Buying Guide · Credentials
Credential selection for commercial access control.
A security-tier walkthrough for picking the right credential technology — 125 kHz prox, 13.56 MHz smart cards, mobile credentials, and biometric overlays. The clone-resistance trade-offs, the platform constraints, and the credential migration patterns that work.
01 / Credential Tech Comparison
Five categories. Different threat models.
Credential    Frequency  Clone risk   Encryption     Typical use
────────────  ─────────  ───────────  ─────────────  ───────────────────────────
125 kHz prox  125 kHz    High         None           Legacy commercial
HID iCLASS    13.56 MHz  Medium       Proprietary    Legacy 13.56 deployments
MIFARE Cls.   13.56 MHz  Medium-High  Broken (2008)  Avoid for new installs
DESFire EV2   13.56 MHz  Very Low     AES-128        New commercial default
DESFire EV3   13.56 MHz  Very Low     AES-128 +      Higher-security commercial
iCLASS SE     13.56 MHz  Very Low     Seos / AES     HID-platform deployments
Mobile Cred   NFC/BLE    Very Low     Cert-based     Modern hybrid
Biometric     n/a        Very Low     n/a            Two-factor overlay
125 kHz prox is cheap and ubiquitous but trivially cloneable with $10 readers off Amazon. For any new commercial install on a security spec, the default is DESFire EV2 or higher.
02 / Clone Resistance Matters
Why prox needs to die.
A 125 kHz prox card can be cloned in under 5 seconds with a handheld reader-writer ($30 on any marketplace). The cloned card is indistinguishable to the access controller. The threat model:
- Lost prox cards mean lost site security. Re-issuing every card is expensive.
- Insider threats can clone shared cards without leaving a trace in the access log.
- Investigators (and security auditors) increasingly flag prox as a residual risk on annual reviews.
- Many cyber-insurance carriers now require modern credentials as a condition of access-related coverage.
DESFire EV2/EV3 use AES-128 with mutual authentication — cloning requires breaking AES, which isn’t a $30 attack. For any door protecting valuables, IP, or sensitive areas, the credential upgrade pays for itself the first time you avoid an insider incident.
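To make the difference concrete, here is an added model (not vendor code and not part of the original guide) of a static-identifier reader next to a keyed challenge-response reader. It assumes HMAC-SHA256 as a stand-in for the card's AES-128 primitive, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def mac(key, *parts):
    # Stand-in for the card's AES-128 primitive (assumption: HMAC-SHA256 is
    # used only because it is in the Python standard library).
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class ProxCard:
    """125 kHz model: returns the same identifier on every read."""
    def __init__(self, card_id):
        self.card_id = card_id
    def read(self):
        return self.card_id

class KeyedCard:
    """Keyed model: holds a secret and answers fresh challenges with it."""
    def __init__(self, key):
        self._key = key
    def respond(self, reader_nonce):
        card_nonce = secrets.token_bytes(16)
        return card_nonce, mac(self._key, b"card", reader_nonce, card_nonce)
    def accepts_reader(self, card_nonce, reader_proof):
        expected = mac(self._key, b"reader", card_nonce)
        return hmac.compare_digest(expected, reader_proof)

class Replay:
    """A copy holding only bytes observed in one earlier session, no key."""
    def __init__(self, card_id=None, transcript=None):
        self.card_id, self._transcript = card_id, transcript
    def read(self):
        return self.card_id
    def respond(self, reader_nonce):
        return self._transcript  # stale (card_nonce, proof) pair

def prox_reader_accepts(device, enrolled_id):
    # The reader has nothing to check except the identifier itself.
    return device.read() == enrolled_id

def keyed_reader_accepts(device, key):
    nonce = secrets.token_bytes(16)  # fresh per transaction
    card_nonce, proof = device.respond(nonce)
    expected = mac(key, b"card", nonce, card_nonce)
    return hmac.compare_digest(expected, proof)

def reader_proof(key, card_nonce):
    # Second half of mutual authentication: the reader proves key knowledge.
    return mac(key, b"reader", card_nonce)
```

The prox reader accepts any device that presents the enrolled identifier, while the keyed reader rejects a stale transcript because its proof was computed over a different nonce.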
03 / Mobile Credentials
Convenient. Not always cheaper.
Phone-based credentials (HID Mobile Access, Brivo Mobile Pass, ProDataKey Mobile, Kantech Connect) trade a physical card for a smartphone app. Practical considerations:
- Recurring per-user fees — typically $5-15/user/year. At scale this exceeds card costs.
- Reader compatibility — must support NFC and/or BLE. Older readers won’t work.
- Phone management — what happens when an employee replaces their phone or loses it. Most platforms handle this cleanly via admin re-issue, but the workflow needs documentation.
- Battery dependency — dead phone = no access. Modern phones have battery share / lockout fallback, but operations need to know.
- Acceptance varies by workforce — many union shops resist phone-on-employer policies. Plan for hybrid (cards + mobile) deployment.
Modern best practice: support BOTH cards AND mobile credentials at the reader level. Issue cards as the primary credential and mobile as a convenience option. This reduces friction without forcing the workforce onto phones.
04 / Migration Patterns
Moving off legacy prox without re-issuing 500 cards in a week.
Most credential upgrades happen in phases, not flag-day cutovers. Practical migration patterns:
- Multi-tech readers — install readers that accept BOTH old prox and new DESFire (HID multiClass SE, ZK MR series). Run both credential types in parallel during transition.
- Tiered rollout — issue new credentials to senior staff and high-security area users first. Most-frequent users migrate first.
- Decommission by area, not by date — close out old prox at the controller level once a given area is fully migrated. Avoids the “card stopped working today” support spike.
- Maintain old prox on legacy doors — some doors (utility closets, mechanical rooms) can keep old credentials longer if the threat model justifies it. Don’t force the upgrade everywhere.
- Document the migration plan — when auditors ask about credential security 18 months later, you want a documented timeline, not “we got around to it eventually.”
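One way to drive the "decommission by area" decision from data, as an added example that is not part of the original guide: a readiness check over exports from the head-end. The user names, area names, credential labels and log rows are constructed, and the export format is an assumption.

```python
from collections import defaultdict

LEGACY = {"prox"}                                   # types being retired
MODERN = {"desfire_ev2", "desfire_ev3", "mobile"}   # types that replace them

# Constructed sample data: credentials held per user, users per area.
HOLDINGS = {
    "alice": {"prox", "desfire_ev2"},
    "bob":   {"prox"},
    "carol": {"desfire_ev3", "mobile"},
    "dave":  {"desfire_ev2"},
}
AREA_USERS = {
    "server_room": {"alice", "carol"},
    "warehouse":   {"alice", "bob", "dave"},
    "mech_closet": {"bob"},
    "lab":         {"carol", "dave"},
}
# Constructed recent badge log: (area, user, credential type presented).
RECENT_READS = [
    ("server_room", "alice", "prox"),
    ("server_room", "carol", "desfire_ev3"),
    ("warehouse", "dave", "desfire_ev2"),
    ("warehouse", "bob", "prox"),
    ("lab", "carol", "mobile"),
]

def area_readiness(holdings, area_users, recent_reads):
    """Classify each area as ready, in_use or blocked for prox shut-off."""
    legacy_reads = defaultdict(set)
    for area, user, cred in recent_reads:
        if cred in LEGACY:
            legacy_reads[area].add(user)
    report = {}
    for area, users in area_users.items():
        # Users with no modern credential would be locked out by a shut-off.
        no_modern = sorted(u for u in users if not holdings.get(u, set()) & MODERN)
        # Users who hold a modern credential but still badge in with prox.
        still_using = sorted(legacy_reads[area] - set(no_modern))
        if no_modern:
            status = "blocked"
        elif still_using:
            status = "in_use"
        else:
            status = "ready"   # prox can be disabled at the controller here
        report[area] = {"status": status, "needs_issue": no_modern,
                        "still_on_prox": still_using}
    return report
```

Saving each run's report alongside the date gives the documented timeline the last bullet asks for.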
05 / Platform Pairing Notes
Credentials match the head-end.
Most access platforms support multiple credential technologies but optimize for specific ones. Pairing notes:
- Kantech EntraPass — supports HID prox, iCLASS, DESFire, Kantech Mobile. Default to DESFire for new installs.
- Lenel OnGuard — broad credential support; HID iCLASS SE and DESFire are common defaults for new deployments.
- HID-native platforms — Mercury Security, ICT — strongest with HID iCLASS SE / Seos. Mobile Access via HID Origo.
- ProDataKey — cloud-native; supports DESFire and ProDataKey Mobile out of the box.
- ZK Teco — DESFire EV2 native; cost-effective for high-volume DESFire deployments.
For the full reader/controller spec walkthrough, see the access control buying guide.
Credential Spec Review
Planning a credential upgrade?
Send the existing head-end, current credential type, user count, and security tier requirement. We come back with a migration plan, compatible credentials, and rollout sequencing before the order ships.