be a blank white card. The image
below details four different credential types with dramatically different
performance and security characteristics, yet they all look the same to the
untrained eye:
For contactless types, you must know
three attributes that are not typically clearly printed or overtly labeled on
the credential:
· Format Name: This designates how and how much
data the credential transmits, usually defined by an ISO standard for Wiegand
formats. For example H10301 is the typical 26 bit format, H10304 is HID's
Wiegand 37 bit, and so on. The best way to confirm the format used by a card is
to locate a box label of existing cards (See image below 'Card Format Details')
to interpret the raw hexadecimal output as a specific format. If card boxes are
not available, researching the credential type used by checking the format used
in the Access Control Management Software application, typically in the
cardholder and reader configuration settings.
· Facility Code: This attribute is NOT printed on the
card in most cases. This piece of information is also typically found on box
labels but can be decoded using the same online calculators for format name. In
certain cases, access systems must be configured to accept specific facility
codes and some low-end systems may limit acceptable codes to one specific
number. Without knowing this code, credentials are not sure to work.
· Card ID/Serial Number (CSN/UID): In many cases, the ID number is embossed or printed on the card. This number is the 'unique ID' that ties a user to a specific badge. While concurrent numbers are not an issue, redundant numbers are, and the same Card ID and Facility Coded credential cannot be issued twice in the same system. The image below shows.
Interestingly, the Sales Order/Batch Number information printed on the card is often not used by the access system at all and is only printed to assist in researching the origin of the card as shipped to a specific distributor, end user, or dealer.
In some cases, a card vendor or
distributor will 'read' an unknown card for a fee, but turn around times may
take several business days.
Often, the box for
cards currently in production is often the quickest, easiest way to gather
all three pieces of this information, if not a reordering part number, as shown
below:
The ISO/IEC 14443 Division
Very little separates HID's iClass from NXP's MIFARE offerings, and if not for ambiguous interpretation of an ISO standard, they would 'look' the same to most readers. However, because early versions of the standard left room for differentiation, HID and NXP designed their 'compliant' standards with a different encryption structure.
The end result is both versions of credential claim 'ISO 14443 Compliance', but are not entirely interchangeable. To reconcile this difference, ISO revised 14443 to include parts 'A and/or B' to segregate the two offerings. The default, basic serial number of cards is readable in both A & B parts, but any encoded data on the card is unreadable between the two because the original standard left room for implementation ambiguity.
In general, because there is no licensing cost in using 'Part A' standards, many low-cost, non-US target market, and new reader products start here. However, readers marketed specifically in the US or from vendors with a broader global market license use 'Part B' compliance common to HID.
For example, this TSDi reader
supports 14443-A, but not 14443-B, meaning in practical terms in does not
support HID's 13.56 MHz iClass formats, but does support NXP's 13.56 MHz
MIFARE/DESFire formats:
In contrast, HID iClass readers
support both 'A' and 'B' along with the non-ISO specific 'CSN' such that either
type of credentials will work with these readers:
13.56 MHz Smartcard Interoperability
While the 'Part A & B' division
in ISO 14443 separates formats from being the same, it does not always mean
they are unusable with each other. Portions of ISO 14443 are the same in both
parts, including the 'Card Serial Number'. For some access systems, this is the
unique number that identifies unique users, and because this number is not
encoded, it will register in 'non-standard' readers:
· CSN/UID String: Essentially the card's unique
identifier is readable because it is not stored in the deep 'encrypted' media.
Many simple EAC platforms use only this number to define a user, and instead
use the internal database to assign rights, schedules, and privileges.
· Encoded Read/Write: However, the vast majority of storage within the card is encrypted and unreadable unless compliant readers are used. Especially for access systems using the credential itself for storage (e.g.: Salto, Hotel Systems) and for multi-factor authentication (e.g.: biometrics) high security deployments, the simple CSN is not sufficient.
The CSN Loophole
In terms of security, not all credential details are encrypted. The 'Card Serial Number' (defined by ISO standards) for 13.56 MHz cards can often be read regardless of underlying format, modulation method, or encryption. The CSN may be usable as a unique ID by the system, but the full data set of the credential will not be available.
For smaller systems with only a few doors and a hundred or fewer cardholders, using the CSN as the primary ID is common due to the ease of enrollment in using CSNs as unique badge numbers. However, for high-security sites where access identity encryption is required by standard or when credentials are used for multiple integrated systems, using CSNs to identify issued cardholders is often not approved. Rather, the card's encrypted data is required instead.
Form Factor
Credential shapes are not just
limited to cards or fobs. The size and method of hosting a credential can
include stickers, tokens, cell-phone cases, or even jewellery.
The form factor of the credential often is an important consideration in overall durability and service life. For example, while a white PVC card may be ideal to print an ID badge on and hang from a lanyard, it can easily be bent or broken in a rough environment. A key fob, while unsuitable for printing a picture on, is designed to be durable enough to withstand abuse, harsh environment exposures, and even submersion in water.
The right form factor choice should be dictated by the user and the user's environment, and generally, all major credential types have numerous form factor options to suit.
Touchless
Switches
Touchless wall switch makes opening a
door simple and germ free. Blue LED back-lighting highlights the switch at all
times, other than during activation. This provides a visual reference of the
switch’s location in low light conditions. Its low-profile design makes it
blend into your wall.
