An overview of how basic access control systems work
Access Control Protocols
Auston Bunsen
The high level
In this guide, we're going to cover the soup to nuts of a very simple access control setup so that people can understand the different parts of access control. After reading this, you should be able to figure out what part of your access control system you need to focus on should there be a problem.
We're going to cover credentials, readers, wiring, controllers, doors and locks in this guide. To get us started, let's look at this from a high level:
Overview Diagram
As you can see, there's not a whole lot to an access control system. In case it's not clear, this is a single reader, single door setup - but it's usually relatively easy to add another door or two because most systems enable a 1-3 door and 1-3 reader install/setup.
Let's take a slightly deeper look into this system - starting with credentials.
The credential
Let's talk about the credential. Credentials are the way to "authenticate" the person trying to enter the door, at the reader. Credentials can be any authentication method:
- Key fob scan (RFID or NFC)
- Magstripe scan
- Face scan
- Fingerprint scan
- Bluetooth scan
- Mobile device scan
- Other more advanced methods
The data in the credential can be extremely advanced (like all of the points on your face or finger), but usually it is reduced to just 2 key pieces of info: the site (or facility) code, and the card number. This is especially true for magstripe cards and key fobs. Here's a simple example of the data you might get from a credential:
| Site Code | Card Number |
| --- | --- |
| 42 | 16181 |
Now let's talk about how this data gets taken from the credential and eventually used to open the door.
The reader
Now that we have an idea of what exactly the credential is, let's talk about how the data is read from the credential. You need to have a compatible reader! Readers come in all shapes, sizes and functionalities. Some readers are extremely narrow in capabilities - meaning they only do one thing (like magstripe reading) - and others can have multiple capabilities, like magstripe, NFC, Bluetooth, Wi-Fi, etc.
Readers are the devices that are typically mounted outside of the door you want to enter. They usually have a small buzzer or speaker for making beep sounds and an LED for flashing blue, green or red. This is what they look like:
CDVI Reader
The reader's job is to do three simple things: read the credential data, decode it into the expected format, and transmit it over the wire to the controller.
Reading the credential is complicated, but is essentially just adhering to a specification, like HID Seos, MIFARE DESFire, AWID Prox, EM Prox, etc.
Decoding the credential is a bit more esoteric - the data being read from the credential usually comes in as 0's and 1's (aka bits). In addition to that, there are over 70 specifications for encoding card information, which is why we built a tool to brute force search and decode any given string of bits.
Transmitting the data over the wire has a few different flavors as well, but usually falls into either Wiegand transmission, RS232, RS485 or OSDP (which runs over RS485).
Once you're transmitting, you've gotten into wiring territory, which is the next section.
The wiring
Every transmission method from the reader to the controller has different requirements. As an example, we'll go over a very common, very simple set of requirements for Wiegand. Wiegand is basically unidirectional wiring - it sends the data to the controller, but can't get much more than a power source from the controller. Here are the requirements:
- Wiring type: 4-7 conductor cable
- Wire gauge: 18-22 AWG (thicker wire for longer distances)
- Shielding: Required
- Maximum distance: About 500 ft from reader to controller
- Voltage: Typically 5V, sometimes 12V
| Data Line Abbreviation | Explanation |
| --- | --- |
| D0 | The line that 0 bits are sent on |
| D1 | The line that 1 bits are sent on |
| GND | The ground - serves as a common return path for electric current |
| VCC | Power source |
| LED | The line that flashes the LEDs from the controller |
| TMP | The line that, if disconnected, lets the controller know of tampering |
| Buzzer | The line that beeps the Buzzer from the controller |
Every transmission method has different requirements and data lines! We didn't cover OSDP, Clock & Data (common for magstripe), plain old RS485, Power over Ethernet and others. You'll need to do a bit more research on the particular transmission method your access control system is using to make sure your requirements are met and not disrupted by any changes you're making.
But once the reader is properly wired and connected to the controller, you're almost set!
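To make the decode step from the reader section and the D0/D1 lines in the table above concrete, here is an added example (not code from this guide or from any vendor) that rebuilds a frame from pulses and decodes it. It assumes the common 26-bit Wiegand layout (parity bit, 8-bit site code, 16-bit card number, parity bit), which is only one of the many formats mentioned earlier; the function names and pulse timings are constructed.

```python
# Added example: rebuild a Wiegand frame from D0/D1 pulses and decode it.
# Assumption: the common 26-bit layout; other card formats use different fields.

def bits_from_pulses(pulses):
    """pulses: list of (time_us, line). A pulse on D0 is a 0 bit, on D1 a 1 bit."""
    bits = []
    for _, line in sorted(pulses):
        if line not in ("D0", "D1"):
            raise ValueError(f"unexpected line {line!r}")
        bits.append(1 if line == "D1" else 0)
    return bits

def decode_26bit(bits):
    """Return (site_code, card_number), or raise ValueError on a bad frame."""
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    # Leading bit: even parity over the first 12 data bits.
    if (bits[0] + sum(bits[1:13])) % 2 != 0:
        raise ValueError("even parity check failed")
    # Trailing bit: odd parity over the last 12 data bits.
    if (sum(bits[13:25]) + bits[25]) % 2 != 1:
        raise ValueError("odd parity check failed")
    site_code = int("".join(map(str, bits[1:9])), 2)      # 8 bits
    card_number = int("".join(map(str, bits[9:25])), 2)   # 16 bits
    return site_code, card_number

def encode_26bit(site_code, card_number):
    """Build a frame; used here only to construct the sample input."""
    if not (0 <= site_code < 256 and 0 <= card_number < 65536):
        raise ValueError("value does not fit the 26-bit layout")
    data = [int(b) for b in f"{site_code:08b}{card_number:016b}"]
    even = sum(data[:12]) % 2        # makes the first 13 bits even
    odd = 1 - sum(data[12:]) % 2     # makes the last 13 bits odd
    return [even] + data + [odd]

# Constructed sample: the guide's example credential, one pulse every 2 ms.
SAMPLE_BITS = encode_26bit(42, 16181)
SAMPLE_PULSES = [(i * 2000, "D1" if b else "D0") for i, b in enumerate(SAMPLE_BITS)]

if __name__ == "__main__":
    print(decode_26bit(bits_from_pulses(SAMPLE_PULSES)))
```

The two parity bits only catch line noise or a dropped pulse; they are not a cryptographic check on where the frame came from.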
The controller
Now that we've established how a credential stores data and how the reader collects it, decodes it, and transmits it over the wire, the data enters the controller. The controller is pretty complex: it basically decides if the data being sent to it constitutes a valid credential for the door nearest (or assigned) to the reader. This is what a controller looks like:
PDK Controller
There are only a couple of different kinds of controllers: on-prem and cloud managed. Basically, on-prem means that all of the logic and storage for who can access what door and when is stored at the place of business. Cloud managed means that it's wifi connected and all of that info is actually stored in the "cloud" or servers in some datacenter.
When a controller decides that a credential being presented at a given reader is valid for a given door, it will send power or reduce power to a locking mechanism at the door.
The door
There are a few terms that are important to know when it comes to doors. These are important to know because the many locking mechanisms at the door behave differently. They are:
- Fail Safe - Unlocks when power is lost
- Fail Secure - Stays locked when power is lost
So the controller will need to send power (or cut power) to the door to open it and this is primarily decided by your locking mechanism. Let's go over 3 common locking mechanisms in depth:
Electric Strike (Electronic Door Strike) - Replaces the fixed strike plate on a door frame. When powered, the latch is released (this is fail secure), allowing the door to open. Works with mechanical door handles and keys. It's very common to see these on office doors, apartment buildings, commercial spaces.
Magnetic Lock (Maglock) - Uses an electromagnet and an armature plate. When powered, the electromagnet holds the door shut. When power is cut, the magnet releases (this is fail safe), allowing the door to open. It's common to see these on glass doors, emergency exits, and high-traffic entry points.
Electrified Mortise Locks - Similar to a standard mortise or cylindrical lock, but electrified. Power controls the internal latch to lock or unlock. Can be wired into access control or keypads. These are best for high-security areas needing traditional locks with electronic control. The cool thing about these locks is that they can be fail safe or fail secure and it's pretty easy to reconfigure them.
Some other locks you'll see in the field are shear locks and solenoid bolt locks - I'll leave the research for those to you if you have one in your access control stack.
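The controller's decision and the way it drives the two lock polarities described above can be sketched as follows. This is an added example, not code from this guide or from any controller vendor; the reader and door names, the access table and the schedule are constructed for illustration.

```python
# Added example: a controller's grant/deny decision and the lock output it drives.
# All names, the access table and the schedule are constructed for illustration.
from datetime import time

# Does the lock hold the door shut only while it is powered?
# Maglock: powered = locked (fail safe). Electric strike: powered = released (fail secure).
POWERED_MEANS_LOCKED = {"maglock": True, "electric_strike": False}

READER_TO_DOOR = {"reader-1": "front-door"}
DOOR_LOCK = {"front-door": "maglock"}
# (site code, card number) -> {door: (start, end) of the allowed window}
ACCESS = {(42, 16181): {"front-door": (time(8, 0), time(18, 0))}}

def is_authorized(door, site_code, card_number, now):
    """Valid only if this credential is listed for this door at this time."""
    window = ACCESS.get((site_code, card_number), {}).get(door)
    return window is not None and window[0] <= now <= window[1]

def lock_power(lock_type, unlock):
    """True = controller powers the lock, False = controller cuts power."""
    return POWERED_MEANS_LOCKED[lock_type] != unlock

def handle_read(reader, site_code, card_number, now):
    """Return (door, granted, power_to_lock) for one credential read."""
    door = READER_TO_DOOR.get(reader)
    if door is None:
        return None, False, None  # unknown reader: no door to drive
    granted = is_authorized(door, site_code, card_number, now)
    return door, granted, lock_power(DOOR_LOCK[door], unlock=granted)

def unlocked_on_power_loss(lock_type):
    """Fail safe locks release when power is lost; fail secure locks stay locked."""
    return POWERED_MEANS_LOCKED[lock_type]

if __name__ == "__main__":
    print(handle_read("reader-1", 42, 16181, time(9, 0)))   # valid card, in hours
    print(handle_read("reader-1", 42, 16181, time(22, 0)))  # valid card, after hours
    print(unlocked_on_power_loss("maglock"))
```

Swapping `DOOR_LOCK["front-door"]` to `"electric_strike"` inverts the power output for the same decisions, which is why the lock type has to match the controller's configuration.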
Conclusion
After reading this guide, you should have a solid understanding of the high-level components that go into most access control systems and the options at each point. This is the kind of knowledge I wish I had starting out that would have allowed me to go faster.
To summarize: An access control system consists of credentials (key fob, card, biometric, or mobile) that authenticate users at a reader, which decodes and transmits data via wiring (Wiegand, RS485, OSDP) to a controller that verifies access permissions. If authorized, the controller activates a lock (electric strike, maglock, or electrified lock) to grant entry, depending on whether the system is fail-safe (unlocks on power loss) or fail-secure (remains locked from the outside on power loss but may allow exit).
If you have any feedback on this guide, please send it to [email protected] - thanks!