Are RFID badges still secure to use?
Radio-frequency identification (RFID) systems consist of two components: a tag and a reader that use radio frequencies to communicate. In access control, the tag is typically an access badge. There are three categories of RFID tags, based on the frequencies they use to communicate:
In general, a higher frequency range has a higher read range and a faster data transfer. The downside is that higher frequencies are more prone to interference from electromagnetic applications, liquids and metals.
There are two common types of RFID tags: passive and active.
Usually, passive tags are used in access control applications, since only small pieces of information need to be exchanged. Examples of data that can be transmitted are identification numbers, personal information and pictures. When the door reader detects an RFID badge via radio waves, that radio wave is used to power up the tag and reflect a data signal back to the reader. The reader decodes this information and sends it to the host software. Based on the information provided, the host software grants or denies the user access and sends this information to the access control panel hardware, which controls the door.
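The sketch below is an added illustration, not code from this article or from any access control product. It models the flow just described, where the host decides only on the identification number it receives, so a copy of a badge gets the same answer as the original, and it shows one check a defender can run on the read log: the same ID granted at two doors faster than a person could walk between them. Badge IDs, door names and the 60-second travel time are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions, not values from the article).
AUTHORIZED = {"0004A1B2": {"lobby", "lab"}, "0007C3D4": {"lobby"}}
MIN_TRAVEL_SECONDS = {frozenset({"lobby", "lab"}): 60}

@dataclass
class Read:
    t: int          # seconds since midnight
    door: str       # reader that saw the badge
    badge_id: str   # all the host learns from a passive tag

def host_decision(read):
    """Grant or deny purely on the decoded identification number."""
    return read.door in AUTHORIZED.get(read.badge_id, set())

def flag_possible_clones(reads):
    """Pairs of granted reads: same ID, different doors, too close in time."""
    last_seen, flagged = {}, []
    for r in sorted(reads, key=lambda x: x.t):
        if not host_decision(r):
            continue  # denied reads never opened a door
        prev = last_seen.get(r.badge_id)
        if prev is not None and prev.door != r.door:
            pair = frozenset({prev.door, r.door})
            if r.t - prev.t < MIN_TRAVEL_SECONDS.get(pair, 0):
                flagged.append((prev, r))
        last_seen[r.badge_id] = r
    return flagged

SAMPLE_READS = [  # constructed log
    Read(32400, "lobby", "0004A1B2"),  # badge presented at the lobby
    Read(32410, "lab", "0004A1B2"),    # same ID at the lab 10 s later
    Read(32500, "lobby", "0007C3D4"),
    Read(32600, "lab", "0007C3D4"),    # denied: not authorized for lab
    Read(36000, "lab", "0004A1B2"),    # an hour later, same door: normal
]

if __name__ == "__main__":
    for r in SAMPLE_READS:
        verdict = "GRANT" if host_decision(r) else "DENY"
        print(r.t, r.door, r.badge_id, verdict)
    for a, b in flag_possible_clones(SAMPLE_READS):
        print(f"review {a.badge_id}: {a.door}@{a.t} then {b.door}@{b.t}")
```

Both reads of 0004A1B2 are granted, because the host cannot tell which physical tag sent the number; only the timing check singles the pair out for review.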
Even though the technology has been in use for more than 20 years, RFID systems face serious shortcomings:
"In seconds you steal someone's badge, have a complete copy, and you walk into the building." - D. Maldonado (Security Researcher)
Near field communication (NFC) is a newer technology, comparable to RFID. Most modern smartphones are equipped with NFC tags. Consequently, smartphones can communicate with door readers, making RFID badges obsolete. NFC only works at a smaller distance, 10 cm, which makes intercepting the signal a lot harder.
Although NFC is a step closer to a more secure system, loss, theft and exchange of smartphones still create potential security breaches. In order to safeguard an office building, an industrial site or a production facility, there needs to be 100% certainty about the identity of the visitor, employee or contractor. This can only be achieved by adding a biometric layer to the access control solution.