PUBLISHED RESEARCH · 2024

Multi-Level RFID and PIN Authentication Research

A standalone access-control system combining RFID identification with a second PIN-verification step. The work explored how layered authentication could improve access security while remaining practical for embedded hardware.

This is a research prototype, not a production-ready commercial security system.

Research problem

Single-factor RFID access control is vulnerable to card cloning and loss, and PIN-only access control is vulnerable to shoulder-surfing and keypad observation. Either factor on its own gives a weak guarantee that the person at the door is the person who is authorised to enter.

Motivation

We wanted to explore whether combining two independent authentication factors - possession of an RFID card and knowledge of a PIN - could meaningfully raise the bar for unauthorised access while remaining practical to build on embedded hardware (a microcontroller, an RFID reader, and a keypad) rather than requiring a networked access-control backend.

Proposed authentication flow

Figure: Two-factor authentication flow. RFID card (possession factor) → reader (identity check) → PIN entry (knowledge factor) → verify (both must pass) → access. Any failure denies.
  1. User presents an RFID card to the reader.
  2. Microcontroller verifies the card identifier against a stored allow-list.
  3. If the card is recognised, the user is prompted for a PIN on the keypad.
  4. Microcontroller verifies the PIN against the entry bound to that card.
  5. Access is granted only if both factors pass; any failure defaults to deny.
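
The five steps above, written as a fail-closed decision function. This is an added example, not the firmware from the paper. The card UIDs, PINs, fixed lengths and function names are constructed, and storing PINs in plain text is an assumption made to keep the block short.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UID_LEN 4
#define PIN_LEN 4
typedef enum { ACCESS_DENY = 0, ACCESS_GRANT = 1 } decision_t;

/* Constructed allow-list: each card UID is bound to its own PIN.
 * Plain-text PINs are an assumption made for brevity. */
typedef struct { uint8_t uid[UID_LEN]; char pin[PIN_LEN + 1]; } entry_t;
static const entry_t ALLOW_LIST[] = {
    { {0xDE, 0xAD, 0xBE, 0xEF}, "4821" },
    { {0x01, 0x23, 0x45, 0x67}, "9035" },
};
#define N_ENTRIES (sizeof ALLOW_LIST / sizeof ALLOW_LIST[0])

/* PIN comparison without an early exit, so timing does not reveal
 * how many leading digits matched. Returns 1 on equality. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps 2-5: the decision starts as deny and is changed in one place
 * only, after both factors pass. Every fault path leaves it at deny. */
decision_t authenticate(const uint8_t *uid, size_t uid_len,
                        const char *pin, size_t pin_len) {
    decision_t decision = ACCESS_DENY;
    const entry_t *card = NULL;
    if (uid == NULL || uid_len != UID_LEN) return decision;  /* reader fault */
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (memcmp(uid, ALLOW_LIST[i].uid, UID_LEN) == 0) card = &ALLOW_LIST[i];
    if (card == NULL) return decision;                       /* unknown card */
    if (pin == NULL || pin_len != PIN_LEN) return decision;  /* keypad fault */
    if (ct_equal((const uint8_t *)pin, (const uint8_t *)card->pin, PIN_LEN))
        decision = ACCESS_GRANT;           /* PIN matches the one bound to this card */
    return decision;
}

int main(void) {
    const uint8_t card[UID_LEN] = {0xDE, 0xAD, 0xBE, 0xEF};
    printf("right PIN: %d, wrong PIN: %d\n",
           (int)authenticate(card, UID_LEN, "4821", 4),
           (int)authenticate(card, UID_LEN, "0000", 4));
    return 0;
}
```

The PIN is checked only against the entry for the presented card, so a valid PIN belonging to a different card is still denied.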

Hardware and software components

  • Microcontroller acting as the controller for both authentication factors
  • RFID reader module for the first-factor identity check
  • Matrix keypad for second-factor PIN entry
  • Status indicator (LED / display) for the access decision
  • Firmware implementing the flow, the allow-list, and the fail-closed behaviour

My contribution

Co-authored

Contributed to system design, hardware-software integration, and experimental validation of the combined RFID + PIN scheme, and co-authored the resulting paper.

Experimental setup

The combined scheme was assembled on a standalone microcontroller-based prototype wired to the RFID reader and keypad. We exercised each layer independently and then end-to-end: presenting valid and invalid cards, entering correct and incorrect PINs for each card, and observing how the system handled subsystem-level faults.

Findings

  • Combining an independent possession factor (RFID) with an independent knowledge factor (PIN) is meaningfully stronger than either factor alone, because the attacker now has to defeat two unrelated mechanisms.
  • The combined flow was practical to implement on embedded hardware without a networked backend, which makes the design suitable for the standalone access-control scenarios we targeted.
  • Designing the system to fail closed on any subsystem fault is just as important as the cryptographic or procedural strength of either individual factor.

Limitations

  • This is a research prototype, not a production access-control product.
  • The allow-list is stored locally on the device, which limits scalability across many doors.
  • The threat model does not include physically tamper-resistant enclosures or networked revocation.
  • PIN entropy and lockout behaviour would need to be hardened before any real deployment.

Publication

View paper on IEEE Xplore ↗

Published as 'Multi-level authentication combining RFID and PIN-based access control' at IEEE ICMACC 2024.