The Ultimate Guide to Access Control

What is Access Control?

Access control is a form of physical security that manages who has access to an area at any given time. Access control systems restrict access to authorized users and provide a means to keep track of who enters and leaves secured areas.

Key Components of Access Control

In an access-controlled building, authorized persons use credentials to make unlock requests at readers mounted near entries. The readers send that information to an Access Control Unit (ACU), which makes the access control decision and then triggers the electrified door locking hardware.

  • Credentials

    Credentials can be key cards, PIN codes, smartphones, or even biometric input like fingerprints. Credentials provide the user with a method of access and only certain methods are supported by different access control systems. It's worth noting that support for mobile credentials requires that the access control system have readers, ACUs, and access control software that support Bluetooth and/or Internet-based communication.

  • Readers

    Readers are devices installed near entries that receive inputs from user credentials via radio frequency signal (RFID, NFC, or BLE) which they then relay over a wired or wireless connection to ACUs installed nearby.

  • Entries

    Entries include any electrified or automated opening: doors, parking gates, elevator floors, storage cabinets — anywhere that needs to restrict access.

  • Locking Hardware

    Door entries are typically configured with electric or electromagnetic locks that are paired with Request to Exit (REX) and door contact sensors that can determine when someone is leaving, propping open a door, or tampering with the lock.

  • ACUs

    Readers send credential data to an ACU (also known as a controller or a control panel), which decides if a user has access or not. If they have access, the ACU then instructs the door locking hardware to unlock. One ACU usually supports between 2 and 8 readers.

  • Access Control Software

    All of this hardware is managed with access control software — an application where you define users, credentials, access schedules, entries, and so on. The information defined in the access control software syncs with the ACU, which is how it knows whether to grant or reject access.

How to Use Access Control

Access control systems restrict access to entries based on a number of factors:

  • Access can be defined based on the user — for example, a manager might need 24/7 access to all entries in a site.
  • Users can be assigned to groups and those groups can have unique access restrictions. For example, night shift employees require different schedules than day shift employees.
  • Access can be defined on the entry itself — for example, front doors can be unlocked during business hours.

Using schedules and groups enables administrators to more effectively manage their users and ensure the right access privileges are assigned to the correct users for the right times.

Types of Access Control Systems

  • Traditional, dedicated server access control systems

    Traditional access control solutions use dedicated servers onsite that communicate with ACUs and readers over a LAN connection. In the case of multiple buildings or sites, separate servers and software must be purchased, installed, and maintained at each location in order for the system to run.

  • Browser-based (a.k.a. web-based) access control systems

    Browser-based access control systems operate similarly to dedicated server systems but also include a web application. Internet access is not required for the application to work; the application connects to the LAN and can be accessed on any device within that network.

  • Cloud-based access control systems

    Cloud-based access control runs the access control software in the cloud (i.e. on a remote server) that regularly syncs with the local ACUs. Because the software is cloud-based, administrators can easily add new users or revoke access using any web-enabled device, and the ACU is updated automatically. This type of access control system requires Internet access, but can still function without it — any updates made using the software will take effect after Internet access is restored.

Benefits of a Cloud-based Access Control System

There are several benefits that come with implementing a modern, cloud-based access control system:

  • Increased security with reduced overhead

    A modern access control system keeps unauthorized persons out while also making it easy to revoke access or remotely lock entries at any time. Modern systems are easier to install, configure, and manage, reducing the need for ongoing, costly IT resources. No servers to manage, no software to patch, no VPN or MPLS network. In a mobile-enabled system, administrative overhead is reduced as you don't need to print, issue, collect, and track physical badges, fobs, and keycards.

  • Better accessibility

    Instead of traditional locks and keys or access cards (that are easily lost or cloned), mobile credentials offer an easier, more secure way to enter access-controlled spaces. Guest access links let you easily provide access to visitors via email or SMS, and remote unlock capabilities mean you can unlock entries from anywhere. Plus, cloud-based access control is ideal for providing access across multiple buildings and sites because it's designed to scale with your needs.

  • Seamless integrations with smart office technology

    Modern cloud-based access control systems are designed to work with the latest technologies – make the most of your access control by integrating with HVAC, lighting, alarm systems, as well as directory services (like Azure Active Directory, G Suite, and Okta) and messaging platforms like Slack. Compare this to traditional access control systems which are often proprietary and only offer a few select native integrations.

Who Needs Access Control?

Everyone needs and uses access control. Government buildings, healthcare providers, banks, and other places with sensitive data are generally required to use some form of access control. But access control isn't just for restricted facilities — most modern offices want to track who goes where and who has access to expensive equipment. Software companies and startups that deal with intellectual property need a way to manage access that interferes minimally with productivity. The same goes for multi-family residential buildings as apartment owners and landlords want to make it easy and safe for tenants and guests to access properties and amenities. Access control is also great for visitor management — it lets you create temporary credentials for guests so you can control exactly how much and for how long someone has access.

Door Access Control Methods: How It Works

How Does Access Control Work?

In an access-controlled environment, users present credentials to readers in order to unlock doors. But how exactly does this work?

Authentication

First, a credential is authenticated. After a user presents a credential (mobile credential or card/key fob) at a reader, that credential’s data is sent to the Access Control Unit (ACU), where the ACU determines if this credential is known and recognized by the system. If a credential has been added to the system during an Internet outage, the ACU will not recognize the credential until the Internet is restored.

Authorization

Next, the ACU determines if the user to which this valid credential belongs is authorized for access – does the user have access to this particular entry? Are they using the right kind of credential and trigger type for this entry? Are they attempting to unlock the entry within any applicable schedules? In order to be authorized, a user must:

  • Have access to the entry they’re trying to unlock
  • Use one of the predefined allowed credential types (for example, mobile credential)
  • Use one of the predefined allowed trigger types (for example, onsite 2FA)
  • Make the unlock request within any schedules defined on the entry or assigned to the user or their group

Access

Once authenticated and authorized, the ACU then sends a command to the door locking hardware to unlock the entry. In the case of electromagnetic locks, power is temporarily interrupted when unlocked (also known as fail safe) whereas with door strikes power is temporarily applied to unlock the door (also known as fail secure).
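The authentication, authorization, and access steps above can be followed in code. This is an added example, not part of the original guide and not Openpath's code; the class names, credential and trigger labels, sample data, and the rule that every applicable schedule must cover the request time are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass(frozen=True)
class Schedule:
    days: frozenset          # weekday numbers, Monday = 0
    start: time
    end: time

    def covers(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end

@dataclass
class Entry:
    name: str
    credential_types: set    # hypothetical labels, e.g. {"mobile", "card"}
    trigger_types: set       # hypothetical labels, e.g. {"tap", "onsite_2fa"}
    schedules: list = field(default_factory=list)
    lock: str = "strike"     # "strike" = fail secure, "maglock" = fail safe

@dataclass
class User:
    name: str
    entries: set             # names of entries the user may unlock
    schedules: list = field(default_factory=list)   # user and group schedules

class ACU:
    def __init__(self):
        self.credentials = {}   # local copy: credential id -> (User, type)

    def sync(self, cred_id, user, cred_type):
        """Called when the management software pushes an update to the ACU."""
        self.credentials[cred_id] = (user, cred_type)

    def decide(self, cred_id, entry, trigger, when):
        # Authentication: is the credential known to this ACU? A credential
        # created while the ACU was offline is unknown until the next sync.
        known = self.credentials.get(cred_id)
        if known is None:
            return False, "unknown credential"
        user, cred_type = known
        # Authorization: entry, credential type, trigger type, schedules.
        if entry.name not in user.entries:
            return False, "no access to entry"
        if cred_type not in entry.credential_types:
            return False, "credential type not allowed"
        if trigger not in entry.trigger_types:
            return False, "trigger type not allowed"
        # Assumption: every schedule that applies must cover the request time.
        if not all(s.covers(when) for s in entry.schedules + user.schedules):
            return False, "outside schedule"
        # Access: maglocks release when power is cut, strikes when it is applied.
        return True, "interrupt power" if entry.lock == "maglock" else "apply power"

# Constructed sample data: a front door on a maglock, open to one user on weekdays.
BUSINESS_HOURS = Schedule(frozenset(range(5)), time(8, 0), time(18, 0))
FRONT = Entry("front", {"mobile", "card"}, {"tap", "onsite_2fa"}, [BUSINESS_HOURS], "maglock")
ALICE = User("alice", {"front"})
```

Returning the denial reason alongside the decision gives the audit reports something more useful to record than a bare failure.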

Manage

Managing a cloud-based access control system includes adding or removing entries, users, credentials, schedules, and alerts using administrative software that syncs automatically with Internet-connected ACUs. Some access control systems can integrate with directory services like Google G Suite and Azure Active Directory, streamlining the management process.

Audit

Administrators can audit access control systems by generating reports for access logs, including both user activity and entry activity. This is useful for general system reviews: ensuring that the system is working as expected and that there are no issues with accessing entries. Reports are also helpful for meeting compliance standards, such as HIPAA, that require a certain level of physical access control.

Mobile Access Control Solution and How It Works

What is Mobile Access Control?

Mobile access control solutions let you use mobile credentials instead of (or in addition to) physical key cards or fobs to unlock doors (or parking gates, turnstiles, or elevators). A mobile credential is a smartphone that, through the use of an access control mobile app, can be used to make unlock requests at access control readers. They’re typically a feature of cloud-based access control systems.

How Mobile Access Control Works

In the access control administrative software, a user is assigned a mobile credential. The user installs the access control mobile app on their smartphone, logs in, and approaches a reader. The user then makes an unlock request using their smartphone - either by tapping a button in the app, holding up the phone to the reader, or by simply touching the reader with their hand while their phone is in their pocket or purse. This request is sent to the ACU through the reader via Bluetooth, or directly to the ACU via WiFi or cellular data. Once the mobile credential is authenticated and authorized, the entry unlocks.

Benefits of Mobile Credentials for Door Access

Mobile credentials offer several benefits:

  • They replace the need for key cards (which are easily shared, lost, or duplicated).
  • They enable the ability to use 2FA and biometric authentication.
  • Convenient features like Remote Unlock mean you don't have to be next to the reader in order to unlock the entry.
  • Easily manage visitors by sharing Guest Access Links, which let visitors unlock doors via web links (without needing to install the mobile app).
  • Touch Entry means you can unlock a door without ever needing to take out your phone.
  • Mobile credentials are fully encrypted, end-to-end, ensuring a higher level of security.

Cost and Application

Mobile credentials are cost-effective, as there's no need to purchase key cards or fobs. They're useful for high traffic offices and buildings, since assigning and revoking credentials is fast and easy. Mobile credentials are also ideal for businesses that want to leverage smart office technology, and can be integrated with legacy access control systems.

Common Misconceptions About Mobile Credentials

There are a few myths surrounding mobile credentials and their capabilities:

  • Mobile credentials are slow

    You might think that mobile credentials are slower than traditional methods, but in fact most doors unlock within milliseconds.

  • Mobile credentials don't work offline

    Openpath's solution is designed to withstand power and Internet outages, meaning mobile credentials work even if there's no WiFi or cellular data.

  • Mobile credentials drain phone batteries

    Even though it runs in the background, the Openpath mobile app is designed with its own battery optimization features, resulting in negligible battery usage.

  • Mobile devices need to be connected to WiFi or paired with the reader

    Mobile credentials work over cellular data and Bluetooth, so WiFi is not required. Additionally, mobile devices do not need to pair with readers for Bluetooth to work – they connect automatically.

Alternatives to Mobile Credentials

For situations where mobile credentials aren't the right fit, or for users who prefer a traditional access method, encrypted key cards and fobs are suitable alternatives. Mobile credentials can also be used as a secondary access method (in addition to a key card or fob), as part of 2FA practices.

Cloud Access Control and How It Works

What is Cloud-based Access Control?

Cloud-based access control uses software hosted on remote servers over the Internet, rather than local servers and dedicated workstations as in a traditional system. This software can be accessed on any web-enabled device and communicates with access control units (ACUs) over the Internet.

How Cloud-based Access Control Works

In a cloud-based access control system, the hardware is installed on site and configured using the cloud software. Users, entries, schedules, and site information are set up in the software and then automatically synced with the ACUs. Similarly, unlock requests and entry status changes are reported to the cloud software in real time. In the case of power and Internet outages, the system will still function but communications between the software and the ACUs will only take place once power and Internet are restored.

Benefits of Cloud-based Access Control

  • Modern security practices

    Cloud access control systems let you take advantage of the latest security practices, including end-to-end encryption, two-factor authentication (2FA), and mobile credentials.

  • Integrate with applications you use every day

    Because the access control software is online, it’s easy to integrate with third-party applications like Slack and G Suite, keeping everything in sync.

  • Scalability

    With a cloud-based system, scalability isn’t an issue because there’s no limit on the number of users or entries you can have in a system. New hires, new tenants, new offices – cloud-based access control is designed to be flexible. Downsizing is also an option, so you only pay for what you need.

  • Manage multiple sites

    Cloud-based access control systems make maintaining multiple sites simple – since everything can be configured in one place and from any device, maintaining remote sites is easy and streamlined.

  • Easier Maintenance

    With a cloud-based access control system, software updates and security patches are rolled out automatically. User-friendly interfaces mean adding users, credentials, and entries is simple and straightforward, reducing the need for a dedicated IT person to handle access control duties.

Cost and Application

Cloud-based door access control solutions typically charge a monthly or yearly fee and are usually priced per door or per user. They're ideal for growing businesses, coworking spaces, and landlord/tenant situations where flexibility is key. Upfront costs are usually lower than traditional server access control systems because less hardware is required.

Legacy vs Cloud-based Access Control: Which One is Better?

Legacy Door Access Control Types

In the access control industry, the term "legacy" generally refers to systems that use old communication protocols, outdated security practices, and traditional credential types like key cards and PIN codes. Legacy access control systems primarily use the Wiegand protocol (also known as the 26-bit card format), which was popularized in the 1980s. Although this technology is still used today, it has fallen out of favor with security experts because it’s a unidirectional protocol (i.e. it can only send information one way, from the reader to the panel), it transmits card data unencrypted, and it is prone to hacking and other security vulnerabilities. Similarly, traditional credentials like key cards and PIN codes are easily lost, shared, or cloned, posing another security risk. Legacy access control systems are commonly seen in older office buildings, where upgrading systems can be arduous due to time, cost, and effort.
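To make "transmits card data unencrypted" concrete, the decoder below parses one frame in the widely used 26-bit layout: a leading even-parity bit, an 8-bit facility code, a 16-bit card number, and a trailing odd-parity bit. It is an added example, not part of the original guide; the function name and the sample frame are constructed for illustration.

```python
def decode_wiegand26(bits: str) -> dict:
    """Decode one 26-bit Wiegand frame given as a string of '0' and '1'."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits")
    b = [int(c) for c in bits]
    # Bit 1 is even parity over the following 12 bits;
    # bit 26 is odd parity over the preceding 12 bits.
    even_ok = (b[0] + sum(b[1:13])) % 2 == 0
    odd_ok = (b[25] + sum(b[13:25])) % 2 == 1
    return {
        # Both fields sit in the frame as plain binary numbers: there is no
        # key, nonce, or signature anywhere in the 26 bits.
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        # Parity only catches transmission errors on the wire; it says
        # nothing about where the frame came from.
        "parity_ok": even_ok and odd_ok,
    }

# Constructed sample frame: facility code 42, card number 12345.
SAMPLE_FRAME = "10010101000110000001110011"

if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
```

The panel's only check on the frame itself is the two parity bits, which is why the bidirectional, encrypted reader links of newer systems are the relevant upgrade.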

There are two major types of legacy access control systems:

  • Server-based
  • Browser-based

Server-based Access Control System

A server-based access control system is one of the oldest types of access control still around today. In this setup, the readers and access control panels are wired to an on-premise server that has access control software installed on it. Optional workstations, which administrators can use to manage the system, can be connected to the server. Server-based systems do not use the Internet; rather, everything communicates over a local area network (LAN) connection.

Browser-based Access Control System

Browser-based access control systems (also known as web-based) are similar to server-based systems but they differ in that the access control software is pre-loaded on the access control unit itself, and then accessed via a web browser. Like a server-based system, everything communicates over a LAN, so an Internet connection is not required.

Cost and Application

The costs associated with a legacy access control system include the following:

  • PCs/servers to host the access control software

    In legacy access control systems, dedicated hardware is required in order to run and manage the access control system. This hardware must be purchased and then maintained throughout the life of the access control system.

  • Additional workstations to manage the access control system

    In addition to the access control server, workstations are often used to make maintaining the system more flexible and remote-friendly. The cost of hardware for additional workstations is especially an issue for large, multi-building sites.

  • Administrative software licenses

    Software that is installed on dedicated servers and workstations often requires individual licenses to operate. Also, major software upgrades might come with additional costs, including any IT resources needed to perform the upgrade.

  • Key cards/fobs

    Key cards and fobs might seem like a small expense, but the upfront cost of providing credentials to employees and tenants is a factor to consider. Also, the cost of replacing lost and stolen credentials can add up quickly.

  • Ongoing maintenance and upgrade costs

    Often, legacy access control systems are maintained by dedicated IT resources, which can be expensive.

Legacy vs. Cloud-based Access Control

There are several challenges associated with legacy access control systems:

  • They're high maintenance

    The main difference between legacy systems and cloud-based systems is that in legacy systems, the software resides on hardware maintained by the end user offline, and in cloud-based systems, it resides in the cloud (i.e. on a remote system of servers) maintained by a third party online.

  • They're not remote-friendly

    In a legacy system, since the access control software can only be accessed over a LAN, that means administrators must use in-network devices in order to make changes to the system, making it difficult to manage remotely.

  • They're less secure

    They typically use outdated security methods, and they're limited in the types of credentials they support: PIN pads, key cards, and fobs.

In contrast, cloud-based systems are designed to be remote-friendly, easy to use, and support mobile credentials and modern security practices like end-to-end encryption and multi-factor authentication (MFA).
