Monday 21 May 2012

Q-Action cards as a secure access system


Here’s how Q-Action QR codes can be used to create a simple but robust photo-pass access security system for buildings and events, at almost no cost and without special equipment or infrastructure.


The security problem

I once interviewed a security chief at a major airport who, rather alarmingly, told me that his tests had shown that you could walk past one of their security guards with the photo security pass of someone radically different to you and yet still have an 80% chance of not being challenged as, even putting sloppiness and fatigue aside, it was difficult for humans to match photographs to people. Technologies such as biometrics have been hyped as solutions, but are costly and have so far failed to work reliably; as demonstrated by the recent abandonment of iris scanning at UK passport control. Technological solutions to security seem to come at a cost and to involve dedicated equipment, with little by way of fall-back if it fails.

As with any security system the effort and complexity of what you build using Q-Action depends on the nature of the risk and the degree of threat, but you can easily lock this system down to a greater or lesser degree according to your resources and your own balance of security and convenience. You can also change that balance quickly in response to perceived threats.

Really Simple Security



For a low-level security system without requiring equipment or infrastructure beyond a smartphone, you create a standard Q-Action membership or similar card type, ideally  with a photo of the owner. You could even put the photos on a shared space where they can be maintained by the card owner as they get older, grow beards, change their hair, or wear glasses. You can produce printed cards with the photo images and the QR code like standard security passes.

The QR code on the cards are scanned by security personnel with a any PC/laptop/tablet or a mobile phone. Even at this level it already represents an increased level of security as the photo that appears on the card and the photo on file that appears on scanning the QR code should be identical. This should already be much more positive and reliable than asking a person to compare a poor passport-booth photo with a real face walking by (which you will still have present as a check that this is the holder).

If you have a high peak traffic flow and want to avoid hold ups you could let the individuals scan their own cards and simply show their phones and matching cards to security. Both are possible to fake, but it is a lot of trouble.

Really Serious Security

Now comes the clever bit. The trick is to create one or more ‘security images’ that can be uploaded to a fixed URL that only you have access to. You put this single URL in all of your cards in the ‘background image’ field. This means that the current background will be rendered from all cards as they are scanned. As this is repetitive, any change in the regular background will be immediately apparent to security personnel.

You can change the background of the cards according to days of the week, time of day, or even individually per user according to their access level. As no user has access to the image, which could be complex, or could be unique and frequently changing, it would be difficult in the extreme to anticipate or replicate the correct security image.

If you are really prepared to go to town and have a Local Area Network and/or Wi-Fi, you could put the image on an internal server and restrict access by IP or MAC address, as well as restricting access of the scanning device to the known image source. This ensures that the security image is only delivered to a known device, and that the scanning device can only access the security image from a known source. This should be within the capabilities of most local set-ups using only the standard user access control features. Add WPA or similar encryption and you have a system that is about as locked down as it can be.

Lost stolen and abused

Q-Action cards reported as lost or stolen can have the message or the photo changed by the administrator to give a highly visible warning to security upon scanning. The background image URL can also be removed or changed to an alert one. Any subsequent scanning can also be noted from the web analytics audit trail. Cards can thus be rendered ineffective and a liability.

Regular system abusers, or personnel known to be high-risk, or in some other way special, such as visitors or contractors, can be flagged with a message or a different background image that causes security to give them appropriate attention.

No photo (or other data apart from the QR code) on the physical cards in an internally locked-down system (security image served from an internal server not available on the Internet) means that anyone gaining possession of a valid card and trying to use it, or to doctor it, has no idea what the complete scanned result should look like.

Multi-factor security

There are a number of factors that make it difficult to circumvent a Q-Action access system, but the fundamental strength is that you can centrally control, and easily change as frequently as you like, the data, the photo, and the background security image that attests to its validity.

Other factors are:
  • Physical photo and stored photo (or other image) are an exact match, which is easy and quick for a human to assess
  • Q-Action URLs are randomly generated so are not able to be guessed
  • The first part of the URL shown after scanning should be the Q-Action one, otherwise it is a fake and this can be captured in a closed local network
  • Q-Action QR codes are hard to spoof as all look very similar whereas another URL would produce a different pattern
  • Access to the security image can be highly restricted in a local area network
  • Using web page analytics means that an audit trail can be created