Trends in Credentials
But that is changing. Developments in technology, government mandates and the convergence of security with IT have changed the game.
“Standard proximity, or 125 KHz technology is still pretty pervasive,” says Steve Dentinger, director of marketing at KeyScan, based in Toronto. “That technology has been in the market for years and there is such a base already deployed that it is still the core technology. But we are starting to see a fundamental shift to smart cards and readers, in part because of government standards such as HSPD-12 and FIPS 201.”
Still, in choosing any system, there are multiple factors, including performance, security, future proofing, technology preference and cost.
“The driving factor for any credential is the cost,” says John DiNapoli, vice president of marketing, Infinias LLC, Fishers, Ind. “The balance comes between cost and convenience.”
Ultimately, what the customer needs combined with what they can afford will drive the credentials choice. But to make things easier, SDM spoke with several manufacturers about the different types of credentials and what you need to know to make an informed recommendation to your customers.
Proximity“The numbers speak for themselves â€” proximity is still king at about two to one,” says Dave Adams, senior product marketing manager, HID, Irvine, Calif. “Low-frequency proximity cards are still the most popular. They have a low assurance of identity authentication but they still get the door open and they replace a brass key. They are often the most attractive and least expensive.”
Proximity has been used for a long time, and is likely not going to be replaced anytime soon. There are a lot of legacy systems in place and â€” for many customers â€” the convenience they offer is enough to sway the decision in their favor.
“Proximity credentials are kind of like a license plate,” says Jennifer Toscano, marketing manager for readers and credentials, Ingersoll Rand, Carmel, Ind. They employ a series of numbers that identify whether that card is allowed in or not, and can be tracked to the cardholder of record.
What proximity cards don’t do well is provide assurance that the person holding the card is a valid user, or that the card is unique (not a duplicate).
“With 125 KHz it is very easy to duplicate those cards,” Dentinger says. “There are ‘sniffer’ products that can actually read the card data off of the card and retransmit it.
“Also, since the technology has been around for so many years, the batch and card numbers have rolled around so many times that there are duplicate cards in the marketplace. A customer can specify a card number range, but that might be the same as the company down the street.”
Still, there is a comfort level with proximity that often overrides these concerns. “There is a little extra weight on the proximity side because people are more comfortable with it,” says Beth Thomas, senior product marketing manager, Honeywell, Louisville, Ky. “Every integrator has different technologies that they may specify, but if the end user doesn’t place a value on the security aspects, they may still go with prox.”
Are there scenarios where proximity is truly the best choice and not the default? Certainly there are.
“There is an offset when you migrate to a higher security platform,” Dentinger says. “Part of that is read range. A standard proximity reader and card can get up to 4 to 6 inches read range and there are some mid- and long-range readers that get up to 24 inches. That is important in ADA applications. for example. With smart cards the range is closer to 1 to 3 inches.”
Smart CardsMaking the leap from proximity to smart card credentials requires a higher level of tech savvy from both the end user and the integrator. But the payoff is big.
“Smart cards continue to grow and grow and grow,” Adams says. “Smart cards come in two different flavors. One is the memory card, which has been on the market for some time. It doesn’t have a true processor, but a large memory store for complex information. Then you have microprocessor cards, which is really where I am seeing smart cards going more and more. They are doing processes on the card, to either authenticate what the identity is or maybe even run a third-party application such as vending. The strength in microprocessor cards is in raising that level of trusted identity up another notch.”
Mas Kosaka, president and chief executive officer of PCSC, agrees. “The new smart card technologies offer customers the ability to ‘program’ card data, like numbers. Card numbers can be programmed into ‘secured data sectors’ of a smart card, providing usable card numbers.”
Because of their memory or processing power, smart cards open up possibilities that go beyond security, Dentinger adds. “You can put other applications on that card in addition to physical access control.”
Compared with proximity, or 125 KHz, a smart card can do everything it can do and much more. The real issue comes down to cost versus security needs.
“Proximity and basic smart cards (memory cards) are comparable cost-wise,” Adams explains. “Microprocessor cards are still a factor of two to three times higher than proximity.”
Dentinger agrees, but adds that the cost has dropped. “From a reader standpoint you are looking at a 10 to 12 percent increase for a smart card reader. But in terms of the credentials themselves, they have dropped dramatically for a single-technology card to where they are on par with standard 125 KHz cards. The entry-level smart card is very, very close, within two to five percent of proximity, so cost barriers have very quickly evaporated.”
Multiple memory size and processor speeds mean that there are a great variety of costs and features associated with a smart card. “At the lower end of the memory scale you can get smart cards for the same price as proximity,” Toscano relates.
However, the trade-off is security, Thomas says. “If you look at smart card technology, by and large when it is being used in a small- to medium-sized system they are using it the same way proximity was set up, using the factory default setting for both the readers and the cards.” That does not give the customer the greatest security benefit.
However, unlike proximity, smart cards and readers â€” much like computers â€” can be upgraded with more memory and processing power, provided you choose a system that will allow that in the future. “I would say, for the most part, when people want to go to smart cards today they want to future-proof their installation, or they are driven by government standards, or they may have a unique case like a college or university,” Thomas adds.
And that is why most manufacturers see smart cards as the credential of the future. “We are seeing a very strong push to smart cards, especially with pricing coming down,” Dentinger says. “Smart cards are in fact where the industry is going in terms of a physical access credential.”
Multi-Technology CardsAll is not either/or in the credential business, though. While entry-level smart cards and readers may be the best way for some applications to move forward, others are not ready, willing or able to start fresh with a whole new system. For that (large) group, there is a happy medium â€” the multi-technology card.
“Multi-tech cards are the easiest and simplest way to migrate people and companies off of these older technologies that really aren’t secure,” Adams says. “Multi-technology cards have exploded over the past few years.”
Universities have been on the leading edge of this trend, moving from proximity/magnetic stripe combinations to proximity/smart cards today.
“Most universities today use proximity, but they want smart cards in the future because they see the value of cashless spending,” Toscano describes.
The main debate in combining technologies into one system is whether to do it at the card level or the reader level. Both options exist and are very viable. But certain case scenarios lend themselves well to a multi-tech credential approach.
“A multi-tech card would be a good choice where the customer is using different systems with different technologies and they don’t want to replace all the systems at one time,” Toscano says. For example, when two or more companies merge together, it is often more cost effective to re-badge the population than to change out readers and systems.
“They may have several technologies in the field already and they are managing three systems when they could be managing one,” Adams describes. “Through the use of multi-technology cards you can tie them together and give an avenue to move forward to newer hardware technology.”
Ultimately, of course, the choice rests with the customer. But integrators who are both informed of the technology choices and aware of the end users’ needs will serve their customers well.
“Think about both now and long term,” Toscano advises. “What credential is appropriate today and for the next several years in the future? The systems integrator is all about providing value for their customer. It is more valuable if you can provide a solution that will protect them for a long period of time.”
Adams adds: “When you sell in this financial environment, customers want to migrate to newer technologies but then reality sinks in. Understand what they have so you can make the most cost-effective approach. They need a quick turn-around in their investment and they may have to spread it out over a couple of years. Learn what they have and learn what their business is and their cash flow. What can they afford now and what can they plan for in the future?”
Non-Card CredentialsSometimes a credential is not a card (or fob or key).
“When you think about credentials you typically jump to proximity or smart card or some combination of the two,” says Jennifer Toscano, marketing manager for readers and credentials, Ingersoll Rand. “But anything that can identify you to a system or device can be a credential.”
Biometrics, for example, uses the unique features that every person possesses (eyes, hands, fingerprints, retinas, veins).
“We see biometrics particularly in high-security applications,” Toscano says. “As they come down in price we will see more biometrics in convenience applications such as health clubs. Biometrics has a place in access control either as an alternative or as a complement. I don’t necessarily think a single credential is always the solution. Potentially multiple layers could be appropriate.”
Beth Thomas, senior product marketing manager, Honeywell, agrees. “Biometrics has always been an interesting application for access control. In the past it has been more of a niche application, but I actually see it getting more feet under it and becoming more broad-based where people feel more comfortable with it.”
This is particularly true when it is married with a smart card, adds Dave Adams, senior product marketing manager, HID.
“Biometrics will remain a niche,” he says, “but a very important reader and credential combination technology. When you tie biometrics to a card credential and PIN, now you have something that is publicly more acceptable: something you know, something you have and something you are. That combination is accepted and promoted as very high assurance of authentication.”
But biometrics is not the only non-card credential being talked about these days. With smart card technology essentially using a small computer processor, there are other scenarios that could apply in the not-too-distant future.
“Some new things I hear people talking about include transmitting a card number via cell phone,” says John DiNapoli, vice president of marketing, Infinias.
“I do see smart card technology growing in prevalence and possibly making a form factor jump in a few years,” Thomas adds. “Mobile phones use similar technology so I could see down the road where your credential could become an electronic entity and you would just present your cell phone at the door to get in.”