Low Frequency Access Cards | What Are They and Are They A Thing of The Past?

The company I work with, like many other organizations, utilizes access control cards not only for access control to our facilities, but also for timekeeping and vending machines (tool and PPE distribution) within the plant operations. One of the biggest hurdles I have had to overcome with access cards is getting all my locations onto a single enterprise system and then all on the same badge. For context, when I first took over Corporate Security Technology (CST), we had roughly a dozen different access control systems across the globe. Many of these systems were not even supported or in business anymore. For the systems that were still supported, Lenel and Hirsch Velocity, we weren’t even aligned on the badges within each system. Within Hirsch, which is our primary access control system, we were using both Indala and HID badges, typically 26-bit LF. However, we could be running over 20 different facility codes across the enterprise, with some individuals needing three and even four badges to get into all the facilities they manage. I know, it seems ludicrous.

So, what did we need to do? Well, the first step we took was looking at which access control systems we were going to stay with and how we would upgrade the older systems. Ultimately, we ended up selecting Hirsch Velocity as our primary access control system and began moving many of the one-off systems over to Hirsch. Hirsch is a great system but does have its downfalls depending on how you look at it. One of the issues you will see with Hirsch is that they function on proprietary boards, SNIBS as they are referred to, versus a Mercury board that many of the other systems can utilize. This has not been as much of a problem in the US but has caused us issues outside of the US and in more remote regions of South America, Africa, and Asia where having trained technicians can be difficult.

We then had to look at the cards we were using. With access control cards, there are two main factors you need to look at: bit and frequency. Frequency is generally categorized as low frequency (LF), high frequency (HF), or ultra-high frequency (UHF). Low frequency runs on 125 kHz and is the most common type of access control card you will see, especially on legacy systems and smaller locations that focus less on security. High frequency 13.56 MHz cards are becoming the new standard for government and critical infrastructure, as they have encryption, clone resistance, and support for mobile credentials. Many corporate locations are also moving to the more secure 13.56 MHz. There is also ultra-high frequency (UHF) access control. Typically, these are used for vehicle entry or logistics tracking and not used in ID badges.

Bit is the other factor you need to look at with access control cards. A bit is a single binary digit, either 0 or 1. A 26-bit or 35-bit card refers to the total length of the binary string. A 26-bit card would have the following format:

We were utilizing 26-bit LF cards, which caused us another issue: collision risk. A 26-bit card has a limit of 65,536 unique numbers per facility code and we have far more than ~65k employees and contractors who need access cards. This requires us to use multiple facility codes. Now, this isn’t as big of an issue on the access control side; it can be managed, although it is slightly annoying. Unfortunately, we ran into significant issues with payroll as they would not capture the entire card number for the time clocks and were instead capturing the last 5 digits from the 8-digit facility code. As you can imagine, this did not work out very well. Between the rolling facility codes at our larger location and the smaller locations selecting their own facility codes in the past, we were constantly having collision issues.
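
The following is an added example, not code from the original post. It assumes the open 26-bit Wiegand layout (parity bit, 8-bit facility code, 16-bit card number, parity bit), which the post does not spell out, and it models the time clock as keying on the five-digit card number alone; the badge holders and numbers are constructed. It shows why the access control system sees unique badges while the time clock sees a collision.

```python
from collections import defaultdict

# Assumed layout (open 26-bit Wiegand, not given on the page), MSB first:
# 1 even-parity bit | 8-bit facility code | 16-bit card number | 1 odd-parity bit

def encode_26bit(facility: int, card: int) -> int:
    """Build the 26-bit value for a facility code and card number."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility must fit in 8 bits, card number in 16")
    data = (facility << 16) | card                # 24 data bits
    even = bin(data >> 12).count("1") % 2         # first 12 bits + parity: even
    odd = 1 - bin(data & 0xFFF).count("1") % 2    # last 12 bits + parity: odd
    return (even << 25) | (data << 1) | odd

def decode_26bit(raw: int) -> tuple[int, int]:
    """Return (facility, card); raise ValueError on bad length or parity."""
    if not 0 <= raw < 2**26:
        raise ValueError("not a 26-bit value")
    facility, card = (raw >> 17) & 0xFF, (raw >> 1) & 0xFFFF
    if encode_26bit(facility, card) != raw:
        raise ValueError("parity check failed")
    return facility, card

def find_collisions(badges, key):
    """Group holders by key(facility, card); return the keys shared by several."""
    seen = defaultdict(list)
    for holder, raw in badges:
        seen[key(*decode_26bit(raw))].append(holder)
    return {k: v for k, v in seen.items() if len(v) > 1}

def full_id(facility, card):      # what the access control system keys on
    return (facility, card)

def clock_id(facility, card):     # hypothetical time clock keeping 5 digits
    return f"{card:05d}"

# Constructed sample: two sites with different facility codes issued the
# same card number.
BADGES = [
    ("alice", encode_26bit(12, 4021)),
    ("bob", encode_26bit(47, 4021)),
    ("carol", encode_26bit(12, 4022)),
]

if __name__ == "__main__":
    print("access control:", find_collisions(BADGES, full_id))  # {}
    print("time clock:", find_collisions(BADGES, clock_id))
```

Running `find_collisions` over a badge export with the downstream system's key function before integrating it is a quick way to find every pair of holders that system would confuse.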


As stated prior, we were also utilizing Indala, which had been acquired by the HID family in 2001 and has since been discontinued. These needed to go, especially the Indala-specific readers, as the security was lacking and the Indala-specific readers are difficult, if not impossible, to find for replacement. We were able to utilize Identiv TS readers to assist with our migration from Indala, as the Identiv TS readers can be set to read both cards, which allowed us to replace cards through attrition.

There are other concerns with the 26-bit 125 kHz (low frequency, LF) cards: high collision risk, susceptibility to cloning, and inferior encryption. So, what option do we have for better security at larger enterprises?

Moving to a 35-bit, 13.56 MHz High Frequency (HF) card through Hirsch is what we selected. This card uses NXP MIFARE DESFire EV1 256B chip technology; AES-128 cryptography with key diversification and CMAC protection for card commands; and Hirsch Key Set (NextUp Secure) or customer-specified keys (NextUp VIP) for key management. While at first glance this may seem like it is going to be a much more expensive card, it has actually reduced our cost, as the older Indala badges were difficult and expensive to order, and moving to a larger badge has reduced the overall number of badges we needed in the system. No more senior management needing a handful of cards to get into all their locations; all access can be added and managed on a single card and system. This also increases our overall security as we reduce the risk of accidentally leaving a badge active that should have been turned off.

You can see the product sheet for the Hirsch cards here.

Multi-factor Authentication

Additionally, we began looking into Multi-Factor Authentication (MFA) options. Quick review for everyone: MFA requires at least two of the three forms of authentication: something you have, something you know, something you are. So, if you have two passwords, that is not MFA, as it is just two of something you know. But if you have an access card and a PIN, this would be proper MFA: something you have (the access card) and something you know (the PIN). We establish this with Scramble/Prox pads, with the Velocity system requiring both a badge swipe and a PIN in some areas before the door opens. Now, this is not needed at every facility and every door, but we have begun implementing MFA requirements in our data centers and research facilities. We have this option for other locations as the need arises as well.

Overall, you have to question, is the 125 kHz card obsolete?

I would say it is not obsolete, yet. However, I do think its use is very limited and should be avoided if possible. If you already have a legacy system which is limited to reading low frequency cards, then a 125 kHz card may be acceptable, depending on your risk tolerance. I would say that if you are installing a new system or upgrading your system, then strongly consider moving to the more secure high frequency cards.

Additionally, you need to look at the size of card you need. Is a 26-bit card sufficient? Or do you need to move to a 35- or 37-bit card? We commonly have 65k+ active badges in the system. With employee and contractor turnover, we needed something larger than a 26-bit card.

In comparison, the 35-bit cards have 500,000+ unique card numbers. If we made 7,500 cards a year, the 26-bit cards would be exhausted in ~8.5 years. However, it would take over 130 years for the 35-bit cards to be exhausted at the same rate.

Remember, not all access control cards are built the same. You may be saving money by increasing your risk.
