|
Categories
Testimonials
HELPFUL! I can not overstate the value of the FingerTec system, it is a wonderfully simple system, yet the process help us organize our payroll and save time.... Best Time clock Bought this time clock about a month ago & never had such a good experience like this , Very simple Software & easy to use .I highly recommend it for... Best unit and best Tech Support I want to take this opportunity to express my opinion about FingerTec, both for the unit and for the USA support.
We, at Paola’s Restaurant in New... The Best Out There I was looking for a good reliable clock, I bought the TA200 my employees loved it, the clock was just great. Easy to setup, easy to use, and the tec... Reliability! If you are looking for hassle free biometric machine, the Face ID 2 is it! We could not be happier with the units that we purchased from Fingertec... |
FACE RECOGNITION MODELFACE ID 2 With one look, you are good to go! Biometric technology is now commercially viable and affordable. FingerTec® USA brings biometrics within your... $945.00  FACE ID 3 The Face ID 3 is our latest revolutionary release! Building on the facial recognition technology, theFace ID 3 uses high quality infrared cameras to... $749.00 FACE ID 4 Face ID 4, the all-new powerful facial recognition terminal from FingerTec provides solid identity verification through contactless biometrics... $699.00 $649.00 Save: 7% off |
- About FingerTec
- Biometric Products
- FAQ's
- Face Recognition
- Access Control
- Time and Attendance
- News/Announcements
- What is Biometrics
Effective Biometric Fingerprint Technology for Less Than You Think
Founded in 2000, FingerTecUSA's goal has been to enhance security and efficiency for businesses using ultra-modern Biometric Fingerprint technology. The science of biometrics has advanced considerably in recent years, and this progress has helped make these technologies more affordable than ever before. What was once the domain of government agencies and large companies is now accessible by small and medium-sized businesses who want to buttress their safety and productivity with quality products from FingerTecUSA.
Why Biometric Security Is the Best Identity Access Solution
Most identity access systems are based on one of three principles - What Do You Have, What Do You Know, and Who Are You. "What Do You Have" refers to something a person carries, like a card or key. "What Do You Know" involves a passcode or PIN, while "Who Are You" requires some sort of physical evidence. Of these three, "Who Are You" is the most secure, and is what FingerTecUSA is all about. Face recognition and related systems all point to the same immutable truth - it's impossible for you to become someone else! And unlike cards or keys, you can never lose your fingerprints, irises or voice.
Use Identity Access, Time Clock Systems, and More to Help Your Business
Protect access to your business as never before with the incredible FingerTec M2 Access Control Model. This amazing device incorporates biometric finger and RFID/MIFARE card systems for verification, is equipped with USB for easy data transfer, can be programmed to trigger alarm systems, and is virtually weatherproof. Stop depending on outdated time card machines and streamline your workforce productivity with the FingerTec TimeLine 100. Whether you have 10 employees or 10,000, this machine can store your employees' information and is an indispensible tool for attendance tracking and monitoring. Shop with confidence at FingerTecUSA knowing that we stand behind our products with a one-year warranty and world class service. Our mission is to help our customers realize the full potential of face recognition and biometric fingerprint technology, keeping your company safe and running smoothly.
Biometric Time and Attendance Clocks
- TIME ATTENDANCE MODEL
- FACE RECOGNITION MODEL
- MULTIMEDIA MODEL
- ACCESS CONTROL MODEL
- RFID CARD MODEL
- DOOR LOCK MODEL
- ONLINE IDENTIFICATION
- SOFTWARE
- SUPPORT & TRAINING
- ACCESSORIES
Biometric fingerprint machines
Biometric system
time clock
time clocks
fingerprint time clocks
time clock systems
time attendance clocks
employee time clocks
biometric time and attendance machine
biometric clock time
biometric time clocks
electronic time clock
time clock software
time clock system
time clocks for small business
time clocks software
biometric time
payroll time clock
pc time clock software
time and attendance clock
payroll time clock software
employee time clocks
biometric time and
attendance
biometric clock time
biometric time clocks
electronic time clock
time clock software
time clock system
time clocks for small business
time clocks software
1. Is fingerprinting technology harmful to your
health?
There is no evidence to support that fingerprinting technology can impose a negative effect to your health. The methods of capturing fingerprint templates are safe, and non-intrusive to the users.
Yes, in fact it enhances your privacy by providing a combination of encryption and biometrics functionality. Fingerprinting technology works by YOU ARE YOU concept, thus requiring your presence in every transaction involving yourself. Not like token such as cards and keys, fingerprint cannot be duplicated, lend, or stolen.
As long as the epidermic layer (the outer layer) is not badly damaged, the wound will return to its original shape once the wound recovers. If otherwise, the left scar will be treated as unique characteristic of your finger.
No. The fingerprint image is not stored using the graphic format, instead the minutiea is captured and calculated using the algorithm concept before the mathematical data is stored as uniquely yours. The fingerprint obtained from other source will not be recognized as life finger is needed for verification.
1:1 is verification with PIN where users need to key-in their PIN before placing their finger on the device. The device compares the call-up template with the live finger to verify. 1:N is identification without PIN which means that the device will search among the database to find the template which suits the live finger being presented.
According to the biometric market research, the most popular biometrics is fingerprint. This is due to the fact that the methods of fingerprint verification is less intrusive, less complicated, the device is smaller, and users have more choices of fingers.
It is true that DNA can produce the most accurate form of biometrics. Nevertheless, the source of DNA is easily acquired, making DNA the most unsafe type of biometrics for security.
No! FingerTec only detects live finger, as the sensor detects the moisture and the temperature from a live finger for verification. Chopped or detached finger loses its heat and moist in a very short period of time, therefore cannot be used in FingerTec USA.
A user can use any of the ten fingers in FingerTec. Nevertheless, we recommend index and thumb as minutiae from these finger are easily captured as compared to the other fingers.
This is to avoid long verification time for users. For 1:N, the template is not call-up prior to the comparison with the live finger. The live finger will be compared to all the database until the matching template is found. Therefore, should the number of template increases, the searching time increases and this would lengthen the verification time.
That is not a problem. FingerTec is designed to suit different level of user's flexibility and requirements. If verification is a problem for you, we have already prepared other features such as ID pass through where you need to key in your ID only, or ID plus password, or we could lower the threshold settings.
Don't worry. FingerTec is equipped with back-up battery to prepare for any power failure case. Nevertheless, this back-up battery can last only for a few hours and steps need to be taken to ensure safety of your premises within these few hours should the power supply does not resume.
Yes, as long as the other security system is using Wiegand 26-bits language. Therefore, FingerTec can be used as a complimentary system on top of being the main security system for a place.
Yes you can by adjusting security threshold, and multi-verification features. FingerTec offers security threshold from 0 (the lowest) to 10 (the highest), while multi-verification needs two templates for verification instead of one. For places requiring tighter security, you may increase the security threshold or using the multi-verification feature.
The registered templates are stored in the respective readers. Nevertheless, these templates can be downloaded and compiled in the central monitoring system using FingerTec Management System Software. The data also can be uploaded to other required readers when needed to avoid work duplication.
The fingerprint templates in FingerTec can only be deleted by Administrator and Enroller. If the template is removed from any one of FingerTec readers, the stored templates in the FingerTec Management System will not be deleted. To delete all templates, you need to delete it from the FMS.
Not at all. FingerTec is a standalone unit which can also work in a network environment. Thus, it does not need the installation of a separate controller. FingerTec also does not cards or keys to operate and this lessen the hidden cost and maintenance of FingerTec. In the long run, FingerTec saves money in many ways.
There is no evidence to support that fingerprinting technology can impose a negative effect to your health. The methods of capturing fingerprint templates are safe, and non-intrusive to the users.
2. Does fingerprinting technology secure your privacy?
Yes, in fact it enhances your privacy by providing a combination of encryption and biometrics functionality. Fingerprinting technology works by YOU ARE YOU concept, thus requiring your presence in every transaction involving yourself. Not like token such as cards and keys, fingerprint cannot be duplicated, lend, or stolen.
3. Would I be able to log on with an injured finger?
As long as the epidermic layer (the outer layer) is not badly damaged, the wound will return to its original shape once the wound recovers. If otherwise, the left scar will be treated as unique characteristic of your finger.
4. Can fingerprint image be duplicated?
No. The fingerprint image is not stored using the graphic format, instead the minutiea is captured and calculated using the algorithm concept before the mathematical data is stored as uniquely yours. The fingerprint obtained from other source will not be recognized as life finger is needed for verification.
5. What is 1:1 (one-to-one) and 1:N (one-to-many) verification?
1:1 is verification with PIN where users need to key-in their PIN before placing their finger on the device. The device compares the call-up template with the live finger to verify. 1:N is identification without PIN which means that the device will search among the database to find the template which suits the live finger being presented.
6. Which is the most popular biometrics?
According to the biometric market research, the most popular biometrics is fingerprint. This is due to the fact that the methods of fingerprint verification is less intrusive, less complicated, the device is smaller, and users have more choices of fingers.
7. DNA is known as the most accurate form of biometrics, why is it not widely used for security?
It is true that DNA can produce the most accurate form of biometrics. Nevertheless, the source of DNA is easily acquired, making DNA the most unsafe type of biometrics for security.
8. Can a detached finger be used in FingerTec USA?
No! FingerTec only detects live finger, as the sensor detects the moisture and the temperature from a live finger for verification. Chopped or detached finger loses its heat and moist in a very short period of time, therefore cannot be used in FingerTec USA.
9. Which is the recommended finger to be used in FingerTec?
A user can use any of the ten fingers in FingerTec. Nevertheless, we recommend index and thumb as minutiae from these finger are easily captured as compared to the other fingers.
10. Why is it that I:N users be limited to certain number of users?
This is to avoid long verification time for users. For 1:N, the template is not call-up prior to the comparison with the live finger. The live finger will be compared to all the database until the matching template is found. Therefore, should the number of template increases, the searching time increases and this would lengthen the verification time.
11. What if FingerTec cannot verify my finger at all?
That is not a problem. FingerTec is designed to suit different level of user's flexibility and requirements. If verification is a problem for you, we have already prepared other features such as ID pass through where you need to key in your ID only, or ID plus password, or we could lower the threshold settings.
12. In case of a power failure, what happen to FingerTec?
Don't worry. FingerTec is equipped with back-up battery to prepare for any power failure case. Nevertheless, this back-up battery can last only for a few hours and steps need to be taken to ensure safety of your premises within these few hours should the power supply does not resume.
13. Can FingerTec integrate with other security systems?
Yes, as long as the other security system is using Wiegand 26-bits language. Therefore, FingerTec can be used as a complimentary system on top of being the main security system for a place.
14. Can I adjust the level of security using FingerTec?
Yes you can by adjusting security threshold, and multi-verification features. FingerTec offers security threshold from 0 (the lowest) to 10 (the highest), while multi-verification needs two templates for verification instead of one. For places requiring tighter security, you may increase the security threshold or using the multi-verification feature.
15. Where is the fingerprint templates stored if the registration done using FingerTec?
The registered templates are stored in the respective readers. Nevertheless, these templates can be downloaded and compiled in the central monitoring system using FingerTec Management System Software. The data also can be uploaded to other required readers when needed to avoid work duplication.
16. Can the registered fingerprint templates be easily deleted from FingerTec?
The fingerprint templates in FingerTec can only be deleted by Administrator and Enroller. If the template is removed from any one of FingerTec readers, the stored templates in the FingerTec Management System will not be deleted. To delete all templates, you need to delete it from the FMS.
17. Is FingerTec expensive as compared to the card system?
Not at all. FingerTec is a standalone unit which can also work in a network environment. Thus, it does not need the installation of a separate controller. FingerTec also does not cards or keys to operate and this lessen the hidden cost and maintenance of FingerTec. In the long run, FingerTec saves money in many ways.
Biometric Facial Recognition
The image may not always be verified or identified in facial recognition alone. Identix® has created a new product to help with precision. The development of FaceIt®Argus uses skin biometrics, the uniqueness of skin texture, to yield even more accurate results.
Surface Texture Analysis
The surface texture analysis (STA) algorithm operates on the top percentage of results as determined by the local feature analysis. STA creates a skinprint and performs either a 1:1 or 1:N match depending on whether you're looking for verification or identification.
The process, called Surface Texture Analysis, works much the same way facial recognition does. A picture is taken of a patch of skin, called a skinprint. That patch is then broken up into smaller blocks. Using algorithms to turn the patch into a mathematical, measurable space, the system will then distinguish any lines, pores and the actual skin texture. It can identify differences between identical twins, which is not yet possible using facial recognition software alone. According to FingerTecUSA, by combining facial recognition with surface texture analysis, accurate identification can increase by 20 to 25 percent.
FaceIt currently uses three different templates to confirm or identify the subject: vector, local feature analysis and surface texture analysis.
* The vector template is very small and is used for rapid searching over the entire database primarily for one-to-many searching.
* The local feature analysis (LFA) template performs a secondary search of ordered matches following the vector template.
* The surface texture analysis (STA) is the largest of the three. It performs a final pass after the LFA template search, relying on the skin features in the image, which contains the most detailed information.
By combining all three templates, FaceIt® has an advantage over other systems. It is relatively insensitive to changes in expression, including blinking, frowning or smiling and has the ability to compensate for mustache or beard growth and the appearance of eyeglasses. The system is also uniform with respect to race and gender.
Poor lighting can make it more difficult for facial recognition software to verify or identify someone.
However, it is not a perfect system. There are some factors that could get in the way of recognition, including:
* Significant glare on eyeglasses or wearing sunglasses
* Long hair obscuring the central part of the face
* Poor lighting that would cause the face to be over- or under-exposed
* Lack of resolution (image was taken too far away)
FingerTecUSA is the #1 facial recognition systems company. While most work the same way FaceIt does, there are some variations. For example, a company called Animetrix, Inc. has a product called FACEngine ID® SetLight that can correct lighting conditions that cannot normally be used, reducing the risk of false matches. Sensible Vision, Inc. has a product that can secure a computer using facial recognition. The computer will only power on and stay accessible as long as the correct user is in front of the screen. Once the user moves out of the line of sight, the computer is automatically secured from other users.
Due to these strides in technology, facial and skin recognition systems are more widely used than just a few years ago. In the next section, we'll look at where and how they are being used and what's in store for the future.
The image may not always be verified or identified in facial recognition alone. Identix® has created a new product to help with precision. The development of FaceIt®Argus uses skin biometrics, the uniqueness of skin texture, to yield even more accurate results.
Surface Texture Analysis
The surface texture analysis (STA) algorithm operates on the top percentage of results as determined by the local feature analysis. STA creates a skinprint and performs either a 1:1 or 1:N match depending on whether you're looking for verification or identification.
The process, called Surface Texture Analysis, works much the same way facial recognition does. A picture is taken of a patch of skin, called a skinprint. That patch is then broken up into smaller blocks. Using algorithms to turn the patch into a mathematical, measurable space, the system will then distinguish any lines, pores and the actual skin texture. It can identify differences between identical twins, which is not yet possible using facial recognition software alone. According to FingerTecUSA, by combining facial recognition with surface texture analysis, accurate identification can increase by 20 to 25 percent.
FaceIt currently uses three different templates to confirm or identify the subject: vector, local feature analysis and surface texture analysis.
* The vector template is very small and is used for rapid searching over the entire database primarily for one-to-many searching.
* The local feature analysis (LFA) template performs a secondary search of ordered matches following the vector template.
* The surface texture analysis (STA) is the largest of the three. It performs a final pass after the LFA template search, relying on the skin features in the image, which contains the most detailed information.
By combining all three templates, FaceIt® has an advantage over other systems. It is relatively insensitive to changes in expression, including blinking, frowning or smiling and has the ability to compensate for mustache or beard growth and the appearance of eyeglasses. The system is also uniform with respect to race and gender.
Poor lighting can make it more difficult for facial recognition software to verify or identify someone.
However, it is not a perfect system. There are some factors that could get in the way of recognition, including:
* Significant glare on eyeglasses or wearing sunglasses
* Long hair obscuring the central part of the face
* Poor lighting that would cause the face to be over- or under-exposed
* Lack of resolution (image was taken too far away)
FingerTecUSA is the #1 facial recognition systems company. While most work the same way FaceIt does, there are some variations. For example, a company called Animetrix, Inc. has a product called FACEngine ID® SetLight that can correct lighting conditions that cannot normally be used, reducing the risk of false matches. Sensible Vision, Inc. has a product that can secure a computer using facial recognition. The computer will only power on and stay accessible as long as the correct user is in front of the screen. Once the user moves out of the line of sight, the computer is automatically secured from other users.
Due to these strides in technology, facial and skin recognition systems are more widely used than just a few years ago. In the next section, we'll look at where and how they are being used and what's in store for the future.
Access control is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.
Access control is, in reality, an everyday phenomenon. A lock on a car door is essentially a form of access control. A PIN on an ATM system at a bank is another means of access control. Bouncers standing in front of a night club is perhaps a more primitive mode of access control (given the evident lack of information technology involved). The possession of access control is of prime importance when persons seek to secure important, confidential, or sensitive information and equipment.
Item control or electronic key management is an area within (and possibly integrated with) an access control system which concerns the managing of possession and location of small assets or physical (mechanical) keys.
Physical access
Underground entrance to the New York City Subway system Physical access by a person may be allowed depending on payment, authorization, etc. Also there may be one-way traffic of people. These can be enforced by personnel such as a border guard, a doorman, a ticket checker, etc., or with a device such as a turnstile. There may be fences to avoid circumventing this access control. An alternative of access control in the strict sense (physically controlling access itself) is a system of checking authorized presence, see e.g. Ticket controller (transportation). A variant is exit control, e.g. of a shop (checkout) or a country. In physical security, the term access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through technological means such as access control systems like the Access control vestibule. Within these environments, physical key management may also be employed as a means of further managing and monitoring access to mechanically keyed areas or access to certain small assets.
Physical access control is a matter of who, where, and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit. Historically this was partially accomplished through keys and locks. When a door is locked only someone with a key can enter through the door depending on how the lock is configured. Mechanical locks and keys do not allow restriction of the key holder to specific times or dates. Mechanical locks and keys do not provide records of the key used on any specific door and the keys can be easily copied or transferred to an unauthorized person. When a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks must be re-keyed. Electronic access control uses computers to solve the limitations of mechanical locks and keys. A wide range of credentials can be used to replace mechanical keys. The electronic access control system grants access based on the credential presented. When access is granted, the door is unlocked for a predetermined time and the transaction is recorded. When access is refused, the door remains locked and the attempted access is recorded. The system will also monitor the door and alarm if the door is forced open or held open too long after being unlocked. Access control system operation
When a credential is presented to a reader, the reader sends the credential’s information, usually a number, to a control panel, a highly reliable processor. The control panel compares the credential's number to an access control list, grants or denies the presented request, and sends a transaction log to a database. When access is denied based on the access control list, the door remains locked. If there is a match between the credential and the access control list, the control panel operates a relay that in turn unlocks the door. The control panel also ignores a door open signal to prevent an alarm. Often the reader provides feedback, such as a flashing red LED for an access denied and a flashing green LED for an access granted. The above description illustrates a single factor transaction. Credentials can be passed around, thus subverting the access control list. For example, Alice has access rights to the server room but Bob does not. Alice either gives Bob her credential or Bob takes it; he now has access to the server room. To prevent this, two-factor authentication can be used. In a two factor transaction, the presented credential and a second factor are needed for access to be granted; another factor can be a PIN, a second credential, operator intervention, or a biometric input. There are three types (factors) of authenticating information:
something the user knows, eg a password, pass-phrase or PIN
something the user has, such as smart card
something the user is, such as fingerprint, verified by biometric measurement
Passwords are a common means of verifying a user's identity before access is given to information systems. In addition, a fourth factor of authentication is now recognized: someone you know, where another person who knows you can provide a human element of authentication in situations where systems have been set up to allow for such scenarios. For example, a user may have their password, but have forgotten their smart card. In such a scenario, if the user is known to designated cohorts, the cohorts may provide their smart card and password in combination with the extant factor of the user in question and thus provide two factors for the user with missing credential, and three factors overall to allow access. Credential
A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being, that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something you know (such as number or PIN), something you have (such as an access badge), something you are (such as a biometric feature) or some combination of these items. The typical credential is an access card, key fob, or other key. There are many card technologies including magnetic stripe, bar code, Wiegand, 125 kHz proximity, 26 bit card-swipe, contact smart cards, and contactless smart cards. Also available are key-fobs which are more compact than ID cards and attach to a key ring. Typical biometric technologies include fingerprint, facial recognition, iris recognition, retinal scan, voice, and hand geometry. Access control system components
An access control point, which can be a door, turnstile, parking gate, elevator, or other physical barrier where granting access can be electronically controlled. Typically the access point is a door. An electronic access control door can contain several elements. At its most basic there is a stand-alone electric lock. The lock is unlocked by an operator with a switch. To automate this, operator intervention is replaced by a reader. The reader could be a keypad where a code is entered, it could be a card reader, or it could be a biometric reader. Readers do not usually make an access decision but send a card number to an access control panel that verifies the number against an access list. To monitor the door position a magnetic door switch is used. In concept the door switch is not unlike those on refrigerators or car doors. Generally only entry is controlled and exit is uncontrolled. In cases where exit is also controlled a second reader is used on the opposite side of the door. In cases where exit is not controlled, free exit, a device called a request-to-exit (RTE) is used. Request-to-exit devices can be a pushbutton or a motion detector. When the button is pushed or the motion detector detects motion at the door, the door alarm is temporarily ignored while the door is opened. Exiting a door without having to electrically unlock the door is called mechanical free egress. This is an important safety feature. In cases where the lock must be electrically unlocked on exit, the request-to-exit device also unlocks the door.
Access control topology
Typical access control door wiring
Access control door wiring when using intelligent readers
Access control decisions are made by comparing the credential to an access control list. This lookup can be done by a host or server, by an access control panel, or by a reader. The development of access control systems has seen a steady push of the lookup out from a central host to the edge of the system, or the reader. The predominate topology circa 2009 is hub and spoke with a control panel as the hub and the readers as the spokes. The lookup and control functions are by the control panel. The spokes communicate through a serial connection; usually RS485. Some manufactures are pushing the decision making to the edge by placing a controller at the door. The controllers are IP enabled and connect to a host and database using standard networks.
Types of readers Access control readers may be classified by functions they are able to perform:
Basic (non-intelligent) readers: simply read card number or PIN and forward it to a control panel. In case of biometric identification, such readers output ID number of a user. Typically Wiegand protocol is used for transmitting data to the control panel, but other options such as RS-232, RS-485 and Clock/Data are not uncommon. This is the most popular type of access control readers. Examples of such readers are RF Tiny by RFLOGICS, ProxPoint by HID, and P300 by Farpointe Data. Semi-intelligent readers: have all inputs and outputs necessary to control door hardware (lock, door contact, exit button), but do not make any access decisions. When a user presents a card or enters PIN, the reader sends information to the main controller and waits for its response. If the connection to the main controller is interrupted, such readers stop working or function in a degraded mode. Usually semi-intelligent readers are connected to a control panel via an RS-485 bus. Examples of such readers are InfoProx Lite IPL200 by CEM Systems and AP-510 by Apollo. Intelligent readers: have all inputs and outputs necessary to control door hardware, they also have memory and processing power necessary to make access decisions independently. Same as semi-intelligent readers they are connected to a control panel via an RS-485 bus. The control panel sends configuration updates and retrieves events from the readers. Examples of such readers could be InfoProx IPO200 by CEM Systems and AP-500 by Apollo. There is also a new generation of intelligent readers referred to as "IP readers". Systems with IP readers usually do not have traditional control panels and readers communicate directly to PC that acts as a host. Examples of such readers are PowerNet IP Reader by Isonas Security Systems, ID08 by Solus has the built in webservice to make it user friendly, Edge ER40 reader by HID Global, LogLock and UNiLOCK by ASPiSYS Ltd, and BioEntry Plus reader by Suprema Inc. Some readers may have additional features such as LCD and function buttons for data collection purposes (i.e. clock-in/clock-out events for attendance reports), camera/speaker/microphone for intercom, and smart card read/write support. Access control readers may also be classified by the type of identification technology.
Access control system topologies
Access control system using serial controllers
1. Serial controllers. Controllers are connected to a host PC via a serial RS-485 communication line (or via 20mA current loop in some older systems). External RS-232/485 converters or internal RS-485 cards have to be installed as standard PCs do not have RS-485 communication ports. In larger systems multi-port serial IO boards are used, Digi International being one of most popular options. Advantages: RS-485 standard allows long cable runs, up to 4000 feet (1200 m) Relatively short response time. The maximum number of devices on an RS-485 line is limited to 32, which means that the host can frequently request status updates from each device and display events almost in real time. High reliability and security as the communication line is not shared with any other systems.
Disadvantages:
RS-485 does not allows Star-type wiring unless splitters are used RS-485 is not well suited for transferring large amounts of data (i.e. configuration and users). The highest possible throughput is 115.2 kbit/s, but in most system it is downgraded to 56.2 kbit/s or less to increase reliability. RS-485 does not allow host PC to communicate with several controllers connected to the same port simultaneously. Therefore in large systems transfers of configuration and users to controllers may take a very long time and interfere with normal operations. Controllers cannot initiate communication in case of an alarm. The host PC acts as a master on the RS-485 communication line and controllers have to wait till they are polled. Special serial switches are required in order to build a redundant host PC setup. Separate RS-485 lines have to be installed instead of using an already existing network infrastructure. Cable that meets RS-485 standards is significantly more expensive than the regular Category 5 UTP network cable. Operation of the system is highly dependent on the host PC. In case the host PC fails, events from controllers are not retrieved and functions that required interaction between controllers (i.e. anti-passback) stop working.
Access control system using serial main and sub-controllers
2. Serial main and sub-controllers. All door hardware is connected to sub-controllers (a.k.a. door controllers or door interfaces). Sub-controllers usually do not make access decisions, and forward all requests to the main controllers. Main controllers usually support from 16 to 32 sub-controllers. Advantages: Work load on the host PC is significantly reduced, because it only needs to communicate with a few main controllers. The overall cost of the system is lower, as sub-controllers are usually simple and inexpensive devices. All other advantages listed in the first paragraph apply.
Access control system using serial main controller and intelligent readers
3. Serial main controllers & intelligent readers. All door hardware is connected directly to intelligent or semi-intelligent readers. Readers usually do not make access decisions, and forward all requests to the main controller. Only if the connection to the main controller is unavailable, the readers use their internal database to make access decisions and record events. Semi-intelligent reader that have no database and cannot function without the main controller should be used only in areas that do not require high security. Main controllers usually support from 16 to 64 readers. All advantages and disadvantages are the same as the ones listed in the second paragraph. Access control systems using serial controllers and terminal servers
4. Serial controllers with terminal servers. In spite of the rapid development and increasing use of computer networks, access control manufacturers remained conservative and did not rush to introduce network-enabled products. When pressed for solutions with network connectivity, many chose the option requiring less efforts: addition of a terminal server, a device that converts serial data for transmission via LAN or WAN. Terminal servers manufactured by Lantronix and Tibbo Technology are popular in the security industry. Advantages: Allows utilizing existing network infrastructure for connecting separate segments of the system.
Provides convenient solution in cases when installation of an RS-485 line would be difficult or impossible.
Disadvantages:
Increases complexity of the system.
Creates additional work for installers: usually terminal servers have to be configured independently, not through the interface of the access control software. Serial communication link between the controller and the terminal server acts as a bottleneck: even though the data between the host PC and the terminal server travels at the 10/100/1000Mbit/s network speed it then slows down to the serial speed of 112.5 kbit/s or less. There are also additional delays introduced in the process of conversion between serial and network data. All RS-485-related advantages and disadvantages also apply.
Access control system using network-enabled main controllers
5. Network-enabled main controllers. The topology is nearly the same as described in the second and third paragraphs. The same advantages and disadvantages apply, but the on-board network interface offers a couple valuable improvements. Transmission of configuration and users to the main controllers is faster and may be done in parallel. This makes the system more responsive and does not interrupt normal operations. No special hardware is required in order to achieve redundant host PC setup: in case the primary host PC fails, the secondary host PC may start polling network controllers. The disadvantages introduced by terminal servers (listed in the fourth paragraph) are also eliminated.
Access control system using IP controllers
6. IP controllers. Controllers are connected to a host PC via Ethernet LAN or WAN. Advantages: An existing network infrastructure is fully utilized, there is no need to install new communication lines. There are no limitations regarding the number of controllers (32 per line in case of RS-485).
Special RS-485 installation, termination, grounding and troubleshooting knowledge is not required.
Communication with controllers may be done at the full network speed, which is important if transferring a lot of data (databases with thousands of users, possibly including biometric records). In case of an alarm controllers may initiate connection to the host PC. This ability is important in large systems because it allows to reduce network traffic caused by unnecessary polling. Simplifies installation of systems consisting of multiple sites separated by large distances. Basic Internet link is sufficient to establish connections to remote locations. Wide selection of standard network equipment is available to provide connectivity in different situations (fiber, wireless, VPN, dual path, PoE)
Access control system using IP readers
7. IP readers. Readers are connected to a host PC via Ethernet LAN or WAN.
Advantages:
Most IP readers are PoE capable. This feature makes it very easy to provide battery backed power to the entire system, including the locks and various types of detectors (if used). IP readers eliminate the need for controller enclosures. There is no wasted capacity when using IP readers (i.e. a 4-door controller would have 25% unused capacity if it was controlling only 3 doors). IP reader systems scale easily: there is no need to install new main or sub-controllers. Failure of one IP reader does not affect any other readers in the system.
Security risks
Access control door wiring when using intelligent readers and IO module
The most common security risk of intrusion of an access control system is simply following a legitimate user through a door. Often the legitimate user will hold the door for the intruder. This risk can be minimized through security awareness training of the user population or more active means such as turnstiles. In very high security applications this risk is minimized by using a sally port, sometimes called a security vestibule or mantrap where operator intervention is required presumably to assure valid identification. The second most common risk is from levering the door open. This is surprisingly simple and effective on most doors. The lever could be as small as a screw driver or big as a crow bar. Fully implemented access control systems include forced door monitoring alarms. These vary in effectiveness usually failing from high false positive alarms, poor database configuration, or lack of active intrusion monitoring. Similar to levering is crashing through cheap partition walls. In shared tenant spaces the demisal wall is a vulnerability. Along the same lines is breaking sidelights. Spoofing locking hardware is fairly simple and more elegant than levering. A strong magnet can operate the solenoid controlling bolts in electric locking hardware. Motor locks, more prevalent in Europe than in the US, are also susceptible to this attack using a donut shaped magnet. It is also possible to manipulate the power to the lock either by removing or adding current. Access cards themselves have proven vulnerable to sophisticated attacks. Enterprising hackers have built portable readers that capture the card number from a user’s proximity card. The hacker simply walks by the user, reads the card, and then presents the number to a reader securing the door. This is possible because card numbers are sent in the clear, no encryption being used. Finally, most electric locking hardware still have mechanical keys as a failover. Mechanical key locks are vulnerable to bumping.
The need-to-know principle
The need to know principle can be enforced with user access controls and authorization procedures and its objective is to ensure that only authorized individuals gain access to information or systems necessary to undertake their duties. See Principle_of_least_privilege.
Computer security
In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems. In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects (see also Access Control Matrix). Subjects and objects should both be considered as software entities and as human users[1]. Although some systems equate subjects with user IDs, so that all processes started by a user by default have the same authority, this level of control is not fine-grained enough to satisfy the Principle of least privilege, and arguably is responsible for the prevalence of malware in such systems (see computer insecurity). In some models, for example the object-capability model, any software entity can potentially act as both a subject and object.
Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs). In a capability-based model, holding an unforgeable reference or capability to an object provides access to the object (roughly analogous to how possession of your house key grants you access to your house); access is conveyed to another party by transmitting such a capability over a secure channel. In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object (roughly analogous to how a bouncer at a private party would check your ID to see if your name is on the guest list); access is conveyed by editing the list. (Different ACL systems have a variety of different conventions regarding who or what is responsible for editing the list and how it is edited.) Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject). Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where: identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did. [edit]Identification and authentication (I&A) Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that makes an assertion or claim of identity. The I&A process assumes that there was an initial validation of the identity, commonly called identity proofing. Various methods of identity proofing are available ranging from in person validation using government issued identification to anonymous methods that allow the claimant to remain anonymous, but known to the system if they return. The method used for identity proofing and validation should provide an assurance level commensurate with the intended use of the identity within the system. Subsequently, the entity asserts an identity together with an authenticator as a means for validation. The only requirements for the identifier is that it must be unique within its security domain. Authenticators are commonly based on at least one of the following four factors: Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account. Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account. Something you are, such as fingerprint, voice, retina, or iris characteristics. Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.
Authorization
Authorization applies to subjects. Authorization determines what a subject can do on the system. Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:
List directory contents
The subject can change the contents of a file or directory with the following tasks:
Execute (X): If the file is a program, the subject can cause the program to be run. (In Unix systems, the 'execute' permission doubles as a 'traverse directory' permission when granted for a directory.) These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC). [edit]Accountability Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for Detecting security violations Re-creating security incidents If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence. Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following: More than three failed logon attempts in a given period Any attempt to use a disabled user account These reports help a system administrator or security administrator to more easily identify possible break-in attempts.
Access control techniques
Access control techniques are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). MAC and RBAC are both non-discretionary. [edit]Attribute-based access control In attribute-based access control (ABAC), access is granted not based on the rights of the subject associated with a user after authentication, but based on attributes of the user. The user has to prove so called claims about his attributes to the access control engine. An attribute-based access control policy specifies which claims need to satisfied in order to grant access to an object. For instance the claim could be "older than 18" . Any user that can prove this claim is granted access. Users can be anonymous as authentication and identification are not strictly required. One does however require means for proving claims anonymously. This can for instance be achieved using anonymous credentials or XACML (extensible access control markup language). [edit]Discretionary access control Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have. Two important concepts in DAC are File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner. Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources. Access controls may be discretionary in ACL-based or capability-based access control systems. (In capability-based systems, there is usually no explicit concept of 'owner', but the creator of an object has a similar degree of control over its access policy.) [edit]Mandatory access control Mandatory access control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects. Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object. Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times. Two methods are commonly used for applying mandatory access control: Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object. All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching: An object's sensitivity label A subject's sensitivity label Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object. Few systems implement MAC; XTS-400 is an example of one that does. The computer system at the company in the movie Tron is an example of MAC in popular culture. [edit]Role-based access control Role-based access control (RBAC) is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control. Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions. Three primary rules are defined for RBAC:
Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized. Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles. Most IT vendors offer RBAC in one or more products.
Physical access
Underground entrance to the New York City Subway system Physical access by a person may be allowed depending on payment, authorization, etc. Also there may be one-way traffic of people. These can be enforced by personnel such as a border guard, a doorman, a ticket checker, etc., or with a device such as a turnstile. There may be fences to avoid circumventing this access control. An alternative of access control in the strict sense (physically controlling access itself) is a system of checking authorized presence, see e.g. Ticket controller (transportation). A variant is exit control, e.g. of a shop (checkout) or a country. In physical security, the term access control refers to the practice of restricting entrance to a property, a building, or a room to authorized persons. Physical access control can be achieved by a human (a guard, bouncer, or receptionist), through mechanical means such as locks and keys, or through technological means such as access control systems like the Access control vestibule. Within these environments, physical key management may also be employed as a means of further managing and monitoring access to mechanically keyed areas or access to certain small assets.
Physical access control is a matter of who, where, and when. An access control system determines who is allowed to enter or exit, where they are allowed to exit or enter, and when they are allowed to enter or exit. Historically this was partially accomplished through keys and locks. When a door is locked only someone with a key can enter through the door depending on how the lock is configured. Mechanical locks and keys do not allow restriction of the key holder to specific times or dates. Mechanical locks and keys do not provide records of the key used on any specific door and the keys can be easily copied or transferred to an unauthorized person. When a mechanical key is lost or the key holder is no longer authorized to use the protected area, the locks must be re-keyed. Electronic access control uses computers to solve the limitations of mechanical locks and keys. A wide range of credentials can be used to replace mechanical keys. The electronic access control system grants access based on the credential presented. When access is granted, the door is unlocked for a predetermined time and the transaction is recorded. When access is refused, the door remains locked and the attempted access is recorded. The system will also monitor the door and alarm if the door is forced open or held open too long after being unlocked. Access control system operation
When a credential is presented to a reader, the reader sends the credential’s information, usually a number, to a control panel, a highly reliable processor. The control panel compares the credential's number to an access control list, grants or denies the presented request, and sends a transaction log to a database. When access is denied based on the access control list, the door remains locked. If there is a match between the credential and the access control list, the control panel operates a relay that in turn unlocks the door. The control panel also ignores a door open signal to prevent an alarm. Often the reader provides feedback, such as a flashing red LED for an access denied and a flashing green LED for an access granted. The above description illustrates a single factor transaction. Credentials can be passed around, thus subverting the access control list. For example, Alice has access rights to the server room but Bob does not. Alice either gives Bob her credential or Bob takes it; he now has access to the server room. To prevent this, two-factor authentication can be used. In a two factor transaction, the presented credential and a second factor are needed for access to be granted; another factor can be a PIN, a second credential, operator intervention, or a biometric input. There are three types (factors) of authenticating information:
something the user knows, eg a password, pass-phrase or PIN
something the user has, such as smart card
something the user is, such as fingerprint, verified by biometric measurement
Passwords are a common means of verifying a user's identity before access is given to information systems. In addition, a fourth factor of authentication is now recognized: someone you know, where another person who knows you can provide a human element of authentication in situations where systems have been set up to allow for such scenarios. For example, a user may have their password, but have forgotten their smart card. In such a scenario, if the user is known to designated cohorts, the cohorts may provide their smart card and password in combination with the extant factor of the user in question and thus provide two factors for the user with missing credential, and three factors overall to allow access. Credential
A credential is a physical/tangible object, a piece of knowledge, or a facet of a person's physical being, that enables an individual access to a given physical facility or computer-based information system. Typically, credentials can be something you know (such as number or PIN), something you have (such as an access badge), something you are (such as a biometric feature) or some combination of these items. The typical credential is an access card, key fob, or other key. There are many card technologies including magnetic stripe, bar code, Wiegand, 125 kHz proximity, 26 bit card-swipe, contact smart cards, and contactless smart cards. Also available are key-fobs which are more compact than ID cards and attach to a key ring. Typical biometric technologies include fingerprint, facial recognition, iris recognition, retinal scan, voice, and hand geometry. Access control system components
An access control point, which can be a door, turnstile, parking gate, elevator, or other physical barrier where granting access can be electronically controlled. Typically the access point is a door. An electronic access control door can contain several elements. At its most basic there is a stand-alone electric lock. The lock is unlocked by an operator with a switch. To automate this, operator intervention is replaced by a reader. The reader could be a keypad where a code is entered, it could be a card reader, or it could be a biometric reader. Readers do not usually make an access decision but send a card number to an access control panel that verifies the number against an access list. To monitor the door position a magnetic door switch is used. In concept the door switch is not unlike those on refrigerators or car doors. Generally only entry is controlled and exit is uncontrolled. In cases where exit is also controlled a second reader is used on the opposite side of the door. In cases where exit is not controlled, free exit, a device called a request-to-exit (RTE) is used. Request-to-exit devices can be a pushbutton or a motion detector. When the button is pushed or the motion detector detects motion at the door, the door alarm is temporarily ignored while the door is opened. Exiting a door without having to electrically unlock the door is called mechanical free egress. This is an important safety feature. In cases where the lock must be electrically unlocked on exit, the request-to-exit device also unlocks the door.
Access control topology
Typical access control door wiring
Access control door wiring when using intelligent readers
Access control decisions are made by comparing the credential to an access control list. This lookup can be done by a host or server, by an access control panel, or by a reader. The development of access control systems has seen a steady push of the lookup out from a central host to the edge of the system, or the reader. The predominate topology circa 2009 is hub and spoke with a control panel as the hub and the readers as the spokes. The lookup and control functions are by the control panel. The spokes communicate through a serial connection; usually RS485. Some manufactures are pushing the decision making to the edge by placing a controller at the door. The controllers are IP enabled and connect to a host and database using standard networks.
Types of readers Access control readers may be classified by functions they are able to perform:
Basic (non-intelligent) readers: simply read card number or PIN and forward it to a control panel. In case of biometric identification, such readers output ID number of a user. Typically Wiegand protocol is used for transmitting data to the control panel, but other options such as RS-232, RS-485 and Clock/Data are not uncommon. This is the most popular type of access control readers. Examples of such readers are RF Tiny by RFLOGICS, ProxPoint by HID, and P300 by Farpointe Data. Semi-intelligent readers: have all inputs and outputs necessary to control door hardware (lock, door contact, exit button), but do not make any access decisions. When a user presents a card or enters PIN, the reader sends information to the main controller and waits for its response. If the connection to the main controller is interrupted, such readers stop working or function in a degraded mode. Usually semi-intelligent readers are connected to a control panel via an RS-485 bus. Examples of such readers are InfoProx Lite IPL200 by CEM Systems and AP-510 by Apollo. Intelligent readers: have all inputs and outputs necessary to control door hardware, they also have memory and processing power necessary to make access decisions independently. Same as semi-intelligent readers they are connected to a control panel via an RS-485 bus. The control panel sends configuration updates and retrieves events from the readers. Examples of such readers could be InfoProx IPO200 by CEM Systems and AP-500 by Apollo. There is also a new generation of intelligent readers referred to as "IP readers". Systems with IP readers usually do not have traditional control panels and readers communicate directly to PC that acts as a host. Examples of such readers are PowerNet IP Reader by Isonas Security Systems, ID08 by Solus has the built in webservice to make it user friendly, Edge ER40 reader by HID Global, LogLock and UNiLOCK by ASPiSYS Ltd, and BioEntry Plus reader by Suprema Inc. Some readers may have additional features such as LCD and function buttons for data collection purposes (i.e. clock-in/clock-out events for attendance reports), camera/speaker/microphone for intercom, and smart card read/write support. Access control readers may also be classified by the type of identification technology.
Access control system topologies
Access control system using serial controllers
1. Serial controllers. Controllers are connected to a host PC via a serial RS-485 communication line (or via 20mA current loop in some older systems). External RS-232/485 converters or internal RS-485 cards have to be installed as standard PCs do not have RS-485 communication ports. In larger systems multi-port serial IO boards are used, Digi International being one of most popular options. Advantages: RS-485 standard allows long cable runs, up to 4000 feet (1200 m) Relatively short response time. The maximum number of devices on an RS-485 line is limited to 32, which means that the host can frequently request status updates from each device and display events almost in real time. High reliability and security as the communication line is not shared with any other systems.
Disadvantages:
RS-485 does not allows Star-type wiring unless splitters are used RS-485 is not well suited for transferring large amounts of data (i.e. configuration and users). The highest possible throughput is 115.2 kbit/s, but in most system it is downgraded to 56.2 kbit/s or less to increase reliability. RS-485 does not allow host PC to communicate with several controllers connected to the same port simultaneously. Therefore in large systems transfers of configuration and users to controllers may take a very long time and interfere with normal operations. Controllers cannot initiate communication in case of an alarm. The host PC acts as a master on the RS-485 communication line and controllers have to wait till they are polled. Special serial switches are required in order to build a redundant host PC setup. Separate RS-485 lines have to be installed instead of using an already existing network infrastructure. Cable that meets RS-485 standards is significantly more expensive than the regular Category 5 UTP network cable. Operation of the system is highly dependent on the host PC. In case the host PC fails, events from controllers are not retrieved and functions that required interaction between controllers (i.e. anti-passback) stop working.
Access control system using serial main and sub-controllers
2. Serial main and sub-controllers. All door hardware is connected to sub-controllers (a.k.a. door controllers or door interfaces). Sub-controllers usually do not make access decisions, and forward all requests to the main controllers. Main controllers usually support from 16 to 32 sub-controllers. Advantages: Work load on the host PC is significantly reduced, because it only needs to communicate with a few main controllers. The overall cost of the system is lower, as sub-controllers are usually simple and inexpensive devices. All other advantages listed in the first paragraph apply.
Access control system using serial main controller and intelligent readers
3. Serial main controllers & intelligent readers. All door hardware is connected directly to intelligent or semi-intelligent readers. Readers usually do not make access decisions, and forward all requests to the main controller. Only if the connection to the main controller is unavailable, the readers use their internal database to make access decisions and record events. Semi-intelligent reader that have no database and cannot function without the main controller should be used only in areas that do not require high security. Main controllers usually support from 16 to 64 readers. All advantages and disadvantages are the same as the ones listed in the second paragraph. Access control systems using serial controllers and terminal servers
4. Serial controllers with terminal servers. In spite of the rapid development and increasing use of computer networks, access control manufacturers remained conservative and did not rush to introduce network-enabled products. When pressed for solutions with network connectivity, many chose the option requiring less efforts: addition of a terminal server, a device that converts serial data for transmission via LAN or WAN. Terminal servers manufactured by Lantronix and Tibbo Technology are popular in the security industry. Advantages: Allows utilizing existing network infrastructure for connecting separate segments of the system.
Provides convenient solution in cases when installation of an RS-485 line would be difficult or impossible.
Disadvantages:
Increases complexity of the system.
Creates additional work for installers: usually terminal servers have to be configured independently, not through the interface of the access control software. Serial communication link between the controller and the terminal server acts as a bottleneck: even though the data between the host PC and the terminal server travels at the 10/100/1000Mbit/s network speed it then slows down to the serial speed of 112.5 kbit/s or less. There are also additional delays introduced in the process of conversion between serial and network data. All RS-485-related advantages and disadvantages also apply.
Access control system using network-enabled main controllers
5. Network-enabled main controllers. The topology is nearly the same as described in the second and third paragraphs. The same advantages and disadvantages apply, but the on-board network interface offers a couple valuable improvements. Transmission of configuration and users to the main controllers is faster and may be done in parallel. This makes the system more responsive and does not interrupt normal operations. No special hardware is required in order to achieve redundant host PC setup: in case the primary host PC fails, the secondary host PC may start polling network controllers. The disadvantages introduced by terminal servers (listed in the fourth paragraph) are also eliminated.
Access control system using IP controllers
6. IP controllers. Controllers are connected to a host PC via Ethernet LAN or WAN. Advantages: An existing network infrastructure is fully utilized, there is no need to install new communication lines. There are no limitations regarding the number of controllers (32 per line in case of RS-485).
Special RS-485 installation, termination, grounding and troubleshooting knowledge is not required.
Communication with controllers may be done at the full network speed, which is important if transferring a lot of data (databases with thousands of users, possibly including biometric records). In case of an alarm controllers may initiate connection to the host PC. This ability is important in large systems because it allows to reduce network traffic caused by unnecessary polling. Simplifies installation of systems consisting of multiple sites separated by large distances. Basic Internet link is sufficient to establish connections to remote locations. Wide selection of standard network equipment is available to provide connectivity in different situations (fiber, wireless, VPN, dual path, PoE)
Access control system using IP readers
7. IP readers. Readers are connected to a host PC via Ethernet LAN or WAN.
Advantages:
Most IP readers are PoE capable. This feature makes it very easy to provide battery backed power to the entire system, including the locks and various types of detectors (if used). IP readers eliminate the need for controller enclosures. There is no wasted capacity when using IP readers (i.e. a 4-door controller would have 25% unused capacity if it was controlling only 3 doors). IP reader systems scale easily: there is no need to install new main or sub-controllers. Failure of one IP reader does not affect any other readers in the system.
Security risks
Access control door wiring when using intelligent readers and IO module
The most common security risk of intrusion of an access control system is simply following a legitimate user through a door. Often the legitimate user will hold the door for the intruder. This risk can be minimized through security awareness training of the user population or more active means such as turnstiles. In very high security applications this risk is minimized by using a sally port, sometimes called a security vestibule or mantrap where operator intervention is required presumably to assure valid identification. The second most common risk is from levering the door open. This is surprisingly simple and effective on most doors. The lever could be as small as a screw driver or big as a crow bar. Fully implemented access control systems include forced door monitoring alarms. These vary in effectiveness usually failing from high false positive alarms, poor database configuration, or lack of active intrusion monitoring. Similar to levering is crashing through cheap partition walls. In shared tenant spaces the demisal wall is a vulnerability. Along the same lines is breaking sidelights. Spoofing locking hardware is fairly simple and more elegant than levering. A strong magnet can operate the solenoid controlling bolts in electric locking hardware. Motor locks, more prevalent in Europe than in the US, are also susceptible to this attack using a donut shaped magnet. It is also possible to manipulate the power to the lock either by removing or adding current. Access cards themselves have proven vulnerable to sophisticated attacks. Enterprising hackers have built portable readers that capture the card number from a user’s proximity card. The hacker simply walks by the user, reads the card, and then presents the number to a reader securing the door. This is possible because card numbers are sent in the clear, no encryption being used. Finally, most electric locking hardware still have mechanical keys as a failover. Mechanical key locks are vulnerable to bumping.
The need-to-know principle
The need to know principle can be enforced with user access controls and authorization procedures and its objective is to ensure that only authorized individuals gain access to information or systems necessary to undertake their duties. See Principle_of_least_privilege.
Computer security
In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems. In any access control model, the entities that can perform actions in the system are called subjects, and the entities representing resources to which access may need to be controlled are called objects (see also Access Control Matrix). Subjects and objects should both be considered as software entities and as human users[1]. Although some systems equate subjects with user IDs, so that all processes started by a user by default have the same authority, this level of control is not fine-grained enough to satisfy the Principle of least privilege, and arguably is responsible for the prevalence of malware in such systems (see computer insecurity). In some models, for example the object-capability model, any software entity can potentially act as both a subject and object.
Access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists (ACLs). In a capability-based model, holding an unforgeable reference or capability to an object provides access to the object (roughly analogous to how possession of your house key grants you access to your house); access is conveyed to another party by transmitting such a capability over a secure channel. In an ACL-based model, a subject's access to an object depends on whether its identity is on a list associated with the object (roughly analogous to how a bouncer at a private party would check your ID to see if your name is on the guest list); access is conveyed by editing the list. (Different ACL systems have a variety of different conventions regarding who or what is responsible for editing the list and how it is edited.) Both capability-based and ACL-based models have mechanisms to allow access rights to be granted to all members of a group of subjects (often the group is itself modeled as a subject). Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where: identification and authentication determine who can log on to a system, and the association of users with the software subjects that they are able to control as a result of logging in; authorization determines what a subject can do; accountability identifies what a subject (or all subjects associated with a user) did. [edit]Identification and authentication (I&A) Identification and authentication (I&A) is the process of verifying that an identity is bound to the entity that makes an assertion or claim of identity. The I&A process assumes that there was an initial validation of the identity, commonly called identity proofing. Various methods of identity proofing are available ranging from in person validation using government issued identification to anonymous methods that allow the claimant to remain anonymous, but known to the system if they return. The method used for identity proofing and validation should provide an assurance level commensurate with the intended use of the identity within the system. Subsequently, the entity asserts an identity together with an authenticator as a means for validation. The only requirements for the identifier is that it must be unique within its security domain. Authenticators are commonly based on at least one of the following four factors: Something you know, such as a password or a personal identification number (PIN). This assumes that only the owner of the account knows the password or PIN needed to access the account. Something you have, such as a smart card or security token. This assumes that only the owner of the account has the necessary smart card or token needed to unlock the account. Something you are, such as fingerprint, voice, retina, or iris characteristics. Where you are, for example inside or outside a company firewall, or proximity of login location to a personal GPS device.
Authorization
Authorization applies to subjects. Authorization determines what a subject can do on the system. Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:
List directory contents
The subject can change the contents of a file or directory with the following tasks:
Execute (X): If the file is a program, the subject can cause the program to be run. (In Unix systems, the 'execute' permission doubles as a 'traverse directory' permission when granted for a directory.) These rights and permissions are implemented differently in systems based on discretionary access control (DAC) and mandatory access control (MAC). [edit]Accountability Accountability uses such system components as audit trails (records) and logs to associate a subject with its actions. The information recorded should be sufficient to map the subject to a controlling user. Audit trails and logs are important for Detecting security violations Re-creating security incidents If no one is regularly reviewing your logs and they are not maintained in a secure and consistent manner, they may not be admissible as evidence. Many systems can generate automated reports based on certain predefined criteria or thresholds, known as clipping levels. For example, a clipping level may be set to generate a report for the following: More than three failed logon attempts in a given period Any attempt to use a disabled user account These reports help a system administrator or security administrator to more easily identify possible break-in attempts.
Access control techniques
Access control techniques are sometimes categorized as either discretionary or non-discretionary. The three most widely recognized models are Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role Based Access Control (RBAC). MAC and RBAC are both non-discretionary. [edit]Attribute-based access control In attribute-based access control (ABAC), access is granted not based on the rights of the subject associated with a user after authentication, but based on attributes of the user. The user has to prove so called claims about his attributes to the access control engine. An attribute-based access control policy specifies which claims need to satisfied in order to grant access to an object. For instance the claim could be "older than 18" . Any user that can prove this claim is granted access. Users can be anonymous as authentication and identification are not strictly required. One does however require means for proving claims anonymously. This can for instance be achieved using anonymous credentials or XACML (extensible access control markup language). [edit]Discretionary access control Discretionary access control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and what privileges they have. Two important concepts in DAC are File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner. Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources. Access controls may be discretionary in ACL-based or capability-based access control systems. (In capability-based systems, there is usually no explicit concept of 'owner', but the creator of an object has a similar degree of control over its access policy.) [edit]Mandatory access control Mandatory access control (MAC) is an access policy determined by the system, not the owner. MAC is used in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects. Sensitivity labels: In a MAC-based system, all subjects and objects must have labels assigned to them. A subject's sensitivity label specifies its level of trust. An object's sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object. Data import and export: Controlling the import of information from other systems and export to other systems (including printers) is a critical function of MAC-based systems, which must ensure that sensitivity labels are properly maintained and implemented so that sensitive information is appropriately protected at all times. Two methods are commonly used for applying mandatory access control: Rule-based (or label-based) access control: This type of control further defines specific conditions for access to a requested object. All MAC-based systems implement a simple form of rule-based access control to determine whether access should be granted or denied by matching: An object's sensitivity label A subject's sensitivity label Lattice-based access control: These can be used for complex access control decisions involving multiple objects and/or subjects. A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object. Few systems implement MAC; XTS-400 is an example of one that does. The computer system at the company in the movie Tron is an example of MAC in popular culture. [edit]Role-based access control Role-based access control (RBAC) is an access policy determined by the system, not the owner. RBAC is used in commercial applications and also in military systems, where multi-level security requirements may also exist. RBAC differs from DAC in that DAC allows users to control access to their resources, while in RBAC, access is controlled at the system level, outside of the user's control. Although RBAC is non-discretionary, it can be distinguished from MAC primarily in the way permissions are handled. MAC controls read and write permissions based on a user's clearance level and additional labels. RBAC controls collections of permissions that may include complex operations such as an e-commerce transaction, or may be as simple as read or write. A role in RBAC can be viewed as a set of permissions. Three primary rules are defined for RBAC:
Role assignment: A subject can execute a transaction only if the subject has selected or been assigned a role. Role authorization: A subject's active role must be authorized for the subject. With rule 1 above, this rule ensures that users can take on only roles for which they are authorized. Transaction authorization: A subject can execute a transaction only if the transaction is authorized for the subject's active role. With rules 1 and 2, this rule ensures that users can execute only transactions for which they are authorized. Additional constraints may be applied as well, and roles can be combined in a hierarchy where higher-level roles subsume permissions owned by sub-roles. Most IT vendors offer RBAC in one or more products.
What are Time and Attendance software systems?
Software to manage or monitor the time worked by employees for the purpose of efficiently processing payroll. These systems may be integrated with existing payroll processing software. Also, these systems may track labor distribution, building security, and personnel scheduling. These systems usually are able to give reports of overtime/docking of non-exempt employees.
What are advantages of time and attendance systems?
An automated time and attendance sysem can reduce the time needed to enter 'hours worked' data into payroll system. A time and attendance system can reduce errors in enforcement of company attendance policies. Types of Vendors?
Vendors can be categorized into three types:
Manufacturers - companies that manufacture timeclocks and sell time and attendance software to complement the hardware. Resellers - companies that sell the timeclocks and software developed by manufacturers and software vendors. The focus of these companies is in providing customized solutions and support that may not be available from the manufacuters. Specialized Software vendors - these companies focus on developing time and attendance software solutions. Enterprise Software vendors - these companies develop general HRIS applications that include time and attendance modules. In some coses the time and attendance software will be sold separately from the HRIS.
Software to manage or monitor the time worked by employees for the purpose of efficiently processing payroll. These systems may be integrated with existing payroll processing software. Also, these systems may track labor distribution, building security, and personnel scheduling. These systems usually are able to give reports of overtime/docking of non-exempt employees.
What are advantages of time and attendance systems?
An automated time and attendance sysem can reduce the time needed to enter 'hours worked' data into payroll system. A time and attendance system can reduce errors in enforcement of company attendance policies. Types of Vendors?
Vendors can be categorized into three types:
Manufacturers - companies that manufacture timeclocks and sell time and attendance software to complement the hardware. Resellers - companies that sell the timeclocks and software developed by manufacturers and software vendors. The focus of these companies is in providing customized solutions and support that may not be available from the manufacuters. Specialized Software vendors - these companies focus on developing time and attendance software solutions. Enterprise Software vendors - these companies develop general HRIS applications that include time and attendance modules. In some coses the time and attendance software will be sold separately from the HRIS.
COMING SOON!
In the meantime please read our Biometric News Blog
Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are; face, fingerprints, hand geometry, handwriting, iris, retinal, vein, and voice. Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions. As the level of security breaches and transaction fraud increases, the need for highly secure identification and personal verification technologies is becoming apparent.
Biometric-based solutions are able to provide for confidential financial transactions and personal data privacy. The need for biometrics can be found in federal, state and local governments, in the military, and in commercial applications. Enterprise-wide network security infrastructures, government IDs, secure electronic banking, investing and other financial transactions, retail sales, law enforcement, and health and social services are already benefiting from these technologies.
Biometric-based authentication applications include workstation, network, and domain access, single sign-on, application logon, data protection, remote access to resources, transaction security and Web security. Trust in these electronic transactions is essential to the healthy growth of the global economy. Utilized alone or integrated with other technologies such as smart cards, encryption keys and digital signatures, biometrics are set to pervade nearly all aspects of the economy and our daily lives. Utilizing biometrics for personal authentication is becoming convenient and considerably more accurate than current methods (such as the utilization of passwords or PINs). This is because biometrics links the event to a particular individual (a password or token may be used by someone other than the authorized user), is convenient (nothing to carry or remember), accurate (it provides for positive authentication), can provide an audit trail and is becoming socially acceptable and cost effective. More information about biometrics, standards activities, government and industry organizations and research initiatives on biometrics can be found through out this website.
Untitled 1
Computerized fingerprint scanners have been a mainstay of spy thrillers for
decades, but up until recently, they were pretty exotic technology in the real
world. In the past few years, however, scanners have started popping up all over
the place -- in police stations, high-security buildings and even on PC
keyboards. You can pick up a personal USB fingerprint
scanner for less than $100, and just like that, your computer's guarded by
high-tech biometrics.
Instead of, or in addition to, a password, you need your distinctive print to
gain access.
Biometric-based authentication applications include workstation, network, and domain access, single sign-on, application logon, data protection, remote access to resources, transaction security and Web security. Trust in these electronic transactions is essential to the healthy growth of the global economy. Utilized alone or integrated with other technologies such as smart cards, encryption keys and digital signatures, biometrics are set to pervade nearly all aspects of the economy and our daily lives. Utilizing biometrics for personal authentication is becoming convenient and considerably more accurate than current methods (such as the utilization of passwords or PINs). This is because biometrics links the event to a particular individual (a password or token may be used by someone other than the authorized user), is convenient (nothing to carry or remember), accurate (it provides for positive authentication), can provide an audit trail and is becoming socially acceptable and cost effective. More information about biometrics, standards activities, government and industry organizations and research initiatives on biometrics can be found through out this website.
Introduction to How Fingerprint Scanners Work
In this article, we'll examine the secrets behind this exciting development in law enforcement and identity security. We'll also see how fingerprint scanner security systems stack up to conventional password and identity card systems, and find out how they can fail.
Fingerprint Basics
Fingerprints are one of those bizarre twists of nature. Human beings happen to have built-in, easily accessible identity cards. You have a unique design, which represents you alone, literally at your fingertips. How did this happen?People have tiny ridges of skin on their fingers because this particular adaptation was extremely advantageous to the ancestors of the human species. The pattern of ridges and "valleys" on fingers make it easier for the hands to grip things, in the same way a rubber tread pattern helps a tire grip the road.
The other function of fingerprints is a total coincidence. Like everything in the human body, these ridges form through a combination of genetic and environmental factors. The genetic code in DNA gives general orders on the way skin should form in a developing fetus, but the specific way it forms is a result of random events. The exact position of the fetus in the womb at a particular moment and the exact composition and density of surrounding amniotic fluid decides how every individual ridge will form.
So, in addition to the countless things that go into deciding your genetic make-up in the first place, there are innumerable environmental factors influencing the formation of the fingers. Just like the weather conditions that form clouds or the coastline of a beach, the entire development process is so chaotic that, in the entire course of human history, there is virtually no chance of the same exact pattern forming twice.
Consequently, fingerprints are a unique marker for a person, even an identical twin. And while two prints may look basically the same at a glance, a trained investigator or an advanced piece of software can pick out clear, defined differences.
This is the basic idea of fingerprint analysis, in both crime investigation and security. A fingerprint scanner's job is to take the place of a human analyst by collecting a print sample and comparing it to other samples on record. In the next few sections, we'll find out how scanners do this.
Optical Scanner
A fingerprint scanner system has two basic jobs -- it needs to get an image of your finger, and it needs to determine whether the pattern of ridges and valleys in this image matches the pattern of ridges and valleys in pre-scanned images.There are a number of different ways to get an image of somebody's finger. The most common methods today are optical scanning and capacitance scanning. Both types come up with the same sort of image, but they go about it in completely different ways.
The heart of an optical scanner is a charge coupled device (CCD), the same light sensor system used in digital cameras and camcorders. A CCD is simply an array of light-sensitive diodes called photosites, which generate an electrical signal in response to light photons. Each photosite records a pixel, a tiny dot representing the light that hit that spot. Collectively, the light and dark pixels form an image of the scanned scene (a finger, for example). Typically, an analog-to-digital converter in the scanner system processes the analog electrical signal to generate a digital representation of this image. See How Digital Cameras Work for details on CCDs and digital conversion.
The scanning process starts when you place your finger on a glass plate, and a CCD camera takes a picture. The scanner has its own light source, typically an array of light-emitting diodes, to illuminate the ridges of the finger. The CCD system actually generates an inverted image of the finger, with darker areas representing more reflected light (the ridges of the finger) and lighter areas representing less reflected light (the valleys between the ridges).
Before comparing the print to stored data, the scanner processor makes sure the CCD has captured a clear image. It checks the average pixel darkness, or the overall values in a small sample, and rejects the scan if the overall image is too dark or too light. If the image is rejected, the scanner adjusts the exposure time to let in more or less light, and then tries the scan again.
If the darkness level is adequate, the scanner system goes on to check the image definition (how sharp the fingerprint scan is). The processor looks at several straight lines moving horizontally and vertically across the image. If the fingerprint image has good definition, a line running perpendicular to the ridges will be made up of alternating sections of very dark pixels and very light pixels.
If the processor finds that the image is crisp and properly exposed, it proceeds to comparing the captured fingerprint with fingerprints on file. We'll look at this process in a minute, but first we'll examine the other major scanning technology, the capacitive scanner.
Advantages of Fingerrint Scanning
There are several ways a security system can verify that somebody is an authorized user. Most systems are looking for one or more of the following:- What you have
- What you know
- Who you are
To get past a "what you have" system, you need some sort of "token," such as an identity card with a magnetic strip. A "what you know" system requires you to enter a password or PIN number. A "who you are" system is actually looking for physical evidence that you are who you say you are -- a specific fingerprint, voice or iris pattern.
"Who you are" systems like fingerprint scanners have a number of advantages over other systems. To name few:
- Physical attributes are much harder to fake than identity cards.
- You can't guess a fingerprint pattern like you can guess a password.
- You can't misplace your fingerprints, irises or voice like you can misplace an access card.
- You can't forget your fingerprints like you can forget a password.
Remote Support