One of the major advantages that Entryfy has over legacy access control systems is the multitude of credential types that you, the administrator, are free to issue to mobile app users. Some of these credentials, in fact, don't even need a smartphone.
For example, you can let one user enter a door with a keycard while allowing another user to enter the same door using a Remote open or by showing a QR code to a camera.
In the Entryfy environment, types of credentials are referred to as Auth types (short for Authentication types). The system supports up to 9 auth types. These include physical and virtual auth types. There is also a unique backup code for each user. Certain auth types have limitations; some are more secure, some are more user-friendly. More on this below.
Note: Not all of the auth types listed below may be available to you. This depends on your organization's subscription.
Physical auth types:
- Show QR
- Keycard + PIN
Virtual auth types:
- Scan QR
- Scan QR + PIN
- Remote + PIN
A group's Entry and Exit auth types may be different. In theory, you're free to combine the auth types any way you want. In practice, though, not all combinations make sense.
Compare the strong and weak sides of each auth type using data from the table below.
Read more about each auth type's peculiarities below the backup code paragraph.
Inbreak protection score - how difficult it is for a criminal to open the door by cloning, faking or matching the given auth type. 0 - no problem at all, 10 - impossible.
User convenience score - how convenient it is for regular users to routinely apply their credentials many times a day. 0 - utterly awful, 10 - incredibly convenient.
Trusted user score - how simple it is for a user to consciously give the credentials to a third party without being noticed by the system or its supervisors. 0 - impossible, 10 - very easy.
Punch clock support - whether or not the given auth type can be used as a part of the work hours tracking tool.
Internet demanding - whether or not the given auth type requires the user's smartphone to stay online while opening a door.
GPS demanding - whether or not the given auth type verifies the smartphone's coordinates before opening the door.
No smartphone needed for door open - users need a smartphone only for the setup but can routinely open the door with no device at hand.
The backup code
In the Entryfy system, each Regular and Guest user has a unique 8-digit code called the Passcode. This code is generated automatically when the user's profile is created. The Passcode is subject to the standard credential rules: the user and the group must be valid and the schedule must allow the user's entry. If any other credential allows the user's entry at the moment, then the Passcode will also be applicable.
Note: Users cannot use their passcodes if doors are not equipped with keypads.
Passcode requires no internet connection, no GPS and does support the Punch clock functionality. You never set the Passcode auth type for the group. It's a default credential that is automatically added for all groups.
Users may hand over their passcodes to other users in an attempt to cheat the Punch clock. If you notice the user routinely using the Passcode instead of a primary credential, you should investigate why. Routine Passcode usage must be prohibited. Passcode is an inherently reliable emergency credential intended to be applied only if the primary credential doesn't work - for example, there is no internet connection for the Remote open or the user forgot the smartphone or lost the keycard.
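One way to spot routine Passcode usage in door-open records is sketched below. This is an added example, not Entryfy code: the event layout, the sample events and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, auth type used, door).
# This field layout is an assumption, not Entryfy's export format.
SAMPLE_EVENTS = [
    ("2024-03-04T08:58:10", "alice", "Show QR", "Main entrance"),
    ("2024-03-05T08:59:41", "alice", "Show QR", "Main entrance"),
    ("2024-03-06T09:01:02", "alice", "Passcode", "Main entrance"),  # one-off
    ("2024-03-07T08:57:30", "alice", "Show QR", "Main entrance"),
    ("2024-03-04T09:00:05", "bob", "Passcode", "Main entrance"),
    ("2024-03-05T09:00:11", "bob", "Passcode", "Main entrance"),
    ("2024-03-06T08:59:58", "bob", "Passcode", "Main entrance"),
    ("2024-03-07T09:00:03", "bob", "Passcode", "Main entrance"),
    ("2024-03-08T09:02:47", "bob", "Keycard", "Main entrance"),
    ("2024-03-04T08:55:00", "carol", "Passcode", "Main entrance"),  # forgot phone
    ("2024-03-04T13:02:19", "carol", "Passcode", "Main entrance"),  # same day
    ("2024-03-05T08:54:12", "carol", "Show QR", "Main entrance"),
    ("2024-03-06T08:56:40", "carol", "Show QR", "Main entrance"),
]


def routine_passcode_users(events, min_days=3, min_share=0.5):
    """Return {user: (passcode_days, passcode_share)} for users to investigate.

    A user is flagged when the Passcode opened a door on at least `min_days`
    distinct days AND makes up at least `min_share` of all their door opens.
    Counting distinct days keeps a single bad day (phone left at home) from
    looking like a habit. Both thresholds are illustrative assumptions.
    """
    total = defaultdict(int)
    passcode = defaultdict(int)
    days = defaultdict(set)
    for ts, user, auth_type, _door in events:
        total[user] += 1
        if auth_type == "Passcode":
            passcode[user] += 1
            days[user].add(datetime.fromisoformat(ts).date())
    flagged = {}
    for user, opens in total.items():
        share = passcode[user] / opens
        if len(days[user]) >= min_days and share >= min_share:
            flagged[user] = (len(days[user]), round(share, 2))
    return flagged


if __name__ == "__main__":
    print(routine_passcode_users(SAMPLE_EVENTS))
```

In the sample, only bob is flagged: alice's single Passcode entry and carol's two entries on one day look like emergency use of the backup credential.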
Show QR offers the best combination of security and convenience while imposing no requirements on the internet connection quality or GPS signal. It, however, requires the door to be provided with a camera-equipped door station.
Show QR is an inherently unbreakable auth type. Each Regular user has his/her own unique QR code that refreshes every 10 seconds. To open the door, the user must enter the app and then show the QR to the camera.
The weakest link here is the user. Show QR can only be used for unauthorized access if the user either loses or consciously hands over the password to his/her mobile app profile.
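The page does not describe how the refreshing QR code is derived. The added example below (not Entryfy code) uses a generic HMAC-over-time-step construction, in the style of TOTP, to show why a copied or photographed code stops working once its 10-second window has passed; the payload format, secret handling and function names are all assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 10  # the page states that the QR refreshes every 10 seconds

# Constructed per-user secret, shared by the app and the verifier (assumption).
DEMO_SECRETS = {"user-17": b"constructed-demo-secret-0123456789"}


def _tag(user_id: str, secret: bytes, step: int) -> str:
    """HMAC-SHA256 over user id and time step, truncated to 16 hex chars."""
    msg = user_id.encode() + b"|" + struct.pack(">Q", step)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def qr_payload(user_id: str, secret: bytes, now: float) -> str:
    """App side: the string the QR encodes for the time step containing `now`."""
    step = int(now // STEP_SECONDS)
    return f"{user_id}:{step}:{_tag(user_id, secret, step)}"


def verify_payload(payload: str, secrets: dict, now: float, skew_steps: int = 0) -> bool:
    """Verifier side: accept only a valid tag for the current time step."""
    try:
        user_id, step_text, tag = payload.split(":")
        step = int(step_text)
    except ValueError:
        return False  # malformed payload
    secret = secrets.get(user_id)
    if secret is None or step < 0:
        return False  # unknown user or nonsensical step
    current = int(now // STEP_SECONDS)
    if abs(current - step) > skew_steps:
        return False  # stale (or future) code, e.g. a screenshot shown later
    expected = _tag(user_id, secret, step)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), tag.encode())


if __name__ == "__main__":
    t = 1_700_000_003
    code = qr_payload("user-17", DEMO_SECRETS["user-17"], t)
    print(verify_payload(code, DEMO_SECRETS, t))       # same window
    print(verify_payload(code, DEMO_SECRETS, t + 10))  # next window
```

With such a scheme the code itself has no lasting value, which is consistent with the page's point that the remaining risk is the user's app profile password.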
PIN is a 4-digit code that requires a keypad at the door. As a discrete auth type, PIN offers a fairly low level of security and no Punch clock support. The PIN auth type should not be applied to any doors of the outer perimeter or any doors protecting anything valuable. Even one valid PIN credential at a door greatly reduces the level of protection that the given door can provide.
A PIN is generated automatically once the user is added to a PIN group (or any group with two-factor authentication) and the group is activated. The user can view and modify his/her personal PIN in the app.
Scan QR/Scan QR + PIN
Scan QR is the ability of the user to open a door by scanning the door's QR code with his/her device's camera while in the mobile app. Scan QR belongs to the virtual auth types, meaning that it requires no physical readers at the door. Instead, it requires only the door's QR code to be printed and placed on the wall or on the door (read the Security devices article to learn more about door QR codes) while also demanding a reliable internet and GPS connection from the user's device during the door open attempt.
Scan QR auth types should not be applied to any door where a wireless internet connection or GPS connection is not present.
Scan QR credentials stay valid within a certain radius around the doors they are applicable to. Normally, it's several hundred meters.
Scan QR + PIN is a sort of virtual two-factor authentication combining the Scan QR and the PIN auth types for an additional layer of protection. Scan QR + PIN requires no keypad - the user enters the PIN on the smartphone screen after the QR is scanned.
Remote/Remote + PIN
Remote is the ability of the user to open a door by pushing a button on his/her device's screen while in the app. Remote belongs to the virtual auth types, meaning that it requires no physical readers at the door. Instead, it requires a reliable internet and GPS connection from the user's smartphone during a door open attempt.
Remote auth types should not be applied to any door where a wireless internet connection or GPS connection is not present.
Remote credentials stay valid within a certain radius around the doors they are applicable to. Normally, it's several hundred meters.
Remote + PIN is a sort of virtual two-factor authentication combining the Remote and the PIN auth types for an additional layer of protection. Remote + PIN requires no keypad - the user enters the PIN on the smartphone screen after the Remote button is pushed.
Remote/Remote + PIN don't support the Punch clock functionality.
Keycard is a legacy auth type within the Entryfy system intended to ensure a simpler transition of an organization from card-based access control to Entryfy and mobile-based credentials. Keycards can also be issued to users with no smartphone.
Note: Compared to the Show QR, Scan QR or Remote auth types, Keycards provide a much weaker level of protection against both outside threats and irresponsible employees. Always treat Keycards as only a temporary and occasional solution. Never set keycards as the primary auth type for your entire organization.
The supported keycard standards only depend on the functionality of the readers the doors are equipped with. The system itself supports the whole range of existing keycard standards.
Read the How to add a keycard? article to learn how a keycard can be added to the Entryfy system.
Keycard + PIN is a form of physical two-factor authentication requiring both the keypad and the card reader to be available at the door. Unlike Scan QR + PIN and Remote + PIN, Keycard + PIN requires the code to be entered on the physical access control device (reader) rather than the smartphone screen.
The Request exit (REX) button is a standard piece of access control equipment that can be integrated into the Entryfy system for a more convenient and quicker exit from an area that doesn't need strict attendance control.
The REX button doesn't support the Punch clock functionality. If a door that belongs to a Checkpoint has an active REX button, no relevant Punch clock data will be collected.
By default, all REX buttons at your organization are deactivated. Even if the device was operational prior to the Entryfy integration, it's deactivated once the integration is complete.
To activate the REX button at a door, the door has to be assigned to at least one valid group with the REX exit auth type and with at least one valid user in it. The REX auth type is subject to the general scheduling rules - the button stays operational for as long as the user's and the group's valid from/to dates, and also the schedule assigned to the group, allow the entry.
The fundamental difference between REX and other auth types is that REX creates a public credential whereas any other given auth type forms a number of personal credentials.