An access control system is a system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.
Access control systems are typically used in or for situations requiring identification of each and every person (e.g. badge, biometric) in order to access an area. This area is typically accessible through a single door or passage controlled by an ID sensor. The access system may involve an authorized person presenting an access card to a card reader, or may involve fingerprint or retina verification or other means. Access is granted only if the person's credentials are verified and it is ensured that the physical situation is permitted.
When a credential is presented to an ID sensor or reader, the reader sends the credential's information, usually a number, to a control panel with a highly reliable processor. The control panel compares the credential's number to an access control list, grants or denies the presented request, and sends a transaction log to a database. When access is denied based on the access control list, the door remains locked. If there is a match between the credential and the access control list, the control panel operates a relay that in turn unlocks the door. The control panel also ignores a door open signal to prevent an alarm. Often the reader further provides feedback, such as a flashing red LED for an access denied and a flashing green LED for an access granted.
The above description illustrates a single-factor transaction. However, credentials can be passed around, thus subverting the access control list. For example, Alice has access rights to the server room but Bob does not. Alice either gives Bob her credential or Bob takes it; he now has access to the server room.
To prevent this, two-factor authentication can be used. In a two-factor transaction, the presented credential and a second factor are needed for access to be granted. The second factor can be a PIN, a second credential, operator intervention, or a biometric input. Often the factors are characterized as: something you have, such as an access badge or passcard; something you know, e.g. a PIN or password; something you are, typically a biometric input.
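The single-factor transaction and its two-factor variant described above, as an added Python example (not code from the original text): a control panel that checks the access control list, optionally verifies a PIN, logs every transaction, and ignores the door-open signal after a grant. The class and function names, badge numbers, door name and PIN are constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

ALICE, BOB, DOOR = 1001, 1002, "server-room"  # constructed sample values

def pin_hash(pin: str, salt: bytes) -> bytes:
    # The panel stores a salted hash, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class ControlPanel:
    acl: dict                 # door -> set of permitted credential numbers
    pins: dict                # credential number -> (salt, PIN hash)
    two_factor_doors: set     # doors that also require the second factor
    log: list = field(default_factory=list)     # stands in for the database
    shunted: set = field(default_factory=set)   # doors with door-open ignored

    def request(self, door, credential, pin=None) -> bool:
        if credential not in self.acl.get(door, set()):
            return self._record(door, credential, False, "not on access control list")
        if door in self.two_factor_doors:
            entry = self.pins.get(credential)
            if pin is None or entry is None or not hmac.compare_digest(
                    pin_hash(pin, entry[0]), entry[1]):
                return self._record(door, credential, False, "second factor missing or wrong")
        self.shunted.add(door)  # relay unlocks; next door-open signal is ignored
        return self._record(door, credential, True, "granted")

    def _record(self, door, credential, granted, reason) -> bool:
        self.log.append(dict(door=door, credential=credential, granted=granted, reason=reason))
        return granted

    def door_opened(self, door) -> bool:
        # True means this door-open signal raises an alarm (no grant preceded it).
        alarm = door not in self.shunted
        self.shunted.discard(door)
        return alarm

def build_panel(two_factor: bool) -> ControlPanel:
    salt = b"constructed-salt"
    return ControlPanel(acl={DOOR: {ALICE}},
                        pins={ALICE: (salt, pin_hash("4821", salt))},
                        two_factor_doors={DOOR} if two_factor else set())

if __name__ == "__main__":
    single, dual = build_panel(False), build_panel(True)
    print(single.request(DOOR, ALICE))        # Alice's badge, whoever holds it
    print(dual.request(DOOR, ALICE))          # badge without the PIN
    print(dual.request(DOOR, ALICE, "4821"))  # badge plus PIN
```

The panel sees only the credential number, so in the single-factor configuration it cannot tell Alice from Bob holding Alice's badge; the transaction log records the denied two-factor attempts for later review.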
A problem is that once the door is open, an authorized person can be ‘tailgated’ by another member of staff or by an unauthorized person. Another problem is that an authorized person may open the door but, for some reason, not pass through. A conventional access control system is likely to assume the person has passed through. This has bad implications where the system is required, for safety or time-and-attendance reasons, to know whether a person is ‘in’ or ‘out’.
Newer access control systems use sensing systems to detect some of these misuse situations. These sensing systems can detect only a limited number of situations. They cannot support an access strategy specific to a situation or application, and they cannot be configured to adapt to the different security policies one may want to enforce.
The difficulty in this kind of automatic access control system therefore lies in the correct implementation of security policies that define classes of permitted and rejected physical situations. This is particularly the case for the so-called man-traps in modern physical security protocols, i.e. small spaces having two sets of interlocking doors such that the first set of doors must close before the second set opens.