Some access control systems employ older or less technically sophisticated reader devices. Indeed, there is a large installed base of access control readers that are only equipped to read data from an access credential. These readers are sufficient to verify the authenticity of an access credential (i.e., something the user carries), but they are not natively equipped to verify that it is being carried by an authorized user. More specifically, many readers lack a keypad, biometric sensor, or similar input that would enable the reader to confirm the identity of the user in addition to confirming the validity of the credential the user carries.
Attempts to upgrade these older access control systems propose introducing a Personal Computer (PC) or similar computing device next to the reader. A user is often required to present their access credential to the reader and then enter a password or PIN code into the computing device. The computing device then transfers the user-entered password or PIN code to the reader via a dedicated communication link (often a wired connection). Providing the computing device in combination with the reader increases the level of security because the user who presents the access credential is now also required to prove something they know in addition to proving that they are carrying a valid access credential. This is often referred to as dual-factor authentication.
One problem with this upgrade approach is that a keyboard logger or a similar snooping device could be installed to intercept the password/PIN entry process at the computing device or somewhere between the computing device and the reader. This potentially exposes the user's password/PIN to a malicious attacker. At a later stage, an attacker who obtained the password/PIN from a previous PIN entry could replay it in the background and abuse the access credential to perform operations the user never intended (e.g., signature or key usage). As can be appreciated, this exposes the access control system to potential attacks.
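The replay weakness described above can be made concrete with a small simulation. The following is an added example, not code from the original text or from any product it describes: a toy "reader" that accepts the PIN exactly as the PC forwards it (so a message captured on the link can be replayed verbatim), beside a hardened variant in which the reader issues a single-use random challenge and the PC answers with an HMAC keyed from the PIN, so a captured exchange is rejected the second time. The reader classes, the `pc_respond` function, the PIN "4321" and the key derivation are all constructed assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple


# --- Weak scheme, as the text describes it: the PC forwards the PIN as-is ---

class PlainPinReader:
    """Reader that expects the PC to send the user's PIN verbatim over the link."""

    def __init__(self, expected_pin: str):
        self._expected_pin = expected_pin.encode()

    def verify(self, message: bytes) -> bool:
        # Constant-time comparison; the weakness is not the compare but
        # the fact that the same bytes are valid every time they are sent.
        return hmac.compare_digest(message, self._expected_pin)


def pc_send_plain_pin(pin: str) -> bytes:
    # Whatever crosses the link is exactly what a logger between PC and reader sees.
    return pin.encode()


# --- Hardened scheme (assumed for illustration, not from the text) ---

class ChallengeResponseReader:
    """Reader that issues a fresh nonce and accepts HMAC(key_from_pin, nonce) once."""

    def __init__(self, expected_pin: str):
        # Constructed key derivation; a real design would use a salted, slow KDF.
        self._key = hashlib.sha256(expected_pin.encode()).digest()
        self._outstanding = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False  # unknown or already-consumed nonce: replay or forgery
        self._outstanding.discard(nonce)  # single use, even if the response is wrong
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def pc_respond(pin: str, nonce: bytes) -> bytes:
    # The PC never puts the PIN itself on the link, only a nonce-bound MAC.
    key = hashlib.sha256(pin.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


# --- Simulations: (genuine attempt succeeded, later replay succeeded) ---

def simulate_replay_plain() -> Tuple[bool, bool]:
    reader = PlainPinReader("4321")
    captured = pc_send_plain_pin("4321")   # snooped on the PC-to-reader link
    first = reader.verify(captured)        # legitimate user present
    replayed = reader.verify(captured)     # same bytes sent again later, no user
    return first, replayed


def simulate_replay_challenge() -> Tuple[bool, bool]:
    reader = ChallengeResponseReader("4321")
    nonce = reader.challenge()
    captured = pc_respond("4321", nonce)   # snooped on the link
    first = reader.verify(nonce, captured)
    # Later: replay the captured pair, then try the captured MAC on a fresh challenge.
    replayed = reader.verify(nonce, captured)
    cross = reader.verify(reader.challenge(), captured)
    return first, replayed or cross


if __name__ == "__main__":
    print("plain PIN on link:    genuine/replay =", simulate_replay_plain())
    print("challenge-response:   genuine/replay =", simulate_replay_challenge())
```

Two caveats matter for a defender. The challenge-response variant only defeats interception on the link; a keystroke logger on the computing device itself still sees the PIN before any MAC is computed, which is the case the text's keypad-reader argument addresses. And because the MAC key is derived from a short PIN, a captured nonce/response pair still lets an attacker test PIN guesses offline, so a rate limit or lockout at the reader remains necessary.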
Indeed, certain security applications require dual-factor authentication. The best solution from a technical perspective would be to replace every simple reader with a reader that natively includes a keypad so that the user can input their password/PIN directly into the reader. Unfortunately, readers with keypads are very expensive as compared to their simpler counterparts and are often cost-prohibitive to incorporate throughout the entirety of an access control system, especially systems with many readers.