Woman accessing a room with a keycard through a proximity reader

Keycards have many different names. There are prox cards, swipe cards, and fobs; you may have also heard of magnetic cards, RFID/NFC cards, and even simple ID cards. Despite their different names and the fact that the technology used varies, their function is always the same: To efficiently and securely grant or restrict access to a certain area.

As the fastest-growing access control company in the U.S., we’ve put together a comprehensive guide of all the main types of access card systems and compared them with other options available on the market.

Hang on, I’ve heard of these! Doesn’t HID make them? If you asked yourself that question, then you’re right! Historically, the main provider of keycards is HID Global—it manufactures, distributes and sells access cards using their proximity readers. Despite being very popular, a major problem of certain types of HID keycards is that they can be easily hacked using $10 devices. That’s because most common cards run on the vulnerable Wiegand protocol, which allows hackers to copy cards and keycards quickly and inexpensively.

Man using a keycard and a proximity reader
Woman entering a room with a keycard through an insert reader

Here’s a tutorial on how to copy HID cards. Most of these cards use facility codes that can be calculated using free facility code calculators, like these.

Note that Kisi doesn’t recommend or condone keycard theft. But we want our readers to be informed and know the vulnerabilities of their current systems. Now that we’ve gotten that disclaimer out of the way, let’s dive into the world of keycards!

What is a keycard? How does it work with a reader?

A keycard is a security token that grants you access through electrically-powered doors. These systems require a keycard reader (installed on the door) and you gain access by either tapping your card on the reader (proximity reader), swiping it (swipe reader), or inserting it (insert reader).

With keycards, users no longer need to insert a metal or traditional key into a tumbler lock to gain access. Instead, there is an embedded access credential on the keycard magstripe, or as a chip in the card itself, and this is read by the keycard reader each time you attempt an unlock. If the unique code on your card is recognized by the reader, permission is granted for access.

How does the Reader communicate with the door lock?

Once the reader recognizes the access credential, it then communicates with the door lock. The smart access control reader will be wired to an electric lock on your door and it will send a signal to the lock to start an unlock event. With a good system, the whole process takes less than a second.

Woman using keycard and Kisi proximity reader

Now that you’ve learned how access cards work, it’s time to look at the pros and cons of choosing a keycard system over other types of door entry systems.

Can easily be provisioned for access to multiple doors
Can provide restrictions for certain times, certain access levels, or even certain numbers of unlocks
Provides remote deactivation capability
Fits snuggly into your wallet or card holder
Can configure and reconfigure access using the same card (unlike a metal key where new keys need to be issued and old keys have to be returned)
A keycard cannot be used as a remote, mobile access badge for offices, buildings and homes; it still needs to be close to the reader to work
Physical token is still required
Losing your keycard still compromises access to your space, but to a lesser extent as compared to a metal key
Many keycards can be easily hacked using inexpensive devices
Hiring new employees requires buying additional keycards
Man accessing a room with his phone and the Kisi reader

Given the disadvantages of keycard entry systems, it's imperative to identify better alternatives that can address these disadvantages. An attractive option would be mobile access control. This means using the credentials on your mobile phone to unlock doors.

Kisi is a cloud-based mobile access control system. This means that, in addition to keycards, users can unlock doors with their cellphones. By using the RFID and Bluetooth chips inside the phone, you can use your phone as you would an access card and tap it to the reader to unlock it.

Moreover, as a cloud-based solution, the management or admins will be able to reap the benefits of having a cloud-based system (as opposed to a traditional local-hosted system). Kisi hosts all the data and offers interesting data analytics and observations.

Get a quote from us and experience the ease and security of a cloud-based mobile access control system.

Keycards or Mobile Access?

With a cloud-based system you don't have to choose. Discover how Kisi works with the access credentials of your choice.

Woman accessing a room with a keycard and a proximity reader

RFID cards are most widely used in commercial office spaces. These cards (sometimes referred to as 'tags' or 'fobs') can be classified by the range they communicate (low, high or ultra high) and the way the communication happens with the reader (active or passive).

RFID stands for “radio frequency identification,” and that’s the essential technology behind them. They emit identification information in the radio frequency range and the reader will pick up those signals and authenticate them.

As for NFC, that is a set of standards over RFID technology. NFC cards, meaning “near-field communication” cards, are RFID cards that operate over a specific frequency and have a clever bit of engineering that allows them to communicate quickly and securely over short distances.

How are permissions encoded on a magnetic keycard?

Each keycard system comes with a key encoding machine, which will configure the permissions granted to your card. The system should allow you to grant permissions for multiple doors, configure date and time for access, and even the number of times a user can access the space.

All these details are built into a very complicated algorithm, which is written into your keycard’s magstripe. This magstripe contains thousands of tiny magnetic bars, each can be polarized either north or south. Polarizing these magnets creates a sequence that is encoded on your card.

There are other ways to encode a keycard, but those are usually used for corporate spaces. These include newer models that have radio-frequency identification (RFID), or “smart cards,” which contain an embedded micro-controller to handle security. RFID keycards will be covered below.

Your RFID reader can operate on different frequency ranges:

  • Low Frequency (LF) RFID operates around 30 KHz to 300 KHz and has a maximum range of 10cm. Your conventional office access card usually utilizes LF range. Prox keys are generally at 125kHz.
  • High Frequency (HF) RFID operates around 3 MHz to 30 MHz and provide distances between 10cm and 1 meter. Examples of access cards that use HF RFID are NFC cards, which includes smart cards like MIFARE. NFC cards are a subset of high frequency RFID cards. All NFC cards operate at exactly 13.56 MHz, and this uniformity of communication allows NFC card manufacturers to make the communication more secure and more efficient
  • Ultra High Frequency (UHF) RFID ranges between 300 MHz and 3 GHz and reads up to 12 meters. They are typically used for parking solutions or similar wide-range applications

Now that we covered the different types of RFID frequency, there is another parameter to consider. RFID can be distinguished into two broad categories: Passive or active tags (or cards).

  • Active RFID tags have their own transmitter (and power source). Active RFID tags are used for cargo, machine or vehicle tracking.
  • Passive RFID tags do not require a battery. The reader on the wall sends a signal to the tag. That signal is used to power the tag and reflect the energy back to the reader.

These proximity cards are low frequency 125kHz and fall under the category of passive RFID cards, given that they have no means of getting power.

How do RFID keycards work?

Passive cards have three components sealed in the plastic: An antenna (mostly coil or wire), a capacitor and an integrated circuit (IC), which contains the user’s ID number. The RFID reader on the wall has an antenna, which continuously emits a short range radio frequency (RF) field.

When you hold the card on the reader, the card absorbs the energy from the RF field generated by the reader—the technical term is that it's an induced current. This energy creates (induces) a current powering the integrated circuit, which in turn makes the chip emit its ID number.

The reader sends the ID back to the server closet or IT room, where the main access control system panel usually resides. The sent ID signals that this user wants to unlock the door. The format the reader communicates in is often the Wiegand protocol.

Did you know?

NFC technology is being used on credit and debit cards as well, creating a contactless form of transaction. These take advantage of the added security and encryption enabled in NFC rather than simple RFID. Some modern access control providers, like Kisi, now support these third-party NFC cards to unlock smart readers.
Woman accessing a room with a credit card and a Kisi reader
Woman accessing a room with a keycard and a swipe reader

Swipe cards or magnetic stripe cards work by storing data in a magnetic layer placed on a card. This magnetic layer is capable of data storage by altering the tiny magnetic particles—in case you wondered how your credit card works.

Swipe card access which is used in physical security, but also for credit card payment or identity verification. You must pull through or swipe the card through a magnetic reader to be able to confirm the data stored on it, and enable the card access system to do its work.

A swipe card door access control system is a common security solution for premises that need to continually let in and out many same people, such as employees in a large organization. Although the magnetic stripe is the key differential that makes them what they are, swipe cards can contain additional means for storing, reading and writing data, such as RFID tags or microchips. Swipe cards are a convenient and affordable solution to control access, but they usually provide limited security protection that needs to be supported by extra technology or authentication factor to suffice for top security requirements.

How do swipe cards work in access control?

Unlike badge entry systems, magnetic swipe card access systems use magnetic strips at the back of the card to encode data. The magnetic readers' head reads the data when you swipe the card through it and enables access.

This is the most common technology used when you are doing your shopping for groceries, when you pull some cash out of an ATM machine or when you present your license as an ID document on specific locations.

When the card access system is made of a standalone reader, all swipe cards will be connected to that single access control device. This is rarely the case, though, as most organizations need either more cards or require additional security which can be obtained from several units distributed in a network. Network or PC-based card access combine multiple magnetic readers in a joint software that can be used to monitor the access events from all readers from a central point.

Employee accessing the office with a keycard and a swipe reader

Swipe card access control systems have a number of advantages that make them convenient for access control over other technologies, such as RFID or NFC (proximity) cards, smart cards or combination cards:

  • Swipe card access is cheaper than other technologies. The technology to store data in magnetic cards that can be used in hundreds of cards at a low cost.

  • Magnetic cards are interoperable. Unlike RFID devices, which use radio frequencies to connect devices and can incorporate a range of frequencies, swipe cards are applicable in a wide variety of industries and vendors, since they are based on the same technology.

  • Swipe cards are an exclusive security tool. When a magnetic card is lost, the user can ask for a new one to be issued in a short time because it controls clearly defined access points. If a user loses a mobile with an app that controls the swipe card access control system, getting a new phone will usually be needed to put the system in full use.

  • Physical possession of the swipe card is necessary so that the invader can compromise the magnetic stripe and steal data. Most attacks on swipe card data compromise the readers at ATMs or the stored data records with suppliers. For RFID or NFC cards, violations can be made with interception and interference, and the attacker doesn’t need to get to the card.

  • Swipe card access is read-only. Owners can use it only in passive mode, without deployingwriting capabilities and changing the data in a system. Smart cards, on the other hand, use both reading and writing modes.

  • Magnetic stripe cards enable individual tracking and audit trails.

Man holding a keycard

As the most simple and traditional access control method, swipe card access control has some disadvantages over the alternative forms of access control.

  • Swipe cards can be unreliable. Sometimes, the magnetic stripe can get damaged or corrupted, in turn making the data unreadable and creating difficulties for the person using the card, who will have to swipe multiple times until the data is read properly.

  • In general, magnetic access cards are considered less secure than the alternatives, because it takes less advanced technology to copy the device data and misuse it for theft or stolen identity purposes. These cards are basically most similar to mechanical keys.

  • Magnetic cards cannot cover a range of industries. For example, NFC is increasingly present not only in access control systems, but also in mobile payments, transports, redeeming rewards and many other consumer uses.

  • Swipe card access systems cannot provide multi-technology authentication, unless they are upgraded with additional access control tools, for example, smart cards that can support telephone or Internet lines as backup supply solutions.

RFID sensor
RSA SecurId Keyfobs Security token KeyFob
Man holding a keycard

A key fob is a type of access badge or security token. It acts as a wireless remote control device that allows users to access their buildings, offices, and cars. Such key fobs are usually utilized for locations with regular human traffic but requires entrants to authenticate their access, and it does that by initializing the built-in security access system each time the fob is activated.

Key fobs are used in apartment buildings, condominiums, offices and buildings worldwide, which often contain a RFID tag. It operates similarly to a proximity card, where they communicate access credential information (via a reader pad) with a central server for the building. Key fobs can be programmed to allow time restricted and location restricted access to permitted areas. Locking and unlocking a door with a key fob usually only requires you to push a button on your fob. Some key fobs provides two-factor authentication where an user has a personal identification number (PIN), which authenticates them as the device's owner.

Key fobs are an integral component of keyless entry systems, especially in the automotive industry where they are used to unlock your car door from a distance. However, it still requires a physical object to be issued to users before they can begin electronically unlocking their doors. This means that losing your key fob is still a very real possibility that would prevent you from accessing your space, and undermine the security of your building or car.

How Do Key Fobs Work?

The key fob (or wireless remote) usually operates in conjunction with a reader and an electronic lock (e.g. an electric strike). The key fob communicates with the reader using radio wave signals—RFID technology. The reader receives the ID information from the fob, authenticates it, and in turn relays an instruction to your door lock to perform an unlock event if the credentials are authorized.

Both the key fob on your keychain and the access control system have memory chips that allow the fob to work. When the button is pressed on the fob, it sends a code to the door with the instructions as to what the door should do, whether that is to lock or unlock the door. If the code sent to the access control system matches, it will perform that action and unlock the door. The code is randomly generated each time the fob is used.

This code utilizes a 26-bit Wiegand protocol when communicating instructions from the fob to the system. It is a binary code with 256 different possible combinations per fob, and there can be up to 65,535 ID numbers that would work for each code. Matching each code with each ID, you can issue up to 16,711,425 fobs without ever duplicating a user. Programming the key fob is essentially making sure that the access control system and the fob are synchronized so that the door would recognize the codes the fob is sending.

The frequency of the transmitter determines the maximum distance that will allow the key fob to send a code to the door. Quick note: If your fob only works when you get near the access badge, it might be utilizing a simple coil e.g. a 125kHz 'transmitter'. Therefore, it only works near the transmitting coil as the magnetic field decays very fast.

For more information:

http://www.ebay.com/gds/What-Is-a-Key-Fob-/10000000177633636/g

http://www.rfidjournal.com/site/faqs

http://electronics.howstuffworks.com/gadgets/high-tech-gadgets/rfid.htm

http://www.instructables.com/id/How-to-Transplant-RFID-Chips/

Discover Mobile and Card Access by Kisi

Mobile access, keycards, or encrypted fobs? With Kisi you can choose the solution that works best for you or even allow different types of credentials to work at the same time. For example, some people don’t own smartphones or just prefer a fob on their keychain.

Regardless of which credential is used, Kisi allows you to leverage the benefits of a cloud-based system, which include remote unlocks and health monitoring, granular access permissions, scheduled unlocks and automated rules, audit trails, integrations with third-party software and hardware, access to our API and a lot more.

Discover why more and more businesses worldwide choose Kisi to manage physical access.

Read Now
Man accessing a room tapping his phone with a Kisi reader

Starting a new project? Download our Physical Security Guide

Get the full guide and other great security content from Kisi.

Download Guide
Kisi Physical Security Guide