Testing of Permeability of RFID Access Control System for the Needs of Security Management

Abstract

Access control systems are part of the overall protection of objects. It is often the first system with which it is necessary to start the contact system; therefore, it is necessary to ensure its proper functioning. In the event of a malfunction, it can cause downtime in production, and it is triggered by a bad replacement of workers. Access control systems have their own specificities that need to be considered when designing security. Poor selection of access control devices can cause inefficient system functionality, resulting in downtime and loss. Based on experimental testing and related work in access control systems, this paper discusses the possibilities of testing the throughput of access control systems. The manuscript presents the design of a unique test device that can be used in the assessment of the reliability and throughput of access control systems. With the help of tests, we were able to determine the probability of downtime due to inappropriately set time intervals for changing employees on a work shift.

1. Introduction

Access control systems are parts of alarm systems. Unlike most alarm systems, access control systems use a combination of information systems and mechanical barriers to control the movement of people based on predefined organizational and regime measures.

Access control systems are used in companies today for many practical reasons. They facilitate attendance control, automatically allow or disallow access to protected areas, and control the movement of persons within the premises.

In defining access control systems, we will base our definition on the technical standard EN 60839-11-1/AC2. By alarm and electronic security systems, we refer to electronic access control systems. According to the relevant standard, an access control system can be defined as a system that is intended to provide authorized persons with access to or egress from a secured area and to deny unauthorized persons access to or egress from the secured area [1,2].

Norman defines access control systems as electronic systems that grant automated consent for entry through a security portal without the need for a security officer to check the authority of the person entering through the portal [2,3].

The following facts follow from the basic definitions of access control systems [3,4]:

• An access control system is classified as an alarm and electronic security system, given the designation of the standard;
• An access control system must recognize an authorized person from an unauthorized person and decide whether to allow or refuse entry;
• The role of the system is to protect the area to be secured by controlling the portal and to trigger an alarm condition if the portal is breached.

Access control systems can be thought of as electronic systems that control passage through security portals [5]. By security portal [6], we mean, for example, an entrance to a room that is equipped with an access control system (e.g., a door, an electric lock, and an access reader) [6,7]. Access control systems consist of many components, the basic ones being a controller, a database, access readers, electric locks, and a user interface for administration (computer). Access control systems also include their users, procedures, access control policies, and organizational security policies [3,8].

Access control systems have their position within the overall system of building protection and alarm systems. In contrast to alarm security systems, mechanical security devices such as turnstiles, security culverts, electric locks, magnetic locks, etc., which serve to mechanically prevent access, also fall within the scope of access control systems. The access control system is often connected with an intruder alarm system or its part [8,9]. If an unauthorized user attempts to enter through a security portal, the system signals such activity, and if the user manages to overcome the security portal, the access control system can trigger an alarm condition with the intruder alarm system; in other words, it can serve as an active component of the intruder alarm system. Another system with which access control systems cooperate is the electrical fire alarm system [9,10,11]. If a fire-based alarm condition is declared, it is necessary that all security portals that serve as escape routes are not blocked to allow persons to leave the protected area. Several access control system access readers are also supplemented by so-called duress signaling, whereby pressure is exerted by an intruder on a person who has permission to enter. The duress signaling function of an access control system can be described as an emergency system [11] or a call-for-help system, which also fall within the domain of alarm systems [12,13,14].

The appropriate parameter setting of counter access control systems has been addressed by many authors. The most common way in which the sensing capability can be adjusted is by adjusting the antenna and frequency [15,16].

The technical standard EN 60839-11-1/AC2 classifies access control systems according to the level of risk. The standard recommends determining the level of risk by estimation based on the value of the asset to be protected, the determination of the attacker, and the method of attack.

The risk levels are defined as follows [1] we can also see the experiences of the offenders for individual degrees in

Table 1. Classification of access control systems (Source: [1]).

Level	1	2	3	4
Risk level	Low	Low-to-medium	Medium-to-high	High
Use	Control of movement of people in the building; protection of low-value assets	Control of movement of people in the building; protection of assets of medium value	Spatial protection; protection of high value assets	Spatial protection; protection of assets of very high value
Knowledge of the attacker	Low knowledge; low financial resources to attack	Medium skill and knowledge; little financial resources to attack	Great skill and knowledge; medium financial resources to attack	Very high skill and knowledge; high financial resources to attack
Typical application	Hotels	Offices; small businesses	Office premises; banks; industry	Critical infrastructure; military installations

:

• Level 1—Low risk: The attacker has no or minimal knowledge of access control systems. The value of the protected interest is low;
• Level 2—Low-to-medium risk: The attacker has little knowledge of access control systems and may use commonly available tools to defeat the system. The value of the protected interest has a higher value, and the attacker aborts the attack if he fears detection;
• Level 3—Medium-to-high risk: The attacker has knowledge of access control systems and has the appropriate technical equipment to overcome the system. The value of the protected interest is high. The attacker aborts the attack if he fears detection and identification;
• Level 4—High risk: The attacker has planned the attack in detail and has the equipment to overcome the system. The value of the protected interest is very high. The attacker aborts the attack if he fears detection and identification.

EN 60839-11-1/AC2 defines four classes of environments in which access control systems can be operated [1,17,18]:

• Class I: Indoor residential or office environment;
• Class II: General indoor environments—shops, stairwells, restaurants, etc.;
• Class III: Outdoor environments that are protected from direct sunlight and rain, or indoors with severe climatic conditions;
• Class IV: General outdoor environment.

To provide the listed functions, access control systems have several active and passive components [17]. A possible topology of an access control system is shown in Figure 1 (Figure 1) [18,19,20].

The access control system (Figure 1) is made up of electronic and mechanical elements that together allow access through the access point. The access point consists of [3,20,21] the following:

• Monitoring/Management Center—This contains the database of a lot of information from authorized users, device configuration records, access control plans, etc.
• Controller/Terminal—Control unit and the main device of access control systems, whose task is to make decisions and control one or more access points based on the data received from the access reader and from the monitoring center. The controller controls the individual access points by means of connected devices.
• An access reader is a user interface device that receives data from users requesting to pass through an access point. Access readers can collect data in three ways: based on the user’s knowledge, from an identification element possessed by the user, or from the user’s biometric characteristics.
• Door sensors—These are most often magnetic contacts also used by alarm systems; their role is to notify the controller of the opening or closing status of the portal.
• Door lock controllers—Electric devices for mechanical locking/unlocking of doors.
• Mechanical barriers—Different types of doors, turnstiles, ramps, and their components.

Access readers are devices that can read data presented by the user, process it, and transfer it to the controller. The process of data submission and processing can be called user identification. The subscription process can take several forms and depends on the identification element; the most common ones are [18] as follows:

• Codes (PINs and passwords);
• Access cards (RFID, NFC);
• Biometrics.

Considering the methods of user identification and the types of identification elements, several types of access readers are generally produced, which differ from each other in the method of obtaining data from the user. They most commonly take the form of keypads, card readers, and biometric readers [22,23,24].

Access card readers can be contact or contactless. Contactless access card readers, which are equipped with RFID technology, are currently the most widely used. They consist of an RFID transmitter and receiver and can thus receive data presented by a contactless card or tag, mobile device, etc. RFID and NFC technology is at a very high level of security. The disadvantage of this technology is that the user must have a contactless card or tag, which can be lost or copied.

Description of system function—individual components are connected to a controller that decides whether to allow access based on authentication of a person’s identity. A person proves his identity at the access reader through knowledge, something he owns, or a property. If the system verifies the person’s identity, it releases the electric lock on the door and allows the person to enter the secured area. The controller is connected via TCP/IP to a computer that has the necessary software installed. Through this interface, it is possible to manage the database of authorized persons in the controller or on the server. The database contains a wealth of information, ranging from authorized users, device configuration records, access control plans, etc. Access control records (requests, identifications, access denials) and alarm events are also stored in the database [25,26,27].

Based on the claims made or the user’s identity data, the identity verification process can be carried out in two ways, namely, identification or verification.

User identification is the process of matching the data obtained from the user by the access reader against all the data in the access control system database (1:N matching).

User verification is the process of comparing data obtained from a user by an access reader against only a specific entry in the access control system database (1:1 comparison), whereby the user must enter an additional piece of information that indicates his identity (e.g., PIN) to be verified [28,29].

Authorization is the process that takes place after identification or verification. It is a sequence of decisions and events executed by the controller to allow the user to pass through the access point [30,31,32].

The need to know the reliability of the input control system is essential from several points of view. One point of view is the fact that the access control system is part of the overall object protection system, and without this information, it would be quite difficult to talk about overall comprehensive object protection. The second point of view is the fact that access control systems form a kind of imaginary border or obstacle allowing entry or exit from the protected object; therefore, it is necessary to be as effective as possible. This is also the case since in recent years, object security has undergone a major change, namely, automation consisting of the replacement of the classic form of guarding by guards for technical protection through alarm systems and video surveillance systems controlled by former guards. Thanks to this fact, it is necessary that all alarm systems work as well as possible. A third point of view is the fact that access control systems are used primarily by employees who may be diverse, with different habits, etc. (for example, they may have a problem with contact with the devices, they may try to follow very quickly either intentionally or unintentionally, etc.). Based on all these situations and possible scenarios, it is necessary to know the actual communication distance of access control systems so that security managers can eliminate the possibility of downtime when changing work shifts.

The collective of authors has been working on the issue of access control systems for a long time, as evidenced by the fact that one author, Veľas, has been working on the issue partially since 2013 [28]. He was gradually joined by other co-authors, especially Boroš and Lenko [30], while Lenko also addressed this issue in his dissertation. In the long term, co-author Kuffa devoted himself to the issue of access control systems from the point of view of the use of camera systems as well as RFID systems. Based on the acquired experience, the co-authors, prompted by the needs of practice, designed a testing device and a testing methodology, which is addressed in this manuscript.

2. Materials and Methods

The use of access control systems has its peculiarities. Technical standards do not define the throughput of the system. The throughput of an access control system is the number of contactless cards, RFID chips, or tags that an access control reader can read per unit of time.

Neither the literature nor the standards define these parameters. Testing of the access control systems has been conducted primarily at Sandia Labs in New Mexico [33].

In 2005, under the leadership of prof. Velas, the team of the Department of Security Management began to carry out research and tests in the field of alarm systems, including access control systems [28]. Velas proposed the idea of a device capable of testing RFID card and chip readers. The facility was designed in 2020 in collaboration with Lenko and Boros. Subsequently, pilot tests were carried out in 2021 [30].

The device is protected by utility model number 9601 registered in the register of the Industrial Property Office on 13.9.2022 [34]. Subsequently, the device for testing RFID contactless cards, RFID chips, or RFID tags was extended with a distance meter and a place for mounting the reader. The device itself can be placed directly on the already installed reader and thus test its throughput in practice [35]. It is a parameter that determines how many contactless cards, RFID chips or tags the system can read. This parameter is important for designing access control systems. Based on the throughput information of the system, the designer can design the access control system in such a way that no unnecessary delays occur in front of the readers and passes [36,37].

System throughput is closely related to the reliability and fail-safety of the access control system. The reliability of an access control system can be defined as the percentage of correctly read contactless cards of RFID chips or tags to all access reader approaches.

The probability of correct functioning of a security system, which is also an access control system, is the product of the probabilities of overcoming mechanical barriers, the cumulative probability of intruder detection (in case of a breach of tamper protection), the probability of a fault-free state of the alarm transmission system, and the probability of timely and adequate intervention of physical protection [33]:

P_SYST = P_MB × P_KDET × P_ATS × P_GA,

(1)

where:

• P_SYST—the probability of the correct functioning of the security system;
• P_MB—probability of overcoming mechanical barriers;
• P_KDET—cumulative probability of detection, processing, and evaluation of a violation of sabotage protection;
• P_ATS—the probability of a fault-free state of the alarm transmission system (includes the probability of correct functioning of the communicators, a functional alarm transmission path);
• P_GA—the probability of timely and adequate intervention of physical protection, which is based on a timely and correct evaluation of the alarm condition and the probability of arrival (road clearance).

In practice, reliability is given as the number of failures per unit time during the period of interest. The reliability over time is called the failure rate or failure intensity and is denoted by λ. The instantaneous value of the failure rate can be calculated as the ratio of the value of the directive tangent to the curve F_(t) (probability of failure) and the corresponding value of R_(t) (probability of failure-free operation) at a given time instant t₀ [35].

$$\lambda (t_0)=\frac{{(dF/dt)}_{t0}}{P_P(t_0)}$$

(2)

When only a limited number of data are available, the average intensity of the disturbances can be calculated using the following relation [35]:

$$\overline{\lambda }=\frac{\sum failure}{\left(\sum tested\hspace{0.33em}objects\right)\times (period of\hspace{0.33em}testing\hspace{0.33em}1\hspace{0.33em}object)}.$$

(3)

If we plot the failure rate values versus time, we obtain a curve of the life indicators of the equipment (object). However, the primary focus of this article will not be on failure rates or the life cycle of access control systems. Measured values can serve as baseline data for modelling and designing object protection systems and evaluating the effectiveness of existing systems.

Simple methods were used to evaluate the measured values. Analysis is a basic scientific method that aims to investigate the independent functioning of individual parts within the whole, the system, and the relationships between them. With the help of analysis, it is possible to extract the most important facts and relationships from a coherent set of facts to clarify the issue under study. The method of analysis was used in the study of professional and scientific literature and subsequently in the elaboration of the article.

Synthesis is the opposite of analysis. With the help of synthesis, individual smaller parts extracted by analysis are composed into a whole. Synthesis enables the description of the main principles governing the whole to be drawn up. Synthesis was used to draw general conclusions based on the information obtained from the analysis and the data found by testing the RFID tags on the test equipment [38].

Deduction consists of going from general statements to specific ones, from general to general, or from specific to specific. Thus, by means of deduction, a logical conclusion is drawn based on other propositions that we hold to be true. This method has been applied especially in developing a testing methodology based on known facts about the components under test. Deduction was used after evaluating the individual knowledge gained during the study of the problem to create logical justifications for partial and overall conclusions. The method of induction was used in the statistical processing of the data obtained during the experiment in the form of various tests and measurements. From the processed data, conclusions used to answer the research questions are drawn.

Experiment is a method by which differences in the experimental entities are investigated by deliberately changing the conditions. The experiment is subject to the requirement of repeatability. Conditions are chosen and manipulated deliberately, and the effects produced by this manipulation are then measured [39]. The experiment is the main method used to address the problem under investigation and obtain answers.

Practical testing consisted of observing, measuring, and testing a selected RFID reader mounted on a test device designed by the authors of the paper. The device is not complicated and allows us to test RFID readers of contactless cards, RFID chips, or tags. It allows us to save time on tedious manual testing. The analysis method was used to process and evaluate the experimental testing results. Comparison was used to process the results of individual measurements and to compare the different reading distances. The actual testing was carried out experimentally to achieve results usable for practice and further investigation. The experimental testing was performed on a device printed on a 3D printer [40]. Testing of RFID and NFC access devices is covered in the ISO 18046 family of technical standards in parts 1 to 4. The standard defines the requirements for reading devices, cards, and tags and describes a methodology that discusses the procedure for measuring the parameters of access devices: RFID and NFC cards or tags. The intent of many of the tests is to investigate signal strength at different distances of the cards from the reading device. Such measurements are performed with equipment such as VoyanticReadformance™ or CISC RAIN Xplorer. All devices for measuring RFID and NFC reading device parameters are equipped with an antenna, a signal processing system, and a user interface [41,42].

3. Methodology

In our testing, we focused on the capacity limits of the RFID card reader and the effect of the reader placement distance on the card reading capability. The data that were found are not reported by the reader manufacturers. Nevertheless, they are of great importance in the practical use of RFID or NFC readers in practice. Since many errors and shortcomings can occur in manual testing, we used a testing device that helped to eliminate inaccuracies.

The device for testing RFID access readers and RFID chips in the form of cards can perform a continuous rotary motion and thus simulate the attachment of an RFID card to the reading device at specified time intervals and at a selected distance from the reading device. At the same time, it senses the number of simulated attachments of the RFID chips in the form of cards to the reading device by means of an optical or inductive counter. The frame of the device is made of plastic using a 3D printer. It has an adjustable height, which allows for changing the distance of the reading device. The drifter has a circular form and is mounted on bearings and driven by a DC motor with a gearbox and speed control. The control electronics are mounted directly on the device together with the counter. The device is equipped with an inductive speed counter (counts the number of RFID cards) (Figure 2).

The results of the reader pilot tests, showing the ability of the Crypton x112 reader to correctly read RFID cards and tags, are shown in the Figure 3.

There is a noticeable decrease in the ability to read RFID cards and tags as the distance of the reader location increases. A total of 6000 repetitions were performed across the three types of tests. In this case, 15 measurements with 100 repetitions of reading an RFID card or RFID tag.

In the experimental tests, which are covered in the given manuscript, we used the methodology from the pilot tests carried out using the first version of the test device. The principle consisted of the established maximum communication distance and the subsequent determination of three standard distances within the scope of the given communication distance. Subsequently, multiple repetitions were carried out through which we determined the reliability of card reading. These data are very important, especially from the point of view of the need of security managers to know at what distance RFID systems can fully function so that they do not cause downtime when changing workers in a work shift.

During the pilot tests, we realized that the testing equipment needs to be improved to automate the entire testing process even more and eliminate the influence of the human factor on testing. That is why we added a large sliding scale to the designed device, formed by a metal belt with a magnetic structure, to which any reader of the input control system can be attached; thus, the same distance is ensured during the entire measurement.

4. Results

The test equipment, when modified in 2022, includes a design that can measure the exact distance from the reading device. A combined biometric and RFID access control system with a Crypton x112 reader was selected for card reading. For testing, we used four contactless RFID cards for the RFID reader, code, access control, and biometric systems (125 kHz). The cards can be used both indoors and outdoors as the operating temperature ranges between −40 °C to 85 °C. The size of the cards is 86 × 54 × 0.8 mm [43]. The cards were secured to the test equipment using Velcro, which ensures the stability of the card during rotational movement of the test equipment. One side of the Velcro is located on the plastic cylinder in an amount of 4 pcs at regular spacing. The other side of the Velcro was glued to all the test cards.

The first step was to place the RFID cards on the test roll and the selected RFID reader on the fabricated sliding stand. As these were four identical cards, there was no need to specially line them up on the test roller. The reader was placed at three different distances. These were the maximum card capture distance, the minimum distance, and finally, the average distance. To find the maximum reader placement distance, we used a multiple trial method in which we zoomed the reader on a sliding ruler up to the card capture point. We repeated this process 10 times to be sure of the correctness of the result.

By experiment, we found that the limiting distance to which the reader could be placed to capture the cards placed on the cylinder was 10 cm. Subsequently, for each measurement, the reader was placed below the limit distance at three different distances of 8 cm, 4 cm, and 0.5 cm. We performed 1000 repetitions at each distance.

We successively placed four, two, and then one card on the test reel, test equipment we can see at Figure 4. For each of the options, we performed 1000 possible reads with the reader. For the four cards, this amounted to turning the plastic cylinder 250 times, for the two cards, 500 times, and for the one card, a total of 1000 times at each of the three distances. The results of the testing are presented in the next section of the paper. Result of testing we can see at

Table 2. Results of card loading reliability testing with four cards placed on the test device.

	Number of Repetitions	Number of Retrievals	Number of Non-Retrievals	Success (%)
Distance 0.5 cm	1000	932	68	93.20
Distance 4 cm	1000	977	23	97.70
Distance 8 cm	1000	906	94	90.60
Total	3000	2815	185	93.83

.

When four cards were placed, the cylinder was rotated at the lowest speed of one cylinder rotation/10 s; thus, one card every 2.5 s. Results we can see at Table 2.

In the next section, we discussed an experiment in which we placed two cards opposite each other on the test cylinder. By doing so, we created more time space for the reader to capture each card. At the same rotation speed, a single card should be read in about 5 s. Results we can see at

Table 3. Results of card loading reliability testing with two cards placed on the test device.

	Number of Repetitions	Number of Retrievals	Number of Non-Retrievals	Success (%)
Distance 0.5 cm	1000	996	4	99.60
Distance 4 cm	1000	998	2	99.80
Distance 8 cm	1000	992	8	99.20
Total	3000	2986	14	99.53

.

Because there were only two cards on the test device, the reader had a longer time to stabilize and prepare to load the next card. Perhaps this was the reason for the higher read success rate than when using four cards.

We subsequently left only one card on the test device. We did not change the rotation speed. Results we can see at

Table 4. Results of card loading reliability testing with one card placed on the test device.

	Number of Repetitions	Number of Retrievals	Number of Non-Retrievals	Success (%)
Distance 0.5 cm	1000	999	1	99.90
Distance 4 cm	1000	999	1	99.90
Distance 8 cm	1000	996	4	99.60
Total	3000	2994	6	99.80

.

Depending on the increase in distance, there is a noticeable increase in the inaccurate loading of a single card, but the success rate is relatively high compared to the use of multiple cards. Results we can see at

Table 5. Comparison of results—Percentage retrieval success at each distance depending on the number of cards.

	4 Cards	2 Cards	1 Card	Success (%)
Distance 0.5 cm	93.20	99.60	99.90	97.56
Distance 4 cm	97.70	99.80	99.90	99.13
Distance 8 cm	90.60	99.20	99.60	96.46
Arithmetic average	93.83	99.53	99.80	97.72

.

Based on simple tests, a dependency between the number of cards and the loading speed can be established. The fewer the number of cards at a constant loading time, the higher the card loading success rate. Interestingly, the most suitable distance for card loading was 4 cm.

Testing has highlighted the possibilities of testing the counters of access control systems. The advantages of the proposed method and equipment can save time and cost, especially when designing new systems. All results of testing, we can seen at Figure 5.

Such testing is useful to find out the reading capacity and throughput of the access control system. Especially during the pandemic period, where according to the Association of Security Managers in Slovakia and the experience of ASIS, it was necessary to reduce the number of entries into large organizations due to lack of human resources. The reason for the testing is the change in the mode of entries into organizations during COVID-19, when it was necessary to slow down the entries into facilities due to body temperature measurements. In addition to the throughput, the test equipment can measure the transit times through the individual counters if they do not have such a function and thus adapt the access control system to the actual situation in the organization. The device is useful in the development of IoT-based alarm systems that need to be tested before being used in practice.

5. Conclusions

The study delves into the intricate world of access control systems, highlighting their significance in modern security setups. Defined by technical standards and expert insights, access control systems serve as integral components within alarm systems. They employ a combination of mechanical barriers and information systems to regulate the movement of individuals based on predetermined organizational measures.

The paper meticulously describes the architecture and components of access control systems, emphasizing the role of controllers, access readers, door sensors, and mechanical barriers. Various methods of user identification, including codes, access cards, and biometrics, are explored, underlining the versatility and adaptability of these systems to different security needs.

Classification based on risk levels offers a comprehensive framework for understanding the diverse applications and environments where access control systems operate. From low-risk environments like hotels to high-risk settings such as critical infrastructure, the classification aids in tailoring security measures accordingly.

Moreover, the study extends to practical testing methodologies, particularly focusing on the throughput and reliability of access control systems. The development of testing devices underscores the need for accurate assessment and optimization of system performance. Through meticulous experimentation and analysis, the research provides valuable insights into system limitations and optimal configurations.

Overall, the paper underscores the critical role of access control systems in modern security infrastructure. By combining theoretical frameworks with practical testing, it offers a holistic approach to understanding, evaluating, and enhancing the functionality of these systems. As security challenges evolve, continuous research and innovation in access control systems remain essential for ensuring effective protection of assets and personnel.