Proximity Cards (Prox Cards)
125 kHz proximity cards (HID 125 kHz being the dominant standard) have been the workhorse of commercial access control for 30 years. The card contains a simple RF transponder that broadcasts a facility code and card number when held near a reader. No battery required — the reader powers the card via RF induction.
Advantages: Proven, inexpensive ($2–$5 per card), widely supported, simple to program and deactivate, no user training required.
Disadvantages: 125 kHz cards are easily cloned. A handheld reader available for under $50 can clone a 125 kHz card in under a second without the cardholder knowing. Cloned cards are a known attack vector. For any application with meaningful security requirements, 125 kHz proximity cards are no longer appropriate.
Smart Cards (13.56 MHz)
Modern smart cards (MIFARE DESFire, iCLASS Elite, and similar standards) operate at 13.56 MHz with encrypted communication between card and reader. Unlike 125 kHz prox, the card and reader must complete a mutual authentication challenge-response before access is granted. This prevents cloning attacks.
Advantages: Encrypted, cannot be trivially cloned, supports multiple applications on the same card (access + cashless vending + time/attendance), available in card, fob, sticker, and mobile formats.
Disadvantages: More expensive ($8–$20 per credential vs. $2–$5), requires compatible encrypted readers. Upgrading from 125 kHz to smart card typically requires replacing both cards and readers.
HID 125 kHz proximity is the most widely deployed—and most widely compromised—access credential in commercial buildings. If your building uses standard prox cards, credential cloning is a realistic attack that requires no specialized skills or expensive equipment. Upgrading to encrypted smart cards is a high-priority security improvement.
Key Fobs
Key fobs use the same RF technology as cards — available in both 125 kHz (legacy) and 13.56 MHz encrypted versions. The difference is purely form factor. Fobs are typically smaller, attach to a keychain, and are preferred by users who don't carry a wallet regularly.
The security profile exactly matches the card type used — a 125 kHz fob has the same cloning vulnerability as a 125 kHz card. Choose encrypted fobs if you choose fobs.
Mobile Credentials
Modern access control systems support Bluetooth Low Energy (BLE) and NFC credentials stored on smartphones. The user's phone becomes their credential — no physical card to carry, lose, or clone. Credential management happens through a cloud portal; remote provisioning and deactivation is instant.
Advantages: Difficult to clone (phone authentication adds a second factor), easy remote management, no physical credential to issue or collect from terminated employees.
Disadvantages: Requires smartphone adoption by all users (a realistic barrier for some workforces), phone battery dependency, requires cloud connectivity for administration.
PIN Codes
PIN-only access (keypad without card/fob) is appropriate for low-security applications — storage rooms, after-hours staff access, amenity areas. PINs are easy to share and can be observed (shoulder surfing), making them inappropriate as a sole credential for any door protecting sensitive areas or significant assets.
PIN codes are most useful as a second factor combined with a card — card + PIN is substantially more secure than either alone, because an attacker must possess the card and know the PIN.
Biometric Credentials
Biometric readers (fingerprint, palm vein, iris, facial recognition) authenticate on something the user is rather than something they carry or know. The security advantage is that biometric credentials cannot be forgotten, loaned, or lost.
Practical limitations for most commercial applications:
- Fingerprint readers fail in dirty environments: Warehouse workers with calloused or cut hands have high rejection rates. Construction sites and food processing are poor fingerprint environments.
- Enrollment takes more time than card issuance: Each user must physically enroll at the reader or a central enrollment station — a logistical challenge for large workforces.
- Privacy considerations: Biometric data is sensitive. Storage and handling requirements are increasingly regulated.
- Cost: Biometric readers are significantly more expensive than card readers.
Biometrics are well-suited for: server rooms, pharmacies, financial vaults, and other high-security applications where the enrollment friction and cost are justified by the asset value being protected.
Choosing for Your Application
| Application | Recommended Credential |
|---|---|
| Office (under 50 employees) | Encrypted smart card or mobile |
| Multi-tenant building lobby | Encrypted smart card (different facility codes per tenant) |
| After-hours staff access (low security) | PIN + card combo |
| Server room / high-security | Card + PIN or biometric |
| Warehouse with dirty environment | Smart fob (avoids fingerprint issues) |
| Property with high turnover (retail) | Mobile credential (instant revocation) |