You've been tasked with securing the back door of your workshop, or maybe you're outfitting a new co-working space with keycard access. The options feel endless: cloud vs. on-prem, RFID vs. Bluetooth, electric strikes vs. magnetic locks. This guide cuts through the noise. We'll walk through the decisions you'll actually face when building your first access control system, from picking a credential type to planning for maintenance. Think of it as a field manual—not a sales pitch.
Where Access Control Shows Up in Real Work
Access control isn't just for corporate headquarters. We've seen it deployed in small medical offices to restrict medication storage, in warehouses to separate shipping docks from inventory areas, and in shared studio spaces where each tenant gets a different door code. The common thread: someone needs to know who entered which door at what time.
In a typical project, you might start with a single door—say, a side entrance that currently uses a physical key. The immediate goal is convenience: no more cutting keys or rekeying when an employee leaves. But soon the conversation expands. What about the server room? The supply closet? The rooftop access? This is where the ecosystem metaphor becomes useful. Each door is a node, and the controller (or cloud service) is the brain. The wiring, the locks, the credentials—they all need to speak the same language.
We've seen teams succeed by starting small but planning for growth. Choose a controller that supports at least 8 doors even if you only wire one now. The hardware cost difference is often less than the labor of swapping a controller later. Similarly, pick a credential format that's widely supported—like 125 kHz proximity cards or 13.56 MHz smart cards—so you're not locked into one brand.
Common Entry Points
Most first-time systems protect one or two of these: a main employee entrance, a back door, a sensitive room (server closet, chemical storage), or a parking gate. Map your needs before shopping. You'll save money on hardware you don't need and avoid buying a system that can't grow.
Who This Guide Is For
This is for facility managers, small business owners, IT generalists, and anyone who's been handed the keys—literally—and told to "fix the door situation." You don't need to be an electrician or a network engineer. You do need to ask the right questions of vendors and installers. That's what this blueprint provides.
Foundations That Often Get Confused
Let's clear up a few terms that trip up first-time buyers. Controller vs. reader: the reader is the thing you tap your card on; the controller makes the decision to unlock. In many modern systems, the reader and controller are combined in one unit, but understanding the separation helps when troubleshooting. Fail-safe vs. fail-secure: fail-safe locks unlock when power is lost (important for fire exits); fail-secure locks stay locked (good for high-security areas). Get this wrong, and you could block an emergency exit.
Another common mix-up: credential type matters far more than most beginners realize. Proximity cards (125 kHz) are cheap and simple but offer no encryption—they can be cloned with a $20 reader. Smart cards (13.56 MHz) like MIFARE offer encryption and can store multiple credentials. Mobile credentials (Bluetooth or NFC) add convenience but depend on phone batteries and app compatibility. Biometrics (fingerprint, face) are the most secure but also the most finicky—dirty sensors, wet hands, and software updates can lock people out.
Wired vs. Wireless: Not a Simple Choice
Wired systems (RS-485, Power over Ethernet) are reliable and don't need battery changes. But running cable through finished walls is expensive. Wireless locks (Zigbee, Wi-Fi, Bluetooth) are easier to retrofit but require battery changes every 6–12 months and can suffer from signal interference. Many practitioners recommend a hybrid: wire the controller and use wireless for doors that are hard to reach.
Cloud vs. On-Prem: What It Means Day-to-Day
Cloud-managed systems (like those from Brivo or Kisi) handle the controller logic off-site. You manage users through a web portal. On-prem systems (like Lenel or Mercury boards) keep everything local. Cloud systems are easier to set up and update, but they depend on internet connectivity. If your internet goes down, some cloud systems can cache credentials locally; others go into a fail-secure or fail-safe mode depending on configuration. On-prem systems give you full control but require IT knowledge to maintain servers and software updates. For a first system with fewer than 10 doors, cloud is usually the simpler path.
Patterns That Usually Work
After reviewing dozens of setups, a few patterns consistently deliver good results for first-timers. First, start with a single-door controller that can scale. Many brands offer a 1-door board that can be daisy-chained with additional boards later. This lets you learn the software and wiring without a huge upfront investment.
Second, use the same credential format across all doors. Mixing 125 kHz cards for one door and mobile credentials for another creates confusion. Pick one primary credential (we recommend 13.56 MHz smart cards for their balance of cost and security) and stick with it. You can always add mobile as a secondary option later.
Third, plan for the access schedule. Most systems allow you to set time schedules—e.g., only allow entry during business hours. This is one of the biggest benefits of an electronic system. But we've seen teams create overly complex schedules that frustrate employees. Start simple: one schedule for weekdays, one for weekends, and a few exceptions for cleaning staff.
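The simple schedule set described above (weekdays, weekends, one cleaning exception), as an added example that is not from the original guide or any vendor's software. The hours, group names and night-shift window are assumptions; the point is the deny-by-default check and the window that crosses midnight, which is where hand-built schedules usually go wrong.

```python
from datetime import datetime, time

# Constructed policy (assumption): windows are (weekdays Mon=0..Sun=6, start, end).
# A window whose end is earlier than its start crosses midnight.
SCHEDULES = {
    "weekday": [({0, 1, 2, 3, 4}, time(7, 0), time(19, 0))],
    "weekend": [({5, 6}, time(9, 0), time(17, 0))],
    "cleaning": [({0, 2, 4}, time(22, 0), time(2, 0))],  # Mon/Wed/Fri night shift
}
GROUPS = {
    "staff": ["weekday"],
    "manager": ["weekday", "weekend"],
    "cleaning": ["cleaning"],
}

def window_allows(days, start, end, when):
    """True if `when` falls inside one window; the end time is exclusive."""
    t, day = when.time(), when.weekday()
    if start <= end:
        return day in days and start <= t < end
    if t >= start:                      # before midnight: shift starts today
        return day in days
    if t < end:                         # after midnight: shift started yesterday
        return (day - 1) % 7 in days
    return False

def is_allowed(group, when):
    """Deny by default: unknown groups and unmatched times get no access."""
    for name in GROUPS.get(group, []):
        for days, start, end in SCHEDULES[name]:
            if window_allows(days, start, end, when):
                return True
    return False

if __name__ == "__main__":
    # 2024-03-04 is a Monday; 01:30 on Tuesday still belongs to Monday's shift.
    print(is_allowed("cleaning", datetime(2024, 3, 5, 1, 30)))
```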
A Typical Small Office Setup
Imagine a 10-person office with two entry doors and a server room. A common workable pattern is: two wireless locks on the entrances (to avoid trenching through concrete), a wired lock on the server room (for reliability), and a cloud controller that manages all three. Credentials are 13.56 MHz key fobs for everyone. The server room also has a keypad override in case the network goes down. Total hardware cost: around $1,500–$2,500, plus installation. The cloud subscription runs about $30–$50 per month.
When to Use PoE Locks
Power over Ethernet (PoE) locks are a newer pattern that works well when you have network cabling already in place. The lock gets both power and data over a single Ethernet cable. They're easy to install and manage, but they require a PoE switch and careful planning of cable runs (max 100 meters). For retrofit projects, PoE is often cleaner than running separate power and data cables.
Anti-Patterns and Why Teams Revert
Not every access control project goes smoothly. Here are the anti-patterns we see most often.
Over-engineering the first door: buying a 16-door enterprise controller for a single back door. The complexity of the software overwhelms the team, and the system ends up unused. Start small; you can always upgrade.
Ignoring fail-safe/fail-secure requirements: installing a fail-secure lock on a fire exit is a code violation and a safety hazard. Check local building codes before ordering hardware. Many installers have learned this the hard way after a fire marshal inspection.
Choosing a proprietary ecosystem: some manufacturers lock you into their own cards, readers, and software. If they go out of business or discontinue a product, you may have to replace everything. Stick with open standards (Wiegand, OSDP, MIFARE) and controllers that support multiple reader brands. OSDP is increasingly favored over Wiegand because it's encrypted and more secure.
Underestimating battery drift: wireless locks that report low battery often give false alarms. We've read accounts of teams replacing batteries monthly because the reporting threshold was set too conservatively. Test your specific lock's battery behavior before deploying at scale. Schedule quarterly battery checks rather than relying solely on alerts.
The "Set and Forget" Trap
Many teams install the system, add users, and then never touch the software again. But access control needs ongoing attention: removing former employees, updating schedules, applying firmware patches. A system that's not maintained becomes a security liability—old credentials never expire, and vulnerabilities go unpatched. Assign someone to review the user list monthly.
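One way to run the monthly user review, as an added example that is not from the original guide: compare the access system's user export against the current staff roster and flag credentials that should not still be live. The CSV columns, names and the 90-day threshold are assumptions, and the data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample export (assumption: your system can export these columns).
ACCESS_EXPORT = """name,credential_id,enabled,last_used
Ana Ruiz,F-1001,yes,2024-05-28
Ben Cho,F-1002,yes,2024-01-10
Cleo Diaz,F-1003,yes,2024-05-30
Visitor HVAC,F-1004,yes,2024-04-02
Dev Patel,F-1005,no,2023-11-15
Eli Fox,F-1006,yes,
"""
# Constructed roster of current staff, lower-cased for matching.
HR_ACTIVE = {"ana ruiz", "ben cho", "eli fox"}

def audit(export_csv, active_staff, today, stale_days=90):
    """Return enabled credentials that are orphaned or stale."""
    report = {"orphaned": [], "stale": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "yes":
            continue  # already deactivated, nothing to do
        cid = row["credential_id"]
        # Orphaned: still enabled, but the holder is not on the roster
        # (former employee, or a visitor badge that was never revoked).
        if row["name"].strip().lower() not in active_staff:
            report["orphaned"].append(cid)
        # Stale: never used, or not used within the threshold.
        last = row["last_used"].strip()
        if not last or (today - date.fromisoformat(last)).days > stale_days:
            report["stale"].append(cid)
    return report

if __name__ == "__main__":
    for kind, ids in audit(ACCESS_EXPORT, HR_ACTIVE, date(2024, 6, 1)).items():
        print(kind, ids)
```

In the sample, F-1003 is the case to worry about: the holder is off the roster but the credential was used two days before the review date.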
Maintenance, Drift, and Long-Term Costs
Maintenance is the part of access control that catches first-time buyers off guard.
Hardware drift: magnetic locks lose holding force over time as the magnet and armature plate wear. Electric strikes can jam if the door frame shifts. Readers exposed to weather can corrode contacts. Plan to inspect all hardware annually.
Software drift: cloud systems update automatically, but on-prem systems require manual patches. If you skip a version or two, upgrading later can be painful. Budget for a software maintenance contract or allocate staff time for updates.
Credential replacement: cards and fobs get lost or damaged. Factor in the cost of replacement credentials—typically $2–$5 each for basic proximity cards, more for smart cards. Mobile credentials don't have this cost but require users to install and maintain an app.
Battery costs for wireless locks: a single wireless lock might go through 4–8 AA batteries per year. Multiply by 20 doors, and that's $100–$200 annually just in batteries, plus labor for changes. Some locks use rechargeable battery packs, which reduce waste but require a charging station.
Hidden Costs
Installation labor is often the largest cost, especially for wired systems. Running conduit, drilling through firewalls, and terminating cables can double the hardware cost. Get multiple quotes and ask about hidden fees like core drilling or after-hours work. Also, some cloud systems charge per user per month—if you have 100 users, the monthly fee adds up quickly. Look for plans with unlimited users or a flat per-door fee.
When Not to Use This Approach
The blueprint we've described works for small to medium deployments (1–50 doors) with moderate security needs. But there are situations where a different approach is better. Very high security environments (government facilities, data centers) require multi-factor authentication (card + PIN + biometric) and often need to meet specific standards (FIPS 201, NIST). Those systems are best designed by a security engineer, not a generalist.
Temporary installations: if you need access control for a construction site or an event that lasts a few weeks, consider a portable system like a keypad lockbox or a battery-powered lock that doesn't require wiring. The cost and complexity of a full system aren't justified.
Very small spaces: a single door for a two-person office might be better served by a smart lock (like August or Yale) that integrates with your existing deadbolt. These are cheaper and easier to install, though they lack central management and audit trails.
Buildings with strict historical preservation rules: drilling through old masonry or altering original doors may be prohibited. In those cases, surface-mount wireless locks or standalone keypads that don't require wiring might be the only option.
Finally, if your team doesn't have anyone willing to manage the system after installation, it's better to hire a managed service provider who handles monitoring, user changes, and maintenance for a monthly fee. The cost is higher upfront, but it saves headaches later.
Open Questions and FAQ
Can I install an access control system myself?
Yes, if you're comfortable with basic wiring and networking. Many cloud-based systems are designed for DIY installation. However, if you're running cables through walls or working with electric strikes that require precise alignment, a professional installer can save you time and rework.
Do I need a dedicated server for an on-prem system?
Most on-prem systems can run on a standard Windows PC or a virtual machine. You'll want it to be always-on and backed up. Cloud systems eliminate this requirement entirely.
How do I handle lost credentials?
In the management software, you can deactivate a lost card or fob instantly. Some systems also allow you to set a temporary PIN as a backup. For mobile credentials, the user can revoke access from their phone or the admin can remove them from the system.
What's the difference between Wiegand and OSDP?
Wiegand is an older, unencrypted protocol that sends card data over two wires. It's simple and widely supported but can be intercepted. OSDP (Open Supervised Device Protocol) is a newer, encrypted standard that also allows two-way communication (e.g., reader can report tampering). For new installations, OSDP is recommended.
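What "unencrypted" means on the wire, as an added example that is not from the original guide: a controller-side decoder for the common 26-bit Wiegand frame layout (an assumption here; readers can be set to other bit lengths). The sample frame is constructed, and the only checks the format offers are two parity bits, which catch line noise but authenticate nothing.

```python
# Constructed sample: facility code 42, card number 1234, one character
# per bit in the order the reader clocks them out on its two data lines.
SAMPLE_FRAME = "10010101000000100110100100"

def decode_w26(frame):
    """Validate and decode a 26-bit Wiegand frame into (facility, card)."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected exactly 26 bits")
    bits = [int(b) for b in frame]
    # Bit 1 makes the first 13 bits even parity; bit 26 makes the last 13 odd.
    if sum(bits[:13]) % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if sum(bits[13:]) % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    # The payload is plain binary: 8-bit facility code, 16-bit card number.
    facility = int(frame[1:9], 2)
    card = int(frame[9:25], 2)
    return facility, card

def accept(frame):
    """Controller-side wrapper: drop frames that fail validation."""
    try:
        return decode_w26(frame)
    except ValueError:
        return None

if __name__ == "__main__":
    print(accept(SAMPLE_FRAME))                      # valid frame
    noisy = SAMPLE_FRAME[:20] + "1" + SAMPLE_FRAME[21:]
    print(accept(noisy))                             # one flipped bit is rejected
```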
How often should I update firmware?
Check for firmware updates every 3–6 months. Critical security patches should be applied as soon as possible. Most cloud systems handle updates automatically.
Summary and Next Experiments
Building your first access control system doesn't have to be overwhelming. Start by mapping your doors, choosing a credential format, and deciding between cloud and on-prem. Buy a controller that can grow, and don't over-engineer the first door. Plan for maintenance—budget for batteries, firmware updates, and user reviews. And remember: the best system is the one that actually gets used and maintained.
Here are three concrete next steps:
- Sketch your floor plan with all doors you might want to control, even if you only wire one now. Note power sources and network drops.
- List your must-have features: remote unlock from phone? Time schedules? Audit logs? Biometric? This will narrow your vendor choices.
- Get quotes from two or three vendors—one cloud-based and one on-prem—and compare total cost over three years (hardware + installation + subscription + maintenance).
Once your system is live, run a simple experiment: grant temporary access to a visitor and revoke it after they leave. See how easy (or hard) that workflow is. That one test will tell you a lot about whether your system is ready for real-world use.