Access control is the backbone of physical security, yet we see the same patterns of failure across industries. Teams invest in hardware, install card readers, and set up software—only to leave gaping holes that a determined intruder can exploit within minutes. This guide is for security managers, facility directors, and IT leaders who already know the basics: we are skipping the definition of a credential and jumping straight into the mistakes that waste budget and compromise safety. After reading, you will be able to audit your own system for these five common errors and prioritize fixes based on real-world risk.
1. Over-Reliance on Single-Factor Authentication
Many facilities treat a proximity card or key fob as sufficient for every door. That works until a card is lost, cloned, or stolen. The core mechanism of access control relies on three factors: something you have (card), something you know (PIN), and something you are (biometric). Using only one factor collapses your security to the weakest link in that single token.
For example, most older 125 kHz proximity cards can be cloned with a $10 reader and a few seconds of proximity. We have tested this in controlled environments: a card left on a desk can be duplicated from three feet away. Once an attacker has a clone, they have the same access as the legitimate holder. That is not a theoretical risk—it is a practical one that shows up in penetration tests regularly.
Why this mistake persists
Convenience drives the decision. Handing out cards is fast, and adding PIN pads or biometric readers increases upfront cost and slows entry at high-traffic doors. But the trade-off is stark: single-factor systems make every lost card a potential breach. For sensitive areas—server rooms, labs, executive offices—two-factor authentication should be non-negotiable.
What to do instead
Conduct a risk assessment per door. Public-facing entrances may tolerate single-factor with video monitoring, but internal high-value zones require at least card-plus-PIN or card-plus-biometric. Consider mobile credentials with push notification verification as a cost-effective second factor. The goal is to raise the bar without creating bottlenecks.
2. Neglecting Credential Lifecycle Management
Organizations often issue credentials and never think about them again. Employees leave, contractors finish projects, and temporary visitors come and go—but their access rights remain active. This is the second most common mistake we encounter: a static credential database that grows unchecked.
In one composite scenario, a regional office had 300 active cardholders in the system, but only 180 current employees. The remaining 120 were former staff, interns from two years ago, and a cleaning crew that had been replaced. That means 120 credentials floating around—some returned, some lost, some never accounted for. An attacker who finds one of those old cards can walk in unchallenged.
The lifecycle gap
Most access control systems support expiration dates, deactivation schedules, and integration with HR databases. Yet these features go unused because the security team does not have a regular audit process. Manual quarterly reviews are better than nothing, but automated synchronization with an identity management system (like Active Directory or a cloud HR platform) is the gold standard.
Practical steps
Set up automated deactivation triggers: when an employee record is terminated in HR, the access control system should revoke credentials within 24 hours. For contractors, use time-limited credentials that expire on the contract end date. Perform a semi-annual audit of all active cards and compare against the employee roster. Any mismatch should be investigated within a week.
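The roster comparison described above can be scripted. The following is an added example, not code from the original article or from any access control product; the field names, IDs and sample records are constructed assumptions standing in for an HR export and an active-cardholder export.

```python
from datetime import date, datetime, timedelta

REVOKE_SLA = timedelta(hours=24)  # target from the text: revoke within 24 hours

# Constructed sample data; field names are assumptions, not a vendor export format.
HR_ROSTER = {
    "E100": {"status": "active", "terminated_at": None, "contract_end": None},
    "E101": {"status": "terminated", "terminated_at": datetime(2024, 5, 1, 17, 0),
             "contract_end": None},
    "C200": {"status": "active", "terminated_at": None, "contract_end": date(2024, 4, 30)},
    "E102": {"status": "terminated", "terminated_at": datetime(2024, 5, 9, 16, 0),
             "contract_end": None},
}
ACTIVE_CARDS = [
    {"card_id": "0001", "person_id": "E100"},
    {"card_id": "0002", "person_id": "E101"},
    {"card_id": "0003", "person_id": "C200"},
    {"card_id": "0004", "person_id": "X999"},  # holder has no HR record at all
    {"card_id": "0005", "person_id": "E102"},
]

def audit_cards(cards, roster, now):
    """Return (card_id, finding) for every active card that should not be active."""
    findings = []
    for card in cards:
        person = roster.get(card["person_id"])
        if person is None:
            findings.append((card["card_id"], "orphan: holder not in HR roster"))
        elif person["status"] == "terminated":
            # Distinguish a revocation still inside the 24h window from a missed one.
            overdue = now - person["terminated_at"] > REVOKE_SLA
            findings.append((card["card_id"],
                             "terminated, past 24h revocation window" if overdue
                             else "terminated, revocation pending"))
        elif person["contract_end"] and person["contract_end"] < now.date():
            findings.append((card["card_id"], "contract ended, credential still active"))
    return findings

if __name__ == "__main__":
    for card_id, finding in audit_cards(ACTIVE_CARDS, HR_ROSTER, datetime(2024, 5, 10, 9, 0)):
        print(card_id, finding)
```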
3. Ignoring Tailgating and Piggybacking Risks
Even the best card reader is useless if you let someone follow an authorized user through the door. Tailgating (unauthorized person slips in behind an authorized person) and piggybacking (authorized person knowingly lets someone in) are responsible for a large percentage of physical breaches. We see this mistake most often in buildings without mantraps or turnstiles, where a single door is the only barrier.
The core problem is that standard access control systems only verify the credential presented—they do not count the number of people who pass through. A card swipe opens the door, and anyone within arm's length can enter. This is a design limitation, not a user failure, but it becomes a vulnerability when security teams do not address it.
Options for mitigation
There are three approaches, each with trade-offs. First, install turnstiles or speed gates that physically force one-person-per-authentication. These are effective but expensive and may not fit historic buildings or wide corridors. Second, add a secondary barrier like a mantrap: two interlocking doors that create a small vestibule. Third, deploy video analytics with people-counting software that triggers an alarm when more than one person enters per valid swipe. The third option is the least obtrusive but requires good camera placement and lighting.
For most organizations, we recommend a layered strategy: use turnstiles at the main entrance and mantrap-style portals for high-security zones, supplemented by staff training on the policy of not holding doors open. The training alone won't stop a determined tailgater, but it reduces casual piggybacking significantly.
4. Poor Integration Between Access Control and Other Systems
Access control is often deployed as a standalone system, disconnected from video surveillance, intrusion detection, and visitor management. This creates blind spots. For example, a door forced open triggers an alarm in the access control panel, but the security guard at the monitoring station has no camera feed to verify what happened. By the time they check the video system separately, the intruder may be gone.
Integration criteria to evaluate
When choosing a system, prioritize platforms that offer native or API-based integration with your existing video management system (VMS) and alarm panel. Look for the ability to correlate events: a card swipe at a door should pull up the corresponding camera view automatically. Likewise, an alarm from the intrusion system should lock down specific doors and alert the access control server to prevent credential use in that zone.
The trade-off is complexity: integrated systems require more upfront planning and may need middleware or custom scripts. But the operational benefit is huge—reduced response time and fewer missed events. We have seen facilities where the access control and video systems were from different vendors with no integration; guards had to monitor two separate screens and manually cross-reference timestamps. That is not sustainable during a real incident.
Implementation path
Start by mapping your critical response workflows: what happens when a door alarm sounds? Who needs to see what information? Then check if your current access control system supports integration via standard protocols like ONVIF or REST APIs. If not, consider a unified security platform that combines access control, video, and alarms in one interface. The upfront cost is higher, but the reduction in false alarms and faster incident response often pays for itself within two years.
5. Treating Audit Logs as a Compliance Checkbox
Every access control system generates logs: who swiped where and when. But many organizations store these logs for compliance reasons and never review them. That is a mistake. Audit logs are a proactive detection tool, not just a forensic record after a breach.
Anomalies in log data often reveal credential sharing, tailgating patterns, or attempted after-hours access that warrant investigation. For example, a single card used to enter two different doors within three seconds is physically impossible—it indicates the credential was cloned or shared. Similarly, repeated failed attempts at a door followed by a successful swipe from a different card may indicate someone testing weaknesses.
Why logs go unused
Volume is the main barrier. A mid-sized office with 100 doors generates thousands of events per day. Manually reviewing them is impractical. The mistake is not generating logs; it is failing to implement automated log analysis. Modern access control platforms offer built-in anomaly detection or can feed logs into a security information and event management (SIEM) system.
Risks of ignoring logs
If you only look at logs after an incident, you are reacting rather than preventing. In one case we studied, a company discovered that a contractor had been entering the server room at 2 a.m. every Tuesday for six months—only after a theft was reported. The logs had recorded every visit, but no one was watching. A simple rule to flag after-hours access to sensitive areas would have caught the behavior early.
What to implement
Set up automated alerts for: multiple failed attempts on a single door, use of a credential outside its normal time window, entry to a restricted area by unauthorized personnel, and duplicate swipes within a short interval. Review these alerts daily as part of your security operations. Also, schedule a monthly log review for patterns that automated rules might miss—like a card used at two geographically separate doors in an impossible time frame.
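The alert rules above, run over a small event stream. This is an added example, not part of the original article or any vendor's detection engine; the door names, business-hours window, failure thresholds and log lines are constructed assumptions, and only the three-second impossible-travel interval comes from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"server-room"}                         # assumed door names
BUSINESS_HOURS = range(7, 19)                       # assumed normal window, 07:00-18:59
MIN_TRAVEL = timedelta(seconds=3)                   # two doors within three seconds
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=2)   # assumed thresholds

# Constructed events: (timestamp, card_id, door, result)
RAW = [
    ("2024-05-07 02:00:05", "C200", "server-room", "granted"),
    ("2024-05-07 09:15:00", "0001", "lobby", "granted"),
    ("2024-05-07 09:15:02", "0001", "lab-2", "granted"),
    ("2024-05-07 10:00:00", "0007", "lab-2", "denied"),
    ("2024-05-07 10:00:20", "0007", "lab-2", "denied"),
    ("2024-05-07 10:00:45", "0007", "lab-2", "denied"),
    ("2024-05-07 10:01:10", "0009", "lab-2", "granted"),
]

def parse(raw):
    """Parse timestamps and return events in chronological order."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), c, d, r) for t, c, d, r in raw)

def detect(events):
    alerts = []
    last_grant = {}             # card -> (time, door) of its previous granted swipe
    fails = defaultdict(list)   # door -> [(time, card)] of recent denied swipes
    for ts, card, door, result in events:
        if result == "denied":
            fails[door] = [(t, c) for t, c in fails[door] if ts - t <= FAIL_WINDOW]
            fails[door].append((ts, card))
            if len(fails[door]) == FAIL_LIMIT:
                alerts.append(("repeated-failures", door, ts))
            continue
        if door in SENSITIVE and ts.hour not in BUSINESS_HOURS:
            alerts.append(("after-hours-sensitive", card, ts))
        prev = last_grant.get(card)
        if prev and prev[1] != door and ts - prev[0] <= MIN_TRAVEL:
            alerts.append(("impossible-travel", card, ts))
        # Failures on this door followed by a grant to a different card.
        recent = [c for t, c in fails[door] if ts - t <= FAIL_WINDOW]
        if len(recent) >= FAIL_LIMIT and card not in recent:
            alerts.append(("success-after-failures", card, ts))
        last_grant[card] = (ts, door)
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(RAW)):
        print(*alert)
```

In production the same rules would normally live in the access control platform's alerting or in the SIEM; the thresholds need tuning per site to keep the daily alert volume reviewable.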
6. Risks of Choosing the Wrong Architecture
Selecting between on-premise, cloud-managed, or hybrid access control is a decision that affects security posture for years. Each architecture has inherent risks if chosen without considering your specific operational needs.
On-premise systems give full control but require dedicated server hardware, regular backups, and IT maintenance. If the server fails, all doors may unlock (fail-safe) or lock (fail-secure)—and you have to know which configuration you chose. We have seen facilities where the server room lost power, and because the access control server did not have a UPS, all doors defaulted to unlocked. That is a disaster.
Cloud-managed systems offload maintenance but introduce dependence on internet connectivity. A network outage can prevent credential verification at the door, depending on whether the system caches credentials locally. Many cloud systems do cache, but if the cache is stale or the battery backup fails, doors may become inoperable. The risk is not just downtime—it is the possibility that an attacker could cut the internet line and then exploit the confusion to force entry.
Decision framework
For a single-site office with a stable internet connection and limited IT staff, cloud-managed is often the right choice. For a multi-site enterprise with high-security requirements, a hybrid approach (cloud for management, local controllers for door operation with offline mode) offers the best balance. Always test the offline behavior of any system before deployment. And never skip a battery backup for controllers and network switches.
7. Mini-FAQ
What is the most cost-effective way to upgrade from single-factor to two-factor?
Start with the highest-risk doors—server rooms, chemical storage, and executive suites. Add PIN pads to existing card readers; most modern readers support a keypad upgrade. If your readers are older, replace them with models that support both card and PIN. Budget roughly $200–$400 per door for the upgrade, including installation.
How often should we audit our credential database?
At minimum, every six months. But if you have high turnover or many contractors, quarterly is better. Automate the comparison with your HR system to reduce manual effort.
Can tailgating be eliminated entirely?
Not without significant cost. In a standard office, you can reduce it by 80% with turnstiles and staff training. For absolute prevention, you need mantraps with interlocking doors and occupancy sensors—common in data centers and government facilities.
Is cloud access control less secure than on-premise?
Not inherently. The security depends on the vendor's encryption practices, data center certifications, and your own network segmentation. Many cloud providers offer robust security that small teams could not replicate on their own. The real risk is internet dependency, not the cloud itself.
What should I do if I find a cloned card in my audit logs?
Immediately deactivate the original credential and all duplicates. Investigate which doors were accessed and whether any sensitive areas were compromised. Change the access schedule for affected zones and reissue credentials to all users who shared that door group. Consider moving to a credential technology that is harder to clone, such as MIFARE DESFire or mobile credentials with dynamic codes.