Access Control Systems: Cards, Biometrics and Mobile Credentials

A modern access control system consists of four core components: credentials (the thing a person presents to identify themselves — a card, fingerprint, or phone), readers (the devices mounted at doors that read the credential), controllers (the hardware that makes the access decision and triggers the door lock), and management software (the application used to configure users, doors, schedules, and access rules). When a user presents a credential, the reader transmits the credential data to the controller, which checks it against its access rules and either grants or denies entry. The decision is logged, and if granted, the controller signals the electric lock to release.

Access control systems range from simple standalone keypads and card readers for a single door to enterprise-grade networked systems managing thousands of doors across multiple sites. In the enterprise space, the controller is typically an IP-connected device that communicates with a central server or cloud platform, allowing administrators to manage access policies, view real-time events, and generate compliance reports from a single interface. For IT resellers, access control represents an adjacent market opportunity — it is increasingly IP-based, software-driven, and integrated with the same networks you already manage.

Proximity (prox) cards are the oldest and most common credential type still in use today. They operate at 125 kHz and transmit a fixed, unencrypted ID number when held near a reader. The most widespread format is HID's ProxCard II, found in millions of installations worldwide. Prox cards are cheap and reliable, but they have a critical weakness: the credential data is transmitted in the clear and can be cloned with a $20 device from the internet. For any security-conscious organisation, proximity cards should be considered legacy technology that needs to be migrated away from.

Smart cards operate at 13.56 MHz and use encrypted, mutual-authentication protocols to communicate with the reader. The most common smart card standards are MIFARE DESFire EV2/EV3 and HID iCLASS SE / SEOS. Unlike prox cards, smart cards perform a cryptographic handshake with the reader — the credential data is never transmitted in the clear, making cloning extremely difficult. Smart cards also support multiple applications on a single card, so the same badge can be used for door access, secure printing, cashless vending, and logical PC login. For Australian organisations concerned about security, upgrading from 125 kHz prox to 13.56 MHz smart cards is one of the most impactful improvements they can make.

Biometric readers use physical characteristics — fingerprints, facial features, or iris patterns — to verify a person's identity. Fingerprint readers are the most common biometric in access control, ranging from capacitive sensors for indoor use to multispectral sensors that work reliably with wet, dirty, or worn fingerprints. Modern fingerprint readers store templates (mathematical representations of the fingerprint) rather than images, and match against a database in under a second. They are well suited for high-security areas like server rooms, pharmacies, and cash-handling zones where card-based access alone is insufficient.

Facial recognition readers have advanced significantly in recent years, driven by AI and deep learning algorithms. Modern readers use infrared depth sensing (similar to Apple's Face ID) to create a 3D map of the face, which is resistant to spoofing with photographs or video. Facial recognition offers the advantage of being contactless and hands-free — the user simply walks up to the reader and is identified within a second. This is particularly valuable in healthcare settings where staff may have gloves on, or in food processing facilities where hygiene requirements prohibit touching shared surfaces. However, privacy legislation in Australia (and globally) is evolving rapidly, and organisations must ensure their use of facial recognition complies with the Australian Privacy Act and any applicable state laws.

Mobile credentials turn a smartphone into an access card, using NFC (Near Field Communication) or BLE (Bluetooth Low Energy) to communicate with the reader. The credential is stored in a secure element or trusted execution environment on the phone and is presented by holding the phone near the reader (NFC) or simply approaching the door (BLE, which can work at longer range). Mobile credentials offer several advantages: they are harder to share or clone than physical cards, they can be issued and revoked remotely in real time, and they eliminate the cost of manufacturing and distributing plastic cards.

The leading mobile credential platforms include HID Mobile Access, Gallagher Mobile Connect, and SALTO JustIN Mobile. Apple Wallet and Google Wallet now support corporate access credentials from select providers, allowing users to hold their phone to a reader just as they would tap to pay. For Australian resellers, mobile credentials are an excellent upsell opportunity — they reduce card issuance costs, improve security, and align with the increasingly digital workplace. However, adoption requires that readers support BLE or NFC, which may necessitate a hardware upgrade for legacy installations.

The protocol used between the reader and the controller is a critical security consideration that is often overlooked. Wiegand is a decades-old protocol that transmits credential data as unencrypted electrical pulses over two wires. It is simple, universally supported, and deeply entrenched in the industry — but it is fundamentally insecure. Wiegand data can be intercepted by tapping the wires between the reader and controller, and the protocol has no encryption, authentication, or tamper detection. An attacker who gains physical access to the reader wiring can capture and replay credential data.

OSDP (Open Supervised Device Protocol) is the modern replacement for Wiegand. Developed by the Security Industry Association (SIA), OSDP runs over RS-485 serial and supports AES-128 encryption (in Secure Channel mode) between the reader and controller. It also supports bidirectional communication, allowing the controller to send display messages, LED patterns, and buzzer tones back to the reader, as well as firmware updates. OSDP readers can also detect tampering and report it to the controller. For any new access control installation, OSDP should be specified as the reader protocol — there is no good reason to install new Wiegand infrastructure in a modern deployment.

Modern access control systems do not operate in isolation — they integrate with video surveillance, intercoms, and building management systems to create a unified security ecosystem. When a door access event occurs, the access control system can trigger the nearest camera to record a clip, associate the video with the access log entry, and store both for later review. This is invaluable for incident investigation — instead of scrubbing through hours of footage, the security team can jump directly to the video associated with a specific access event.

Intercom integration is equally important, particularly for visitor management. A visitor presses the intercom at the entrance, the receptionist sees video of the visitor on their screen, verifies their identity, and remotely unlocks the door — all from the same access control platform. Leading platforms like Gallagher Command Centre, Genetec Security Center, and Verkada provide native integration between access control, cameras, and intercoms. For resellers, these integrated solutions are where the real margin lives — the sale is not just a card reader, it is a complete security platform with ongoing software licences and support.

The access control market in Australia is served by a range of vendors catering to different segments. Gallagher (a New Zealand company) is dominant in the Australian enterprise and government market, known for its robust Command Centre platform and strong local support. Inner Range is an Australian manufacturer popular in commercial and government installations. HID / Mercury controllers are widely used by integrators who pair them with various software platforms. Verkada and Brivo represent the cloud-native approach, offering simpler deployment and management at the cost of some advanced features. The right choice depends on the customer's size, security requirements, integration needs, and budget.