Security has changed tremendously over the last five years. Today, security professionals must dig through a technology market saturated with solutions that promise to deliver the exact results they’re looking for. Meanwhile, security directors face budget cuts as organizations look to tighten the purse strings. “Do more with less” has become the mantra. To help bring you up to speed and find some calm in the chaos, we’ve created a guide to physical access control.
In this guide, we break down the evolving landscape of access control: from the rise of cloud-native and hybrid deployments to credential management across key cards, biometrics, and smartphones. If you’re tasked with deploying or upgrading a system that has to scale with your organization and hold up under scrutiny, this is where you start.
What is Physical Access Control?
Physical access control is the process used to allow or deny entry to a specific area. Let’s break down the definition with some real-world examples: You know that lock on your bathroom door? That’s a form of physical access control. The plastic key card you tap in the elevator at work – that’s also access control. If you live in a gated community with security guards, believe it or not, you’re protected by a form of physical access control. Simply put, “physical access control” is a catch-all term used for live or technology-based security that manages entry.
What is a Physical Access Control System?
What kind of physical access control system do I need? That’s a loaded question.
Many different types of physical access control systems (PACS) exist. They range from simple lock-and-key access control to complex, cloud-based access control, which allows hundreds of buildings to be managed from a single platform. Additionally, types of physical access control get classified into various categories – the top-most level being traditional vs. electronic access control. We’ll start here.
Traditional vs. Electronic Access Control: What’s the Difference?
Traditional access control has been around for a loooong time, with mechanical wooden locks discovered in Iraq dating as far back as 4000 BC.
As you may imagine, traditional access control relies solely on mechanical locks and keys. Some examples of traditional physical access control systems are metal locks and keys, padlocks, and combination locks. However, while traditional access control is still widely used in community, residential, and small business security, electronic access control systems are becoming more common.
Electronic access control systems use an electric current to operate. These include remote-controlled gates, keycard systems, biometrics, Bluetooth- and NFC-operated systems, and so much more.
In this guide, we’ll focus on electronic access control systems.
Components of Physical Access Control Systems
All PACS use the same basic components. So, whether you’re shopping for your first system or looking to upgrade, you’ll have choices for each of the components below.
- Server: The server holds all the information and data of your physical access control system, including your users, entry privileges, access history, floor plans, customizations, and API integrations.
Shopping Tip #1: Determine what kind of server you need before buying any other hardware or software. The three choices are on-premises access control, cloud-based access control, and hybrid access control. Learn more about these now.
- Software Database: The software database, sometimes referred to as a It stores names of people you give access to (e.g. employees, family members, guests), the areas they’re permitted to enter, the times allowed, and intruder alerts. These platforms can be extremely customizable. You may also be able to integrate your physical access control with other parts of your security system, like video cameras and motion sensors.
Shopping Tip #2: Software varies tremendously depending on the manufacturer. The main difference between software platforms is customizability. For example, basic platforms may allow you to add multiple types of users, but an advanced system may give you time-based credentials, which allow people access within a designated time.
- Controllers (commonly referred to as an access control panel): This is the control center and main hub that processes signals from door readers and access credentials. It’s the brain of a physical access control system.
Shopping Tip #3: Controllers differ based on the number of doors you need to secure. They often come in two types – proprietary and non-proprietary door controllers. Proprietary access control ties you to one manufacturer while non-proprietary access control uses open architecture and allows you to change providers if needed.
- Barriers: These include doors, turnstiles, gates, and elevators.
- Readers: An often boxy piece of hardware that reads credentials and transmits the credential information to the controller for verification.
- Locks: Once the controller verifies a scanned credential, a signal is sent to unlock the barrier. There are different types of locks, such as electric door strikes, electromagnetic locks, wireless locks, wired locks, and smart locks.
- Credentials: Credentials are tokens that store unique data, allowing the user to gain access. Types of access control credentials include: biometrics, PIN codes, keys, key cards, key fobs, and smartphone badges.
Shopping Tip #4: Often, the credential type will be tagged before “access control” (e.g. biometric access control). When researching access control systems, use these terms to find deeper information about which credential type might be right for you.
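The reader-to-controller-to-lock flow in the component list above, sketched as an added example (not code from this guide or from any vendor): a controller checks a presented credential against the database, including a time-based window, and logs every decision. The class names, credential IDs, doors, and sample records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Credential:
    holder: str
    areas: frozenset                 # doors this credential is allowed to open
    start: time = time(0, 0)         # time-based window: earliest allowed entry
    end: time = time(23, 59, 59)     # latest allowed entry
    active: bool = True              # set to False when the credential is revoked

    def in_window(self, t: time) -> bool:
        if self.start <= self.end:
            return self.start <= t <= self.end
        # Window crosses midnight (e.g. a 22:00-06:00 night shift).
        return t >= self.start or t <= self.end


@dataclass
class Controller:
    database: dict                                  # credential ID -> Credential
    audit_log: list = field(default_factory=list)

    def decide(self, cred_id: str, door: str, when: datetime):
        """Return (unlock, reason). Anything not explicitly allowed is denied."""
        cred = self.database.get(cred_id)
        if cred is None:
            unlock, reason = False, "unknown credential"
        elif not cred.active:
            unlock, reason = False, "credential revoked"
        elif door not in cred.areas:
            unlock, reason = False, "area not permitted"
        elif not cred.in_window(when.time()):
            unlock, reason = False, "outside permitted hours"
        else:
            unlock, reason = True, "granted"
        # Denials are logged too, so the access history shows failed attempts.
        self.audit_log.append((when.isoformat(), door, cred_id, unlock, reason))
        return unlock, reason


# Constructed sample data (hypothetical IDs, names and doors).
DB = {
    "card-1001": Credential("day staff", frozenset({"lobby", "lab"}), time(8), time(18)),
    "card-1002": Credential("night guard", frozenset({"lobby"}), time(22), time(6)),
    "card-1003": Credential("former contractor", frozenset({"lobby"}), active=False),
}

if __name__ == "__main__":
    panel = Controller(DB)
    for cred_id, door, ts in [
        ("card-1001", "lab", "2024-03-04T09:15:00"),
        ("card-1001", "lab", "2024-03-04T20:00:00"),
        ("card-1002", "lobby", "2024-03-05T02:30:00"),
        ("card-1003", "lobby", "2024-03-04T09:00:00"),
        ("card-9999", "lobby", "2024-03-04T09:00:00"),
    ]:
        print(cred_id, door, ts, panel.decide(cred_id, door, datetime.fromisoformat(ts)))
```

Because every branch other than the final one denies, a missing record or a revoked badge fails closed, and the audit log still records the attempt.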
As you can see, you’ll have many choices when it comes to building your security. Let’s take a look at some types of access control based on their components.
Cloud-based vs. On-premises vs. Hybrid Access Control: Which is Best?
One of the first decisions you’ll make when upgrading or buying an access control system is its server type. Server types fall into three categories: cloud-based, on-prem, and hybrid. Check out the chart below for a quick comparison of each.
| Feature | Cloud-based Access Control | On-premise Access Control | Hybrid Access Control |
| --- | --- | --- | --- |
| Server Location | Third-party servers (AWS, Microsoft Azure, IBM Cloud) | On-site server | Combination of on-site and third-party hosting |
| Maintenance | None | You’re responsible for all the maintenance | Combination |
| Scalability | High – Increase or decrease your server size depending on your business needs | Low – It’s difficult and expensive to add new servers quickly | Medium – This varies greatly depending on your setup |
| Remote Access | Easy | Difficult – Must tunnel in using other software tools | Difficult |
| Software Updates | Managed by the vendor | Managed by you | Shared responsibility |
| Upfront Costs | Low | Medium | High |
| Ongoing Costs | Subscription (monthly/yearly) | Both license and subscription fees | Maintenance fees and subscription fees |
| Popular Access Control Companies | Avigilon, Brivo, Kisi, BluBox | Honeywell MAXPRO, Johnson Controls | LenelS2, Honeywell, Genetec |
Cloud-based Physical Access Control
Cloud-based access control allows businesses, hospitals, communities, and more to prioritize upfront cost efficiency, remote access management, and scalability.
From an operational standpoint, security teams can monitor and control access to their facilities from anywhere – all they need is an internet connection. A single internet connection connects organizations directly to their entire security network. From anywhere in the world, you can provision credentials, monitor access events, and adjust authorization. Additionally, updates and patches are handled automatically, so you don’t have to take time to install new software.
When it comes to hardware, maintenance and upfront expenses are considerably lower. You pay for the storage you need, instead of buying equipment and storing it on site. Maintenance is taken care of by the third-party provider, giving you time to focus on other important tasks.
Cloud-based access control is most beneficial for multi-site companies, large organizations like hospitals, and organizations with hybrid or remote work forces. For example, a fast-growing tech startup with employees in various parts of the world can more quickly assign and distribute credentials using a cloud-based system.
With security budgets being reduced, the cloud helps security directors do more with less.
Hybrid Physical Access Control
Not quite ready to commit to a cloud system? Hybrid access control might be the perfect middle ground. These systems offer a balanced solution for businesses, schools, and institutions that want the flexibility of the cloud while retaining some control of traditional systems. While on-site, organizations can continue managing their security using their Ethernet network. However, when working remotely, they can enjoy the ease of connecting via the internet.
From an operational perspective, hybrid systems allow for local control during power outages while still offering cloud-based features like remote credential provisioning and system alerts. Security teams can still access dashboards and user logs from anywhere, but mission-critical functions like door unlocks can continue even when offline.
Hybrid systems include more upfront expenses than cloud-based access control, but are far less costly to maintain than an on-prem setup. So if you’re thinking of eventually moving to the cloud, hybrid access control is the best choice.
Hybrid access control is best suited for institutions like universities, regional businesses, or organizations undergoing digital transformation. For instance, a school district with multiple campuses can centralize management while still maintaining critical operations that can be performed locally. This is very helpful in the case of network issues.
On-premises Physical Access Control
Finally, to the old guard – on-premises access control. These systems give organizations the highest level of control over their security infrastructure and data storage. On-prem systems are managed entirely in-house, without reliance on third-party cloud providers.
Operationally, these systems do not require an internet connection to function, meaning you’ll get maximum privacy and data ownership. While sticking with an on-premises access control system requires a dedicated IT or facilities team, it also minimizes external vulnerabilities.
The tradeoff is in cost and maintenance. Be ready to make a significant upfront investment in servers, software licenses, and ongoing maintenance. Updates and patches must also be installed manually, so your team will spend more of its time on these tasks.
On-prem access control is most beneficial for organizations with strict compliance needs or those that operate in high-security environments. For example, a financial institution managing sensitive client data might choose an on-prem system to ensure all security operations remain within its firewall and fully under its control.
Credentials: Key Card Access Control, Smartphone Credentials, and Biometrics
Ever tried to open your locked front door without a key? Unless you’re Harry Houdini or you run a professional heist business, it probably wasn’t a fun experience. Access control keys and credentials are another important aspect to consider on your research journey. The three most popular access control credentials for commercial security are key card access control, biometric access control, and smartphone access control. Below is a comparison of these credential types.
| Access Control Type | Key Card Access Control | Biometric Access Control | Smartphone Access Control |
| --- | --- | --- | --- |
| Credential Type | Physical, plastic card | Fingerprint, facial recognition, iris scan | Digital badge stored on mobile device; often requires Google, Apple Wallet, or the manufacturer’s app |
| Security | Low – Can be shared, lost, stolen, or cloned | High | Medium – Protected by phone security and is less likely to be misplaced |
| Convenience | Easy – Simple to use but easiest to lose | Easiest | Easy |
| Provisioning | Most difficult – Requires an in-person exchange | Easiest | Easier – A digital key can be sent to the user’s phone; no in-person exchange required |
| Maintenance | Card replacements and reader upkeep | Sensor calibration | App updates and cyber security checks |
Key Card Access Control
Key card access control is the most widely used method of commercial security. As you likely know, users gain access by tapping or swiping their card at a reader. The system checks the stored credentials and grants access if authorized.
Why are these systems still used? The short answer is they’re simple to manage and don’t present user privacy issues. Credentials can be quickly issued or deactivated through a centralized platform, and activity logs provide a clear audit trail. While there are ongoing costs for printing and replacing cards, the infrastructure is reliable and familiar.
Keycard access is ideal for offices, schools, and hospitals where users benefit from a straightforward, proven solution. For example, a corporate office might use keycards to separate access by department or floor, helping maintain secure, organized movement throughout the building.
Smartphone Access Control
Smartphone access control lets users store digital key cards on their mobile devices and use them to unlock doors. These systems use radio-frequency identification (RFID) to gain access. When the phone is presented to the door reader, it sends an NFC or Bluetooth LE signal carrying the credentials to the reader. Once the system authenticates the credential, access is granted.
For security administrators, this technology simplifies credential distribution and management. Security teams can issue or revoke mobile credentials instantly through a centralized dashboard, making printing and handing out physical cards obsolete. When it comes to costs, smartphone access reduces the need for physical cards and card printers, lowering long-term expenses. There’s also less hardware to manage, especially in systems where mobile access is integrated with cloud-based control.
Biometric Access Control
Now, for the type of access control most likely to remind you of the 1990’s Total Recall – biometric access control. Unlike key card and smartphone access control systems, biometrics don’t require users to carry anything extra. Instead, to access an area, users present their fingerprint, face, or iris to a reader.
Biometric access control offers strong identity assurance and reduces the risk of credential sharing or theft. However, some users may feel like storing biometric information is a violation of privacy.
From an expense perspective, while biometrics have a higher initial cost due to advanced hardware and software, they often reduce ongoing operational costs by eliminating card issuance and replacements.
Biometric access control is most beneficial in environments where high security and accountability are top priorities, such as research labs, healthcare facilities, or data centers.
What Access Control System Do I Need?
The best type of access control system depends on your needs. (That’s probably not earth-shattering news to you.) We’ve developed a checklist of considerations below. So, whether you’re managing a 100-door hospital, a small business with a front and back door, a residential community, or a global commercial enterprise, the list below will help.
Checklist: Top 7 Access Control Considerations for Your Security
- Current Security Challenges
- Doors and Entrances
- Number of Users
- Features
- Integrating Your Security
- User Interaction
- Future Plans
1. Current Security Challenges
Start with a realistic assessment of your current security challenges. Is theft happening at your enterprise every day, or do you only need to keep an eye on the occasional employee tailgating? Consider the most used and least protected entrances. Are there problems at these points? Before investing in an access control system, it’s important to clearly articulate your goals to all the decision makers involved. Then, come up with a plan on how you’ll measure the success of the system.
2. Audit Doors and Entrances
Prioritize the doors and entrances you need to protect. Count the number of entry points you’ll need to secure. Consider creating a list that ranks each entry point by use, risk, and priority. By auditing your entrances, you’ll understand where and when the most (and least) foot traffic occurs. An audit will also help you pinpoint the low-security areas of your facility.
3. Number of Users
A 30-person office and a 3,000-employee campus face totally different problems. If you’re manually updating credentials or printing badges every time someone’s role changes, you’ll probably want a system to help with automation. Consider how often users come and go, but don’t just stop with employees. Who else will need access – contractors, vendors, interns, delivery people?
4. Software Features
So you’ve got a thorough understanding of your door usage, the number of people in your facility, and security vulnerabilities. With all this information, you can now determine the features you need most.
Some practical access control features to look for include:
- Time-based credentials: Specify when a credential is active.
- Floor Plans: Map cameras and doors to the blueprints of your building.
- Quick Door Open: Unlock or lock a door instantly.
- Emergency Plans: With a single click, automatically lock down any doors instantly during an emergency.
Remember, having more features doesn’t mean better software. Find what you need and don’t settle for bloated platforms.
5. Integrating Your Security
The most powerful security advancement of the last five years is easier integration. If your cameras, alarms, and access control don’t talk to each other, you are probably spending a lot of time jumping between software platforms. It’s difficult to manage a bunch of hardware. With API integrations, your access control system will act as a hub for all your other security infrastructure. For example, when a door is forced open, you should be able to instantly pull up camera footage. If your HR system updates an employee’s status, their badge access will change automatically. As you talk to manufacturers, consider the API integrations they offer now and what is on their roadmap.
6. User Interaction
You picked out the perfect access control system, persuaded upper management for the necessary budget increase, and now you’re ready for launch. Unfortunately, your end users hate the system. All that work you did – pointless.
User buy-in impacts the effectiveness of your physical access control, and a lack of it leads to vulnerabilities in your security. One way to preemptively address user buy-in issues is by reaching out and talking to employees. Consider using surveys to gauge how users feel.
7. Future Plans
Your organization and the security technology available will change, so it’s important to think of access control in both the short term and long term. Consider your organization’s direction over the next 5 to 10 years. How fast is it growing? Is there a plan to add new office locations and employees? It is especially helpful to collaborate with executives to determine the direction of the company.
A phased build-out may be the most realistic and budget-friendly approach. Instead of rolling out access control across every site at once, many organizations start with high-risk or high-traffic areas, like data centers, executive offices, or front entrances. After the initial rollout is complete, you can continue to expand. In short, pick a system that helps you today, yet is ready for tomorrow.
The Best Access Control System for You
Technology changes fast, and sometimes it’s difficult to separate what’s trendy from what’s important. That’s why we’re here.
SafeTouch experts will help you assess, purchase, install, and monitor your security. With over 30 years of industry experience, we’ve got the knowledge to guide you through cloud platforms, mobile credentials, AI-based monitoring, and more. We’ll help you find a system that won’t become obsolete in a few years. Give us a call at 888.985.SAFE (7233) to speak with a SafeTouch expert today!