Getting Started with Access Control
Overview
Physical access control has become cheaper and easier than ever to implement in your home or office. There are many different products and price points depending on your needs. This page seeks to be a comprehensive overview designed to help get you started.
--Access Control Best Practices--
Check out this podcast episode to learn more about access control best practices.
Wiegand vs. OSDP
Wiegand is an older access control protocol that uses one-way communication. It is simpler and more widely compatible, making it easier to implement and troubleshoot. OSDP (Open Supervised Device Protocol) offers bi-directional communication, enhanced security through encryption, and greater flexibility, but comes with higher implementation and maintenance costs, as well as the need for more complex programming.
--Credential Types--
EM4100 / EM4200
The EM4100 is a 125 kHz low-frequency, read-only RFID transponder developed by EM Microelectronic. It stores a fixed unique identification number (UID) that cannot be modified. It's popular for simple and cost-effective applications such as door locks and attendance systems. The EM4200 is fully backward compatible with EM4100 readers but expands to 128 bits of memory to support more complex data encoding.
The H10301 Format
The most popular standard for low-frequency 125 kHz access control credentials is the open Wiegand 26-bit H10301 format. It is widely regarded for its simplicity and reliability. It has been around for decades and is compatible with nearly all 125 kHz Wiegand readers and controllers.
- 1 leading parity bit (odd)
- 8 bits for the facility code (Range: 0-255)
- 16 bits for the card number (Range: 0-65,535)
- 1 trailing parity bit (even)
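The following Python example is added here and is not part of the original page or any vendor's code: it decodes a 26-bit H10301 frame the way a controller would and rejects frames that fail parity. It assumes the commonly published parity assignment (leading bit even over the first 12 data bits, trailing bit odd over the last 12); the function names and the sample credential are constructed for illustration.

```python
# Added example: controller-side decoding of a 26-bit H10301 frame.
# Assumption: leading bit = even parity over the first 12 data bits,
# trailing bit = odd parity over the last 12 data bits.

def encode_h10301(facility, card):
    """Build a frame as 26 '0'/'1' characters (used to construct sample input)."""
    if not 0 <= facility <= 255:
        raise ValueError("facility code must be 0-255")
    if not 0 <= card <= 65535:
        raise ValueError("card number must be 0-65535")
    data = f"{facility:08b}{card:016b}"
    lead = data[:12].count("1") % 2          # makes bits 1-13 hold an even number of 1s
    trail = 1 - data[12:].count("1") % 2     # makes bits 14-26 hold an odd number of 1s
    return f"{lead}{data}{trail}"


def decode_h10301(frame):
    """Return (facility_code, card_number) or raise ValueError on a bad frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected exactly 26 binary digits")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("leading (even) parity check failed")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("trailing (odd) parity check failed")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def rejected_single_bit_errors(frame):
    """Count how many of the 26 possible one-bit corruptions are rejected."""
    rejected = 0
    for i in range(26):
        flipped = "1" if frame[i] == "0" else "0"
        corrupted = frame[:i] + flipped + frame[i + 1:]
        try:
            decode_h10301(corrupted)
        except ValueError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    sample = encode_h10301(123, 45678)       # constructed sample credential
    print(sample, decode_h10301(sample))
    # Parity catches line noise only: the frame has no secret or signature,
    # so the whole credential space is 2**24 facility/card combinations.
    print(rejected_single_bit_errors(sample), 2 ** 24)
```

Parity here is an error-detection check on the wire between reader and controller; it does not authenticate the credential.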
The T5577 Chip
The T5577 chip is a low-frequency 125 kHz RFID, contactless read/write proximity card. At its core is the Atmel ATA5577. The T5577 powers itself through induction when paired with a coil antenna. This provides bidirectional communication.
Some manufacturers or marketing material may incorrectly refer to the T5577 as an IC (integrated circuit). The T5577 is simply a low-frequency chip capable of storing, reading, and writing data.
The T5577 is an ideal choice for access control because it eliminates the need to commit to a single card format. It can emulate EM4100 / EM4200, HID Prox, Indala, and other proprietary LF formats.
MIFARE / (ISO/IEC 14443)
ISO/IEC 14443 is one of the most important RFID standards in the world. It is the foundation for technologies such as contactless payment cards (EMV, Visa payWave, Mastercard PayPass), transit cards, access badges, electronic passports, and NFC-enabled smartphones. It operates at 13.56 MHz (High Frequency RFID). If you've ever stayed at a hotel with a proximity door lock, chances are it was a MIFARE card and reader that was used.
MIFARE DESFire
MIFARE DESFire is a highly secure family of contactless smart card technology developed by NXP Semiconductors, designed for secure applications such as access control. It leverages hardware cryptographic ciphers such as DES, 2K3DES, 3K3DES, and AES to ensure secure communication between the card and the reader. MIFARE DESFire is a powerful microcontroller capable of supporting complex application logic and data management, which allows multiple independent applications to be integrated onto a single card.
The latest evolution is MIFARE DESFire EV3, which is broadly backward compatible but introduces new features such as a transaction timer, which mitigates the risk of man-in-the-middle attacks. The downsides to MIFARE are that it adds complexity to deployments, comes at a higher price point, and may be incompatible with the current infrastructure.
--Parts and Resources--
BSTUOKEY Controller
The BSTUOKEY access controller is a 1000-user Wiegand access controller for under $20. This is an excellent piece of hardware to get started with. Its standalone design means that it does not require any software for configuration. Instead, configuration is done via 2 management cards for easy permission allocation and system management.
Axis A1001
The Axis A1001 Network Door Controller is an open platform for access management that can control up to two doors and is designed for easy integration with various IT systems and third-party software. It supports Power over Ethernet, making installation simpler by reducing the need for separate power cables. The A1001 does not require any external software and is instead configured via its built-in web interface. The A1001 will reach end of life on December 31, 2026. Units remain available on eBay.
Mercury Security & CredoID
Mercury boards are widely used in access control due to their open architecture, which allows you to flash different firmware permitting integration with various systems. They are known for their reliability and cybersecurity features. They are considered the gold standard for access control systems.
CredoID is an access control software platform designed to work with Mercury boards. It provides versatile cross-platform deployment options, including the ability to run on Docker containers for Linux. This allows users to choose between cloud-based solutions or on-premise setups.
HID ProxPoint
If you need a simple, budget-friendly reader that is compatible with H10301 credentials, have a look at the HID ProxPoint. This is a high-quality reader that has stood the test of time, requires no configuration out of the box, and has a price point that is appropriate for most applications.
HID MultiClass Readers
One of the most popular readers on the market, these readers are highly regarded for their adaptability and interoperability, supporting a wide range of credential technologies and form factors, including cards, fobs, and mobile devices. They are available in sizes designed to fit perfectly on the 1-3/4" standard metal door frame or window mullion, or as a full size keypad. The multiCLASS technology offers flexibility and increased security by supporting a wide range of credential technologies, including both contactless smart cards and proximity cards.
WaveLynx ET10
WaveLynx was founded in 2013 by Hugo Wendling, who previously co-founded XceedID Corporation. These readers are capable of reading legacy proximity credentials, as well as MIFARE DESFire smart card credentials. They also support OSDP Auto Detect, a patented feature that allows readers to automatically switch from the Wiegand protocol to OSDP, facilitating easier upgrades without rewiring. Many access control solutions utilize white-labeled WaveLynx readers, which are customized for specific providers.
Proxmark3
If you want to program your own credentials, the Proxmark3 is a multi-purpose hardware tool for radio-frequency identification security analysis, research and development.
Cheap H10301 Keyfobs
These keyfobs won't win any awards for their quality, but they are $0.66 apiece and are read by the vast majority of access control readers. If you just need key fobs to get the job done, look no further.
Cheap H10301 Keycards
These keycards are cheap and thin. Like the key fobs listed above, they are read by the vast majority of access control readers.
Adhesive Proximity Tags (T5577)
When you need to open doors with objects you already have on you (think phone cases), these tags will come to save the day! Based on the T5577 chip, they can emulate almost any 125 kHz proximity credential.
Leather Key Fob (T5577)
Want to have a key fob with a little class? Check out this leather key fob based on the T5577 chip. It can emulate almost any 125 kHz proximity credential in style.
Premium Key Fob (T5577)
These are a bit large, but if you're looking for a keyfob that feels high quality and doesn't look like every other key fob, check out this premium key fob based on the T5577 chip.
Ring with Proximity Credential (T5577)
A popular choice for those who want wearable access control, these rings feature a T5577 chip that allows them to provide access to most 125 kHz proximity systems in a ring.