Can prox cards really be cloned?

Yes. Low-frequency 125 kHz prox cards (HID Prox II, EM4100) clone in under 10 seconds with a $30 Flipper Zero or Proxmark device held near a legitimate card in an elevator or coffee shop. High-frequency 13.56 MHz cards with site-specific encryption (HID iCLASS SE, MIFARE DESFire EV3) stay defensible with proper key management. Most legacy buildings still run the older cards because nobody upgraded the readers.

What is tailgating and why does AI care about it?

Tailgating is when an unauthorized person walks in behind someone with a valid badge. It bypasses every credential because the door already opened. Camera analytics count people through the entry; if two go in on one swipe, the system flags it. Verkada, Avigilon Alta, and Genetec do this on their own cameras; Intenseye and Dragonfruit AI do it as a camera-agnostic overlay on cameras the customer already owns. The signal is most useful at high-sensitivity zones (server rooms, pharmacies, finance offices), less useful at a busy front lobby where the noise floor is high.

How do mobile credentials work in practice?

The credential is provisioned to the employee's phone over the air from the admin console. The employee taps the phone to the reader, which checks the credential against the cloud or local controller, and the door unlocks. Most platforms (HID Origo, Avigilon Alta, Brivo Mobile Pass, Kisi, Genetec Synergis Cloud) support both the vendor's app and Apple Wallet or Google Wallet on newer readers. Where personal phones aren't allowed (production floors, secure facilities), run hybrid: badges on the floor, mobile in the office.

Does mobile credentialing cost more than prox?

Per credential, no. Mobile is usually cheaper because there's no plastic to print, mail, and replace. The reader is the cost: $400 to $900 per door for mobile-capable versus $200 to $500 for prox-only. Cloud platform fees match legacy access control at $50 to $150 per credentialed user per year. Swap readers as they age out, not as a forklift project. Mobile readers are backwards-compatible with prox cards, so the existing badge stack keeps working.

How do we keep former employees from accessing the building after they leave?

Webhook integration with the HR system, not a quarterly audit. Access platforms (Brivo, Avigilon Alta, Kisi, Genetec, HID) expose REST APIs and webhook endpoints that fire when an HR system marks someone terminated. Workday, BambooHR, ADP, and Rippling all support outbound webhooks. The credential gets revoked the same hour, not next quarter. PCI-DSS, HIPAA, and FTC Safeguards assessors look for this evidence; a stale credential list is the most common audit finding in mid-market security reviews.

Access control

Access control in 2026: why keycards aren't enough

Keycards run most office buildings, and most of them use credentials that clone in seconds with hobbyist gear. The 2026 fix isn't ripping out plastic. It's adding three layers: mobile credentials tied to a person not a card, identity verification at the reader so a swipe matches a face, and searchable cloud audit logs. Mid-market buyers run hybrid: existing prox on internal doors, mobile credentials with biometric step-up at the front door and any regulated zone, and HR-system integration that revokes credentials the day someone leaves.

Get the details

or reach us directly

Call us855-577-0400

Free

How can we help?

Tell us what you're working through. We read every note and follow up.

The three failure modes every plastic credential shares

A keycard says "let this person through." It can't tell whether the person tapping it is the one it was issued to. It can't refuse to work after that person leaves. It can't notice when two people walk through on one swipe. Every fix in modern access control is a workaround for one of those three gaps.

Cloning. The 125 kHz prox cards that run most office buildings clone in under 10 seconds with a $30 Flipper Zero or Proxmark device. An attacker holds the gear near a legitimate card in an elevator or a coffee shop and walks out with a working duplicate.

Stale credentials. Most mid-market organizations don't revoke a former employee's badge the day they leave. The HR system marks the person terminated, IT disables their email, and the access system sits with an active credential for weeks until a quarterly audit runs. PCI-DSS, HIPAA, and FTC Safeguards assessors flag this constantly.

Tailgating. The legitimate badge holder walks through; an unauthorized person follows. The door opens and closes once, no log entry. Without camera analytics counting people through the entry, the system never sees it.

Tailgating: the AI case that's actually real

Most "AI security" claims dissolve under inspection. Tailgating detection holds up. The camera at the entry counts people through; if two badged on one swipe, the system flags it.

It earns its cost at server rooms, pharmacies, finance offices, IT closets, and any zone where an unauthorized entry is expensive enough that a guard would be the alternative. A flagged tailgate at 2 AM at the server room door is a signal worth investigating. It doesn't earn its cost at a busy front lobby at 9 AM, where the model fires constantly, staff ignore the alerts, and the system devolves into noise. Use it for high-stakes zones, not every door.

Migration: hybrid, not forklift

Don't rip out everything that works. The smart play is hybrid: existing prox stays on internal doors where the threat model is low, mobile credentials with biometric step-up go on the front door and any regulated zone, and the cloud platform unifies the logs. That cloud side migrates first because it's a software change, not hardware.

Mobile readers are backwards-compatible with prox cards on every major platform, so the migration happens at the reader-replacement cycle (typically 7 to 10 years). New buildings and tenant fit-outs go straight to mobile. Existing buildings stay hybrid until the readers age out.

Common questions

Frequent buyer questions

Can prox cards really be cloned?: Yes. Low-frequency 125 kHz prox cards (HID Prox II, EM4100) clone in under 10 seconds with a $30 Flipper Zero or Proxmark device held near a legitimate card in an elevator or coffee shop. High-frequency 13.56 MHz cards with site-specific encryption (HID iCLASS SE, MIFARE DESFire EV3) stay defensible with proper key management. Most legacy buildings still run the older cards because nobody upgraded the readers.
What is tailgating and why does AI care about it?: Tailgating is when an unauthorized person walks in behind someone with a valid badge. It bypasses every credential because the door already opened. Camera analytics count people through the entry; if two go in on one swipe, the system flags it. Verkada, Avigilon Alta, and Genetec do this on their own cameras; Intenseye and Dragonfruit AI do it as a camera-agnostic overlay on cameras the customer already owns. The signal is most useful at high-sensitivity zones (server rooms, pharmacies, finance offices), less useful at a busy front lobby where the noise floor is high.
How do mobile credentials work in practice?: The credential is provisioned to the employee's phone over the air from the admin console. The employee taps the phone to the reader, which checks the credential against the cloud or local controller, and the door unlocks. Most platforms (HID Origo, Avigilon Alta, Brivo Mobile Pass, Kisi, Genetec Synergis Cloud) support both the vendor's app and Apple Wallet or Google Wallet on newer readers. Where personal phones aren't allowed (production floors, secure facilities), run hybrid: badges on the floor, mobile in the office.
Does mobile credentialing cost more than prox?: Per credential, no. Mobile is usually cheaper because there's no plastic to print, mail, and replace. The reader is the cost: $400 to $900 per door for mobile-capable versus $200 to $500 for prox-only. Cloud platform fees match legacy access control at $50 to $150 per credentialed user per year. Swap readers as they age out, not as a forklift project. Mobile readers are backwards-compatible with prox cards, so the existing badge stack keeps working.
How do we keep former employees from accessing the building after they leave?: Webhook integration with the HR system, not a quarterly audit. Access platforms (Brivo, Avigilon Alta, Kisi, Genetec, HID) expose REST APIs and webhook endpoints that fire when an HR system marks someone terminated. Workday, BambooHR, ADP, and Rippling all support outbound webhooks. The credential gets revoked the same hour, not next quarter. PCI-DSS, HIPAA, and FTC Safeguards assessors look for this evidence; a stale credential list is the most common audit finding in mid-market security reviews.

→ Keep reading

Bring us your door schedule. We'll bring the gap list.

Free working session with the Tec-Tel team. Door-by-door walk, a clear picture of gaps against your actual threat model, vendor-neutral cost band per door.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.
Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Get the details 855-577-0400

Or send the details

How can we help?

What you're looking for, plus any details. We review it and follow up, usually the same day.

Access control in 2026: why keycards aren't enough

How can we help?

The three failure modes every plastic credential shares

Tailgating: the AI case that's actually real

Migration: hybrid, not forklift

Frequent buyer questions

Access control systems explained

Vendor comparison matrix

Compliance quick reference

Bring us your door schedule. We'll bring the gap list.

How can we help?