Upgrading Your Campus Security with Smart Card Readers? Think Again

Understanding multi-factor authentication and how it can work for your campus

• By Larry Reed
• April 01, 2019

Today, schools’ doors are primarily secured by traditional metal lock ‘n keys and low frequency (aka 125 kHz) card-based access control systems. With the recent media hype about low frequency card readers being easily hacked, schools are now being encouraged to upgrade their low-frequency card readers to higher frequency 13.56 MHz (also known as smart card technology) which are far more difficult to hack. But will smart card technology really improve a school’s security? Are there “smarter” alternatives?

This article discusses the security flaws of smart card technology and how layering security achieves a far safer school environment and better ROI.

Evolution of Access Control Technology

Where did it all begin and where are we today?

Traditional metal lock ‘n key systems. Still today, most doors in schools are secured with a metal lock ‘n key door handle. The primary reason is because metal keys are very cheap and light weight which makes them easy to carry. However, metal keys are also very easy to copy and share with unauthorized parties. It’s also near impossible to know who exactly is in possession of the keys.

If discovered there was an impropriety in the school, lock ‘n key systems don’t provide a door-entry audit trail. So, its near impossible to determine who is guilty of the impropriety (unless you have a surveillance camera pointed at every door in the school and don’t mind searching through hours of recorded video). So how do you address the problem of unauthorized parties copying keys and not having a door-entry audit trail?

Barcode and Magnetic stripe badge readers. These type credentials are cheap while being more difficult to copy than metal keys. Since barcode and magnetic stripe readers work with electronic access control systems, an audit trail is produced which allows security personnel to identify who accessed a door and when. However, just like metal keys, barcode and mag stripe badges can still be shared with unauthorized parties.

Another drawback is that barcode and mag stripe technology is a “friction” technology. The barcode and mag stripe are physically in contact with a reader head each time the badges are read. This leads to the barcodes and stripe becoming worn and unable to be read. The badges become a terrific consumable for the badge supplier but a major headache and recurring expense for the school. So, what comes next?

Low-frequency radio frequency identification (RFID) badges. These type credentials are friction-less and therefore far more durable than the barcode and mag stripe badges. RFID badges have an embedded antenna which emits a radio frequency containing the badge’s unique number. The school’s access control system maintains a database which associates each badge with a user. If the user has door access permission, the door will unlock when the user’s badge is recognized. Due to its low cost and audit trail capability, low-frequency RFID is the most prevalent access control technology used by schools today. However, recently low frequency RFID duplicators have popped up on e-commerce websites. For just $10, anyone can purchase an RFID badge duplicator and make copies of low frequency 125 kHz badges. So, what comes next?

High frequency radio frequency identification (RFID) badges. High-frequency RFID (aka smart card) technology transmits at 13.56 MHz and is extremely difficult to copy/hack. An undeniable advantage of the new smart card technology is the cards (badges) contain a computer chip with storage. Instead of only having a badge number, additional user information can be stored on the badge (i.e. employee name, photo, department, etc.). But is the availability of a low frequency card duplicator truly a security threat to schools?

The makers of high frequency 13.56 MHz RFID technology would certainly have you believing low frequency RFID is a major security threat which needs to be addressed immediately. However, metal keys are far easier to copy yet they’ve been used for decades. Metal keys are used to secure doors in most every home in the world. So, are homeowners all over the world panicking that their metal keys will be copied by intruders planning on breaking into their homes? This is highly doubtful.

The makers of smart card technology are in the business of selling card access readers. In order to sell more card readers, they must create sufficient fear, uncertainty and doubt (FUD) so that customers will upgrade their low frequency RFID readers to smart card technology. If a school has sufficient budget to upgrade their low frequency RFID readers, then why not utilize the highest security technology available today? Consider biometrics.

Biometric Access Control

High-frequency RFID is certainly more difficult to hack than low-frequency RFID, but high-frequency RFID badges can still be lost, stolen, forgotten or misused by unauthorized parties. Conversely, a biometric credential can only be used by the actual person. A finger, face, vein or retina-pattern is unique for every person on earth. Biometrics assures the person attempting door access is who they claim to be. Therefore, a biometric reader is far superior to any badge reader, regardless what frequency it transmits or how much encryption it utilizes. So, can security systems utilizing biometric be further improved upon?

Two-factor authentication. Any one single credential (i.e. password, PIN, badge, fingerprint, face, vein-pattern, iris pattern, etc.) can be compromised. So, what’s the best solution? Two-factor authentication. Most everyone today withdraws money from ATMs by using their bank debit card. So, what prevents a thief who steals someone’s bank card (one credential) from accessing the person’s money? The thief doesn’t know the person’s PIN (second credential). Banks secure their customers’ money by implementing a two-factor authentication money withdrawal system. This added security gives banking customers the confidence to deposit their money in the banks checking accounts.

Likewise, in schools, biometric readers which also have a keypad and/or RFID badge reader is advisable. The least expensive option would be a fingerprint and keypad- only reader. However, if the school is concerned PIN codes will be shared amongst unauthorized users, the school can use fingerprint readers with an integrated RFID badge reader. If the schools have no need for the available storage on high-frequency smart cards, the schools can save money by using a fingerprint reader with a low-frequency 125 kHz badge reader. So, what’s the next level of security which can be achieved?

Multi-factor authentication. It’s highly unlikely any unauthorized party can compromise a fingerprint AND a PIN, or a fingerprint AND a badge. However, for those who are extremely concerned with security, today on the market you can purchase door access readers containing multiple biometric sensors. For instance, ZKTeco designs a single device containing both a fingerprint and a face reader, while also having a keypad and integrated RFID reader (i.e. up to four-factor authentication). For customers preferring convenience, the reader’s face recognition camera provides true hands-free door access control. So, does layering security end at the door? It doesn’t have to.

Layered Security Begins at the Furthest Entry Point

Parking facility. In today’s world, intruders most often arrive by driving a vehicle. If your school has a parking facility, it makes sense first limiting access to your parking facility. License plate recognition (aka LPR) technology can associate a license plate with an authorized user. If the plate is recognized, the parking gate opens and the user’s access is recorded (i.e. audit trail). An alternative to LPR is UHF (ultra-high frequency) tags adhered to the car’s license plate or windshield. ZKTeco has UHF readers which can detect tags from up to 200 feet away.

Reception area. Before you enter an airport terminal, your baggage must first pass through the x-ray scanner. Surprisingly, smaller affordable baggage x-ray scanners on now available on the commercial market for schools to consider installing. While scanning baggage, visitors should also be scanned. Surprisingly, affordable walkthrough metal detectors are also now available to the public, as well. Especially considering all the public shootings taking place in schools and places of worship, the presence of walkthrough metal detectors can act as an excellent deterrent for anyone considering committing acts of violence by using dangerous concealed metal objects.

After visitors successfully pass through x-ray and metal scans, an excellent additional layer of security is a turnstile. Schools can program turnstiles not to release unless a visitor successfully passes through both x-ray and metal scans. So, any other security layers which should be addressed?

Visitors. We’ve addressed how to restrict and record access for authorized users and deny access to unauthorized users. But what about authorized visitors? In the past, most companies receiving visitors would use a pen and paper sign-in sheet. But since pen and paper produces no irrefutable audit trail, many companies are now switching to electronic visitor management systems (aka VMS). When visitors present their credentials, they are electronically entered into the receiving company’s VMS in which an audit trail is produced. However, relying on the visitor to produce their credentials is a risky proposition.

Imposters with phony ID credentials can gain unauthorized access to an office and perpetrate a crime. To prevent imposters from entering the premises, modern VMS systems now incorporate user authentication. For instance, ZKTeco’s VAMS (Visitor Authentication & Management System) enables the meeting host to create a secret QR code which is forwarded to their visitor via a text message or e-mail. Upon arriving at the host’s office, the visitor simply displays the secret QR code on their phone to the host’s security personnel. Once the QR code is scanned and verified, the visitor is permitted access. Without a valid QR code, visitor access is denied.

Support Multi-Authentication

There is no silver bullet when it comes to security. Where there is a will there is a way. A determined bad guy can defeat any one layer of security. Therefore, its essential to layer your security. True, smart card technology is harder to hack than low-frequency RFID. But regardless the frequency or encryption, cards can be lost, stolen or forgotten. Instead, invest in devices which support multi-authentication (i.e. fingerprint and/or face and/or card and/or PIN readers).

Lastly, don’t stop at the door. Secure your parking facility and then look inwards towards your building’s main entry points. Consider affordable baggage X-ray scanners, walkthrough metal detectors, turnstiles and visitor management systems (with user authentication). Choose security solutions which are scalable, integrated and can be managed under a single platform. Get educated on modern security technology and don’t fall for the fear, uncertainty and doubt (FUD).

This article originally appeared in the March/April 2019 issue of Campus Security Today.