Access Control Technologies – CompTIA Security+ SY0-501 – 4.3

There are many physical and digital methods of providing access control. In this video, you’ll learn about proximity cards, biometrics, token generators, and more.

<< Previous Video: Access Control Models Next: Account Types >>


Proximity cards are commonly used to gain access to doors, or door locks. You can see by moving the card close to the proximity reader, you’re able to read the information on the card, and then the system can either allow or disallow access through that lock.

This card is a passive device. There’s no power source inside the card. It is able to be powered inductively from the reader that is next to the card. This card also does not usually store a lot of data. Usually, it’s a single identifier, and that identifier is then compared to a much larger database to determine whether you can gain access to that door or not.

Here’s a cross reference of one of these cards. You can see the large antenna in the card that is used to gather power and send information to the proximity reader. And the small chip is on the inside of the card that contains the ID number.

Smart cards are more intelligent integrated circuit cards that can either be used in a contact mode, or as a contact-less card. It’s very common to see these on credit cards, usually have the small contacts on the card that you would slide into a credit card reader. But you also see these used on smart cards for access control that you would connect to a laptop, or another type of computer.

Usually, you would have to have the physical card with you, slide it into the device to provide that type of authentication. This usually also contains a digital certificate, so that you can cryptographically identify who is using this particular card. It’s usually used in conjunction with another type of authentication factor. You would usually slide in the card, and then you’d have to either put in a personal identification number, or a pass phrase, so that you know the person who is using that card is really the appropriate person.

We’re increasingly using biometric factors as methods of access control. A fingerprint scanner is one that you might find on a door, or on a laptop computer itself. We are also seeing more and more retinal scanners, because the retina has a very unique and unchanging nature that makes it a very good source of biometric data.

There are also iris scanners that can examine the texture and the color of your iris. There’s voice recognition biometric readers– you talk to the device to gain access– and facial recognition would be a way to identify the shape or other characteristics of your face.

Providing access control with biometric data isn’t always a perfect science. One way to measure how well biometrics are working are by using a false acceptance rate, or an FAR. This is the likelihood that an unauthorized user would be able to gain access with biometrics that don’t belong to them. This would obviously be a very bad situation.

On the reverse side is the false rejection rate, or FRR. This is the likelihood that somebody is providing biometrics, but those biometrics are being rejected, even though it is truly an authorized user.

One way that you can start to compare different biometric systems is comparing the crossover error rate, or CER. This is the rate at which the false acceptance rate and the false rejection rate are both equal. You would generally try to adjust the sensitivity of the biometric system, so that the false acceptance rate and the false rejection rate are both equal values.

Token generators can be a very useful access control method. These can provide a pseudo-random token that you would use along with a username, password, and other types of authentication methods. Usually, you would carry around a physical hardware token generator like this one, or you might want to have a piece of software loaded onto your mobile phone, which makes it very powerful and very convenient to use.

Some token generators use a predefined list of tokens. These would be one-time passwords that you would use them once, and then you never use them again. You use these passwords once every session, so next time you authenticate, you would use the next token in your list.

We refer to these one-time use tokens as HOTP, or HMAC-based One-Time Password algorithm. This uses a secret key and a counter to be able to create these one-time codes. This allows us to have a different hash, or different token in use every time we need to authenticate, and usually have a combination of hardware and software working together to be able to have this HOTP access control method.

Instead of using an incremental counter, some people prefer to use the time of day as the counter. This would be a TOTP, or Time-based One-Time Password algorithm. There’s a secret key that’s configured ahead of time, and then the time stamp for this device is synchronized using Network Time Protocol. Usually, these counters are on 30-second time frames, so as soon as that 30 seconds is up, a brand new TOTP code is provided.

This is one of the more common one-time password methods. You’ll see this used by Google, Facebook, Microsoft, and many other organizations.

Certificate-based authentication is a popular form of determining access. This is one example of this on a smart card where the private key on the card is the certificate for the person who is holding that particular smart card. You can see a certificate used in a PIV card. That’s the Personal Identity Verification card used by the US federal government. It includes picture and identification along with the certificate that’s on the card.

The US Department of Defense has a similar card called the Common Access Card, or the CAC. Or you could put their certificate on a mobile device or a laptop, and when you authenticate, it uses 802.1X to be able to authenticate using the certificate that’s on that physical device.