Inside story by In Security: Access Control

Trends, future developments and possible risks are the basis for our survey.

Jeremy Malies, content editor at In Security Magazine, assesses the driving forces in the access control market. The areas of focus include biometric & mobile credentials, artificial intelligence (AI), pros and cons of access control as a service (ACaaS), and pressure from budgetary restraints as costs rise.

The article looks at vertical sectors for access control where requirements may be unusual or demanding, and what vendors and consultants are doing in terms of system design. Sectors lending themselves to innovative access control include pharmaceuticals, petro-chemicals, construction, mining, flexible workspace sites and shared occupancy buildings.

Background

Access control offerings have progressed greatly from the days when you often found yourself performing the ludicrous task of inputting your date of birth into a keypad. Product suites now focus more and more on biometric systems with speed of access being crucial. Visitors to major corporate sites expect to be issued with passes in advance by email so that pre-vetting can be done by facility managers. When you go to the premises, it’s likely that you will already have received a QR code on your mobile. Mobile phones can of course be compromised, but much can be done in terms of judicious use of public Wi-Fi, avoiding unnecessary apps, premium antivirus software and awareness of phishing attacks.

In the lead-up to my visit to a high-security site, a conscientious facility manager might ask, “Just who are In Security magazine? Should their content editor, Jeremy, be here? Can he provide supporting information?” Come the day, the QR code gets the visitor through the turnstile or other physical barrier or merely reassures reception staff that this is a legitimate guest.

No access control vendor would market their products now on the grounds of ability to create a hierarchical system of entry privileges. Such functionality is a given. And yet, applying artificial intelligence as a failsafe against bad hierarchy decisions on access seems wise. I often wonder if excessive deference and failures in common sense might leave a facility prone to attack or theft. It would, for instance, be unwise for any organization to put me in charge of its physical security. My impulsiveness and trusting nature might see me do something ludicrous such as giving the chief executive officer of a hospital board an access-all-doors privilege level. A moment’s thought makes it obvious that unless his/her core competence lay in those areas, no hospital would want the security credentials of its CEO to give them entry to a server room or a pharmacy. Such an access request would have to be the result of their ID being stolen by an intruder intent on IT sabotage or theft of drugs with street value.

Security credentials according to generation

Credentials held on a phone or smartwatch, perhaps a QR code that might be for one day only, are the approach best suited to anybody from Gen X or younger. It is also the most intuitive. Gen Z (the first truly digital-native generation who will likely have been given a phone when they hit adolescence) may even be dismissive of a fob or card. And a card is a dumb item that can be passed around or stolen. If I were a miscreant working from the inside either alone or with an accomplice, it would be difficult for me to say credibly to human resources, “I picked up Jeremy’s phone unwittingly and used it to open a door” or “Jeremy gave me his phone!”

Biometrics and mobile credentials

“All About You” was a hit record for British pop-rock band McFly. And innovative access control vendors who are focusing on biometrics want entrances to places of work, leisure and residence to, indeed, be all about you. There is a security industry adage that badges are items that you have and pin codes are something that you know. But biometrics – be it your fingerprints, iris or voice – are what you are.

Driven by the needs of end users at sites where trespass can have disastrous consequences in terms of reputation not to mention commercial losses, innovative vendors are looking to offer doors, gates, barriers and turnstiles where the reading/activation device responds solely to biometric information. With the possible exception of the custodial sector, the trend in mission-critical environments is away from traditional keys. Increasingly, even cards have become legacy technology and there is a vogue for near field communication (NFC) credentials stored in digital wallets most usually on a smartwatch. But waking in the morning to single-digit battery charge on phone or smartwatch will be familiar to most of us. Biometric credentials truly are the most robust identification approach.  

Building sector benefiting from biometrics

With redress for workplace accidents resulting from negligence or malpractice extending right up to charges of corporate manslaughter against CEOs, few industries are more vigilant than the construction sector in its protection of sites and overseeing of work practices. High incidence of “buddy punching” (one worker clocking in or out for another), use of equipment such as forklift trucks by unqualified operatives, and breaches of general health & safety protocol mean that managers are very keen to control movement around and access to sites.

With construction workers often wearing gloves and likely to pick up dust and aggregate particles so rendering fingerprint scanning difficult, building sites are making increasing use of facial recognition cameras at entry points such as turnstiles to allow workers on site. This gives a live headcount and helps with mustering in the event of evacuation. It also makes buddy punching and tailgating all but impossible. Safety and compliance rules can be applied at the entrance points. It’s pleasing to note that modern facial recognition can cope with workers wearing a hardhat.

Building case study

Products of particular value to those managing construction workforces are offered by Biosite Systems based at Solihull in the UK’s West Midlands. The company specializes in innovative access control for construction sites with the suite including facial recognition with (a sign of the times) optional integrated temperature measurement.

The solution is completely contactless and valued by users for real-time visibility which is reassuring for management. Facial matching is achieved in less than 0.2 seconds and workers are automatically locked out of site if there is an attempt at spoofing or an accreditation has expired. The offering also includes smartcards and fingerprint scanning. At smaller, often linear construction sites, managers can use the Biosite Mobile app on their phones to apply facial recognition scrutiny to workers seeking access. Biosite Systems have an impressive set of case studies with their construction client Bowmer + Kirkland. Biosite Systems are an ASSA ABLOY company.

Leisure venues

Biometric access control is increasingly popular at leisure venues, notably sports stadiums where history teaches us that fan bottlenecks/choke points must be avoided at all costs. There will soon be case studies in the trade press where season ticket holders load a selfie onto their club’s system and gain entry by simply looking at a camera. This is preferable to printing out a ticket at home or barcode/QR code scanning from a dimmed low-battery mobile.

Much of this remains in the near future and there have been some less-than-accurate claims from vendors about facial recognition usage at British football grounds. Supporters’ associations have voiced legitimate concerns about privacy and data management, but if the technology is used responsibly (with opt-out alternatives) and scrutinized by third parties, it will surely be to the benefit of everybody.

Facial recognition in the US

I have found one well documented case study of fans using facial recognition to enter a stadium, this being the Intuit Dome in Inglewood (California) whose main use is as the basketball home for the Los Angeles Clippers. The technology, GameFace ID, was implemented in 2024. Signing up for the system is voluntary; fans can always opt out if their preference is for traditional payment and entrance methods with stewards always on hand.

Scrutiny of how data is collected and retained is rigorous. In the first six months of usage, more than 400,000 fans became users of this frictionless solution. It should be noted, if there are any sceptics, that the technology mitigates the risk of alcohol sales to those under 21. Again, to optimize spectator safety and reduce the risk of ticket forgery, GameFace ID uses Bluetooth sensors to report on seat presence.

Facial recognition technology has either been used, is being used or is under trial at venues including FirstEnergy Stadium in Cleveland (home to NFL side the Cleveland Browns), the multi-purpose Mercedes-Benz Stadium in Atlanta, and the Citi Field baseball stadium in New York used by the New York Mets.

Biometric access control usage in infrastructure

Authorities in charge of border crossings have proved early adopters of biometrics. Last summer, my holidays saw me criss-cross between Serbia (non-EU) and Hungary which is an EU member and thus in the Schengen Area. Like anybody in the industry, I compulsively watch security technology in action even during my leisure time. Crossing at Kelebia, Serbia, by coach into Tompa, Hungary, my Irish passport minimized any fuss across this external border of the EU.

But there were delays as passengers from non-EU countries walked to booths where facial photographs were taken and scans given from four fingers of the right hand. This is one of the first implementations of the new European Union Entry/Exit system (EES) that mandates biometric border checks. EES is also being implemented at border crossings between Serbia and Croatia, these being on another external border of the EU. The system is an illustration of what is now known as the “Brussels Effect” whereby EU regulations become de facto global standards.

Access control exploiting artificial intelligence (AI)

The essence of artificial intelligence in present-day access control is that it moves us away from static rules to adaptive behavioural analysis, a means of decision-making that demonstrates self-learning. AI can alert site managers to behaviour that is not unauthorized but sits just off kilter, beyond the baseline of typical activity and therefore warranting attention. Richard Dawkins berates anybody who confuses drastic change in the short term with evolution. But AI is making constant incremental changes to bring the access control sector to something better than axiomatic decisions. Dawkins might allow us to say that this niche part of our industry is truly evolving.

My survey here suggests that AI is doing much to reduce the threats to biometric access control from fraudsters and other criminals (including political protestors resorting to criminal acts when desperate). Deepfakes such as masks and silicone fingers show determination by criminals to commit identity fraud, but there are now sophisticated algorithms for liveness detection. Identification is not just a question of looking at static images; there is assessment of eye movement, skin reflection and blood flow.

Biometric access control enhanced by AI

An area in which biometric access control is being made possible by AI is voice activation of doors and other entrance points. In 2001: A Space Odyssey, HAL (the sentient supercomputer) famously refuses to open the pod bay doors. If he had opened them, it would have been through voice activation. But voice-controlled doors are now revolutionizing how many people move through buildings in the real world. Post-Covid, contactless door usage has attractions.

Demand for this technology is also driven by mandates and general efforts to cater for the needs of the elderly and those with mobility challenges. Voice activation is no more difficult for a wheelchair user than it is for the able-bodied or for an able-bodied person who is perhaps in charge of a pallet of goods or a patient on a trolley. The technology scores well in terms of general inclusivity.

Machine learning for voice identification

I’ve long known that walking patterns (gait) are far more subtle than one might suppose, and video analytics can exploit this in order to identify unusual behaviour and people who might be agitated, smuggling contraband or perhaps conducting hostile reconnaissance at an infrastructure hub. Machine learning models for voice analytics (also known as speaker recognition) look at pitch, cadence, tone and projection – these qualities being independent of language even when the languages are notably different such as Arabic contrasted with the Latin languages.

A staff member’s voice is recorded as a voiceprint while they speak in everyday naturalistic tones. This forms an encrypted model. It is not stored as audio but becomes a mathematical sequence which reduces the possibility of reverse engineering. When the user seeks entry to premises or wants to make some other demand of equipment, a comparison (with a degree of latitude) is made. Access or permission will be granted if there is a match, with the latitude even making allowances for factors such as slight illness.
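The comparison "with a degree of latitude" can be sketched as a similarity threshold. This is an added example, not any vendor's implementation: it assumes the voiceprint is a fixed-length numeric vector compared by cosine similarity, and every vector and score in it is constructed. Going slightly beyond the paragraph, it also shows how moving the threshold trades false rejections against false acceptances.

```python
import math

def cosine(a, b):
    """Cosine similarity between two equal-length vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def matches(template, probe, threshold):
    """Grant only if the live sample is close enough to the enrolled template."""
    if len(template) != len(probe):
        raise ValueError("template and probe must have the same dimension")
    return cosine(template, probe) >= threshold

def error_rates(genuine_scores, impostor_scores, threshold):
    """Return (false accept rate, false reject rate) at a given threshold."""
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    return far, frr

# Constructed sample data (assumed 4-dimensional voiceprints for readability).
ENROLLED = [0.90, 0.10, 0.40, 0.20]        # stored template, not audio
SAME_WITH_COLD = [0.85, 0.18, 0.42, 0.15]  # same speaker, slightly ill
OTHER_SPEAKER = [0.20, 0.90, 0.10, 0.50]

# Constructed similarity scores from earlier attempts by genuine users and impostors.
GENUINE = [0.99, 0.97, 0.96, 0.93, 0.98]
IMPOSTOR = [0.40, 0.62, 0.71, 0.94, 0.55]

def sweep(thresholds=(0.90, 0.95, 0.98)):
    """Map each threshold to its (FAR, FRR) pair."""
    return {t: error_rates(GENUINE, IMPOSTOR, t) for t in thresholds}

if __name__ == "__main__":
    print("cold, threshold 0.95 :", matches(ENROLLED, SAME_WITH_COLD, 0.95))
    print("cold, threshold 0.999:", matches(ENROLLED, SAME_WITH_COLD, 0.999))
    print("other speaker, 0.95  :", matches(ENROLLED, OTHER_SPEAKER, 0.95))
    for t, (far, frr) in sweep().items():
        print(f"threshold {t:.2f}: FAR={far:.1f} FRR={frr:.1f}")
```

A threshold with no latitude locks out the legitimate speaker with a cold, while a loose one admits the closest impostor score, so the setting is a site-specific risk decision.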

Robust against spoofing

The technology is respected by installers and consultants for being robust in terms of attempted spoofing and deception by deepfakes. From here, it’s hardly a conceptual leap for there to be a hierarchy of access privileges by which your voice allows you to open some doors but not others, access the site at particular times etc. This is all familiar to us, but as an external observer with intermediate knowledge at best, it still impresses me greatly.

Any technology that reduces physical contact with objects is appealing to specifiers and end-users. The technology fits well with the Internet of Things and the general trend towards urbanization. Are there any drawbacks? The spectre of hacking will always remain in the minds of managers, up-front costs are high and there is a need to educate people as to the benefits.

If there is an element of AI usage in access control that is particularly impressive it is surely the ability of machine learning to identify even minor anomalies and often predict a significant threat before it happens.

Is there a catch or limitation? The most notable limitation is simple costs, with allocated budgets obviously varying according to the seriousness of the consequences if access control is compromised. The amounts of data that AI needs to “train” itself effectively can be vast. This can be a hurdle not just in terms of cost but man hours required to collect the data and put it in place. False positives and indeed false negatives are inevitable as an AI system is bedded in, and once AI acquires its own momentum the decision-making criteria of the algorithms can become opaque to the overseeing human intelligence.

Vertical sectors making innovative use of access control

Anybody who attends meetings with startups or small companies will have noted the rise of flexible workspace providers who allow business people to meet in city centre and financial hub locations where actual rents would be prohibitive. Such sites require flexibility of user privileges and quick issue of credentials be these on a smartphone or through biometrics such as fingerprint or even iris recognition.

ASSA ABLOY has a UK case study with such a provider, this being Clockwise, a company that offers workspace at locations right across Europe. The facilities include hot desks, permanent desks, offices, meeting rooms and “Zoom rooms” that are now benefitting from ASSA ABLOY’s Incedo™ software solution. Incedo™ is a scalable software platform tiered at Lite, Plus and Cloud. It is being used at these flexible workspace sites with Aperio wireless locking devices and Incedo™ door reader modules as well as cluster controllers reporting to Incedo™ Business Cloud. Documented end-user benefits include the ability to update cards remotely and dispense with the need to issue new cards in person.

Multi-tenancy and multi-use buildings ask testing questions of access control equipment and its deployment by integrators and facility managers. (The range of uses can even extend to a mix of commercial and residential occupancy.) Combined usage of buildings is an aspect of increasing urbanization that makes regulatory compliance difficult. The assets to be protected can range from equipment to data and of course, above all, people.

Access control as a service (ACaaS)

Even vendors who were initially sceptical about ACaaS are now accepting it as a model and including it in their offerings. Take-up is influenced by the client’s existing IT infrastructure (degree of interconnection within the site or between a group of sites) and the possible repercussions of the premises being compromised during Internet outage either from the outside or triggered by a disaffected insider.

Would-be ACaaS users need to ask themselves how important it is to have redundancy. Privacy concerns (sensitivity of company data) and whether the client is moving generally to being a smart building while embracing the Internet of Things (IoT) can be factors that make ACaaS attractive or a non-starter. If an industry is rigorously overseen by an ethics watchdog, it may be that ACaaS is simply not allowed in terms of compliance.

Seamless upgrades with prompt implementation will be attractive to on-site engineering staff, while the prospect of monthly or yearly payments without ever owning the equipment could be a turn-off for a financial director. It’s a given that ACaaS puts a premium on multi-layered defence against hacking in an environment where breaching the mobile phone of a single employee could prove problematic.

It is scaremongering to suggest that a single breach of this kind will compromise an enterprise-wide system, but encryption and defence in multiple layers need to be of the highest order. Data is at its most vulnerable when new user details and activity reports are being transmitted to the vendor’s central platform. Over a decade ago now, I watched the first ACaaS offerings become commercially viable. It was soon obvious that the approach was ideal for any business working with franchisees and this continues to be a lucrative market.

Transition is fraught

Real-time monitoring, flexibility and optimum scalability are major advantages of ACaaS. The transitionary phase from a system where all the components apart from perhaps offsite data backup are held locally to a Cloud system must be fraught with difficulty however experienced the vendor is in easing clients through a migration. Fields such as roadworks, rail construction/maintenance and open-cast mining suggest themselves as ideal sectors to benefit from Cloud-based access control if there is cellular connectivity. Just as it can be expanded easily, ACaaS can also be scaled down promptly which is ideal for remote works sites.

I have seen bullish ACaaS vendors refer to access control where equipment resides at the core as “legacy”. Well not just yet, and Cloud systems obviously fall short of being a universal solution. Even with an attentive vendor, the demands made on in-house engineering staff may be greater than what has been required to run the local system so there will be a knowledge gap.

Broad business intelligence

It is paramount that data is protected not just in transit (the obviously vulnerable stage) but also at rest. Interoperability with video surveillance cameras and VMS systems is a given now with any Cloud provider. This can be counted as a major plus for ACaaS when prospective users are deciding whether or not to implement it. ACaaS can contribute to broad business intelligence when it interacts with CCTV which can also be overseen on a Cloud model. Remote management of access control with the macro perspective that this brings fosters good decisions about energy consumption and awareness of which parts of the site are underused.

Occupancy patterns

ACaaS fosters a collaborative approach. In all but military-grade and critical national infrastructure (CNI) sites, it’s apparent that access control can double and treble up with visitor registration systems and time & attendance. I can recall from at least a decade ago being shown round a branch of the French supermarket chain Hyper U in the Loire Valley where an ACRE Security access control system was proving flexible. The platform was not only securing entrance and egress but also allowing general logistics managers to optimize movement around the site and even contributing to safety by ensuring staff did not become locked in chilled areas or spend more time in them than best practice recommends.

Budgets

Centralized offerings such as ACaaS that can multi-task bring major cost savings and are appealing at a time when budgets are straitened. They allow security managers to work alongside their general logistics colleagues to look at site-wide movement, footfall and energy usage. Colleagues can collaborate to assemble broad datasets while also mitigating risks from intruders, internal miscreants or simply enforcing good risk management protocol. But unless the organization already has a high level of IP connectivity, set-up costs for Cloud access control are likely to be significant and return on investment (RoI) will be slow to medium.

Effective interaction with building management systems (BMS) and even Heating, Ventilation and Air Conditioning (HVAC) can have a positive effect on profitability by reducing labour costs, avoiding false or nuisance alarms and minimizing call-outs to remote sites. Disparate systems working from a single platform can produce economies by reducing repair bills through intelligent preventative maintenance. It is possible to produce compelling arguments for implementing ACaaS on the grounds of lower total cost of ownership. And yet, initial investment can be prohibitive.

Conclusions

So where is the access control sector headed? It should be remembered that access control is usually only a component within overall building management. Buying behaviour will lie within the macroeconomic perspective. The trend for access control to be automated through attribute-based decisions rather than a set of inflexible predefined rules being used to say “yes” or “no” based on a single credential is impressive. Factors such as the person’s role, the time of day, their previous pattern of movement and their training certifications will all contribute to whether an access privilege is granted.

Perhaps even more importantly, if access is denied then the system’s innate intelligence will drill down to evaluate the staff member’s behaviour. A simple “allow” or “deny” decision pattern is outdated. A set of movements across the site might be legitimate according to protocol but simply non-standard. Even if the irregular behaviour is innocent, middle and senior managers will want to understand it in order to focus on atypical incidents that really matter. Perhaps it is in the realm of collaboration that access control is scoring highest? The sector is now quicker to implement advances from other engineering disciplines than at any time this century. The more that AI is taught and learns for itself, the closer we will come to making optimal decisions at all times. Expect the decade to continue with less friction and more collaboration, at least in this subset of the security industry.
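The attribute-based decisions described in these conclusions, and the earlier hospital CEO scenario, can be made concrete with a small policy engine. This is an added example, not code from any vendor named in the article: zone names, roles, certificate names, the two-hour tolerance and all sample data are hypothetical. It returns three outcomes rather than two, so that an entry which is legitimate but non-standard is granted and flagged for review.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy: zone, role and certificate names are hypothetical.
ZONE_POLICY = {
    "pharmacy": {"roles": {"pharmacist"}, "certs": {"controlled-drugs"},
                 "hours": (time(7, 0), time(21, 0))},
}
HOUR_TOLERANCE = 2  # hours of drift from a user's usual times before flagging
@dataclass
class Request:
    user: str
    role: str
    certs: dict      # certificate name -> expiry datetime
    zone: str
    when: datetime

@dataclass
class Decision:
    outcome: str     # "allow", "allow_flag" or "deny"
    reasons: list

def policy_violations(req):
    """Attribute checks: role, training certificates, time of day."""
    policy = ZONE_POLICY.get(req.zone)
    if policy is None:
        return [f"unknown zone '{req.zone}'"]
    found = []
    if req.role not in policy["roles"]:
        found.append(f"role '{req.role}' is not permitted in {req.zone}")
    for cert in sorted(policy["certs"]):
        expiry = req.certs.get(cert)
        if expiry is None:
            found.append(f"missing certification '{cert}'")
        elif expiry <= req.when:
            found.append(f"certification '{cert}' has expired")
    start, end = policy["hours"]
    if not start <= req.when.time() <= end:
        found.append("outside the zone's permitted hours")
    return found

def baseline_deviations(req, history):
    """Compare a permitted request with the user's own past granted entries."""
    hours = [h for (user, zone, h) in history if user == req.user and zone == req.zone]
    if not hours:
        return [f"first recorded entry to {req.zone}"]
    gap = min(min(abs(req.when.hour - h), 24 - abs(req.when.hour - h)) for h in hours)
    if gap > HOUR_TOLERANCE:
        return [f"{gap}h away from this user's usual entry times"]
    return []

def decide(req, history):
    violations = policy_violations(req)
    if violations:
        return Decision("deny", violations)        # reasons kept for later review
    deviations = baseline_deviations(req, history)
    if deviations:
        return Decision("allow_flag", deviations)  # legitimate but non-standard
    return Decision("allow", [])

# Constructed sample data: (user, zone, hour of a past granted entry).
HISTORY = [("u-204", "pharmacy", h) for h in (9, 10, 11, 14, 16, 17)]
VALID = {"controlled-drugs": datetime(2030, 1, 1)}
EXPIRED = {"controlled-drugs": datetime(2025, 1, 1)}
def demo():
    day = lambda h, m: datetime(2025, 3, 4, h, m)
    cases = {
        "ceo": Request("u-001", "executive", {}, "pharmacy", day(10, 0)),
        "routine": Request("u-204", "pharmacist", VALID, "pharmacy", day(10, 30)),
        "late": Request("u-204", "pharmacist", VALID, "pharmacy", day(20, 30)),
        "expired": Request("u-204", "pharmacist", EXPIRED, "pharmacy", day(10, 30)),
    }
    return {name: decide(req, HISTORY) for name, req in cases.items()}
```

Calling `demo()` denies the executive credential at the pharmacy on role and certification grounds, grants the routine entry, and grants but flags the 20:30 entry because it falls three hours outside that user's recorded pattern.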

MEB Media Publishing (UK) Ltd

13 Princess Street,

Maidstone,Kent

ME14 1UR

United Kingdom

www.mebmedia.co.uk

 
