How can you stop PIN and key token sharing among staff?

Using another member of staff’s login details or access key token is not encouraged in large companies, but it does happen. It is usually innocuous in nature: people borrow a colleague’s details to log in to a second computer, or to open a door if they have forgotten their key token (or have lent it to someone else!). While no harm is meant by this practice, it is to be discouraged so that nobody gets their hands on an access key that they are not authorised to have. If everyone is made more accountable for their token, or uses another, un-shareable method of entry, then this potential problem is no longer even a hypothetical issue.

At P&R Alarms we use the Paxton Net2 system for access control. This system supports PIN entry and RFID token entry; the two methods can be used together, or one can be chosen as the only access method. The choice of access method is down to the organisation and the facility in which it is installed: RFID tokens may be unsuitable in warehouses where RFID technology is already present, and PIN code access may be a concern in buildings open to the public, where visitors can see the code being entered.

To increase accountability among staff for the correct use and safekeeping of their RFID tokens, some companies opt for a scheme whereby lost keys incur a replacement charge. This approach can work well, but in large organisations where there are a lot of RFID tokens in the building at any one time, people may prefer to get by with borrowing others’ tokens in order to avoid a fine, or to avoid getting in trouble for losing or lending their tokens. There is an argument that charging staff for replacement keys can put a person off reporting missing keys, which is in itself a security issue, so whether a replacement charge policy is implemented in your organisation depends on your company ethos. Replacement charges can either be collected in cash, or taken off an employee’s wages with their consent.

A good middle ground is to offer free replacements once a year, and charge for replacements thereafter. This means staff won’t incur any charges the first time, but the threat of paying for a replacement will ensure they take better care of their new token. It is vital to keep a list of who has access, and what number their key token is, so that a token can be deactivated from the system if it is reported missing. This prevents it being used by thieves hoping to gain access to a building without tripping the alarm.

A rule against sharing PIN codes is much harder to enforce, as staff who work closely together often feel comfortable sharing this type of information with one another. If this is the case in your organisation, it may be better to use an RFID token access method rather than shareable PIN codes. Additionally, unscrupulous members of the public may be able to watch and remember the codes staff use in order to gain access at a later date, so this should be borne in mind. Any organisation that has high levels of visitor traffic should think carefully about the use of PIN codes and, if RFID tokens are not a viable option, use covered keypads, which shield the PIN input from view.

Each organisation will have different attitudes to security and information sharing among colleagues, and in some companies the issue of access key sharing is not something that worries upper management. There are, however, many organisations and facilities that require a stringent level of security, and in these instances PIN and RFID token sharing should be addressed as a serious problem that could compromise the integrity and operations of the business.