“What You Have”

Several types of cards and tokens are currently being used for access control, from simple to sophisticated, offering a range of performance on various dimensions:

• Ability to be reprogrammed
• Resistance to counterfeiting
• Type of interaction with card reader: swipe, insert, flat contact, no contact (“proximity”)
• Convenience: physical form and how carried/worn
• Amount of data carried
• Computational ability
• Cost of cards
• Cost of reader

Regardless of how secure and reliable they may be due to their technology, the security provided by these physical “things” is limited by the fact that there is no guarantee the correct person is using them. It is therefore common to combine them with one or more additional methods of confirming identity, such as a password or even a biometric.

The magnetic stripe card is the most common type of card, with a simple magnetic strip of identifying data. When the card is swiped in a reader the information is read and looked up in a database. This system is inexpensive and convenient; its drawback is that it is relatively easy to duplicate the cards or to read the information stored on them.

The barium ferrite card (also called a “magnetic spot card”) is similar to the magnetic stripe card but offers more security without adding significant cost. It contains a thin sheet of magnetic material with round spots arranged in a pattern. Rather than scanning or swiping, the card is simply touched to the reader.

The Weigand card is a variation of the magnetic stripe card. A series of specially treated wires with a unique magnetic signature is embedded in the card. When the card is swiped through the reader, a sensing coil detects the signature and converts it to a string of bits. The advantage of this complex card design is that the cards cannot be duplicated; the disadvantage is they cannot be reprogrammed either. With this technology the card need not be in direct contact with the reader; the head of the reader can therefore be encapsulated, making it suitable for outdoor installation. Unlike readers for proximity cards and magnetic-stripe cards, Weigand readers are not affected by radio frequency interference (RFI) or electromagnetic fields (EMF). The robustness of the reader combined with the difficulty in duplicating the card makes the Weigand system extremely secure (within the limits of a “what you have” method), but also more expensive.

The bar-code card carries a bar code, which is read when the card is swiped in the reader. This system is very low-cost, but easy to fool — an ordinary copy machine can duplicate a bar code well enough to fool a bar-code reader. Bar-code cards are good for minimum-security requirements, especially those requiring a large number of readers throughout the facility or a large volume of traffic traversing a given access point. This is not so much a security system as it is an inexpensive access monitoring method. (It has been said that bar-code access only serves to “keep out the honest people.”)

The infrared shadow card improves upon the poor security of the bar-code card by placing the bar code between layers of PVC plastic. The reader passes infrared light through the card, and the shadow of the bar code is read by sensors on the other side.

The proximity card (sometimes called a “prox card”) is a step up in convenience from cards that must be swiped or touched to the reader. As the name implies, the card only needs to be in "proximity" with the reader. This is accomplished using RFID (radio frequency identification) technology, with power supplied to the card by the card reader’s electromagnetic field. The most popular design works within a distance of about 10 cm. (four inches) from the reader; another design — called a vicinity card —works up to about a meter (three feet) away.

The smart card, the most recent development in access control cards, is rapidly becoming the method of choice for new installations. It is a card with a built-in silicon chip for onboard data storage and/or computation. Data is exchanged with the reader either by touching the chip to the reader (contact smart card) or by interacting with the reader from a distance, using the same technology as proximity and vicinity cards (contactless or proximity smart card). The chip, which is about a half inch in diameter, doesn’t necessarily have to be on a card — it can be attached to a photo ID, mounted on a key chain, or worn as a button or jewelry (such as the iButton® token). The general term for objects that carry such a chip is smart media.

Smart cards offer a wide range of flexibility in access control. For example, the chip can be attached to older types of cards to upgrade and integrate with pre-existing systems, or the cardholder’s fingerprint or iris scan can be stored on the chip for biometric verification at the card reader — thereby elevating the level of identification from “what you have” to “who you are.” Contactless smart cards having the “vicinity” range offer nearly ultimate user convenience: half-second transaction time with the card never leaving the wallet.