Security technology has advanced greatly since the days when showing a tin security badge to a security guard who could reasonably be expected to notice intruders was considered adequate, but in one very important way, things haven't changed all that much. Access security still largely relies on the fact that authorized persons will always follow the rules. In fact, the design of most new security systems and programs is based on the assumption that authorized persons will follow the rules. Because security guards are no longer posted at every security-sensitive location, technological tools are relied on to provide the levels of security required in today's environment, but in general, the effectiveness of the typical access control system in use today is directly linked to the users' level of willingness to adhere to the rules.
If users are willing to never share their security badge, codes, and/or passwords, never open an access controlled door and let a stranger come in behind them, question all unknown persons they encounter in the secured area, and immediately report violations to the security team, then the system will function perfectly. In reality, users do bend or break the rules for whatever reason and when that happens, it exposes the weakest link in the system, the very people the system was designed to protect in the first place: the users themselves.
Most commercial building owners/managers deploy some sort of electronic security system to control access into their buildings. These systems rely on various types of technologies to authenticate the access. RFID devices, such as electronic key cards, are the most common type of technology used in the physical access control industry today, but other types of devices are also used. In some typical RFID system deployments, the code stored in the card is also stored in a central database, and when the card is electronically scanned at a security portal (door, turnstile, gate, computing device, etc.), the code in the card is automatically compared to the code in the database and, if they match up, the system “authenticates” the card and allows the access to proceed. In other embodiments, the encrypted security certificate stored by the badge may be cryptographically verified after being electronically scanned. The weakness with this design is that although it can authenticate the badge, it can't verify if the person using the badge is actually the person to whom the badge was issued.
To overcome this inherent weakness, electronic security device manufacturers have tried to deploy RFID systems with a second layer of controls (commonly known as dual authentication) such as requiring the person presenting the card to enter a PIN along with presenting the card for authentication. However, this type of system still cannot authenticate if the person presenting the card and inputting the PIN is in fact the person who really did have permission to access the area or just someone who somehow obtained both the card and the PIN.
In other schemes, the second layer of the dual authentication system might include the use of facial recognition systems or other types of biometric readers and sensors. In these cases, the existing systems can only authenticate one person at a time and typically the person requesting access has to physically interact with the system to initiate the authentication sequence by either scanning their security badge or by entering a PIN before the authentication sequence begins. The biometric authentication and physical interaction with the system are time-consuming processes, which limits their effective use to locations where very few people have access with any regularity, such as research labs, datacenters and secure rooms. Because of their low throughput rates (the time it takes to process a given number of people through a control point) these systems have proven unworkable in areas where large numbers of users have to be vetted for general building access, such as in lobbies or stairwells.
In addition to the slow speed of these systems, they share the inherent weakness of not being able to actually verify if the person presenting the security badge for authentication was the same person who accessed the security portal. For example, an authorized person may unlock the door and then allow an unauthorized person to enter either instead of themselves or in their company. This weakness can be mitigated to some extent through the use of a third layer of control deployed inside the portal, by either holding the person in the security portal itself (commonly referred to as a “man-trap”) until the authentication process is complete or by detecting how many “bodies” come through the portal (commonly referred to as tailgate detection). However, existing tailgate detection technologies don't identify individuals, but instead count heat signatures using infrared technologies to count bodies passing through the portal. The most effective existing way to mitigate tailgating would be to hire guards and have them posted at every entrance, but this is both the most expensive and the most intrusive solution. A solution that employs technology to replace the security guards while retaining the effectiveness of the security guards is desired.
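The count-based tailgate detection described above can be sketched as follows. This is an added example, not part of the original text or of any vendor's system; the event format, badge IDs and verdict names are assumptions made for illustration. It compares authenticated badge reads with bodies counted per door cycle, and the third cycle shows the limitation the paragraph names: a badge used by someone other than its holder produces matching counts and no alert.

```python
from dataclasses import dataclass, field

# Constructed sample events for one portal: (seconds, kind, badge_id).
# "badge" = an authenticated badge read, "body" = one body counted by the
# infrared sensor, "close" = door closed (ends the access cycle).
SAMPLE_EVENTS = [
    (0, "badge", "A100"), (2, "body", None), (5, "close", None),
    (60, "badge", "B200"), (62, "body", None), (63, "body", None),
    (66, "close", None),
    # C300 was handed to another person: one badge, one body.
    (120, "badge", "C300"), (122, "body", None), (125, "close", None),
    # Door opened with no badge read at all.
    (180, "body", None), (183, "close", None),
]


@dataclass
class Cycle:
    start: int
    badges: list = field(default_factory=list)
    bodies: int = 0

    @property
    def verdict(self):
        if self.bodies > len(self.badges):
            return "TAILGATE"      # more bodies than authenticated badges
        if self.bodies < len(self.badges):
            return "NO_ENTRY"      # badge read, nobody passed
        return "OK"                # counts match; identity is NOT verified


def split_cycles(events):
    """Group time-ordered events into door cycles ending at each 'close'."""
    cycles, current = [], None
    for ts, kind, badge_id in sorted(events, key=lambda e: e[0]):
        if kind == "close":
            if current is not None:
                cycles.append(current)
            current = None
            continue
        if current is None:
            current = Cycle(start=ts)
        if kind == "badge":
            current.badges.append(badge_id)
        elif kind == "body":
            current.bodies += 1
    if current is not None:
        cycles.append(current)
    return cycles


def alerts(events):
    """Return (cycle start, verdict, bodies minus badges) for non-OK cycles."""
    return [(c.start, c.verdict, c.bodies - len(c.badges))
            for c in split_cycles(events) if c.verdict != "OK"]
```
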
Even if all three layers of controls (the two layers of dual authentication plus tailgate detection) are in place, the span of control of these systems is limited to the edge of the security area (typically, you will only see security controls such as guards, turnstiles, checkpoints and access controlled doors in the lobbies or other public access points) and they cannot detect if someone has gained unauthorized access into the area from somewhere other than through a security control point. Also, physical control devices such as turnstiles, electronic door locks, and the like are not useful for protecting many resources for which security is sought today. Further, databases, digital financial transactions, and networks may be accessible from locations that are not all within the same physical area, or from an area in which it may not be feasible to physically control access (such as a retail store, a bank, and/or the like).
What is needed is a system for protecting secured resources that no longer relies on users to do the right thing to maintain security, is fully automated, with the ability to perform multi-factor authentication at a rapid pace, detect tailgaters, and reduce false alarms, and is user friendly.