Designing Physical Access Control Systems

by Mark Rowe

Author: Ross Bale

ISBN No: 978-1548124304

Review date: 29/11/2023

No of pages: 128


Publisher URL:

Year of publication: 18/08/2017



£Kindle edition 4.99, paperback 17.99

Designing Physical Access Control Systems is an ebook and physical book by Ross Bale, a ‘design guide for consultants’.

As the author says, the book does not name particular companies or products, although he does work for an access control product company. His work is aimed at M&E consultants and building services engineers who are designing physical access control systems for new building projects, in some cases with little to no experience, he says.

He begins sensibly with the first principles – why have access control systems at all? – then goes into the ingredients, if you like. The server and workstation, the security controllers, the door furniture and locks. He then proceeds to the design considerations. Again, in clear English he points out for example the difference between identification, and verification. An access control system authenticates – that is, confirms the identity of someone, or something – whether through something you have (a card or key fob); something you know (typically a PIN code) or something that you are (biometrics; your fingerprint, iris scan, face or vein).

The author takes us through RFID cards, read range and frequency, and as for biometrics the points to bear in mind – the convenience, comfort, and false acceptance and rejection rate (because it’s as annoying to the person seeking legitimate access to be barred, as it is a security breach for someone who isn’t authorised, to be let in). Some biometrics are more popular and mainstream than others – a hand is fast and easy to use we’re told, for one thing because you don’t have to remember which finger you have to show for the fingerprint. “Hand geometry has a higher false acceptance rate than fingerprint, but a lower rejection rate.”

Intriguing is weight verification, whereby weight sensors are built into an airlock device; the person seeking access presents a card, and while the person is locked inside the airlock, between one door and another, they are weighed on a pair of scales. Most systems allow a variance of around 10 per cent, in case you are dieting, or have had a heavy meal; but the point of checking weight is that you are not leaving or entering a site or a part of a building with something you shouldn’t. But as the author adds, some people may feel embarrassed if they are kept waiting because the system has found their weight different from the weight when they enrolled.

Particularly useful is the chapter ‘smartphone as credential’, which goes through the growing trend of a smartphone being used as the access control credential, instead of a plastic card. As the book sets out, a smartphone has advantages – people may lose or tire of having one or indeed several cards; and who dares to forget their phone when they leave the house?!

The chapter goes through how credentials are set up on the phone, whether on the device or the SIM card; or, credentials can be stored on the Micro SD Card. There are practical considerations; what if the devices used for access control are not owned by the company and given to the employees. On other words, what if employees are ‘bringing their own’ device, and they’re downloading the company’s access control credential. The book advises – indeed, says that it’s essential – for the company to state a policy. If the phone is lost, or stolen, the employee must agree to a ‘remote wipe’ of the phone, to protect the company against unauthorised access.

The chapter suggests that you have options; you may not want to give smartphone-based access to security guards, or cleaners; you may prefer smartcards for them still. Hence the access reader must be able to read phones and cards. And what about visitors – a smartcard for them; or are they allowed to access the online portal for the issuing of a credential to their phone, via an app that they install on their phone; or is someone going to escort them at all times?

The book covers vehicle identification and turnstiles; system architecture; authorisation models (how people are given permissions to access parts of a building or site, and not others); and more advanced features such as anti-pass back and delegated administration (in case you want a local manager to do the admin in one building, while a central office does the rest).

And just to cover schedules briefly; one basic that’s easily overlooked is that the access control server, the controllers and workstations all have to work to the same time, because if they are running to different times, someone could have a door unlocked for them, when the system does not give them permission to enter. If you use a publicly accessible atomic clock, what could be more exact? However, as the author points out, this would require a connection to the internet; ‘which can introduce a potential entry point for a cyber-attacker’.

As that extract suggests, this is a welcome book that can guide the consultant and designer through the pitfalls of making an access control system. We’ve come a long way from the large ring of keys as carried by the jailer or security guard opening a campus in the morning, and locking again at night; a system can now schedule for doors to open automatically (office hours for example) or for someone’s credential not to allow entry over Christmas.

As the author mentions towards the end, a large site may have hundreds of doors, and tens of thousands of access card-holders; widespread updates to schedules on that scale can take hours (so think of doing so overnight).


You can read more from Ross Bale on a blog; and you can download from his website a free 15-page ebook.


Subscribe to our weekly newsletter to stay on top of security news and events.

© 2023 Professional Security Magazine. All rights reserved.