Locks, Key Control & Access Control Systems

Key Takeaways

  • Access-control credentials authenticate via three factors: something you have, something you know, and something you are.
  • False Acceptance Rate (FAR) measures wrongful acceptance of an unauthorized person; False Rejection Rate (FRR) measures wrongful rejection of an authorized person; the Crossover Error Rate (CER) is the point where the two are equal.
  • Fail-safe locks unlock on power loss and are generally required on means-of-egress doors; fail-secure locks remain locked on power loss.
  • A mantrap's interlocking doors admit exactly one verified person per credential presentation, physically preventing tailgating rather than merely discouraging it.
  • Key-control programs rely on an issue log, periodic physical audits, restricted keyways, and defined re-keying triggers such as a lost master key.
Last updated: July 2026

Locking Hardware

Locks are fundamentally a delay control, not a detection control -- a locked door slows an adversary, but it does not, by itself, know that someone tried it. The CPP exam expects familiarity with several lock categories:

  • Mechanical pin-tumbler locks -- the most common lock type; vulnerable to picking and bumping, and if master-keyed, loss of the master key compromises every lock under it.
  • High-security cylinders -- resist picking, bumping, and drilling, and restrict key duplication to an authorized locksmith through a patent-protected keyway.
  • Electromagnetic (mag) locks -- hold the door through electromagnetic force and are almost always configured fail-safe (they unlock on power loss), which life-safety and fire code generally require on a means-of-egress door.
  • Electric strikes and electrified mortise locks -- release the latch electronically and can be configured either fail-safe or fail-secure (remaining locked on power loss), depending on the door's life-safety role and the asset it protects.

Locks are also rated by mechanical durability and attack resistance -- commercial specifications commonly reference ANSI/BHMA grading (Grade 1 being the highest-duty commercial rating, down through Grade 2 and Grade 3), and a CPP-level manager selects lock grade and type based on the door's traffic volume, life-safety role, and the value of the asset behind it, not on cost alone.

Key Control

A key-control program is the documented system governing who may possess which key, how keys are issued, returned, and audited, and how a lost key or a departing employee's unreturned key is handled. Core elements include a key-issue log, periodic physical audits reconciled against that log, restricted keyways to prevent uncontrolled duplication, and a defined re-keying trigger -- a lost master key, a terminated employee with an unreturned key, or a suspected compromise. Master-keying trades convenience for concentrated risk: a single compromised master key defeats every lock beneath it in the hierarchy, so the number of master-key holders and the frequency of physical audits should be minimized and tightly controlled.

Electronic Access Control Systems

An electronic access control system (EACS) replaces or supplements mechanical locks with a system that authenticates a credential, checks it against a permissions database, and logs the transaction -- combining delay (the locked door) with detection and audit (a record of who, where, and when) in a single control. Core components are the credential and reader, the control panel, door-position and request-to-exit sensors, and a head-end software platform that manages permissions and generates reports.

Credential Types

Access-control credentials authenticate identity using one or more of three factors:

FactorDescriptionExamples
Something you haveA physical token in the holder's possessionProximity or smart card, key fob, mobile credential
Something you knowMemorized informationPIN, passcode
Something you areA physical or behavioral trait (biometrics)Fingerprint, iris, facial recognition, hand geometry

Combining two or more factors -- for example, a card plus a PIN -- is multi-factor authentication, reserved for the highest-risk doors because it materially raises the difficulty of exploiting a single stolen or cloned credential.

Door-Level Biometrics

Biometric readers are evaluated on two competing error rates, both controlled by the system's matching-sensitivity threshold:

  • False Acceptance Rate (FAR) -- the system wrongly grants access to an unauthorized person, a security failure.
  • False Rejection Rate (FRR) -- the system wrongly denies access to an authorized person, a convenience and usability failure.

Tightening the threshold lowers FAR but raises FRR, and loosening it does the reverse; the point at which the two rates are equal is the Crossover Error Rate (CER), also called the Equal Error Rate, and is the standard benchmark for comparing biometric accuracy across systems -- a lower CER indicates a more accurate system overall.

Visitor Management

A visitor-management program controls non-employee access through pre-registration, identity verification at a staffed or kiosk-based check-in point, a visible and time-limited badge distinct from employee credentials, an escort or defined destination requirement, and a logged sign-out -- closing the loop so every visitor's presence on site is accounted for from arrival to departure. Mature programs add government-ID capture or scanning, a watchlist or denied-party screen against internal and, where relevant, external exclusion lists, and pre-notification to the host employee, so that a visitor's identity is confirmed before -- not after -- they reach a controlled area.

Mantraps and Tailgating

Tailgating, also called piggybacking, is when an unauthorized person follows an authorized credential-holder through a controlled door without presenting their own credential. It exploits ordinary courtesy and is consistently cited as one of the most common physical-security breach vectors; at ordinary doors, the primary countermeasure is awareness training and culture -- employees challenging unbadged individuals who attempt to follow them in. Where the protected asset justifies the added cost, a mantrap (an interlocking-door vestibule) provides a hard engineering control instead: the outer door must close and lock before the inner door will open, admitting exactly one verified person per credential presentation and physically preventing tailgating rather than merely discouraging it. Many mantrap designs add weight or sensor-based occupancy verification inside the vestibule specifically to defeat an attempt to squeeze a second, unbadged person through alongside the credentialed occupant.

Test Your Knowledge

A biometric access-control system's sensitivity threshold is tightened to reduce the rate at which unauthorized users are wrongly granted access. What is the predictable side effect?

A
B
C
D
Test Your Knowledge

Awareness training asks employees to challenge unbadged individuals who follow them through a controlled door. Which concept does this practice counter, and what is the engineering control that prevents it by design rather than by culture?

A
B
C
D