Verifying and Validating Visitors

Strategies for checking and issuing credentials


The Systems Approach
Most visitors, 99.99 percent, arrive for legitimate purposes and should be welcomed at the facility. Active participation of smartly presented security officers who are well-trained in both equipment operation and people skills, and who show a keen interest in ensuring that any delay or inconvenience to the visitor is minimal, are the attributes that make the visitor feel at home and are most effective in detecting off-normal conditions and denial of access to the 0.01 percent of visitors who are intent on harm.

Let’s look at the process discussed above as it is implemented in an automated Visitor Management System (VMS). Such systems are being implemented at corporate facilities, commercial office buildings (at both entry lobbies and loading docks) and gated residential communities. Modified versions are also applicable for visitors to school buildings.

Pre-Approval: The validation phase can start before the visitor arrives: The (authorized) host of the visitor accesses a VMS Web server via a standard browser (and a password) and completes a form that provides, as minimum, the visitor’s name, affiliation, date, time and duration of visit, and where in the facility the visitor will be permitted and if a host is needed. An e-mail can be sent automatically to the visitor with the details of the visit and presentation of the e-mail in printed form can be used as part of the verification and validation processes. Pre-approval of visitors greatly reduces processing time and reduces the number of processing stations required.

The Visitor Arrives: The first step when the visitor arrives at the visitor processing station is to verify identity. Preferably, a standard government-issued credential, such as a driver’s license, is presented and its data automatically extracted by a reader. The alternative is keyboard entry which is slow and error-prone. The VMS software can validate the visit by checking that the individual is not on a “black list” and is expected (pre-authorized) at that date and time. If not pre-authorized, the processing staff can phone the host for validation or can require the visitor to phone the host and obtain pre-authorization. In a busy entry lobby, the latter procedure is becoming more prevalent since the responsibility for authorization is transferred from the administrative staff to the trusted host. Once the verification and validation processes are complete, the system can e-mail the host with notification of arrival and print a visitor badge.

Taking and storing a photograph of each visitor is valuable as a deterrent and can be used to identify a visitor who becomes a suspect in a security incident. Printing the photo on a disposable badge to be worn by the visitor is of less value: given the quality of the camera and typical lobby lighting conditions, the print quality is very poor and the photo of questionable use unless employees and security staff in the facility are trained to check the photo against the holder. Also, as mentioned before, visitor badging is ineffective in large facilities unless employees are also required to wear their badges.

The Visitor’s Badge: The system can automatically print the visitor’s badge as soon as the identity is verified and the purpose for the visit validated. The design of the badge is open to the user, but it is useful to ensure that the following information is prominently displayed: visitor’s name, affiliation, host’s name, meeting location (e.g., floor/room number) and expiration date. A self-expiring sticker may be of added security and, if the badge is to be used in an automated access control system, a barcode can be printed on the badge or a prox reader sensor adhered to it.

A label can be printed that is stuck on a reusable plastic badge that can be a proximity card. Any process that requires peeling off a backing or peeling off an old label is more time-consuming and creates waste. Card stock, pre-printed with standard building information, is probably best if longevity and barcode reading are issues. Although such badges are a little more expensive to produce and need a thermal-printed piece of paper ribbon, they are part of the “visitor experience” and enhance the image of the facility.

The period of validity of a badge may be set at a single visit, multiple visits in one day, of multiple days for, say, a visitor who is attending a week-long training course. The quality of the badge should reflect its expected duration. Another factor to plan for is disposal: a badge dropped in a garbage can outside the building should not permit entry by a dumpster diver.

Visitor management systems can interface with many off-the-shelf access control systems. As soon as the visitor badge is produced, the badge identification number (e.g., barcode or proximity code) and the expiration data can be transmitted to the field panels of the card readers that will read the badge. Thus, a turnstile access control system in the entry lobby, with appropriate readers, can accept the visitor’s badge and control passage into the facility.

Kiosks
The VMS process is ideal for automation — if the visitor is preauthorized and has a machine-readable, government-issued credential. ATMs and boarding pass kiosks have trained us to interface with complex systems through simple processes. Many VMSs promote the use of kiosks: the visitor dips the credential in a reader (similar to a bank card at an ATM) and, if its data matches that on a list of pre-authorized visitors, a photo can be taken and the visitor badge is printed. The self-processing procedure is very quick and cost-payback period for a kiosk can be short; however, most complex situations — a visitor who has not been preauthorized or who has a non-uniform credential — still requires staff assistance.

David G. Aggleton, CPP, CSC, is president and principal consultant at Aggleton & Associates, Inc., a security systems design and consulting firm. Dave has been planning and designing security systems for more than 30 years and can be reached at dave.aggleton@aggleton.com