Buyer Guide: How to Design a Door Access Control System
Designing an access control solution requires decisions on seven (7) fundamental questions. This article is intended to help you understand the seven steps and the options and tradeoffs involved in designing an excellent access control solution.
The Seven Steps to designing a Door access control system are:
The first point to consider is cost. Door access control electronic systems are more sophisticated and can be more secure than traditional key locks. However, most people still use keys. The reason is simple: cost. Industry averages for electronic access control range from $500 to $2,000 per door installed. Locksets, on the other hand, run between $50 and $500, depending on the level of security required. While electronic systems provide many benefits over keys, they will cost more per door than keys/locks. As such, you may determine that the cost of an electronic door access system cannot be financially justified, or that only certain doors are worth installing electronic access control on. To determine if electronic access control is worth the cost for your project, understand if the following benefits apply to your use:
- An access control system simplifies management of access to the building. Keys do not need to be made and distributed to employees or contractors. Credentials (either permanent or temporary) are issued to the respective party, and that is it.
- The potential risk associated with a misplaced or stolen key is significantly reduced. Typically if a key to an exterior door is lost, best practice and common sense would mandate re-keying the facility to ensure if the key arrives into a criminal's hand, the facility is still protected. Re-keying is typically a large expense. Lock cores cost between $30 and $80 or more, and locksmiths upwards of $70 per hour, so a four-door building can cost hundreds of dollars to re-key each time a key is lost.
- Improved audit trail: With keys, no record is kept of who came and went through each door, and when. Intrusion detection and surveillance systems may provide some idea, but not as simply, or in as much detail.
- With keys, in many facilities, staff must manually lock and unlock doors at the beginning and end of business. This requires time and introduces the risk of forgetting or not properly locking a door. Doors controlled by an access control system, whether controlled by a card reader or not, may be automatically unlocked in the morning and locked at night on a schedule, or when the intrusion detection system is disarmed and rearmed.
If these advantages are important to your project, the capital investment in an electronic door access control system may be a great project to consider.
After answering the why, the second question when planning an access control deployment is what. What assets are to be secured? Doors which are infrequently used, or used by a very limited number of staff, such as closets, typical non-critical offices, and mechanical spaces, may not be worth the expense of adding access control, unless a legitimate risk to high-value assets is expected. Review the use of each door. It is fair to have doors secured with a lockset (key and lock) if the door is not mission critical to your business.
Typical spaces we see access control applied:
- Exterior Doors: in general, exterior doors are the first thing to be secured. This simplifies access to the building, so staff do not need keys, while keeping unauthorized persons out of all entrances except those intended. Visitors may be directed to a particular entrance where staff can receive them. Typically, this is done in one of two ways. (1) Remotely: In this scenario, visitors to the facility utilize an intercom (audio/video is most definitely preferred) to speak to reception or security staff, who then remotely release the door so they may enter. (2) In-person: In this scenario, visitors simply enter the building through an unlocked set of doors and speak to reception staff. In both instances, the visitor may be kept outside of the facility entirely, or they may be allowed access into the building into a lobby or vestibule, which is secured by a second access controlled door.
- Gates: entry gates are commonly incorporated into an access control system. This moves access to the perimeter of a property. This is often desirable in high crime areas or for high-security facilities. Gate access control may be paired with surveillance and/or video intercom so staff may visually confirm who is requesting entry. The gate may then be remotely released for deliveries or visitors. Wireless interfaces make access control of gates easier, by avoiding trenching and wiring costs. The gate is usually controlled via an interface to a gate operator or through specialized locks made for the application.
- HR and Accounting Areas: these areas maintain and archive confidential company records and are often next to be secured.
- Inventory and Warehouse Areas: storage rooms and warehouses are easy targets for both internal and external threats. Securing entrances to these areas reduces access, provides a log of activity, and introduces an extra obstacle for anyone intending to steal supplies or equipment.
- Data Closets: as network security continues to be a concern for companies large and small, access control of data centers and server rooms has increased. Considering the server room is often the brains of an organization’s operation, this is a good practice. Specialized systems exist for securing cabinets in larger, often multi-user, data centers.
- Classrooms: with computers being a common target of theft in schools, locking classrooms is often desirable. Installing electrified locks on each classroom also provides lockdown capability, so in emergencies security staff may lock down the entire campus with a single action.
- Cabinets: specialized locks for use on cabinets are available so that access control may be moved to the specific asset instead of the door.
- Key Control Cabinets: many organizations, even those who use electronic access control extensively, still need to manage a certain quantity of keys, whether for vehicles, cabinets, or other purposes. Often, these keys are kept in a cabinet or on a backboard, which are conspicuous and an easy target for any criminal. Simply using a securely mounted cabinet with an electrified lock reduces this risk. More elaborate systems for key management exist as well, providing control and audit trail down to the level of the individual key.
A key goal of access control is to selectively let people in. To do so, you need to choose a technique for people to prove that they have legitimate access to an entrance. This proof generally falls under the common mantra: something you know, have or are. Let's look at the practical options used in real-world security systems:
- Something you Know: This is the most common technique in accessing computers and second most in accessing doors. The best examples of this are passwords or pin codes. Since they are so easy to share and steal from an authorized user, most physical access control systems stay away from using this as the only means of authentication.
- Something You Have: This is the most common technique used in physical access and best represented by the card or fob. The user carries this physical token with them and presents it at the entrance. It is generally considered stronger than pin codes because they are harder to reproduce. On the other hand, it is possible to reproduce and the risk that the card is shared is still a threat.
- Something You Are: This is the least common technique used in security but generally considered the strongest. Good examples include fingerprint, face, vein and hand geometry. These are fairly hard to fake. However, biometrics are still quite rarely used statistically. Even for the ones that are considered to work well, the price increase over cards makes it hard for most to justify.
You can use these controls in combination. This approach, referred to as 'multi-factor authentication' is very popular among security practitioners. You can have dual or triple mode authentication where users are required to use a pin and a card or a card and fingerprint or all three together. If both or all do not pass, entrance is denied. The big plus for this approach is that it makes it much harder for an illegitimate user to get in. The big downside is that it becomes inconvenient to users who will be locked out if they forget one and will take more time and hassle to get in each time they check in. Because of this, the number of factors of authentication usually increases with the overall level of security or paranoia of the facility (e.g., condos are single factor, military bases can be triple, etc.).
There are a variety of locks that may be used on access controlled doors, all having their application.
- Electric strike: the electric strike replaces the strike plate in the door’s frame (the metal plate the door latches into), and will unlock when power is applied to it.
- Electromagnetic lock: the most common lock used for access control, electromagnetic locks, or maglocks, consist of a coil of wire around a metal core, which produces a strong magnetic field when energized. The maglock is normally mounted on the door frame, and the door is fitted with a plate which matches up with it. Under locked conditions, the magnet is kept energized, holding the plate to it. When the door is unlocked, power is cut, and the door releases. Maglocks are easier to install than other types of locks, since everything is surface-mounted, but they have certain trade-offs required for convenience and life safety.
- Electrified hardware: the most unobtrusive method of electrically locking a door, electrified hardware puts the locking mechanism inside the door hardware itself. These may come in either mortise or cylinder lockset forms, or in exit panic hardware. Either form retracts the latch when power is applied, unlocking the door. These locks may also build request-to-exit and door-position-switch (DPS) into the hardware, requiring even fewer devices at the door.
Readers allow users to request doors to be unlocked and come in a wide variety of options.
- Keypad: a simple form of access control, in which the user enters his or her PIN at a keypad device to open the door. Keypads suffer from the inherent security flaws of PINs described above.
- Card Readers: there are numerous card technologies currently in use in the industry, both contact and contactless.
  - Contact readers include magnetic stripe, wiegand, and barcode. Of the three, magnetic stripe is the only technology still widely used today. Barcode finds some use, mostly in legacy systems, but is easily duplicated, as the barcode can simply be copied. Magnetic stripe readers are still regularly used on college campuses and in other facilities, especially where cards are used for purposes other than simply access. Mag stripe was common for cashless payment, but many of those applications are being filled by smart cards today. Contact readers are easily damaged by vandals inserting foreign objects, or even gum, into the slot. This is one of the reasons contactless proximity cards have become more common.
  - Contactless readers include standard proximity, contactless smart card, RFID and other technologies, some proprietary to a specific manufacturer. HID proximity readers are by far the most widely implemented technology in access control, with almost every manufacturer supporting them, and many reselling them. Regardless of which specific reader you use, the technology is basically the same for purposes of this discussion: the reader emits a field which excites a coil on the card, which then transmits an embedded number to the reader. Smart card technology has seen increased acceptance and use as the higher pricing it carried when it was introduced has come down as the technology matured. Smart card prices are now generally in line with those of standard proximity.
- Biometrics: For access control purposes, we typically see one of three or four biometric readers used: Fingerprint, iris, hand geometry, and retina, with fingerprint readers being the most common. No matter which reader you choose, there are several drawbacks to consider:
  - Access time is typically longer than when a card is used. In high-throughput areas, this may be a problem. You would not want to require an incoming shift of workers in a factory to filter through biometric readers for building access, for example.
  - Biometric readers generally require an additional weatherproof enclosure. This adds expense and slows access time more. Additionally, many of these enclosures require an employee to manually open and close them, which increases the risk of human error. Failing to close a weatherproof enclosure after use may damage the reader.
  - Compared to card readers, biometric readers are expensive. While card reader pricing is in the $150-200 range, biometric readers routinely are priced over $800. This is offset somewhat by eliminating the expense of cards.
Whichever technology you elect to deploy, the form factor (aesthetics) must be taken into account. Readers come in a variety of form factors, from miniature to oversized, depending on the application. Miniature readers may be used to be aesthetically pleasing on an aluminum-framed door, for example, while a 12” square reader may be positioned at the parking garage entry for better read range. Generally speaking, the distance at which a card can be read increases with the size of the reader. Standard read range is between one and four inches.
Motion sensors and/or request-to-exit buttons allow people free egress. Activation of these sensors signals the access control system that someone is exiting. If the door opens (the door-position-switch (DPS) reports open state) without a request-to-exit (RTE) being sent first, the access control system interprets it as a forced door alarm. Motion sensors are typically preferred for request-to-exit devices, for convenience. There are considerations that must be made when using maglocks, however. In the US, life safety code requires that there be a means to physically break power to the maglock. This is done in case the access control system should fail. If the system no longer received request-to-exit signals, or failed to unlock a maglock when it did, there would be no way to open the door. For this reason, you will often see a request-to-exit motion sensor along with a pushbutton used with maglocked doors. The motion sensor is for everyday use, and the pushbutton is used in case of emergency or system failure.
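The forced-door rule described above can be written out as event-log logic. The following is an added example, not code from any access control product: the event names, the door names, the sample log and the 5-second grant window are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: a valid card read or RTE signal covers one door opening
# for this many seconds. Real panels make this value configurable.
GRANT_WINDOW_S = 5.0

@dataclass(frozen=True)
class Event:
    ts: float    # seconds since the start of the log
    door: str    # door name (constructed)
    kind: str    # card_valid | card_denied | rte | dps_open | dps_closed

def classify_openings(events, window=GRANT_WINDOW_S):
    """Return (ts, door, verdict) for every DPS-open event.

    verdict is "entry" (preceded by a valid card read), "exit" (preceded
    by an RTE) or "forced_door" (no fresh grant on that door).
    """
    last_grant = {}   # door -> (ts, kind) of the most recent unused grant
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in ("card_valid", "rte"):
            last_grant[ev.door] = (ev.ts, ev.kind)
        elif ev.kind == "dps_open":
            # A grant is consumed by the first opening that follows it, so
            # a second opening needs its own card read or RTE.
            grant = last_grant.pop(ev.door, None)
            if grant is not None and ev.ts - grant[0] <= window:
                verdict = "entry" if grant[1] == "card_valid" else "exit"
            else:
                verdict = "forced_door"
            results.append((ev.ts, ev.door, verdict))
        # card_denied and dps_closed never authorize an opening.
    return results

def forced_door_alarms(events, window=GRANT_WINDOW_S):
    """Return only the (ts, door) pairs that raise a forced door alarm."""
    return [(ts, door) for ts, door, verdict
            in classify_openings(events, window) if verdict == "forced_door"]

# Constructed sample log, not taken from a real system.
SAMPLE_LOG = [
    Event(0.0, "lobby", "card_valid"),
    Event(1.2, "lobby", "dps_open"),       # entry
    Event(4.0, "lobby", "dps_closed"),
    Event(30.0, "lobby", "rte"),
    Event(31.0, "lobby", "dps_open"),      # exit
    Event(35.0, "lobby", "dps_closed"),
    Event(60.0, "lobby", "card_denied"),
    Event(62.0, "lobby", "dps_open"),      # forced: a denied read is no grant
    Event(65.0, "lobby", "dps_closed"),
    Event(90.0, "server", "rte"),
    Event(120.0, "server", "dps_open"),    # forced: the RTE is 30 s old
    Event(125.0, "server", "dps_closed"),
    Event(200.0, "lobby", "rte"),
    Event(201.0, "server", "dps_open"),    # forced: RTE was on another door
]

if __name__ == "__main__":
    for ts, door, verdict in classify_openings(SAMPLE_LOG):
        print(f"{ts:7.1f}s  {door:<7} {verdict}")
```

Too short a grant window turns slow walkers into false forced-door alarms, while too long a window lets an unrelated opening pass as authorized.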
The devices above require power, of course, so power supplies are another consideration when designing an access control system. There are three methods by which door devices may be powered:
- A power supply centralized with the access control panel. This is the simplest method, requiring the least high voltage to be run and thus reducing cost. However, voltage drop may become an issue, so calculations must be performed to take this into account.
- A power supply local to the door. This is common in cases where electrified hardware is used. The power draw of an electrified device is normally much greater than a maglock or electric strike, so local power is installed, to avoid voltage drop issues. The downside of this is that it adds another point of failure, as opposed to a single central power supply.
- Power over Ethernet (PoE). Power over Ethernet is being utilized to power single-door (or in some cases two-door) controllers, which in turn supply power to all the attached devices. In our experience, this is normally enough to power typical strikes and small maglocks, but not latch retraction devices. Power draw also varies by manufacturer, so care must be taken to make sure enough power exists to operate the selected lock.
No matter which method you use for powering devices at the door, fire alarm interface may need to be considered. Typically, doors in the path of egress are required to allow free egress in the case of fire. Note that this does not necessarily mean they must unlock, a common misconception. Doors equipped with electric strikes are not required to unlock if they also are equipped with panic hardware. Maglocks in almost all cases are required to unlock. Remember this when considering locks for your access control system, as simply pulling a fire alarm pull station may leave the building completely vulnerable if maglocks are used.
We also recommend using supervised power supplies for access control applications. These power supplies supply contact closure upon AC fault conditions, or battery fault if backup power is being used, alerting the access control system that power to the door is lost. This allows more proactive monitoring, instead of waiting for a user to discover that a door does not open, or in the case of a maglock, that it does not lock.
Discussion of devices at the door would be incomplete without mentioning integrated access devices. These devices build the reader, lock, DPS, and RTE into the hardware of the door. They may be either wired or wireless, network-based or open platform. They reduce labor costs by eliminating the need to install multiple devices, but do require more specialized skills. Replacing locksets and panic hardware can be tricky and requires a strong working knowledge of the hardware. In the case of wired devices of this sort, the door must also be “cored”, which means a hole is drilled through the entire width of the door so cables may be run through it from the hinge side, requiring specialized gear. Wireless locksets of this sort greatly reduce the amount of cabling that must be run, but do present their own issues
Three types of management exist for access control systems:
- Embedded: Also called web-based or serverless, the access control system is managed wholly through the access control panel, via web page interface or occasionally software. Typically the functionality is somewhat limited in this method, due to the limitations of what can be done in a standard browser which will work on all platforms: Windows, Mac, Linux. Enrollment and logging functions are easily available, but real-time monitoring is more of a challenge. Cost is reduced, since no server must be supplied.
- Server-based: The more common method, this puts administration, management, and monitoring of the access control system on a central server. Client software installed on a management or monitoring computer connects to this server to perform necessary functions.
- Hosted: hosted access control systems are managed by a central server which manages multiple end users’ systems from “the cloud”. The only hardware required on site is the access control panel with an internet connection. User interface is usually through a web portal, making hosted access a combination of web-based and server-based management. The hosting company must manage the system as a traditional server-based system would be managed, but to a user, all interface is via the web. Hosted access also introduces an ongoing monthly fee to host the access system, and the added cost will need to be factored in and weighed in your financial cost/benefit analysis.
When selecting an access control system, consider what features you will need at the present time, and consider where the system will go in the future. Some questions to ask:
Does it use standard card readers? Not every system utilizes compatible readers. Some manufacturers support only proprietary readers which would typically need to be replaced should the system be changed to a different vendor’s product in the future. Others utilize different cabling topologies, which usually require less cable to each door, typically a single cable, with all the devices at the door connecting to an intelligent reader or small controller. If future-proofing is a concern, as it typically is and should be, select systems which utilize standard wiring schemes.
Another consideration when discussing “openness” of a system is whether the selected manufacturer uses open platform control panel hardware or their own proprietary panels. If the system runs on open hardware, most, if not all, of the head end panels may be reused when changing to a competitive system. In the case of a small organization with a handful of doors, open platform hardware may be a non-issue. If the required feature set is small, and the likelihood of moves and expansions is low, a proprietary web-based platform will suffice. However, for enterprise-level systems, non-proprietary hardware is highly recommended to avoid becoming trapped by a single vendor.
Outside the typical door access scenario, there are some special use cases of access control we may run into:
Elevators: there are two methods of restricting access to an elevator:
- Call the elevator car upon a valid card read, instead of pushing a button. This method puts a single reader outside the elevator. A user presents his or her credential to call the car. Once in the elevator, the user has access to any floor he or she chooses. This is a simpler and less costly method of restricting access, since only a single card reader must be installed, but may not be applicable in all scenarios, if access to individual floors is desired.
- Allow selection of individual floors based on the credential presented. In this scenario, when the user enters the elevator, the floors he or she is restricted to are lit, and floors they’re not allowed access to remain unlit. They will only be allowed to take the elevator to floors they’re given access to. There are multiple drawbacks to this method, although it may be unavoidable if this sort of security is required. First, it requires a card reader be mounted in the car, which requires interfacing with the elevator’s travel cable, or wireless transmission be used. Second, it requires an input and output for each floor to activate and deactivate each of the buttons, which may be labor intensive depending on how many floors there are in the building.
Harsh Environments: when utilizing access control in harsh environments, all of the devices in the system must typically be intrinsically safe, also called explosion proof. What this means is that the device will not spark and potentially create an explosion. While there are card readers specifically produced for these environments, typically they consist of a standard card reader mounted in an explosion-proof instrument enclosure, readily available from electrical distributors, and easily fabricated in the field.
Mustering: a function of certain access control systems, mustering counts employees exiting the building via a designated reader or group of readers. So, in case of emergency, security and safety staff may see how many employees and visitors are still in the facility. Specialized wireless readers may also be used for mustering. In this case, the security officer carries a reader and has employees swipe their credentials as they reach the mustering point.