The Most Basic Physical Security Vulnerability


Mechanical Key Override

I am so often amazed to see Security Integrators uninterested in the end-user/owner’s decision on how to manage a mechanical key override solution for electronic access control. This is the most severe, easily recognized vulnerability in the entire continuum of security applications. Every organization’s greatest fear and biggest dirty little secret is lost masterkeys. Do security integrators factor a client’s lost masterkeys into the system design? In a career of private conversations with facilities operations teams, I can emphatically say, no one has told me they have never lost a masterkey.

Must Have / Can’t Have Dilemma

As any honest consultant will tell you, failure rates with electro-mechanical and electronic equipment are very real. Two problems arise when access control solutions fail: doors allow unauthorized access, or doors do not allow authorized access. Each is equally problematic: one for security reasons, the other for customer inconvenience. In my experience, at least a third of access controlled doors in the U.S. are not designed with fail-secure applications (mag locks). And if you install battery back-up, do the batteries get inspected regularly? The second scenario may be worse: Door Forced. So what does the industry do? Deploy the generally accepted emergency solution: mechanical key override. Here is the head-scratcher: when locksmiths are left on their own, these cylinders are KEYED INTO existing systems rather than keyed differently, adding all the vulnerabilities that come with it.

How Old is Pin Tumbler Technology?

Pin tumbler cylinders were invented approximately 160 years ago. So, even when working with the most recent access control solutions, we are still depending on the performance of a 19th-century technology to deter unauthorized access. That vulnerability is not limited to a professional criminal picking the cylinder. Today, any kid with two photos of a key (patented keyways too), a CAD program and a cheap 3D printer can duplicate a key.

Depending on 160-Year-Old Tech, IS there an Answer?

There is a new generation of “key” technology today. The “key” here (pun intended) is an electronic format with a loaded credential carrying an authenticated “digital identity” within. This technology has been kicking around for about 10 years in the banking, retail and municipal sectors, but has only been introduced to the broader security market in the last few years. These electronic credentials are managed by self-hosted or cloud-hosted software in a central, server-based environment. This IS the next generation in “key” control. A battery in the key is charged weekly and provides power to the credential (key) and to the electronic cylinder (when inserted). There is a mobile programming device that is capable of pairing via Bluetooth to your cell-connected smartphone, loading and updating credentials and user permissions to and from the server in real time. The solution includes audit trail capability for both key and cylinder, and also has more advanced features such as expiration of keys and the ability to re-key entire buildings at no cost. Interestingly enough, discussions have begun to integrate these solutions with major access control software, so key management can be integrated into identity management. What a powerful combination!



This is NOT Traditional Electronic Access Control!

While there are features in common, the real value becomes clear when it is viewed as the next generation of key control. I have seen it used as an access control solution, but in that application it offers a limited feature set, primarily: electronic credential management, schedules and audit trail. Just as a quick measure, the solution is roughly 1/5 to 1/10 the cost of traditional card access control per opening.

Risk Mitigation

Traditional key management touches so many roles: property managers, facilities managers, security managers and yes, risk managers. Now that current technology options exist for key control, those responsible for risk management should be looking at this type of solution long and hard. If we stop sweeping the issue of lost master keys, and the high probability of the associated vulnerability it represents, under the rug, the ROI becomes VERY clear. At a minimum, this tech makes sense for all exterior doors. Common locksmith practice is to key exterior doors separately, because of the probability of lost key events. Instead of the mechanical interim solution, deploy something more permanent and eliminate recurring re-keying costs.

If you would like to discuss this, or other security topics, please contact him via LinkedIn. Also, take a look at his LinkedIn Discussion Board Security Convergence, or his Twitter feed @DLIPTech.

This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be a personal professional blog. The content reflects my observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed reflect a personal viewpoint and do not in any way represent the position of any other person, organization or company.

About Doug Levin

Doug is a certified (PSP, AHC, LEED AP), experienced business development professional with a focus on the physical security industry. With a diverse background that includes delivering products & services through multiple channels (manufacturing, distribution, specialty & general contracting), he brings a broad industry perspective that adds greater value for his clients. Having decades of experience with sales engineering and design-build of low-voltage automated systems, he also offers a strong emphasis on technical knowledge and consulting services. His career has included responsibility for: profit & loss, operations and sales management with front-line experience in estimating, sales/marketing, project management and developing security design documents & spec writing.