Choosing the right access control system for your organization can be a daunting task. One of the primary reasons why is that the range of authentication methods to choose from is broader today than ever before.

Each method has its strengths, too. The right technology is the one that fits your organization’s access control needs the best. So how do you pick one?

Physical Security - Security CameraYou need to start by assessing the specific physical security risks your company faces and choose the technology that counters them the best. This article breaks down the key components of physical access control systems and details the leading authentication technologies available in 2022, so you can make an informed decision about how to upgrade your company’s physical security. 

Key Components of a Physical Access Control System 

At a high level, a physical access control system is comprised of: 

Access points

Access control points are simply the locations where you stop personnel and require them to authenticate before proceeding. For example, an access point could be a locked door, a gate, turnstile, or any other physical barrier that someone cannot bypass until they take the actions you require to gain entry.


Personnel must present credentials to authenticate themselves at an access control point. Many different options are available in 2022, each offering different types of control. There are so many options to consider that we’ve devoted a whole section to them below.


An access control point needs a sensor or reader to scan a user’s credentials. Data is sent from the reader to the system’s control panel and server. Some readers come as part of an interactive terminal, where you can prompt users to enter additional information when they’re authenticated.

Control panel

These are remote computer systems, typically on-site in the facility where you carry out access control. Readers send scanned user credentials to the panel, which verifies whether they have access and unlocks the door or other barrier accordingly.

You could also program the control panel to take one or more triggered actions when they read credentials. For example, it could alert on-duty security guards if someone tries to access a high-security location to which they are not authorized.

Some newer access control systems don’t use control panels, instead using straight reader-to-server authentication. The best configuration depends on your facility and IT network layouts, so it is best to consult those teams to determine which model system makes the most sense for your facility.

An access control server

This central management system tracks, analyzes, and reports access control data to you. If you’re in a small facility, this could be in the same location as your doors and control panels. But it could just as well be anywhere in the world. 

The access control server maintains a complete list of each user you’ve granted access to and all of the conditions attached to their access. It also generates reports you can use for your own internal security audits or meet different regulatory standards. In addition, because user profiles can be stored in standard formats, it’s easy to integrate your access control with other security systems at this server level.


Access Control Credential Types in 2022 

There are a bewildering number of access control technologies on the market today. Here are the leading options. 

Knowledge-Based Authentication (KBA)

A knowledge-based authentication system requires users to authenticate themselves with something they know—for example, a password or PIN code. KBA access control systems are less expensive because they require less infrastructure, and there are no physical access control tokens to purchase or manage. That makes it trivially easy to add new users. All you have to do is generate a new PIN or code for them. 

The downside is these systems tend to be less secure. Unlike physical or biometric authentication, it is very easy for users to share passwords or PIN codes, compromising the security of your assets. 


Biometric authentication involves scanning an attribute of the person requesting access. 

FingerprintsAccess control authentication using fingerprints

Since fingerprints are unique to each individual and stay consistent throughout our lives, they make an easy, permanent biometric record you can use for access control. A fingerprint reader compares stored print records to the fingerprint a user scans. 

Bad actors cannot simply scan a fingerprint photo to gain entry. Like smartphones, fingerprint scanners use a capacitive screen that only responds to contact from electrically-conductive materials, like skin. 

Fingerprint readers can require more maintenance than other biometric types because they require physical contact to work. Screens can quickly become dirty. In a post-COVID world, many organizations might also prefer to find a non-contact access control method. 

Facial Recognitionaccess control facial recognition authentication

Facial recognition scanners use pattern matching software similar to those used in fingerprint scanners to match the shape of a user’s face against scanned records. But unlike fingerprint scanners, this is a non-contact form of biometric authentication. They are also very difficult for attackers to bypass. 

One potential downside is that facial recognition only works in good lighting, which means it might not be suitable for some environments. It can also be more temperamental than fingerprint scanning, as things such as facial hair, smiles, or frowns can sometimes impact whether a scanner can properly read a face. 

Iris Eye ScansIris scanning for access control authentication

Much like fingerprints, the irises in a person's eye hold a unique pattern that remains stable throughout their life. A scanner can detect that pattern and match it against access control records. 

Iris eye scans are highly accurate and difficult for an attacker to defeat. They are also fast and easy to use, scanning from several inches to several feet away in seconds. 

However, much like facial recognition scans, they require consistent lighting. In addition, some medical conditions like diabetes can also alter a person’s irises, invalidating earlier records. 

Retinal Scans

This system uses infrared light to record and match someone’s unique blood vessel pattern. Retinal scanning has a near-zero failure rate, making it the most secure biometric. Users are authenticated quickly, making it suitable for high-traffic environments. However, some users find retinal scanning uncomfortable and intrusive. 

Voice RecognitionAccess control authentication using voice recognition

Voice recognition access controls match your users’ spoken passphrases against high-definition digital records. As a result, this authentication method can be more accessible than eye or facial scanning systems, which often must be mounted at a particular height. They also require significantly less training compared to most other biometric authentication systems. 

However, they are only suitable in quiet environments. Background noise can interfere with authentication. They are also more open to attack than other systems. Known passphrases can be recorded for attacker playback. 


Physical Tokens

Unlike knowledge-based credentials, which a user memorizes, or biometrics, which are attributes of the user themselves, physical token authentication requires the user to present an item they carry. 

Swipe CardsSwipe card access control

These identification cards have an embedded magnetic strip holding identification data swiped through readers. Magnetic swipe cards are the least expensive physical token option, usually just a few cents per card. Replacement cards and associated materials are always in supply.  

However, their availability is also a vulnerability, as criminals have just as ready access to materials as security professionals. And the commoditization of swipe card systems and the ease with which they’re copied makes them appropriate only in lower security environments. 

Smart Tokens

Instead of encoding credentials on magnetic strips, this technology uses computer chips embedded in ID cards, fobs, or other tokens. Credential data sent from the card to the physical access control system is encrypted—or scrambled—making it hard for attackers to intercept. Smart tokens are not interchangeable. They must be encoded to work with specific systems, making them exceptionally hard to counterfeit. 

RFID TokensRFID Tokens access control

These are specialized smart cards that use Radio Frequency Identification (RFID) to communicate wirelessly with access control systems. They are unpowered and have a short-range, usually about 6” (15cm). As a result, RFID scanners can scan multiple tokens simultaneously, reducing wait times at busy access control points. 

While RFID is a robust wireless standard, its transmission range is very short. And RFID technology cannot transmit through some common materials, including metal and water. 


Mobile Credentials

Mobile access control systems use an app on a smartphone to act as credentials. Administrators issue users with IDs through the app. Users wave their smartphones at access control points, which can read credentials via the phone’s short-range wireless antenna. 

Mobile credentials are difficult to forge. You can also deploy these systems quickly compared to some other access control systems since they use smartphones as a physical token, which most users already carry around with them. 


Balance Security and Usability 

As you can see, each authentication system carries its advantages and disadvantages. Each has its place in business security. It’s just a matter of determining what makes sense in your particular organization.