printer friendly version

Holding all the cards

After so many years of offering alternatives to card technology for access control, one could be forgiven for assuming we are all using biometrics or mobile credentials for all our physical and digital access requirements. Of course, one would be wrong.

Cards and fobs, even those that have been proven unsecure and easily cloneable, are still very much in control. Estimates vary, but between 60% and 75% of organisations still rely on ID badges or card-based systems as their primary method of physical access control. This is confusing to some, as modern biometrics and mobile credentials seem able to offer so much more value. You do not have to remember to bring your biometrics to work, and in the mobile-addicted time we live in, even our grandmothers always have their cellphones with them. Moreover, as the security world moves into integrated, software-driven solutions that provide intelligence on almost everything, cards seem very outdated.

On a positive note, the HID Global Security Trends report for 2025¹ notes that 61% of security leaders identify “mobile identity proliferation as a top trend and nearly two-thirds either deploying or planning to deploy such solutions”. At the same time, the report notes that 84% of organisations still use a mix of mobile and physical credentials.

Walter Rautenbach

To find out what is happening in the local market, SMART Security Solutions asked Walter Rautenbach, MD of neaMetrics, distributor of the Suprema biometric range (among others), to talk about how he sees the access control market.

SMART Security Solutions:

Looking at cards in general, do you find many companies are still using cards? What security issues should companies using these older technologies consider (e.g., encryption, cloning, etc.)?

Rautenbach: Yes, many organisations still use older, less secure card technologies such as unencrypted 125 kHz EM cards, although their use has declined as secure MIFARE options have become more affordable.

The main risk with these legacy cards is cloning, which compromises credential uniqueness. When used as a single authentication factor, they provide no real security. In biometric deployments, where the card acts only as a user identifier, the risk is reduced – but only while all users authenticate biometrically. The moment card-only access is enabled, whether for convenience or visitors, overall system security is undermined.

For this reason, unsecured card technologies are not recommended. It is also worth noting that simply using a ‘smart card’ does not guarantee security; without proper encryption and key management, even MIFARE-based systems may fail to deliver the expected protection.

SMART Security Solutions:

What security and operational benefits do newer technologies like 13.56 MHz MIFARE DESFire EV and iCLASS SE offer – such as secure identity storage, mutual authentication via crypto keys between card and reader, etc.?

Rautenbach: Secure card technologies allow credentials to function as a trusted authentication factor rather than merely an identifier. This enables secure card-only deployments and use cases such as Template-on-Card, which is increasingly adopted where data privacy is critical and biometric data should not be stored centrally. In these scenarios, strong encryption and secure key management are essential.

Technologies such as DESFire EV and iCLASS SE use mutual authentication between the card and reader, exchanging cryptographic keys before data access, to prevent cloning, replay attacks, and unauthorised readers.

Suprema supports multiple secure credential technologies, including MIFARE (DESFire EV and Plus), FeliCa, and iCLASS (SE, SR, and Seos), each offering different security levels and cost considerations. As encryption standards evolve, organisations should ensure their access control platforms can support future credential generations through firmware updates rather than becoming locked into ageing technologies.

SMART Security Solutions:

Are cards being used for multiple functions, such as T&A, payments, or secure printing, or is access control still the primary use?

Rautenbach: Using cards for multiple applications can be beneficial, but it is still not that common. This should be understood from a Suprema-in-Africa viewpoint, where many customers prefer frictionless biometrics and often avoid cards entirely. That said, where cards are used, we have even seen implementations where users even leverage personal bank cards as an additional modality.

The convergence of physical and logical security has been far too slow in my opinion, but it is progressing. This creates an ideal opportunity for integrated security – for example, using your physical access credential to sign into your workstation or to enable secure print release. Applying business rules in these environments (such as “no workstation access or printing unless you are physically in the building”) can deliver significant operational and security value.

SMART Security Solutions:

Is OSDP now a standard for information transfer in access control, or do you still find Wiegand installations (are people still asking for Wiegand)?

Rautenbach: OSDP offers secure, bidirectional communication, which Wiegand does not. Where controllers are used, OSDP should be considered the de facto standard. That said, the use of Wiegand remains prevalent, largely due to legacy controller installations and the cost associated with upgrading existing infrastructure.

Suprema supports both Wiegand and OSDP, but we actively encourage controller partners and system designs that utilise OSDP. While improved security is a key driver, the operational benefits of bidirectional communication are often underestimated. These include reader supervision, online status monitoring, and the ability for the controller to exchange data and confirm access decisions – capabilities that are not possible with Wiegand and are increasingly important in modern access control design.

SMART Security Solutions:

One criticism of using cards (old and new) is the management overhead of issuing and reissuing cards, as well as security issues such as tailgating. Do you agree that managing card-based access is more cumbersome than, for example, mobile credentials or biometrics, and why?

Rautenbach: Managing the issuance and reissuance of physical cards is resource-intensive and costly, and it introduces human dependency into the security chain. Any process that relies on manual handling carries inherent risk, whether through error, misuse, or, in some cases, deliberate abuse.

Tailgating is not a card problem in itself; it should be addressed through proper system design, including door hardware, turnstiles, and enforcement policies. However, card sharing remains a real risk, whereas mobile credentials are rarely shared, and biometrics cannot be shared at all. Lost or duplicated cards also require replacement and reconfiguration, adding further operational overhead.

Whether mobile credentials are cheaper than cards depends on the provider and licensing model, but when factoring in reissuance, administration and long-term sustainability, physical cards carry hidden costs. The environmental impact of disposable plastic cards is another consideration that organisations are increasingly factoring into decision-making.

SMART Security Solutions:

What benefits (security and other benefits) do mobile credentials offer companies that differentiate them from traditional cards, and are users happy to have these credentials on their devices? And what about backward compatibility with different technologies?

Rautenbach: User acceptance of mobile credentials depends largely on implementation and user demographics. At the lower end of the market, where users rely on entry-level smartphones with limited storage and performance, resistance can be high. In these cases, adding work-related applications to personal devices is often seen as a burden rather than a benefit.

More broadly, and without over-generalising by generation, attitudes are shifting. For many users today, the expectation is increasingly that services should be accessible on their mobile devices. If it is not on their phone, they are simply not interested. This observation is shaped by experience within a technology-driven environment and across younger, more digitally fluent users.

That said, where resistance persists, whether due to technological limitations or personal preference, access control systems should be designed with flexibility in mind, offering alternative credential options rather than enforcing a single approach.

Companies should be able to rely on backward compatibility and phased migration. An access control platform should support a controlled transition from older card technologies to newer, more secure credentials, including future card standards and mobile credentials, without requiring a full system replacement.

Suprema’s approach is built around this principle, supporting multiple card frequencies, ongoing modernisation of encryption technologies (for cards and data), and mobile credentials. This allows organisations to migrate at their own pace, aligning upgrades with operational, budgetary, and security requirements rather than adopting an all-or-nothing approach.

SMART Security Solutions:

What is your company’s approach to card and mobile credentials? What solutions do you provide, and how do you approach the issue of backward compatibility?

Rautenbach: Suprema’s approach to credentials is centred on flexibility, security, and long-term viability. We support secure card technologies, mobile credentials, and biometrics, allowing organisations to choose the right mix based on their risk profile, user acceptance, and operational requirements.

From a card perspective, the focus is on modern, encrypted technologies rather than legacy formats. At the same time, we recognise that large customers rarely move in a single step. Backward compatibility and phased migration are therefore core to our approach, enabling customers to transition from older card technologies to newer secure credentials or mobile access without disruptive system replacements.

Mobile credentials are treated as a first-class option rather than an add-on, offering secure over-the-air provisioning, simplified lifecycle management, and strong integration with biometric authentication where required. Across all credential types, the emphasis is on supporting evolving standards through firmware and platform updates, ensuring customers are not locked into ageing technologies as their security needs change.

^[1] https://tinyurl.com/y29jjumz

Share this article:

Further reading: