Locks, which come in many types, sizes, and shapes, are an effective means of physical access control. Locks are by far the most widely implemented security control largely because of the wide range of options available as well as the low cost of the devices.

Lock types include the following:

• Mechanical—Warded and pin and tumbler

• Cipher—Smart and programmable

Warded locks are the simplest form of mechanical lock. The design of mechanical locks uses a series of wards that a key must match in order to open the lock. Although it is the cheapest type of mechanical lock, it is also the easiest to pick. Pin and tumbler locks are considered more advanced. These locks contain more parts and are harder to pick than warded locks. When the correct key is inserted into the cylinder of a pin and tumbler lock, the pins are lifted to the right height so that the device can open or close. More advanced and technically complex than warded or pin and tumbler locks are cipher locks, which have a keypad of fixed or random numbers that requires a specific combination to open the lock.

Before selecting a lock, consider the fact that not all locks are alike and they come in different grades. The grade of the lock specifies its level of construction. The three basic grades of locks are as follows:

• Grade 1—Commercial locks with the highest security

• Grade 2—Light-duty commercial locks or heavy-duty residential locks

• Grade 3—Consumer locks with the weakest design

Although locks are good physical deterrents and work quite well as a delaying mechanism, a lock can be bypassed through lock picking. Criminals tend to pick locks because it is a stealthy way to bypass a lock and can make it harder for the victim to determine what has happened.

The basic components used to pick locks follow:

• Tension wrenches—Like small, angled flathead screwdrivers. They come in various thicknesses and sizes.

• Picks—Just as the name implies, similar to dentist picks: small, angled, and pointed.

Together, these tools can be used to pick a lock. One example of a basic technique used to pick a lock is scraping. With this technique, tension is held on the lock with the tension wrench while the pins are scraped quickly. Pins are then placed in a mechanical bind and will be stuck in the unlocked position. With practice, this can be done quickly so that all the pins stick and the lock is disengaged.

Tokens and biometrics are two additional ways to control individuals’ movements as they travel throughout a facility or attempt to access specific areas. Tokens are available in many types and can range from basic ID cards to more intelligent forms of authentication systems. Tokens used for authentication can make an access decision electronically and come in several different configurations, including the following:

• Active electronic—The access card has the ability to transmit electronic data.

• Electronic circuit—The access card has an electronic circuit embedded.

• Magnetic stripe—The access card has a stripe of magnetic material.

• Contactless cards (proximity cards)—The access card communicates with the card reader electronically without requiring physical contact with the reader.

Contactless cards do not require the card to be inserted or slid through a reader. These devices function by detecting the proximity of the card to the sensor. An example of this technology is radio frequency identification (RFID). RFID is an extremely small electronic device that is composed of a microchip and an antenna. Many RFID devices are passive devices. Passive devices have no battery or power source because they are powered by the RFID reader. The reader generates an electromagnetic signal that induces a current in the RFID tag.

Another form of authentication control is biometrics. Biometric authentication is based on a behavioral or physiological characteristic that is unique to an individual. Biometric authentication systems have gained market share because they are seen as a good replacement for password-based authentication systems. Different biometric systems have various levels of accuracy. The accuracy of a biometric device is measured by the percentage of type I and type II errors it produces. Type I errors, or false rejections, are reflected by what is known as the false rejection rate (FRR). This is a measurement of the percentage of individuals who should have been granted but were not allowed access. A type II error, or false acceptance, is reflected by the false acceptance rate (FAR), which is a measurement of the percentage of individuals who have gained access but should not have been granted access.

Some common biometric systems include the following:

• Finger scan systems—Widely used, popular, installed in many new laptops and mobile devices

• Hand geometry systems—Accepted by most users; function by measuring the unique geometry of a user’s fingers and hand to determine an identity

• Palm scan systems—Much like the hand geometry systems except they measure the creases and ridges of a user’s palm for identification

• Retina pattern systems—Very accurate; examine the user’s retina pattern

• Iris recognition—Another eye recognition system that is also very accurate; matches the person’s blood vessels on the back of the eye

• Voice recognition—Determines identity by using voice analysis

• Keyboard dynamics—Analyze the user’s speed and pattern of typing

No matter what means of authentication you use, a physical access control needs to fit the situation in which it will be applied. As an example, if the processing time of a biometric system is slow, users tend to just hold the door open for others rather than wait for the additional processing time. Another example is an iris scanner, which may be installed at all employee entrances yet later causes complaints from employees who are physically challenged or who use wheelchairs because they cannot easily use the newly installed system. Consider who will be using the system and whether it will be appropriate given the situation and user base.