Access Control Systems: Standalone vs Networked, Proximity Cards, Fob and Biometric Readers — Installation Basics
Quick Answer: Access control systems range from standalone battery-powered keypads (no network needed) to fully networked IP systems managing hundreds of doors from a central server. Credential types include proximity cards (125 kHz), smart cards (13.56 MHz Mifare/DESFire), fobs, PIN pads, and biometric readers. Selection is driven by the number of doors, audit trail requirements, integration needs, and budget. All electric locking hardware on fire escape routes must fail-safe (fail-open on power loss) in compliance with BS 8220 and the Regulatory Reform (Fire Safety) Order 2005.
Summary
Access control is one of the fastest-growing segments of the security installation market. It ranges in scope from a £150 standalone keypad on an office door to a multi-site IP system managing 500 doors across a corporate estate. The underlying principle is always the same: deny or permit access based on a verified credential, and record who went where and when.
For the installer, the critical decisions at design stage are the locking hardware type (fail-safe vs fail-secure), the credential technology, and whether the system will be standalone or networked. These three decisions drive almost all the downstream installation detail — power requirements, cable routes, door hardware, and integration with fire and intruder alarm systems.
A recurring compliance issue on access control installations is fire safety. Electric strikes, magnetic locks, and electric locking bolts all have different fail-state behaviours. Fitting a fail-secure lock (stays locked on power loss) on a fire exit is a serious safety violation under the Regulatory Reform (Fire Safety) Order 2005. Every access-controlled door must be assessed for its designation as a fire exit, escape route, or means of escape before locking hardware is selected.
Key Facts
- Standalone access control — no network connection; credentials stored locally on the device; suitable for 1–4 doors; no central audit trail
- Networked access control — controllers connected via IP or RS-485 to a head-end server; central management, real-time audit trail, anti-passback, zone counting
- 125 kHz proximity (EM4100) — legacy technology; easily cloned with £30 handheld cloner; no longer recommended for new installations requiring any security
- 13.56 MHz smart cards (Mifare Classic) — widely deployed; Mifare Classic encryption is broken (Crypto-1 attack); use Mifare Plus, DESFire EV2/EV3, or SEOS for new installs
- Mifare DESFire EV3 — current best practice for card-based credentials; AES-128 encryption; GDPR-friendly (no cardholder data on reader)
- Mobile credentials — Bluetooth or NFC credentials on smartphones; increasingly common; HID Mobile Access and Allegion Engage are leading platforms
- Biometric readers — fingerprint, iris, and facial recognition; GDPR requires explicit consent as biometric data is Special Category data under UK GDPR Article 9
- Fail-safe locking — lock is energised to lock, de-energises to open; required on fire exits and means of escape; magnetic locks and some electric strikes
- Fail-secure locking — lock is de-energised in locked state, energised to open; suitable for high-security doors not on escape routes; electric bolts and most mortise electric locks
- Wiegand interface — 26-bit legacy protocol between reader and controller; no encryption; susceptible to interception; upgrade to OSDP where possible
- OSDP v2 (Open Supervised Device Protocol) — RS-485 protocol with AES-128 encryption and tamper monitoring between reader and controller; IEC 60839-11-5; now the recommended interface
- Anti-passback — prevents a credential being used to enter a zone twice without exiting (prevents tailgating exploitation); requires in/out readers
- BS EN 60839-11-1:2013 — overarching standard for electronic access control systems
- Data retention — audit log data is personal data under UK GDPR; document retention periods (typically 30–90 days) in the site's privacy notice
Quick Reference Table
Spending too long on quotes? squote turns a 2-minute voice recording into a professional quote.
Try squote free →| Credential Type | Frequency | Cloning Risk | Security Level | GDPR Implications |
|---|---|---|---|---|
| EM4100 proximity | 125 kHz | Very high | Very low | Low (ID number only) |
| Mifare Classic | 13.56 MHz | High (Crypto-1 broken) | Low | Low |
| Mifare Plus SL3 | 13.56 MHz | Low | Medium | Low |
| Mifare DESFire EV3 | 13.56 MHz | Very low | High | Low |
| SEOS/iCLASS SE | 13.56 MHz | Very low | High | Low |
| Mobile (BLE/NFC) | BLE/NFC | Very low | High | Medium |
| Fingerprint | N/A | Low | High | High — explicit consent required |
| Facial recognition | N/A | Low | High | Very high — explicit consent + DPIA |
Detailed Guidance
Standalone vs Networked: Choosing the Right Architecture
Standalone systems are self-contained units that store all credentials and access schedules locally. No network cabling to a server is required. They are typically powered from a local PSU with battery backup.
Suitable for:
- Single-door applications (small office, server room)
- Remote locations without network infrastructure
- Budget-constrained installations where audit trail is not required
- Temporary or short-term installations
Limitations:
- Adding/removing users requires attending the door or using a manufacturer app via Bluetooth
- No central audit trail across multiple doors
- Most units are limited to 1,000–5,000 credentials
- Anti-passback and zone control are not possible
Networked systems use field controllers (door controllers or intelligent readers) connected via IP or RS-485 back to a head-end server running the management software.
IP networked systems connect directly to the LAN. Each controller gets a fixed IP address and communicates with the server using the manufacturer's proprietary protocol (or OSDP over IP in modern systems).
RS-485 panel/controller systems (older or cost-optimised architectures) wire multiple doors back to a panel that then connects to the server via a single IP link. Common in older Paxton Net2, Salto, and Lenel installations.
| Feature | Standalone | Networked |
|---|---|---|
| Audit trail | Per-door only, limited | Central, real-time |
| User management | Per-device | Centralised |
| Anti-passback | No | Yes |
| Integration | Limited | Fire, intruder, HR, CCTV |
| Installation cost | Low | Medium–High |
| Maintenance | Low | Medium |
Electric Locking Hardware
This is the area where the most costly mistakes are made. The wrong lock on the wrong door creates both security vulnerabilities and life-safety risks.
Magnetic locks (maglocks):
- Fail-safe by nature — require power to hold closed
- Holding force: 280 kg (600 lb) single, 560 kg (1,200 lb) double — always verify against fire door closer force
- Must release on fire alarm activation
- Not suitable for external doors in most configurations (weather ingress to armature)
- BS EN 54-11 interface relay required for fire alarm release
Electric strikes:
- Fail-safe or fail-secure versions available — check the part number carefully
- Fail-safe strikes are spring-loaded to release
- Drop-in replacement for mechanical strike plate in most door frames
- Load capacity lower than maglocks; suitable for standard internal doors
- Not suitable for high-security applications without secondary locking
Electric bolts:
- Typically fail-secure (locked without power)
- Used on high-security doors, server rooms, vaults
- Must never be fitted to fire exit doors
- Require careful door alignment — tolerance sensitive
Electric mortise locks:
- Integrated into the door leaf; motorised deadbolt
- Can be fail-safe or fail-secure depending on model
- Require door leaf and frame prep similar to mechanical mortise
Fire Safety and Access Control
The Regulatory Reform (Fire Safety) Order 2005 requires that all fire exits and escape routes can be readily opened without a key or special knowledge. Access control on escape routes must release automatically on fire alarm activation and must allow manual override.
Key requirements:
- Break glass unit or green button on the secure side of every controlled fire exit — allows manual release without credentials
- Fire alarm interface — access controllers must receive a dry contact input from the fire alarm panel and release all fire exits
- Fail-safe locking only on designated fire exits
- Dogging facility on panic hardware — allows the door to be held open during evacuation without needing credentials
Always check the Fire Risk Assessment (FRA) for the building before designing access control. The FRA may prohibit access control on specific doors entirely.
Cable Installation
Controller to reader (OSDP): 4-core shielded cable (Belden 9842 or equivalent); RS-485 terminated at 120 Ω at both ends; maximum run 1,200 m at 115,200 baud.
Controller to reader (Wiegand): 6-core or 8-core cable; maximum run 150 m; no encryption — keep cable within secure perimeter.
Maglock power: 12 V DC or 24 V DC depending on lock model; cable sized for the lock's current draw plus 20% margin; typically 0.5 A for a single maglock at 12 V.
Controller data (IP): CAT6 UTP or STP to the nearest IDF/switch; IEEE 802.3af PoE for IP controllers or dedicated PSU.
All access control cabling should be run inside secure areas or in surface conduit where it cannot be accessed. Wiegand cable runs in exposed areas are a security weakness — consider upgrading to OSDP or physical protection.
Frequently Asked Questions
Do I need to inform employees that access control is being installed?
Yes. Under UK GDPR, the organisation installing access control (as data controller) must inform employees through a privacy notice before the system is operational. The notice must state what data is collected (entry/exit times, credential ID), why (security management, health and safety), how long it is retained, and their rights. For biometric systems, explicit consent must be obtained from each employee before enrolment.
What is the difference between a Grade 1 and Grade 3 access control system?
BS EN 60839-11-1 grades access control systems 1–4 similarly to intruder alarm grades. Grade 1 is low security (PIN only, no audit trail). Grade 3 requires encrypted credentials, OSDP or equivalent communication, audit trail, and tamper monitoring. Most commercial installations should be Grade 2 minimum; high-value sites need Grade 3.
Can I connect access control to an intruder alarm panel?
Yes, and it is increasingly expected in commercial installations. Integration allows the alarm panel to arm/disarm based on the last person leaving (using an access control output), prevents access to armed areas, and generates alarms for forced entries. Integration methods vary — dedicated protocol gateways are available for most major combinations (Paxton Net2 + Galaxy, Texecom + Salto, etc.).
How many users can a typical system handle?
Standalone units: 500–5,000 users. Networked systems: typically unlimited from a practical standpoint (database limited, not hardware). Most SME-grade systems handle 10,000–50,000 users with standard SQL databases.
What is GDPR's impact on facial recognition for access control?
Facial recognition data is biometric data — Special Category personal data under UK GDPR Article 9. Processing requires either explicit consent from each individual or another specific legal basis. A Data Protection Impact Assessment (DPIA) is mandatory before deployment. ICO enforcement in this area is active. Most UK solicitors and HR teams advise against facial recognition for routine access control — use card or mobile credentials instead.
Regulations & Standards
BS EN 60839-11-1:2013 — Electronic access control systems; system and component requirements; defines security grades
IEC 60839-11-5:2016 — OSDP (Open Supervised Device Protocol); encrypted reader-to-controller communication
BS 8220:2000 — Guide for security of buildings against crime; includes access control system guidance
Regulatory Reform (Fire Safety) Order 2005 — requires fire exits to be openable without keys or special knowledge; governs fail-safe requirements
BS 9999:2017 — Code of practice for fire safety in the design of buildings; Section 18 covers electromechanical locking on escape routes
UK GDPR (Data Protection Act 2018) — governs collection, retention, and disclosure of access log data and biometric data
BS EN 54-11:2001 — Manual call points; relevant to fire alarm interface for access control release
PD 6662:2017 — UK application document; access control integrated with intruder alarm systems
BS EN 60839-11-1 — BSI standard for electronic access control systems
ICO Guidance on Biometric Data — Information Commissioner's Office guidance on biometric data processing
BSIA Access Control Code of Practice — British Security Industry Association code of practice for access control
SIA Access Control Systems — Security Industry Authority licensing requirements for access control installation
HID Global Technical Resources — Credential technology guide (DESFire, SEOS, Mobile Access)
nsi ssaib approval guide — Approval requirements for access control installers
cable installation security systems — Cable types and routing for security systems
security system commissioning — Commissioning and handover for access control systems
door entry systems installation — Door entry systems as a subset of access control
intruder alarm grades — Integration of access control with graded intruder alarm systems