electronic access control

Secure Credentials: Access Cards, Biometrics, Multi-Factor and Mobile

By Neal Bellamy, IT Director at Kenton Brothers

A couple of months ago, we talked about higher levels of security and Multi-Factor authentication for your computers and servers. Today, I’d like to bring that discussion back to Commercial Access Control.

Cards and Fobs are the number one method of gaining access to your building.

Card and fobs identify the “cardholder” with a string of bits (ones and zeros). Those bits are broken down to a “Facility Code” and a “Card Number”. The facility code is used to group the cards together or designate that card belongs to a certain building. Additionally, the cards weren’t originally encrypted, meaning that if you had the right technology, you could read any access card.

Even worse, on the common 26-bit access cards, there are only 256 unique facility codes and 65,536 unique card numbers. I’m pretty sure there are more than 256 companies using commercial access control. I don’t want to spend a lot of time talking about old technology… but I implore you: If you’re using true proximity cards (there are a lot of you out there), come talk with us about using an encrypted card that can’t be easily duplicated!

Okay, so if most cards aren’t that secure, how do we make things better?

Step 1: Encrypt the card

Secure CredentialsEncryption for the cards and readers has been around for a while. As an example, HID iClass was introduced in 2002. The general premise is that the card is encrypted with a Public Key Infrastructure or PKI. Then the reader is loaded with the matching key. When the card is presented, the reader decrypts the credential and gives the access control system the unencrypted credential number. This number can still just be the same 26 bits as above, but only a reader with a matching key can read the credential.

Several technologies use encryption as a base layer of protection including HID iClass, Mifare, and FeliCA. There are several variations for each type.

Step 2: Increase the “uniqueness” of the card

Now we have a card that can’t be read by every reader in the world. However, there is still a good chance, with only 26 bits, that the exact sequence of bits exists on another card somewhere. The answer is simple… increase the number of bits. For every bit you add, you increase the possible card numbers by a power of 2. (16 bits = 65,535 possibilities, 17 bits = 131,072.)

The common 37-bit format allows for 65,536 facilities (16 bits) and 524,288 cardholders (19 bits). Although 37-bits allow for more variation in the sequence, there is still a chance of overlap. An even better solution is where your “Facility code” is registered and can never be duplicated.

Several Card manufacturers offer a program where your facility code is guaranteed to be unique. HID corporate 1000 is one such offering, Gallagher does this by default.


Secure CredentialsAnother strategy for creating a unique card is to not use a card at all. Biometrics fall into this category.

The premise is that by providing a “reader” that reads a unique feature of a person and then sends the 1s and 0s to the access control system, the credential can be duplicated when all those things are combined in the right order. Hand scanners, fingerprint readers, vein readers, iris scanners, and facial recognition all fall into this category.

Biometric readers solve or circumvent many of the issues above. No encryption is needed between the credential (the person being read) and the reader because a person can’t be duplicated. The systems can even tell twins apart.

The downside to biometrics has been ease of use. Biometric systems require enrollment to create and store the “credential”. Early adopters also faced a reliability issue where the biometric was not recognized even is it was the right person. This false negative issue has mostly been resolved. With the right biometric system in place, I would argue that it is better than any card based system. It cannot be reasonably duplicated and cannot be lost or shared.

If we decide that we don’t want to use biometrics, we at least have a card that’s encrypted and probably (or guaranteed) unique. However, we still just have one form of authentication. If your card gets lost or stolen, someone has access to your facility until you can get it disabled. That’s where multi-factor authentication comes in.

Step 3: Multi-factor authentication

The multi-factor comes in many flavors. The oldest is “pin and prox” (The prox part can and should be encrypted and unique), where the person presents the credential and then enters a PIN on the reader. Biometrics can also be used as a second form of authentication. The user presents their credential and then presets their biometric. This form of biometric makes biometric even more secure than biometrics alone. Instead of the biometric matching anyone in the database, it has to match the same person that presented the card. Dual factor authentication doesn’t have to be on every door in your facility. It could be used for the exterior doors only, highly sensitive doors only, or any combination.

So far, we haven’t talked about the latest tech in credentials, which is using your phone as a card.

Secure Credentials

Using Your Phone as a Card

Multiple vendors offer a “mobile” Credential, but they all work similarly. An application on your phone receives an encrypted package that identifies who you are. When you present your phone to the reader, it sends the 1s and 0s to the access control. If this sounds exactly like a unique encrypted card… it is.

As an administrator, you can enforce the application to require a second form of authentication (Pin, Fingerprint, Face) in order to send the credential to the reader. Now you have a uniquely encrypted credential with two-factor authentication, without the headache of enrolling users in a biometric database. Mobile credentials aren’t compatible with all systems, and some systems offer easier management of mobile credentials than others. That said, mobile credentials are going to be the next wave of authentication. They provide ease of use and high security in a single package.

Want to know more? Give us a call!

Section 889 Alert: Prohibited Telecom for the Federal Government and Their Contractors

By David Strickland, Vice President of Kenton Brothers

Federal agencies and companies that do business with them:
NDAA Section 889 B is now in effect.

The Federal Government alone experiences hundreds of thousands of digital assaults every day. Malicious actors are persistent, usually well-funded and constantly changing their tactics. They often exploit technologies from the identified Chinese companies to do so. The Administration shares Congress’ strong commitment to addressing insidious threats to the Nation’s national security and intellectual property.

In an effort to protect the nations systems and data, The National Defense Authorization Act (NDAA) was enacted in July 2019 with two distinct phases:

Part A – The Government Cannot Obtain Prohibited Telecom

Part A became effective on August 13, 2019. Part A prohibits the government from obtaining (through a contract or other instrument) certain telecommunications equipment (including video surveillance equipment) or services produced by the following covered entities and their subsidiaries and affiliates:

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company

Hangzhou Hikvision Digital Technology Company and Dahua Technology Company are two  of the largest Commercial Video surveillance manufacturers in the world. They operate and distribute through OEM (Original Equipment Manufacturer) over a 100 brands around the globe.

For a complete and updated list, check out IVPM here. IVPM is a great resource for ongoing list changes.

What may shock companies and agencies throughout the Midwest and beyond are a few of the names on those lists including:

  • ADT
  • FLIR – Specific Models
  • DMP

Section 889: HIKVISION OEMs

Section 889: Dahua OEMs

The Department of Defense has the authority to add additional companies to this list at any time. Part B outlines that these items need to be removed by August 13, 2020 or a waiver needs to be submitted allowing for more time.

This order applies to all companies that do business with the Federal government. In any capacity, and at any level.

Part B – Government Contractors Cannot Use Prohibited Telecom Part B is effective August 13, 2020.

Part B prohibits the government from contracting with any entity that uses certain telecommunications equipment (including video surveillance equipment) or services produced by the entities listed in the statute.

  • The Government cannot contract with an entity that uses covered telecommunications equipment or services as a substantial or essential component of any system or as critical technology as part of any system.
  • Prohibition applies regardless of whether or not that usage is in performance of work under a Federal contract.
  • The prohibition applies to every sector and every dollar amount. Your ability to enter into contracts with the Government will be impacted by Part B.
  • After conducting a reasonable inquiry, entities will represent whether they do or do not use prohibited telecommunications equipment or services.

Part B has been added to the Federal Acquisition Regulation (FAR) at FAR subpart 4.21.


  1. Regulatory Familiarization. Read and understand the rule and necessary actions for compliance.
  2. Corporate Enterprise Tracking. Determine through reasonable inquiry whether you use “covered telecommunications” equipment or services.
  3. Education. Educate your purchasing/procurement, and materials management professionals to ensure they are familiar with the entity’s compliance plan.
  4. Cost of Removal. Implement procedures if the entity decides to replace existing covered telecommunications equipment or services and ensure new equipment and services acquired for use by the entity are compliant.
  5. Representation. Provide representation re use and alert Government if use is discovered during contract performance.
  6. Phase-out Plan and Submit Waiver Information. Develop a phase-out plan and provide waiver information to the Government along with the complete laydown of the presence of the covered telecommunications equipment or services.


Please let Kenton Brothers know if you have questions on navigating Rule 889.

Global Solutions: Easily Centralize Control of all your Locations

By Ryan Kaullen, Field Services Manager at Kenton Brothers

Kenton Brothers has the honor and privilege of working with many types of customers including government entities. Recently, a governmental client located in the state of Missouri wanted to expand their access control system. The goal was to deploy it globally across their different physical sites across the state.

You may ask, “What’s a Global Solution?” Think of it like an ecosystem that enables users to knit together an entire security management system & video management system under one, centrally controlled, and distributed network.

S2 Security LogoThis specific customer uses S2, an access control platform that Kenton Brothers supports and installs. This access control application made sense for the customer for many reasons, including the ability to monitor and manage multiple locations centrally. They can quickly build reports that run on a schedule, make security changes immediately that are reflected across the entire system, and build and administer global access levers that grant permissions across the entire organization.

Kenton Brothers: Global S2 Solution for Governmental Entity

Our S2 based solution took care of a major need for this customer. Previously, they were using a collection of off-line systems. These included mechanical systems with no audit capabilities and individual access control systems with no standardization.

The S2 Global solution allows them to have standardized security across all of their sites. They’ve reduced their liability, upgraded their commercial security, and adopted a centrally managed system. The results? Their business is more efficient, they receive expedited alerts of security issues, and they have the ability to expand their coverage across future sites down the road.

Whether Kenton Brothers’ clients need a standalone system or something as intricate as a global deployment for their business needs, we are able to help and guide our customers down the path that best protects their people, property, and possessions.

Kenton Brothers: Global S2 Solution for Governmental Entity

Access Control Tech Update: Identifying Exposure Through Contact Tracing

Contact Tracing is the process of identifying people who may have come into contact with an infected person, and collection of information about these contacts.

Hands-Free Door Hardware and MORE to Protect Your People, Property and Possessions

By Gina Stuelke, CEO of Kenton Brothers

Did you know that 80% of germs are spread with your hands? Kenton Brothers Systems for Security offers several types of door hardware that can aid in the prevention of spreading germs and infectious diseases.

Arm and Foot Pulls

Arm and foot pulls are quick, easy and cost-effective solutions to open a door without touching a handle or lever with your hands. This type of hardware is attached to the door and can be used by pulling with your foot, arm or elbow. We offer a variety of options including stainless steel base material, copper anti-microbial material, anti-microbial coating over stainless steel, and multiple finishes. These types of products are perfect in areas such as restrooms, commercial buildings, restaurants, grocery stores, churches, event spaces and healthcare facilities.

Kenton Brothers Hands-Free Security Options Kenton Brothers Hands-Free Security Options

“Healthy” Hardware Options

The door handle of a public facility can be touched by people several thousand times a day. That’s thousands of opportunities to transfer bacteria and infectious diseases. In hospitals alone, there are over 103,000 Hospital Acquired Infections (HAIs) reported every year! On openings where pushing or pulling a mechanical door handle or lever is necessary, we offer health conscious bactericidal and/or anti-microbial hardware.

Some of the benefits of this hardware include:

  • Kills 99.9% of bacteria in 2 hours.
  • Not a coating and won’t wear off! Will continue to kill bacteria for the lifetime of the product.
  • Looks like stainless steel to match other hardware products.
  • Wide range of hardware and touch surfaces available.

Kenton Brothers Hands-Free Security Options Kenton Brothers Hands-Free Security Options

“Hands-Free” Access Control Technology – Empower your phone to be your credential

Another option becoming popular is “hands-free” access control technology. We offer products that use cellular, WiFi, and Bluetooth technologies to create hands-free credentials. These allow you to walk up to a secured opening with your mobile credential and gain entry without needing to take your smartphone out of your pocket or your bag.

Kenton Brothers Hands-Free Security Options

For more information about these hands-free security options, please give us a call. We would be happy to walk you through these options to find your perfect solution!