What is an access control system?

An access control system is the hardware and software that decides who can open which door, when, and produces a record of every attempt. The core parts are credentials (what the user presents), readers (what reads the credential), controllers (what makes the decision), and software (where you manage users and audit events).

Are mobile credentials more secure than physical fobs?

Modern mobile credentials use encrypted Bluetooth or NFC and are generally more secure than legacy 125 kHz fobs, which can be cloned cheaply. They also remove the lost-fob problem. The trade-off is dependency on the user's phone being charged and the staff member having installed the app, which doesn't suit every workforce.

Do I need biometrics?

Biometrics are right when you need to be certain the credential matches the person, typically for high-risk doors like server rooms, cash rooms, or restricted plant. They add cost and privacy obligations under Queensland and Federal law. Most businesses don't need biometrics on every door, only on the few that warrant the extra friction.

How long does access control installation take?

For a single tenancy with three to five doors, a competent installer can complete cabling, hardware fit, and commissioning in two to four days. Larger sites, sites with structured cabling already in place, or sites needing fire-door interface work take proportionally longer. The longest part is usually decision-making about user policies, not the install itself.

Access control systems explained: fobs, mobile credentials, biometrics

For most Queensland businesses, modern encrypted fobs or mobile credentials on a cloud-managed controller cover 90% of the requirement at sensible cost. Biometrics are appropriate on a small number of high-risk doors (server rooms, cash rooms, restricted plant) rather than across the whole site. The choice of credential matters less than the policies around it: who can enrol users, how quickly access is removed when a staff member leaves, and how often the audit log is actually reviewed.

The four parts of every access control system

Strip away the marketing and every system has the same four parts:

Credential: what the user presents (fob, card, phone, fingerprint, face).
Reader: what reads the credential at the door.
Controller: the brain that decides yes or no, sitting between the reader and the door lock.
Software: where you add and remove users, set schedules, and review the audit log. Most modern systems run this in the cloud.

When you compare systems, compare them on these four parts rather than on the brand label.

Credential options, in plain English

Legacy 125 kHz fobs

The black plastic fobs many older buildings still use. Cheap, simple, and easy to clone. A $30 device from the internet will copy one in under a minute. Fine for low-risk internal doors. Not fine for the front door of a business that holds anything valuable.

Encrypted smart cards or fobs (13.56 MHz, e.g. MIFARE DESFire)

The current default for serious commercial systems. Encrypted, much harder to clone, durable, no battery, no phone dependency. Works for any workforce because everyone can carry a fob.

Mobile credentials

The credential lives in an app on the user's phone, presented via Bluetooth or NFC. Better security than legacy fobs, removes the lost-fob administration problem, and lets you enrol or revoke users remotely. The trade-off is that the user needs a charged phone with the app installed. Workforces with shared devices, casual staff, or contractors are harder to cover with mobile-only.

PIN codes

Cheap and universal but the weakest credential, because PINs get shared. Use as a second factor (card + PIN) for high-risk doors rather than as the sole credential anywhere meaningful.

Biometrics (fingerprint, face, palm vein)

The credential is the person. Fingerprint is the most common and lowest cost. Face recognition has matured significantly and works well in good lighting. Biometrics add real cost, add privacy obligations under the Australian Privacy Principles, and add friction. Worth it on the doors that need certainty, not on the front door.

Cloud vs on-premise software

Most current systems run their management software in the cloud, with a small local controller at the site that keeps doors working if the internet drops. Cloud-managed systems give you remote user management, faster software updates, and integration with HR systems for auto-revoke when someone leaves.

On-premise systems still exist and make sense for very large estates with strict data-residency requirements or no reliable connectivity. For most businesses, cloud is the default.

Integrations that earn their keep

CCTV: every access event tagged to a camera frame. Lifesaver for incident investigation. See CCTV & surveillance.
Alarm system: last-out arms the alarm, first-in disarms it. Reduces false alarms and the response charges that come with them.
HR / payroll: when an employment record ends, access is revoked automatically. Removes the single biggest cause of orphaned credentials.
Visitor management: pre-issued mobile credentials for visitors with a time-bound expiry.

What we recommend asking your installer

Is the controller open-protocol (OSDP) or proprietary? Open protocol protects you from being locked into one vendor's hardware.
Where does the audit log live and how long is it retained?
What happens if your internet goes down? (Doors must keep working.)
What's the cost to add a new door in two years' time? (Some systems hide their margin in expansion.)
What's the credential cost per user per year? (Mobile credentials sometimes carry per-user fees.)

The policy layer matters more than the hardware

The most expensive system in the world won't help you if the offboarding process takes a week to remove a leaving employee's credential, or if half the staff prop the back door open. The hardware enables policy. It doesn't replace it.

Three policies worth writing down: who can enrol new users, how access is revoked within 24 hours of a staff change, and how often a named person reviews the audit log for anomalies.

How we work on access control briefs

We're security firm first and integrator second. We design the system around your operational risk, source the right hardware from established Australian distributors, install and commission, and write the user policy alongside the install. For larger or more complex jobs we work alongside specialist integrators. More on access control and security consulting.

Common job locations: Brisbane CBD, Milton, Fortitude Valley, Ipswich. Related read: choosing a CCTV installer in Ipswich.

Get a written scope

Tell us about the doors, the user count, and the workflows you need to support. We'll come back with a written scope and a fixed price. Request a site visit → or call 0414 829 850.

Published 21 May 2026 · Anthony Tupper, Founder · Tupper Security Services holds Queensland Security Firm Licence (Class 1) #4572076.