Access Control and Access Management

The Most Common IoT Technologies Used for Access Control are RFID and NFC.

May 25, 2024

What to Expect:

Traditional strategies for access management and control are effective in static environments that involve on-premise assets. However, these methods are no longer adequate in modern IT infrastructures that feature hybrid cloud and multi-cloud environments. Assets, apps, resources, and data are stored both on-site and in the cloud. This requires strategies for access control that are more dynamic, going beyond authentication methods like single sign-on (SSO).

1. Status Quo

What is Access Control?

Access control is often the first line of defense against possible criminal activities. In the modern world, data is an integral part of domestic and business life. The number of cyberattacks and data breaches is on the rise. Sensitive, personal, and confidential data is at risk of being stolen, corrupted, or misused. Companies with high-value physical assets need security measures to prevent theft. In summary: Both physical and digital assets must be protected. The key: Dynamic access management and control strategies.

Access control is an element of physical and cybersecurity. It is a security technique and method that is used to protect both physical and digital assets and resources. Access control involves access management systems and privileged identity management. An access control system manages and regulates who can access specific areas, equipment, devices, or resources. It also determines when access is allowed. Access control can either be physical or logical.

Access control systems are frequently used in educational institutions, finance and banking, hospitality and tourism, data centers and IT facilities, residential buildings and gated communities, businesses and offices, and government and military facilities. Modern access control systems are also a part of digitalization in industry, digitalization in transportation, digitalization in logistics, digitalization in healthcare, and digitalization in smart cities (digital city).

Access Control with the Internet of Things (IoT)

Modern access control systems leverage the latest technologies to provide secure, efficient, and flexible access management. Wireless IoT technologies enhance these systems by enabling real-time and remote monitoring and management, and seamless integration with other security and management tools.

Access control with IoT is used to manage physical access control components like locks, credentials and credential readers, and doors. These components are empowered via different IoT technologies. The most common IoT technologies for access control are Radio Frequency Identification (RFID) and Near-Field Communication (NFC) technology.

The RFID access control network ensures maximum security and efficient access to protected areas. An RFID access control system consists of RFID cards or tags, and fixed or mobile RFID readers. RFID door openers offer an innovative and convenient solution for accessing buildings. The security of RFID door openers is guaranteed by modern encryption technologies that prevent unauthorized access.

RFID entry systems are often used in office buildings, or in smart factories, for example. Employees need only present their RFID badges with transponders for access control to the RFID badge reader in order to gain access into the office building.

NFC access control involves NFC tags or cards, and NFC reading devices like NFC readers, smartphones, or tablets. NFC technology is often used for physical and cloud-based access control applications, and for system and property security applications.

Other IoT technologies like Bluetooth Low Energy (BLE) are also emerging in access control applications. Bluetooth LE-enabled smartphones or wearable devices communicate with access points to allow access. In combination with surveillance cameras, IoT and motion sensors are often used near access points to trigger appropriate actions, such as unlocking doors or alerting security personnel in case unauthorized access is detected.

IoT-enabled locks are controlled via smartphones, Bluetooth, or Wi-Fi. They offer features like remote locking/unlocking, access logs, and integration with other smart home devices. In the smart home, ZigBee and the wireless communication protocol and mesh network Z-Wave can be used for access control. These IoT technologies often enable remote access control systems via smartphone apps or web portals.

Physical and Logical Access Control

Physical access control refers to the measures taken to restrict access to physical spaces and resources. This type of access control prevents unauthorized individuals from entering or using physical facilities, such as buildings, rooms, or equipment. Vehicle access control into parking lots is also part of this. Physical access control involves the use of various methods and devices to ensure that only authorized personnel can gain access to these areas. Some common examples of physical access control mechanisms include the traditional mechanical lock and key, security guards and personnel, smartcards, biometric systems, turnstiles and barriers, and surveillance cameras. Physical access control helps prevent theft, trespassing, vandalism, and assault attempts.

Logical access control, on the other hand, deals with restricting access to computer systems, data, and IT networks. This type of access control focuses on ensuring that only authorized users can access digital information and perform specific actions within an information system.

What is Access Management?

Access management encompasses the broader process of managing and monitoring access to physical and digital resources across an organization. It includes not only access control, but also the practices and strategies related to identity verification, authentication, and authorization. There are two different types of access management solutions: workforce access management and customer access management.

There are six main aspects of access management:

1. Identity Management (IdM)

Identity management (IdM), also known as identity and access management (IAM), refers to the technical and organizational processes used to ensure that the right individuals have the appropriate access to technology resources. It is both part of IT security and data management. In IAM, access rights and permissions are registered and authorized in a configuration phase. The next step involves the identification, authentication, and control of access in the operation phase, based on the authorized access rights.

2. Single Sign-On (SSO)

Single Sign-On (SSO) is an authentication service that allows a user to access multiple applications or systems with a single set of login credentials. Once authenticated, the user gains access to all the interconnected systems without needing to log in separately to each one. SSO simplifies the user experience by reducing the number of passwords they must remember and manage. However, if the user credentials are compromised, attackers gain access to all applications associated with the user. 2FA and multi-factor authentication can be used in combination with SSO solutions to heighten access control security.

3. Role-Based Access Control (RBAC)

RBAC involves managing roles and permissions. It is the most commonly used approach to access management and is explained further in the section below.

4. Access Governance

Access governance is the process of managing and overseeing user access to an organization’s information systems and data to ensure compliance and security. It involves the systematic administration of users’ access rights, permissions, and roles, ensuring that access is granted according to organizational policies and regulatory requirements.

5. User Experience

In today’s dynamic environments, where security needs are constantly evolving, prioritizing user experience in access control systems helps maintain a balance between robust security and operational convenience. A positive user experience reduces the likelihood of errors and compliance issues, as users are more likely to follow security protocols correctly.

6. Multi-Factor Authentication (MFA)

MFA is a key component of IAM. It is a method for authentication where users are required to provide two or more verification factors in order to be granted access to a resource such as a VPN, application, or online account. MFA may include a combination of smartcards, passwords, and biometric data, for example.

What Types of Access Control Are There?

There are five main types or methods of access control: mandatory access control (MAC), discretionary access control (DAC), role-based access control (RBAC), rule-based access control, and attribute-based access control (ABAC). These are policies and approaches that are used by access control administrators to assign access privileges.

Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is a highly secure access control model often used in environments where confidentiality and data integrity are critical. In MAC, access permissions are determined by a central authority based on the classification of information and the clearance of users. Users cannot alter permissions. Only system administrators or contractors can set and manage access controls. This includes entering, changing, or deleting data in data processing systems. MAC is commonly used in government and military systems, where data is classified at various levels (e.g., confidential, secret, top secret) and only individuals with the appropriate clearance can access specific information.

Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is a method that allows data owners or administrators to control access to their resources at their discretion. Each user can determine who can access their data and what operations they can perform. Permissions are typically managed through access control lists (ACLs) that specify which users or groups have access to a resource and their level of access.

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) assigns permissions based on the roles of users within an organization. Instead of assigning permissions to individual users, access rights are associated with specific roles. Users are assigned to these roles. For example, roles such as “administrator”, “manager”, or “employee” might have predefined access to certain resources and operations. RBAC simplifies administration and enhances security by ensuring that users have only the permissions necessary for their job functions. It is widely used in business environments. MAC and DAC frameworks can be enforced through RBAC systems.

Rule-Based Access Control

Rule-Based Access Control is a security model that uses specific rules to determine access permissions. These rules are usually based on conditions set by the system administrator and can include factors such as time of day, IP address, or type of device. For instance, a rule might state that access to a particular system is only allowed during business hours or from specific IP addresses. A combination of rule-based access control and RBAC is often used to implement finely tuned access policies and procedures that adapt to changing conditions. This provides an additional layer of security.

Attribute-Based Access Control (ABAC)

Attribute-Based Access Control (ABAC) is a form of logical access control that grants access based on attributes associated with the subject or user, action, resource, and environment that are involved in an access event. Attributes can include user characteristics (e.g., job role, department), resource attributes (e.g., file type and name, data sensitivity level), action attributes (e.g. read, write, edit, copy, or delete), and environmental factors (e.g., time, location), for example. Attributes can be obtained from different sources of data, such as identity and access management systems (IAM) and enterprise resource planning systems (ERP), for example. ABAC policies use these attributes to create complex and granular access control rules. For example, an ABAC policy might allow access to a document only if the user is in the finance department and accessing it during business hours from the corporate network.
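The finance-document policy described above can be written as a small decision function. This is an added example, not code from the article or from any product it mentions; the network range, office hours, sensitivity levels and role-to-action table are constructed assumptions. It goes slightly beyond the text by layering the RBAC role check and a fail-closed default on top of the ABAC conditions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed values: the article names no address range or office hours.
CORPORATE_NETWORK = ip_network("10.20.0.0/16")
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)

# RBAC layer: actions each role may perform (role names taken from the article,
# the action sets are assumptions).
ROLE_ACTIONS = {
    "employee": {"read"},
    "manager": {"read", "write"},
    "administrator": {"read", "write", "delete"},
}


@dataclass(frozen=True)
class AccessRequest:
    role: str                 # subject attribute
    department: str           # subject attribute
    action: str               # action attribute
    resource_department: str  # resource attribute
    sensitivity: str          # resource attribute
    source_ip: str            # environment attribute
    when: datetime            # environment attribute, site-local time


def role_permits_action(req):
    return req.action in ROLE_ACTIONS.get(req.role, set())


def same_department(req):
    return req.department == req.resource_department


def business_hours(req):
    # Monday to Friday, start inclusive, end exclusive.
    return (req.when.weekday() < 5
            and BUSINESS_START <= req.when.time() < BUSINESS_END)


def corporate_network(req):
    try:
        return ip_address(req.source_ip) in CORPORATE_NETWORK
    except ValueError:
        return False  # an unparsable address counts as off-network


# Conditions required per data sensitivity level; every one must hold.
POLICY = {
    "internal": [role_permits_action, corporate_network],
    "confidential": [role_permits_action, same_department,
                     business_hours, corporate_network],
}


def decide(req):
    """Return (decision, failed_conditions); deny unless every condition holds."""
    conditions = POLICY.get(req.sensitivity)
    if conditions is None:
        return "deny", ["no_policy_for_sensitivity"]  # fail closed
    failed = [cond.__name__ for cond in conditions if not cond(req)]
    return ("permit" if not failed else "deny"), failed


if __name__ == "__main__":
    monday_10am = datetime(2024, 5, 27, 10, 0)   # constructed sample request
    request = AccessRequest("employee", "finance", "read", "finance",
                            "confidential", "10.20.4.17", monday_10am)
    print(decide(request))
```

Returning the names of the failed conditions gives the audit trail something concrete to record for each denied attempt.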

Wireless IoT Technologies and Access Management

  • RFID

    Radio Frequency Identification (RFID) tags, cards, and readers are used to enable secure and contactless access control.

  • Bluetooth LE

    Bluetooth LE-enabled smartphones or wearable devices communicate with access points to allow access.

  • NFC

    Near-Field Communication (NFC) enables contactless communication between devices such as smartphones and smart cards, facilitating easy and secure access.

  • WLAN

    Wi-Fi-based access control systems include electronic or wireless locks, readers, and access points. Wireless-enabled electronic locks are the future of traditional locks.

  • Sensor Technology

    IoT motion sensors can be used in access control applications to monitor entry points such as windows and doors.

Products Required for Physical Access Management and Control

There are five main components of a physical access control system.

The first are access points. Access points are the entrances to certain areas or properties. This is not limited to the main entrance. Access points can be set up in different areas of a facility or building. The process of access control takes place at the access points. Turnstiles, boom gates, password-protected doors, or doors equipped with electronic readers or locks are examples of access points. As a further security measure, security personnel and guards are often placed at access points to observe and manage people who enter and exit the building or area.

The second component consists of the devices that are used to either grant or refuse access. These devices can be readers, keypads, or scanners, for example. They allow individuals to present their personal credentials in order to gain access.

The third component consists of the personal credentials. Examples include key fobs, PIN codes, RFID or NFC smartcards, or physical features of the human body for biometric scans. After presenting the credential to the reading device, information is fed to the central control panel and server of the access control system.

The fourth component is therefore the control panel that is in charge of granting or denying access, depending on the authorization level of the credentials presented. The control panel communicates with the reading device in order to verify the validity and authorization level of credentials.

The fifth and final component of a physical access control system is the access control server. Here, user data and access privileges are stored. This server also contains records of when access attempts were made, and who made them. Access privileges can be managed and changed for every individual via the access control server.

Products Required for Logical Access Management and Control

There are also five main components in a logical access control system.

The most basic component is strong password hygiene. This involves ensuring users create and maintain strong, unique passwords for accessing organizational systems and resources. Proper password hygiene can be enforced through company policies, such as requiring passwords to meet certain length and complexity criteria. The only downside to this approach is password fatigue, where users reuse the same password across multiple apps and services. A solution to this is to use a password management application that can generate strong, unique passwords for individual applications and store them securely for each user.

Another component is the two-factor authentication (2FA) security measure. This security measure enhances the protection of user accounts by requiring two forms of verification before granting access. 2FA often involves a username and password, in addition to a secondary access credential. For example: Upon keying in both the username and password, users are required to enter a PIN code that is immediately sent to their mobile devices, in order to complete access verification.

2FA could also involve readers and scanners for user identification, in addition to the username and password. Similar to physical access control systems, individuals may be required to present specific smartcards, keyfobs, or biometric scans in order to access digital assets or data.

Security tokens are a popular form of 2FA. A security token displays a random number that the user must enter to prove possession of the token and be granted access to a system, machine, or network resource. This random number changes every 30 to 60 seconds. USB security tokens require the user to plug the device into a reader in order to enable identity verification and access authorization by the logical access control system.

The last component of a logical access control system is the access control server. Similar to that of the physical access control system, this server contains user data and access privileges, and records on access attempts. The difference here is that the stored data relates to the access attempts for digital assets and data, rather than to physical areas. For logical access control, the main focus lies on the access control list (ACL). The ACL includes an entry for each user who can access the system, along with rules that define their access level. It is typically installed on switches and routers. Traffic is filtered based on source and destination.
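To illustrate filtering by source and destination, the following added example (not from the article) evaluates a network ACL with first-match semantics and an implicit deny, and flags rules that can never match because an earlier rule already covers them. The rule syntax, the address ranges and the scenario (a guest segment and a badge server) are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: block the guest segment from the badge server,
# then allow the rest of the corporate range to reach the server subnet.
GOOD_ACL = [
    "deny   10.20.30.0/24 10.99.0.10/32",
    "permit 10.20.0.0/16  10.99.0.0/24",
]
# Same rules in the wrong order: the broad permit hides the deny.
MISORDERED_ACL = list(reversed(GOOD_ACL))


def parse_acl(lines):
    """Parse 'action source destination' lines into (action, src, dst) rules."""
    rules = []
    for line in lines:
        action, src, dst = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action: {action}")
        rules.append((action, ip_network(src), ip_network(dst)))
    return rules


def evaluate(rules, src, dst):
    """Return (action, index of matching rule); first match wins."""
    source, destination = ip_address(src), ip_address(dst)
    for index, (action, src_net, dst_net) in enumerate(rules):
        if source in src_net and destination in dst_net:
            return action, index
    return "deny", None  # implicit deny when no rule matches


def shadowed_rules(rules):
    """Indexes of rules fully covered by an earlier rule, so never reached."""
    shadowed = []
    for i, (_, src, dst) in enumerate(rules):
        for _, earlier_src, earlier_dst in rules[:i]:
            same_family = (src.version == earlier_src.version
                           and dst.version == earlier_dst.version)
            if (same_family and src.subnet_of(earlier_src)
                    and dst.subnet_of(earlier_dst)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    for name, lines in (("good", GOOD_ACL), ("misordered", MISORDERED_ACL)):
        rules = parse_acl(lines)
        print(name, evaluate(rules, "10.20.30.5", "10.99.0.10"),
              "shadowed:", shadowed_rules(rules))
```

Running the shadowed-rule check whenever an ACL changes catches the misordering case, where the guest segment is silently permitted.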

Facts & Figures

IoT and advanced technologies are being increasingly used in access control. According to a report by the market research platform “Gitnux”, the market for IoT-based access control systems is expected to increase by 20 percent annually until 2025. The market for AI in access control systems is estimated to grow by 12-13 percent over the next decade. More than 50 percent of newly installed access control systems have advanced authentication methods such as multi-factor authentication or biometrics. In the global market for access control solutions, smartcard technology holds approximately 25 percent of the market share.

2. In Practice

Successful Examples of Access Control with IoT

RFID is widely used for security and access control, in addition to NFC technology. Emerging IoT technologies for access control also include Bluetooth LE. The section below lists three real-world examples of access control systems based on IoT technologies in different industries, from production, to sports, and railroad test laboratories.

High Voltage Test Area Access Control at NMBS/SNCB

The Belgian railroad company NMBS/SNCB uses an RFID system from Turck to control access to rooms where 3,000 volt tests are carried out. These tests are dangerous and must be carried out under strict regulations and procedures. Each entrance door and the control desks of the lab are equipped with an RFID reader. Only employees with an RFID badge are granted access to the laboratory. The RFID readers check who is logging in. The PLC checks the authorization levels of the employees before granting or denying access.


“The RFID system is very easy to implement. The RFID readers and the signal indicators are connected to IO-Link masters via IO-Link. These also provide power, so there’s not a lot of wiring involved.”

Jimmy Volders

Project Manager, Dymotec

Production – Access Control at Engelhard Arzneimittel

Pharmaceutical manufacturer Engelhard Arzneimittel uses an RFID-based access control system for its production facilities. Transponder boards initiate an identification signal upon activation. An RFID chip is integrated into the transponder for identification at the 15 machine operating panels from Pepperl+Fuchs. These panels are equipped with Balluff read heads. Employee identification and authentication occurs at these panels based on user profiles and access rights.


“Everything is faster when you do not have to enter a password. Not long ago, an employee entered his password incorrectly three times, as a result of which his user account was locked. The administrator also happened to make a mistake, so his admin password had to be re-enabled by the manufacturer. This all took a very long time. With a read head solution in the control panel, this is much easier to deal with. The transponder is held close and there is no risk of incorrect entry. We now have higher security with less downtime. And the nice thing is, we have one system for everything instead of several systems.”

Rüdiger John

Head of Engineering & Technical Site Management, Engelhard Arzneimittel


Sports – Access Control at Ski Resorts

RFID and BLE ticketing systems are used for access control in many large ski resorts, such as Dolomiti Superski in Italy. RFID and BLE access control systems from Axess are used. Ski passes with segmented RFID chips, produced using machines from Rinas Gerätetechnik, are personalized and issued to each skier. Lift gates are fitted with RFID antennas for contactless access. The card’s validity is quickly verified and the gate opens.


“The technological transformation from RFID cards to mobile tickets in cell phones has already begun. This is something we see and experience as card users ourselves. But a complete changeover will not happen overnight. As far as I know, in 2023, with a few exceptions, all ski resorts in Europe will still be using RFID as the base technology, for example. Access via NFC interface has not yet replaced RFID, not even in the other application areas. BLE will also not become the leading technology within the next five years, at least not on a wide scale, as retrofitting the existing infrastructure is time-consuming and cost-intensive. However, the low power consumption of BLE, the ease of programming and the long ranges are major advantages of this technology. I expect that BLE will become the dominant technology in the long run.”

Armin Rinas

Managing Director, Rinas Gerätetechnik



3. Panorama

The Future of Access Control

Trends in access control have evolved to meet the needs of companies that want to stay competitive and secure. This transformation is driven by the rise in hybrid working patterns, the increased adoption of cloud technologies, and the increase in demand for interoperable technology in working environments. Touchless access control is now a necessity, rather than a “nice-to-have”, thanks to sensor technology and smartphone apps.

With the increasing adoption of IoT technologies in both business and domestic life, smart technologies are becoming the future for physical security and access control. More and more companies are expected to merge their physical and IT infrastructures in order to increase operational efficiency.

Companies are also turning to mobile credential solutions as opposed to using keyfobs and smartcards. These solutions involve proximity technologies and smartphone apps to unlock doors, for example. AI-powered systems with biometric data will also be increasingly used for access control. AI-enabled video surveillance will also continue to be used in access control solutions.

The integration of access control with other building management systems through IoT will create more holistic and intelligent environments. Smart buildings can utilize data from access control systems to optimize other aspects of building management, such as energy consumption, heating and cooling systems, and lighting. This interconnected approach not only enhances security but also contributes to sustainability for companies.

Cloud-based access control systems will continue to gain prominence, providing remote management capabilities that are especially valuable for organizations with multiple locations. These systems allow administrators to manage access rights, monitor activities, and respond to incidents from anywhere, at any time, using a centralized platform.

The scalability and flexibility of cloud solutions make them ideal for adapting to the changing needs of businesses, whether they are expanding their physical presence or implementing new security protocols.

Advantages of IoT in Access Control

There are many advantages of integrating IoT in access control solutions.

Access control systems with IoT devices are centrally managed via a unified platform. Centralized management allows companies to control and monitor all access points from a single interface, regardless of the geographical distribution of these points. This unified control system provides comprehensive visibility into all access events, enabling security administrators to track who accessed what, when, and where, in real-time.

Remote access management enhances security through real-time monitoring and alerts. IoT-enabled access control systems can send immediate notifications to administrators about unauthorized access attempts or unusual activity. This allows for quick intervention, whether it’s remotely locking down an area, changing access permissions, or alerting on-site security personnel. Such real-time responsiveness helps prevent security breaches and ensures that any potential threats are addressed promptly.

Another significant advantage is the enhancement of user convenience. IoT access control systems often incorporate technologies such as Bluetooth, NFC, and mobile credentials, enabling users to gain access using their smartphones or wearable devices. This eliminates the need for physical keys or cards, reducing the risk of lost or stolen access credentials. Furthermore, the seamless and contactless nature of IoT-based access systems is particularly beneficial in maintaining hygiene and reducing touchpoints, which has become increasingly important in the context of health and safety considerations.

IoT also facilitates the creation of more flexible and scalable access control solutions. Traditional systems often require extensive infrastructure and are challenging to modify or expand. In contrast, IoT-enabled systems can be easily scaled and adapted to meet the changing needs of an organization. New access points can be added with minimal disruption, and permissions can be updated remotely through cloud-based management platforms. This flexibility is especially valuable for organizations with multiple locations or those undergoing rapid growth.

Advantages of Wireless IoT

  • Remote access management
  • Enhanced user experience
  • Centralized access management
  • Scalability and flexibility
  • Improved visibility

The Challenges of Access Control and Management

There are different challenges associated with logical and physical access control systems. There are also certain challenges that must be addressed when setting up IoT-based access control systems.

Logical access control systems are targets for cyber attacks, including phishing, malware, and brute force attacks. Continuous monitoring and updating of security measures are required to mitigate these threats. Strong password hygiene must be implemented and passwords should also be updated regularly to avoid the risk of unauthorized access. Companies must also make sure that all access control software used is always up-to-date to avoid possible breaches.

Ensuring that access control systems comply with regulatory requirements (e.g., GDPR, HIPAA) and providing detailed audit trails can be demanding. Non-compliance can lead to legal and financial penalties. Part of logical access control is human interaction. Users must ensure that access credentials are kept confidential and must remember to log out from public systems properly.

Physical access control systems that use electronic or magnetic locks and smartcards can be susceptible to security breaches if unauthorized individuals gain access through stolen credentials, duplicated keys, or forced entry. Expanding physical access control systems can be challenging and costly, particularly in large organizations or multi-site operations. Adding new access points requires hardware installation and integration. Physical components, such as locks and sensors, require regular maintenance to ensure reliability. Mechanical failures or wear and tear can lead to security vulnerabilities or access issues.

Integrating physical access control systems with other security and management systems (e.g., surveillance cameras, alarm systems) can be complex and may require significant customization. Physical access control methods can sometimes be inconvenient for users, leading to frustration and potential non-compliance. For example, users may forget their keycards or find biometric systems slow to respond. For this reason, it is important for access control systems to balance security and user convenience.

IoT-based access control systems rely heavily on network connectivity. Network downtime or connectivity issues can disrupt access control functionality, leading to potential security risks and operational disruptions. IoT-based access control systems often involve a variety of devices and technologies from different manufacturers. Ensuring interoperability and integration can be complex and may require significant effort.

Lastly, IoT devices themselves can be susceptible to hacking, malware, and other cyber threats. Ensuring robust security measures, such as encryption and regular firmware updates, is essential to protect these devices and the overall system.


Outlook – Next Level Access Management and Control

Access management and control of the future involves the shift from traditional access control measures and methods to mobile credentials, biometrics, and cloud-based access control.

Mobile Credentials

A popular trend in access control is the use of mobile credentials. Mobile credentials support contactless entry, which is particularly important in a post-pandemic world where hygiene and minimizing physical touchpoints are priorities. Technologies like Bluetooth LE and NFC enable users to unlock doors and access points without physical contact.

Credentials are stored on the user’s smartphone and communicate with readers via Bluetooth LE or NFC. Credentials are verified and access is automatically granted without having to present the smartphone to the reading device. One of the benefits of this trend is the high user convenience.

Biometric Access Control

Biometrics is considered a progressive technology in terms of access control. Biometric identifiers, such as fingerprints, facial features, iris patterns, and voice recognition, are unique to each individual. This uniqueness makes biometric authentication inherently more secure than traditional methods, such as passwords or keycards, which can be easily lost, stolen, or duplicated. Biometric authentication solutions eliminate the need for users to remember complex passwords or carry physical tokens.

With the growing prevalence of biometric authentication in consumer devices (e.g., smartphones with fingerprint and facial recognition), the general public is becoming more comfortable and familiar with this technology. This increased acceptance facilitates smoother adoption in workplace and public security applications. Facial recognition is currently the most popular form of biometric access control.

Cloud-Based Access Control

With the rise of remote and hybrid work models, cloud-based access control systems provide the necessary flexibility to manage access for employees working from various locations. This ensures that security is maintained regardless of where employees are physically located. On-site security staff are no longer necessary, since access control can be managed from remote devices like smartphones or desktop computers.
