The Future of Access Control

Face Recognition

At Swiftlane, we are constantly thinking about the future of access control. A huge shift in the industry is coming due to the need for touchless access systems, remote first management, and use of privacy-first face recognition-based access. Here’s how we view the future of access control.

For such a basic concept, access control has a way of abruptly adjusting to business and societal trends and events. Round the clock production and 24/7 operations ushered in time- and zone-based access control. The Oklahoma City bombing turned attention to standoff distance. 9/11 made x-rays and magnetometers standard at high-security sites. The Information Age brought access control to the virtual world, including cloud-based and SaaS models, and adding sophisticated analytics. The invention and ubiquity of the smartphone has made that tool into a de facto user credential.

Now comes Covid-19 to harken yet another shift, likely to touchless systems.

A 2019 survey of 473 security directors, managers, and consultants conducted by HID Global and Security Management magazine identified the top access control concerns at that time: integration with legacy systems (45 percent); taking advantage of features in new technologies (39 percent); protection against increasing vulnerabilities (38 percent), user convenience and throughput at entrances (36 percent); and making physical access processes simpler with digital administration.

Given the extensive office closings during the Coronavirus pandemic, and the reluctance of many workers to return to the office, it wouldn’t be surprising to see user convenience and throughput leapfrog the other concerns to assume the top position.

Meanwhile, the 2019 year-end report from Imperial Capital, which tracks the security industry, concludes that the identity and authentication sector exceeded all other security sectors between 2018 3Q and 2019 3Q, with a 35.1% gain in company valuation multiples.

According to that report:

“Identity and authentication technology, from software to biometric equipment, is continuing to mature, as evidenced by its increasing adoption by an array of government and defense programs in response to increased security threats, international identification programs, as well as increased cloud-based hosted access and ID systems being installed by integrators for both government and commercial sites. The acceptance of analytics, behavior and related biometric modalities … have all played a role in the 50% increase in this sector’s valuation since December 2015.”

In light of the conclusions and projections in surveys and analyses, the effect of covid, the development of new technology, changes in corporate culture, and a doubling down on controlling costs, several major trends influencing the future of access control can be identified. They include hygiene and social distancing, a mobile-first approach, the continued emergence of biometrics, cloud versus edge computing, authentication types, “presence control,” the development of wearable and implantable technology, and cyber and physical integration and convergence.

History of Access Control Technology: From 4000 B.C. to 2020 A.D.

It all started with a lock in Khorsabad Palace in Nineveh, Iraq, around 4000 B.C. At least that’s where the first lock and key can be traced to. Five thousand years later brought the warded lock, the forefather of the padlock, to 9th Century Britain. The Industrial Revolution unleashed a whole new series of locks, including pin tumblers, safety locks, combination locks, and time locks.

The Rise of Electronic Access Control

The age of mechanical locks reigned until the PC ushered in electronic access control, including keycards (starting from swipe and leading to smartcards) and dumb readers. That represented an enormous leap, eliminating the burden of cutting new keys, adding people counting and auditing, creating levels of access, and reducing key copying. With the arrival of the Internet, networking, logical access control, system integration, biometrics, and other innovations, access control became simultaneously more secure and more vulnerable: systems could quickly transfer and analyze data, integrate with other components, scale to large proportions, and allow or deny access to a fine degree. But by doing so it exposed itself to an almost limitless array of cyberthreats.

Access Control Changes for Safety and Social Distancing

Hygiene and Physical Separation: The New Normal?

Around the world, offices, factories, retail stores, restaurants, stadiums, theatres, museums, libraries, hotels, banks, and pretty much every type of facility that houses workers has sat empty, or almost empty, for months. Companies will have to gradually coax nervous staff back on site, and foremost in that effort will be safety assurances, policies, and protocols. Access control may become more granular, perhaps with low security doors removed or propped open, corridors altered, and frequently touched barriers minimized.

But safety measures don’t have to mean abandoning security. Stanley Security Solutions recommends such measures as modifying hours of operation in access control systems to reflect current policies as well as auditing access privileges and taking a zero-trust approach to access, if feasible. For initial entry into a building or discrete zone or facility, BOMA International suggests limiting access points to the building–one entrance and one exit if possible. In addition, companies can route visitors at lobby desks with separate paths for “in” and “out.”

While businesses look at long-term solutions to access control, they are taking low-cost short-term measures as they see how the pandemic plays out. For example, instead of using office closures to install touchless access control systems, businesses—which may well be reducing their square footage anyway as return to work remains in doubt—are placing sanitizer and/or napkins/paper towels on both sides of doors; testing personal keychains or hook-like devices that can be used to turn door handles, push elevator buttons, and flip on light switches; and distributing masks and disposable gloves.

Access control system data can also be audited to perform contact tracing for individuals who test positive for Covid-19. One newly created solution, called the COVID-19 Exposure Report Tool (CERT), represents a partnership between Convergint and Detrios. According to securityworldmarket.com, “Time frames can be specified before and after a COVID-19 positive individual entered an area. Administrators can also receive a CSV export of those potentially exposed to COVID-19, with the ability to obfuscate COVID-19 positive or exposed individuals’ names, to protect people’s identities and calculate the magnitude of exposure.”

At the request of McCormick Place in Chicago, Genetec offers a similar system. As Campus Safety reports, “The new reporting function is said to correlate physical proximity of an infected individual with other employees and badged visitors based on the use of the access control system. A report can quickly be generated to correlate access events by time window to identify people who are at increased risk of being in contact with contaminants or contagious individuals, according to Genetec.

Access control companies, video providers, and data analytics companies are each creating systems to address Coronavirus by monitoring occupancy of work sites to ensure physical distancing requirements. Genetec, and VCA Technology have versions, each based on different technology. And some companies are considering remote security operations centers.

Mobile First/Smartphone Access Control Systems

Almost everyone has a smartphone. Smartphones have so many functions, why not access control too? Turns out, there’s an app for that. Many companies are leveraging the ubiquity of smartphones to make them de facto key cards. People often leave the house without their keycard without realizing it; they almost never unwittingly leave their phone at home. That gives phone-as-keycard an inherent advantage. Since most key cards are unencrypted proximity RFID cards that can be cloned easily, mobile credentials offer a more secure solution.

“Mobile First”” used to be the mantra solely for designing web content to maximize ease of use and acquisition via smartphone, rather than prioritizing desktop or laptop experience over the phone experience. The fear of touching a communal item such as a guest credential (when a worker has forgotten his or her keycard) has helped propel mobile-first technology into the realm of access control. Big players have been getting into the game. For example, according to securityinfowatch.com, Apple will natively support Near Field Communication—which allows a smartphone to supplant a keycard—in its iPhone 11.

Research firm IHS Markit has reported that mobile credentials are the fastest-growing access control product, up about 150 percent in growth rate between 2017 and 2018. It predicts that more than 120 million mobile credentials will be downloaded in 2023.

Biometrics Access Control Systems

Biometrics have existed at the periphery of access control for decades, limited by high cost, accuracy issues, privacy concerns, and other issues. But with prices dropping, quality improving, and privacy concerns not at the fore, it has become a viable access control technology in the Covid-19 era. One forecaster predicts that “Contactless biometric technology will ride the wave created by the Covid-19 pandemic to a CAGR (compound annual growth rate) of 17.4 percent from 2020 to 2030, with the global market increasing five-fold to reach $70 billion.

Among the key takeaways: facial recognition will grab the largest market share as it becomes widely implemented for both identity verification and access control; other technologies to experience growth include iris, palm, vein, voice, and touchless fingerprints; and demand for contactless biometrics among government agencies will surge due to public safety concerns.

Face Recognition-Based Access Control

In the COVID-19 world and beyond, face recognition will be a critical form of authentication, given the touchless experience. Past implementations of face recognition access control systems suffered from poor accuracy, anti-spoofing issues, and lack of privacy controls. But advances in recent years have catapulted the technology into the mainstream.

Critical Requirements for a Face Recognition Access System

  • 2D and 3D checks for face recognition
  • Learning continuously over time to adapt to changing face features
  • Prevent attempts to fool it using a photo or video of a person (anti-spoofing)
  • Easy enrollment
  • Works well with various demographics
  • Strong privacy controls to limit the use of the data

The Rise of Touchless Access Control Systems

A report by ABI Research sees things differently in light of the Coronavirus pandemic; it projects a $2B drop in revenue in shipment of biometric devices through 2020. But there are two exceptions: face recognition and iris matching. As reported by securityinfonews.com: “face and iris recognition have emerged as key technologies allowing authentication, identification, and surveillance operations for users and citizens wearing protective headgear, face masks, or, with partially covered faces. These elements, which used to be the bane of face recognition algorithms in the past, have now been integrated into algorithm developers’ value propositions.”

Another analysis, which takes COVID-19 into account, offers yet another sunny forecast for face recognition in access control. Face Recognition using Edge Computing Market Intelligence Report – Global Forecast to 2025 – Cumulative Impact of COVID-19 predicts a 20 percent CAGR from 2019 to 2025, based on the “privacy, bandwidth, and other potential benefits of performing facial recognition directly on edge computing devices.”

However, the growth in edge biometrics is not expected to impair the market for cloud-based biometrics security as a service. According to the report, “The anticipated growth in cloud-based biometrics services would seem to suggest that the growth in edge facial recognition will not come solely, or perhaps even mainly from cannibalization of applications hosted on centralized digital IT infrastructure.”

Issues With On Premise Access Control Systems

Future of Access Control

Traditionally most access control systems have run on premise, on a windows or linux server running inside a building. This has suffered from major issues such as:

  • Lack of easy remote management tools
  • Lack of frequent updates and improvements
  • Slow pace of innovation
  • Lack of managing access on the go
  • High capital expenditure for equipment
  • Specialized training to run and operate large pieces of software locally
  • Significant training costs from using bloated legacy systems
  • Lack of strong data backups,
  • Lack of scalability: You have to fit all your processing into a single machine
  • System upgrades create downtime

Cloud-Based Access Control Systems

Cloud based systems have revolutionized every industry, and physical security is no exception Access control systems are moving to completely cloud based systems that can reap the benefits of limitless scalability..

Benefits of a Cloud-Based Access Control System

  • The system can scale with the needs of the organization
  • Constant security updates that can be rolled instantly
  • Zero down time
  • Mobile first access management
  • Hundreds of buildings managed from a central location
  • Real-time and remote grant or revocation of access
  • Constant data backups
  • Fast product evolution

Cloud vs. Edge Computing

That raises the issue of which access control data gathering, analysis, and storage model will prevail in the future: cloud computing (which when farmed out to a third party becomes known as access control as a service) or edge computing.

In cloud computing, data is gathered and analyzed in a central location, offering the advantages of power and scalability. It also offers the convenience of managed service and automatic software updates. IHS Markit has forecast steady demand for a SaaS model for access control, especially among new users such as small and medium-sized businesses. In edge computing, data is gathered and analyzed on the device itself–be it camera, card reader, alarm panel, etc. Edge computing’s major benefit is much faster processing time–critical, for example, in telling an autonomous vehicle whether to brake–and suitability for remote applications.

Edge computing, a concept that has existed for years, is hot in 2020. In fact, it has been estimated that by the end of the year, 40% of the data on the Internet of Things will be stored, processed, examined and applied near to or at the edge of the network.

Rather than being in competition, however, cloud and edge computing complement each other, and are likely here to stay for at least the mid term for use in access control. Cloud-based access control offers convenience and cost-effectiveness among other advantages, while edge computing suits remote applications, and, as Axis Communications puts it, saves materials and labor costs (no wiring) and simplifies future changes.

Authentication

Mobile credentials are also being used for both multimodal and multi factor authentication. (Multimodal authentication can mean proving identity/gaining access with at least two separate biometrics, or allowing access via use of any one of various credentials, such as a keycard or PIN. Multifactor authentication means having to prove identity/gain access via at least two methods or credentials—including something you know, have, or are)—such as fingerprint and a password.) Swiftlane’s facial recognition based access control system, for example, can use smartphones as second-factor authentication, and either face or smartphone as multimodal authentication.

Multi-Factor Authentication

Both multifactor and multimodal approaches have significant benefits. Multifactor authentication is more secure than single-factor authentication. It also helps organizations to feel more comfortable using single sign-on, and single sign-on is a favorite of users because it greatly simplifies network access. Further, multi-factor authentication may be required by regulation to handle personal identifying information. Multifactor authentication is frequently used by consumers when changing account passwords or performing online transactions; they will be cued to enter a PIN sent via SMS text or email, for example, to verify identity. These are called push notifications, and they are a favorite of research and analyst company Gartner. Gartner predicted that 50% of enterprises using mobile authentication would adopt it as their primary verification method by the end of 2019.

Multimodal Authentication

Multimodal authentication that requires two separate biometrics is far more secure than a single biometric, but more costly and time consuming. Multimodal authentication that requires a choice of several authentication credentials is less secure but far more convenient; for example, if you forget your keycard you may be able type a PIN into a keypad.

Blockchain Authentication

Meanwhile, blockchain technology is emerging as a contender in the authentication sweepstakes. Some have hailed it as the underpinning of all security applications in the near to mid-term future. Blockchain use cases have sprouted in almost every security application, and access control and authentication is no exception. Researchers have already established proof of concept, so it is likely that some access controls systems will be based on distributed ledger or blockchain technology. According to research done at the University of Saskatchewan, “By exploiting Hyperledger Fabric and Hyperledger Composer potential we have implemented a tamper-proof access control application based on permissioned blockchain for managing access permissions on physical places.”

Blockchain also facilitates scaling access control and authentication. As Robin Gaal explains:

“An interesting aspect is that the blockchain can be used as an authentication provider. Imagine you can authenticate yourself at government services, banks, airports and other services with only one identity using blockchain technology. Using their key-pair, users register their identity on the blockchain. This registered identity is a piece of information that contains hashes of several identity related attributes. For example their name, governance registration number, fingerprint or other biometric information. After that such a user can go to a recognized party, which verifies the hashes earlier registered on the blockchain and let the recognizing party “sponsor” that piece of information as the truth on the blockchain. Other parties which trust the particular recognizing party can now trust the identity on the blockchain and use it as an authentication or identification mechanism.”

Automatic Anomaly Detection

With improvements in AI and Machine Learning, suspicious activity can be detected instantly. If a person normally badges between 9-5 PM on weekdays, a badge scan at 10 PM will instantly generate an alert for security teams. Security guards don’t have to be glued to the computer screen, watching every single access event across all doors. Instead, their time can be freed up to patrol and observe the space around them. They can be automatically notified of events, right on their phone, and they can respond to them in real time.

Smart GSOCs

Today’s global operations centers (GSOCs) require large rooms filled with dozens of screens streaming video and access control feeds from all access points. The rapid evolution of mobile phones, cloud connected devices, and anomaly detection software will avoid the cost and complexity of GSOCs. Anomalies will be pushed to security managers directly on their phones. Computer vision will detect an active shooter with a gun and immediately notify security teams directly on their phones anywhere around the globe. The result will be higher security in real time.

Presence Control

Covid-19 is helping shift the access control paradigm to a presence control paradigm; that is, ias important as it is to know who is entering your organization’s spaces, it is becoming equally important to know where staff are within those spaces, to ensure physical distancing, de-densify common areas, be prepared for safe evacuation, and so on.

Real-Time Location Services Real-Time Location Services (RTLS) enables organizations to track the locations of all people in a facility. RTLS also optimizes space use, provides for enhanced asset-location awareness, and enables more efficient use of lighting, HVAC, and other resources.

RFID, wifi, and Bluetooth, infrared, and cellular are among several technologies used to track individuals, as well as assets. Real Time Networks offers a good comparison of the technologies. The Hong Kong government is using the technology, via wristbands, to geofence people who have tested positive for covid-19 and ensure that they don’t break quarantine.

RightCrowd is one provider that has active applications in the field, including in an open-office environment and at high-security areas of an R&D facility. RightCrowd uses Bluetooth technology as its virtual backbone.

A forthcoming report by Market Trends analyzes trends and drivers in the RTLS market, forecasts growth through 2029, and compares solutions by such companies as Zebra Technologies, Impinj, CenTrak, and Versus Technology. Forecasts by other companies break down RTLS use in different markets, including sporting events.

Wearables and Implantables: New Technologies in Access Control

It’s hard to believe that smartphones didn’t exist in 2006. They have transformed computing in myriad ways, from communication to travel to shopping to entertainment to education to security and beyond. But handheld devices can disappear as quickly as they emerged. Already, smartphone capabilities are migrating to wristwatches, earbuds, belts, and even smart clothing. Circuits are getting smaller, prices are dropping, and the quest for convenience and style continues unabated.

For access control, wearable devices dispense with having to pull your phone out to open a door; instead, you can wave a watch, a necklace, or some other device. One day soon, that may seem too onerous as people start tattooing, implanting, or injecting computer components, enabling access control with a wave of the hand.

Sound far-fetched? Elon Musk is testing implantable neural network technology on monkeys through laser surgery. Smaller companies are seeking the same goal through technologies such as inserting a stent through a vein in the back of the neck, which then embeds 16 metal electrodes into the blood vessel’s walls from which neuronal activity can be recorded.

Futurist Scott Klososky, when confronted with skepticism whether anyone would agree to implant neural technology in their child, had the following response: “If all the other children have been ‘augmented’ and are reaping huge advantages, parents will naturally want to keep their children on an even playing field.”

Compared to all of the other capabilities presented by implantables, access control is relatively minor. But consider how implantables can become a form of universal access control for an individual once he or she uploads his or her personal software “key” in the cloud.

Access Control System Convergence and Integration

Not 20 years ago, IT departments would blanch at the prospect of running physical security components–”bandwidth hogs”–over corporate systems. But with widespread installation of fiber-optics and the explosive growth of bandwidth and throughput rates, it’s a rare company that fails to integrate all security components, both physical and cyber, into the corporate network.

Digital identity has seen a huge amount of innovation over the last decade, starting with single sign-on experiences like “Facebook Login” and “Google Login ” in the early 2010s. Using single sign-on, users don’t have to create shared passwords across hundreds of untrusted sites and risk their passwords getting stolen. Around 2015 brought large adoption of this technology for enterprise and commercial access. GSuite Sign on, OKTA, OneLogin, and similar companies have paved the way for large adoption of SSO in the enterprise access space. This allows companies to enable or disable access to hundreds of websites and software in one shot. The next advance will be convergence of identity between digital and physical access. The same SSO providers will be used for granting access to individuals for building and physical access, instead of relying on on-premise software maintaining outdated records of access, and remaining vulnerable to access by ex-employees.

Cyber and physical integration has had, and will continue to have profound implications for access control. Once separate systems, physical and cyber access controls often function seamlessly. The same face recognition technology that opens the door of the office suite also integrates with a camera that allows a guard to confirm your identity and with your PC to give you network access. This trend is expected to only accelerate in the future.

In fact, 36% of access control installations in educational settings now include video or intrusion detection systems. An integrated, cloud-based access control and video management solution allows users to seamlessly monitor access activity and link events at doors with integrated video.

A survey by HID Global and ASIS International enumerates three major benefits of access control integration. First, users are eager to adopt converged credentials. Second, users are less likely to lose combined credentials. Finally, the single credential reduces the need for strong passwords, which are notoriously difficult and frustrating to remember.

Tools4Ever Managing Director Tim Mowatt describes other advantages of integrated access management:

“Provisioning will be far more rapid since transferred identity data will help to create accounts and configure access levels immediately. Continual improving integrations will provide administrators and managers with far more granular control during initial setup, active management, and deactivation.”

Also, increasing connectivity allows centralized management at the source of the authoritative identity data and pushed easily from there. At the same time, systems and applications will better incorporate identity data to enforce a given user’s permissions within that resource.”

Perhaps the only thing holding back integrated access control is the lack of departmental convergence or cooperation between physical and cyber security departments. In fact, a 2019 study by the ASIS Foundation shows that only 24 percent of companies in the United States, Europe, and India have converged physical and cyber security, and there is scant evidence that the number is increasing.

The HID/ASIS report adds that while security directors report that they work with IT departments to establish security best practices for their facilities (61 percent) and to look for new technologies cooperatively (55 percent). 20 percent report that there is little or no overlap between physical security and IT.

Asked in the HID/ASIS survey to rate the level of authority on decisions to upgrade physical access control solutions: 46 percent said IT was fully consulted and another 22 percent said IT was involved in either the final recommendation or the final decision. Ten percent said IT had no influence.

For 28% of respondents, “Integrated physical and logical access control” was selected as the top technology advancement that would have the most impact on improving the organization’s overall access control system.