Many states are also looking at implementing similar requirements. Under HSPD 12, all federal employees and contractors will be issued an access card, a "smart card," that not only controls their physical access but also enables their logical access.
Other technological advancements are on the horizon in addition to the federal government's "smart cards." One company is adding a biometric fingerprint reader to the card, which requires the user to have their finger read at the door. Pretty high-tech, but the cards are running about $150 a pop and that's a little pricey for my application.
The technology behind the actual cards has remained fairly static over the years. The issue for many is whether to use a standard format for the card or go to a custom format. A card's format is based on the number of bits used to differentiate one card from another, with the 26-bit format as the general standard. Using a custom format reduces the likelihood that duplicate cards might exist, but using the standard format reduces costs. Check with your vendor for actual pricing differences.
Regardless of what technology you wind up adopting, you should never rely on the card alone as proof-positive of personal authentication. In the security world, you always want at least two-factor authentication (TFA) to allow access to the critical areas of your data center. Two-factor authentication refers to (1) "something you have" and (2) "something you know" -- or in the case of a biometric implementation, "something you are".
One option to keep costs down is implementing TFA only at the main door to the building. This works by requiring all personnel to enter or exit through that door, using TFA for access. Once past that door, you've established this individual is in possession of their access card and you can use badge-only readers for the rest of the building. Another option is to implement additional TFA on the most sensitive interior areas of your building.
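The main-door design above only holds if every interior badge read is preceded by a two-factor entry at the main door. The following added example (not part of the original article) audits an access-control log for reads that break that assumption. The reader names, the log layout and the sample entries are constructed for illustration.

```python
from datetime import datetime

MAIN_DOOR = "MAIN"            # hypothetical reader name: the single TFA entry/exit point
SENSITIVE = {"SERVER-ROOM"}   # hypothetical interior areas that also demand TFA

# Constructed sample log: time, card, reader, direction, factors presented
LOG = """\
2007-02-01T08:00:05 1001 MAIN in card+pin
2007-02-01T08:02:10 1001 OFFICE-2 in card
2007-02-01T08:05:40 1002 OFFICE-2 in card
2007-02-01T08:30:00 1001 SERVER-ROOM in card
2007-02-01T09:00:00 1001 MAIN out card+pin
2007-02-01T09:10:00 1001 OFFICE-2 in card
2007-02-01T09:15:00 1003 MAIN in card
"""

def parse(log):
    """Yield (time, card, reader, direction, factor set) per log line."""
    for line in log.splitlines():
        ts, card, reader, direction, factors = line.split()
        yield datetime.fromisoformat(ts), card, reader, direction, set(factors.split("+"))

def audit(log):
    """Return (time, card, reader, reason) for every event that breaks the design."""
    inside = set()   # cards that entered through the main door with two factors
    findings = []
    for ts, card, reader, direction, factors in sorted(parse(log), key=lambda e: e[0]):
        two_factor = "card" in factors and len(factors) >= 2
        if reader == MAIN_DOOR:
            if not two_factor:
                findings.append((ts, card, reader, "main door used without second factor"))
            elif direction == "in":
                inside.add(card)
            else:
                inside.discard(card)
        else:
            # Badge-only readers are trusted only for cards already admitted with TFA.
            if card not in inside:
                findings.append((ts, card, reader, "interior read without main-door TFA entry"))
            if reader in SENSITIVE and not two_factor:
                findings.append((ts, card, reader, "sensitive area entered with badge only"))
    return findings

if __name__ == "__main__":
    for ts, card, reader, reason in audit(LOG):
        print(ts.isoformat(), card, reader, reason)
```

Findings of the first kind usually mean someone followed another person through the main door or a card was handed to someone already inside; either way the badge-only reader granted access on a card whose holder was never checked with a second factor.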
This was first published in February 2007