Entering a PIN on a keypad reader

PIN-Code Best Practices for Secure Access Control

By Tom Piston, East Coast Sales Manager

Why Keypads and PINs?

Quite literally millions of radio frequency identification readers, cards and tags are used in electronic applications around the world each and every day. The ubiquitous nature of these components makes them a target for hacking and compromise. While the extent to which these threats are actually carried out can be argued, the very facts that it’s possible and publicized1 has driven the development of ever more advanced reader and credential technologies.

One of these advancements was the introduction of keypad readers. Keypad readers allow personal identification numbers (PINs) to be used as access credentials. Today, the use of PINs—widely used everywhere from alarm panels to banking to telephones—is becoming more common in EAC applications. Security is a reason why. The threat of card cloning may be negated by the use of secret PINs, which are only known by the user. In reality, while PINs have the ability to significantly enhance the security of EAC applications, they are only as safe as the vigilance of the user.

Typical PIN Applications

An integrated keypad reader—a device that accepts both PIN and credential data—can accommodate PIN usage in three ways: PIN-only, card-or-PIN, and card-plus-PIN. In instances where access control is being implemented merely for convenience, as an alternative to physical keys, the PIN-only method may be adequate, as security threats may be low. This is also efficient and economical, as it eliminates the need to purchase and manage physical cards or tags. The card-or-PIN method is often used where multiple types of visitors may need access. For instance, employees may be issued cards, while PINs are assigned to less-frequent users, such as cleaning staff.

For access control applications that require enhanced security, the card-plus-PIN method—a form of two-factor authentication—is the best option. When a PIN is used in conjunction with another credential, such as a card or tag, security is elevated by adding a second layer of identification to the access transaction. In this type of application, security is based on something a user has, a card or tag, as well as something a user knows, a PIN.

In two-factor authentication scenarios, neither a physical credential nor a PIN alone will grant access; rather they must be used together. This provides for a more secure access control solution. Regardless of how keypad readers are used, proper management and thoughtful implementation of PIN codes is critical to maintaining the integrity of the access control system.

Best Practices for Selecting PINs

There are several basics to consider when assigning or selecting PINs. First, avoid short PINs. Access control PINs are typically four to six digits, and the use of longer PINs is encouraged, while balancing a user’s desire for convenience with an organization’s need for security. Avoid PINs that are easy to guess, such as birthday or anniversary dates, or portions of phone numbers or addresses. While easy to remember, do not use PINs comprised of single digits like 1111, or digits in numerical order such as 1234. Just as they are easy to remember, they are easy for others to simply guess.

There are additional factors to consider that may not be as apparent and may require a review of the keypad layout. PINs that form a straight line down one column of a keypad, as an example, should be avoided. While 2580 may be an acceptable PIN on a typical 2×6 keypad, the same PIN on a 3×4 keypad forms a straight line down the center column. Some PINs can form a pattern on a keypad and should also be avoided. For example, while 1290 may be a suitable PIN on a 3×4 keypad, it comprises the four corners of 2×6 keypad. These types of PINs—while requiring more thought to avoid—may be easier for an unscrupulous user to hack, using nothing more than guesswork and random button presses.

A single, common PIN for all users is also inadvisable, as that is extremely vulnerable. In fact, building owners or facility managers may wish to consider assigning unique PINs for all users in order to be sure best practices are implemented. Requiring PINs to be changed on a regular basis is also a good practice.

Finally, the condition and location of keypad reader hardware is also important. Keep keypads clean and in good condition, repairing or replacing worn or damaged keypads. Look for keypad readers that are fully potted and IP67 code rated, allowing for installation indoors or out, on or off metal, on flat or uneven surfaces. If possible, install keypad readers in a location that deters snooping. Since that may not always be possible, urge users to shield their PINs from prying eyes when entering them on a keypad.

Users should be encouraged to be as diligent in protecting their access control PINs as they are their ATM banking PINs. PINs are personal private information (PPI), and should be handled as such. They should be kept secret and not be shared. Indeed, when managed and implemented properly, PIN codes are a useful, economical, and reliable type of credential for use in electronic access control applications that deliver the convenience users want and the security their organizations require.

  1. “How they hacked it: The MiFare RFID crack explained”, Geeta Dayal, Computerworld, March 19, 2008 https://www.computerworld.com/article/2537817/how-they-hacked-it--the-mifare-rfid-crack-explained.html
  2. “Reverse Engineering HID iClass Master Keys”, Kevin Chung, June 12, 2016 https://blog.kchung.co/reverse-engineering-hid-iclass-master-keys/
  3. “We Copy Access Cards and Key Fobs”, https://key.me/rfid

Tom Piston, East Coast Sales ManagerTom Piston

East Coast Sales Manager