Secure Credentials: Access Cards, Biometrics, Multi-Factor and Mobile

By Neal Bellamy, IT Director at Kenton Brothers

A couple of months ago, we talked about higher levels of security and Multi-Factor authentication for your computers and servers. Today, I’d like to bring that discussion back to Commercial Access Control.

Cards and Fobs are the number one method of gaining access to your building.

Cards and fobs identify the “cardholder” with a string of bits (ones and zeros). Those bits are broken down into a “Facility Code” and a “Card Number”. The facility code is used to group the cards together or to designate that a card belongs to a certain building. Additionally, the cards weren’t originally encrypted, meaning that if you had the right technology, you could read any access card.

Even worse, on the common 26-bit access cards, there are only 256 unique facility codes and 65,536 unique card numbers. I’m pretty sure there are more than 256 companies using commercial access control. I don’t want to spend a lot of time talking about old technology… but I implore you: If you’re using true proximity cards (there are a lot of you out there), come talk with us about using an encrypted card that can’t be easily duplicated!

Okay, so if most cards aren’t that secure, how do we make things better?

Step 1: Encrypt the card

Encryption for the cards and readers has been around for a while. As an example, HID iClass was introduced in 2002. The general premise is that the card is encrypted with a Public Key Infrastructure or PKI. Then the reader is loaded with the matching key. When the card is presented, the reader decrypts the credential and gives the access control system the unencrypted credential number. This number can still just be the same 26 bits as above, but only a reader with a matching key can read the credential.

Several technologies use encryption as a base layer of protection, including HID iClass, MIFARE, and FeliCa. There are several variations for each type.

Step 2: Increase the “uniqueness” of the card

Now we have a card that can’t be read by every reader in the world. However, there is still a good chance, with only 26 bits, that the exact sequence of bits exists on another card somewhere. The answer is simple… increase the number of bits. For every bit you add, you double the number of possible card numbers. (16 bits = 65,535 possibilities, 17 bits = 131,072.)

The common 37-bit format allows for 65,536 facilities (16 bits) and 524,288 cardholders (19 bits). Although 37-bits allow for more variation in the sequence, there is still a chance of overlap. An even better solution is where your “Facility code” is registered and can never be duplicated.
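To make the numbers above concrete, here is an added example (not from the original article or any vendor) that packs and unpacks the 26-bit layout and estimates how likely two sites are to share a facility code at 8 bits versus 16 bits. It assumes the widely documented open 26-bit layout with two parity bits, and it assumes sites pick facility codes independently and uniformly at random, which is a simplification.

```python
# Added example. Assumed layout (the widely documented open 26-bit format):
#   bit 1      even parity over bits 2-13
#   bits 2-9   facility code (8 bits  -> 256 values)
#   bits 10-25 card number   (16 bits -> 65,536 values)
#   bit 26     odd parity over bits 14-25

def encode_26(facility: int, card: int) -> str:
    """Build the 26-character bit string for a facility code / card number pair."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = str(data[:12].count("1") % 2)        # first half ends up with an even 1-count
    odd = str((data[12:].count("1") + 1) % 2)   # second half ends up with an odd 1-count
    return even + data + odd


def decode_26(bits: str) -> tuple[int, int]:
    """Return (facility_code, card_number); reject malformed or corrupted reads."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    if bits[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if bits[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(bits[1:9], 2), int(bits[9:25], 2)


def shared_facility_code_probability(sites: int, facility_bits: int) -> float:
    """Chance that at least two of `sites` share a facility code.

    Assumption: each site's code is drawn independently and uniformly at random.
    """
    space = 2 ** facility_bits
    if sites > space:
        return 1.0                               # more sites than codes: overlap is certain
    p_all_unique = 1.0
    for already_taken in range(sites):
        p_all_unique *= (space - already_taken) / space
    return 1.0 - p_all_unique


if __name__ == "__main__":
    raw = encode_26(123, 45678)                  # constructed sample values
    print(raw, decode_26(raw))
    for bits in (8, 16):                         # 26-bit vs 37-bit facility code width
        p = shared_facility_code_probability(20, bits)
        print(f"{bits}-bit facility code, 20 sites: {p:.1%} chance of a shared code")
```

Note that the parity bits only catch read errors; they add nothing to uniqueness, which is why the facility code width and a registered facility code are what matter here.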

Several card manufacturers offer a program where your facility code is guaranteed to be unique. HID Corporate 1000 is one such offering; Gallagher does this by default.


Another strategy for creating a unique card is to not use a card at all. Biometrics fall into this category.

The premise is that by providing a “reader” that reads a unique feature of a person and then sends the 1s and 0s to the access control system, the credential can be duplicated when all those things are combined in the right order. Hand scanners, fingerprint readers, vein readers, iris scanners, and facial recognition all fall into this category.

Biometric readers solve or circumvent many of the issues above. No encryption is needed between the credential (the person being read) and the reader because a person can’t be duplicated. The systems can even tell twins apart.

The downside to biometrics has been ease of use. Biometric systems require enrollment to create and store the “credential”. Early adopters also faced a reliability issue where the biometric was not recognized even if it was the right person. This false negative issue has mostly been resolved. With the right biometric system in place, I would argue that it is better than any card-based system. It cannot be reasonably duplicated and cannot be lost or shared.

If we decide that we don’t want to use biometrics, we at least have a card that’s encrypted and probably (or guaranteed) unique. However, we still just have one form of authentication. If your card gets lost or stolen, someone has access to your facility until you can get it disabled. That’s where multi-factor authentication comes in.

Step 3: Multi-factor authentication

Multi-factor authentication comes in many flavors. The oldest is “pin and prox” (the prox part can and should be encrypted and unique), where the person presents the credential and then enters a PIN on the reader. Biometrics can also be used as a second form of authentication. The user presents their credential and then presents their biometric. Used this way, biometrics are even more secure than biometrics alone. Instead of the biometric matching anyone in the database, it has to match the same person that presented the card. Dual-factor authentication doesn’t have to be on every door in your facility. It could be used for the exterior doors only, highly sensitive doors only, or any combination.

So far, we haven’t talked about the latest tech in credentials, which is using your phone as a card.


Using Your Phone as a Card

Multiple vendors offer a “mobile” Credential, but they all work similarly. An application on your phone receives an encrypted package that identifies who you are. When you present your phone to the reader, it sends the 1s and 0s to the access control. If this sounds exactly like a unique encrypted card… it is.

As an administrator, you can enforce the application to require a second form of authentication (Pin, Fingerprint, Face) in order to send the credential to the reader. Now you have a uniquely encrypted credential with two-factor authentication, without the headache of enrolling users in a biometric database. Mobile credentials aren’t compatible with all systems, and some systems offer easier management of mobile credentials than others. That said, mobile credentials are going to be the next wave of authentication. They provide ease of use and high security in a single package.

Want to know more? Give us a call!

Section 889 Alert: Prohibited Telecom for the Federal Government and Their Contractors

By David Strickland, Vice President of Kenton Brothers

Federal agencies and companies that do business with them:
NDAA Section 889 B is now in effect.

The Federal Government alone experiences hundreds of thousands of digital assaults every day. Malicious actors are persistent, usually well-funded and constantly changing their tactics. They often exploit technologies from the identified Chinese companies to do so. The Administration shares Congress’ strong commitment to addressing insidious threats to the Nation’s national security and intellectual property.

In an effort to protect the nation’s systems and data, the National Defense Authorization Act (NDAA) was enacted in July 2019 with two distinct phases:

Part A – The Government Cannot Obtain Prohibited Telecom

Part A became effective on August 13, 2019. Part A prohibits the government from obtaining (through a contract or other instrument) certain telecommunications equipment (including video surveillance equipment) or services produced by the following covered entities and their subsidiaries and affiliates:

  • Huawei Technologies Company
  • ZTE Corporation
  • Hytera Communications Corporation
  • Hangzhou Hikvision Digital Technology Company
  • Dahua Technology Company

Hangzhou Hikvision Digital Technology Company and Dahua Technology Company are two of the largest commercial video surveillance manufacturers in the world. They operate and distribute through OEM (Original Equipment Manufacturer) arrangements under more than 100 brands around the globe.

For a complete and updated list, check out IPVM. IPVM is a great resource for ongoing list changes.

What may shock companies and agencies throughout the Midwest and beyond are a few of the names on those lists including:

  • ADT
  • FLIR – Specific Models
  • DMP

Section 889: HIKVISION OEMs

Section 889: Dahua OEMs

The Department of Defense has the authority to add additional companies to this list at any time. Part B outlines that these items need to be removed by August 13, 2020 or a waiver needs to be submitted allowing for more time.

This order applies to all companies that do business with the Federal government, in any capacity and at any level.

Part B – Government Contractors Cannot Use Prohibited Telecom

Part B is effective August 13, 2020.

Part B prohibits the government from contracting with any entity that uses certain telecommunications equipment (including video surveillance equipment) or services produced by the entities listed in the statute.

  • The Government cannot contract with an entity that uses covered telecommunications equipment or services as a substantial or essential component of any system or as critical technology as part of any system.
  • Prohibition applies regardless of whether or not that usage is in performance of work under a Federal contract.
  • The prohibition applies to every sector and every dollar amount. Your ability to enter into contracts with the Government will be impacted by Part B.
  • After conducting a reasonable inquiry, entities will represent whether they do or do not use prohibited telecommunications equipment or services.

Part B has been added to the Federal Acquisition Regulation (FAR) at FAR subpart 4.21.


  1. Regulatory Familiarization. Read and understand the rule and necessary actions for compliance.
  2. Corporate Enterprise Tracking. Determine through reasonable inquiry whether you use “covered telecommunications” equipment or services.
  3. Education. Educate your purchasing/procurement, and materials management professionals to ensure they are familiar with the entity’s compliance plan.
  4. Cost of Removal. Implement procedures if the entity decides to replace existing covered telecommunications equipment or services and ensure new equipment and services acquired for use by the entity are compliant.
  5. Representation. Provide representation re use and alert Government if use is discovered during contract performance.
  6. Phase-out Plan and Submit Waiver Information. Develop a phase-out plan and provide waiver information to the Government along with the complete laydown of the presence of the covered telecommunications equipment or services.


Please let Kenton Brothers know if you have questions on navigating Rule 889.

Global Solutions: Easily Centralize Control of all your Locations

By Ryan Kaullen, Field Services Manager at Kenton Brothers

Kenton Brothers has the honor and privilege of working with many types of customers including government entities. Recently, a governmental client located in the state of Missouri wanted to expand their access control system. The goal was to deploy it globally across their different physical sites across the state.

You may ask, “What’s a Global Solution?” Think of it like an ecosystem that enables users to knit together an entire security management system & video management system under one, centrally controlled, and distributed network.

This specific customer uses S2, an access control platform that Kenton Brothers supports and installs. This access control application made sense for the customer for many reasons, including the ability to monitor and manage multiple locations centrally. They can quickly build reports that run on a schedule, make security changes immediately that are reflected across the entire system, and build and administer global access levels that grant permissions across the entire organization.

Kenton Brothers: Global S2 Solution for Governmental Entity

Our S2 based solution took care of a major need for this customer. Previously, they were using a collection of off-line systems. These included mechanical systems with no audit capabilities and individual access control systems with no standardization.

The S2 Global solution allows them to have standardized security across all of their sites. They’ve reduced their liability, upgraded their commercial security, and adopted a centrally managed system. The results? Their business is more efficient, they receive expedited alerts of security issues, and they have the ability to expand their coverage across future sites down the road.

Whether Kenton Brothers’ clients need a standalone system or something as intricate as a global deployment for their business needs, we are able to help and guide our customers down the path that best protects their people, property, and possessions.


Connecting five buildings with line-of-sight radios. Who Needs Wires?

By Ryan Kaullen, Field Services Manager at Kenton Brothers

At Kenton Brothers, we get many types of requests for different scenarios and applications. We recently received a request from a customer in the Westport area of Kansas City, MO. They wanted to install video cameras at five separate buildings, and they wanted all of those video feeds to go into a video management system at one of the five locations. This can be a fairly challenging technical request. Our solution was to use Ubiquiti line-of-sight radios to communicate between the buildings. That way, we could stream the camera feeds to the centrally located recording server because they would all be on the same network.

The Ubiquiti radios are mounted on the roofs of the buildings and aimed at the main building where the recording service is housed. (All camera systems have to have a network path back to where the video is recorded.) When you’re physically located in a single building, this is a relatively easy task. In situations where there are two buildings, fiber is often in place between the buildings making a single network possible.

Kenton Brothers: Who Needs Wires? Connecting Buildings with Line of Sight Ubiquiti Radios

Fiber connections weren’t an option between all five buildings, so wireless became the solution.


The picture above shows one of the Ubiquiti radios. As you can see, the buildings are several blocks apart. This physical challenge made a wireless connection the ideal solution. And at the same time, it’s the most cost effective for the customer while meeting their business needs and plans for future growth.

In the past, high speed wireless systems used to be expensive, unstable, and slow. New technology like Ubiquiti’s line of products has lowered the cost, improved the stability dramatically and allows dozens of cameras to be streamed at the same time. This technology has allowed customers to cover areas of their business with commercial video surveillance that wouldn’t have been an option financially a few years ago.

Kenton Brothers has deployed dozens of wireless commercial video surveillance systems over the past 7+ years. These have been successful projects resulting in happy customers. Why? Because we’re fixing pain points in their business and making them more secure.

At Kenton Brothers, it is our mission to Protect People, Property, & Possessions. Would you like to learn more about commercial video surveillance? Give us a call!



People Counters and Intercoms – Adapting to this New Normal

By Neal Bellamy, IT Director at Kenton Brothers

Like many businesses, Kenton Brothers is adapting to the “Stay at home” order and the “New Normal”. While we remain operational, we are changing our operations to reduce risk and exposure for our team and yours. One of the ways we’ve adapted is by looking at our systems and seeing what they can do for us.

With fewer people in the office, we’ve introduced some new challenges.

One such challenge is when people come to our commercial counter. The commercial counter is not always staffed like it used to be. The employees staffing our commercial counter are still in the building, but they’re helping out other teams. We don’t want a customer waiting for service, so we looked to our systems to increase alerting.

In this case, we used the Axis “People counter” software to send alerts to our team members when someone gets to the commercial counter. This counter is loaded directly onto the camera and can send alerts from the camera itself or notify the Video Management System (VMS) which can apply more logic to the alert.

The intercoms installed at our main entrances have become even more vital.

Old intercom systems used to be answered by a physical device at one or two desks in an office or retail environment. Today, intercoms are assigned to an extension on your phone system and can be answered by any station.

Most intercom systems have mobile applications where you can see and talk to the person at the intercom from anywhere in the world. We have an Axis 8105-E and 2N Solo mounted at two of our main entrances. The person who usually answers the intercom is at home, but shifting the answering station to another person was as simple as changing the extension in our phone system. We could have enabled the mobile app for after-hours answering if that was necessary as well.

Although these are “strange times”, we can look to technology to help fill some of the gaps. These tools and technologies can increase our ability to do more with less. If you’re faced with some business or security problems in this new world, give us a call. We’re happy to help!