Choosing an Access Control Company: What Most Organizations Get Wrong (And What to Look for Instead)
A credential cloning device costing less than $30 can duplicate a standard proximity card in just 15 seconds, and major retailers now have self-service kiosks where anyone can clone access cards as easily as cutting a key. Yet countless facilities across New York City—from commercial buildings to healthcare facilities to corporate offices—still rely on these vulnerable 125kHz proximity cards and key fob systems installed by access control companies in NYC that never assessed whether this technology was appropriate for their security needs.
This isn't just a technology problem—it's a fundamental failure in how access control companies approach physical security. While most installers focus on getting hardware up and running, they miss the critical first step: understanding whether that hardware actually protects your facility from unauthorized physical access.
The Real Problem with Most Access Control Companies
The access control industry is flooded with companies that can mount a reader and run cable, but lack the security engineering expertise to truly protect your facility. These installers might be technically proficient at their craft, but they don't understand the fundamentals that matter most:
Physical security threat assessment – Who are you protecting against, and what are their capabilities?
Vulnerability analysis – Where are the weak points in your building's access security?
Credential technology comparison – How do different credential types stack up against real-world threats?
Integration requirements – How should access control work with video surveillance and intrusion detection?
Compliance needs – What do NYC building codes, HIPAA, or industry-specific regulations require?
The consequences of this installer-only approach are severe. Unauthorized building access can lead to theft, vandalism, workplace violence, or corporate espionage. Internal threats from disgruntled former employees with cloned credentials remain one of the most overlooked vulnerabilities. Organizations face liability issues when unauthorized persons gain access to restricted areas, regulatory violations in healthcare or finance, and insurance implications when security measures prove inadequate.
At Connextivity, we approach every project differently. Our team includes Certified Protection Professionals (CPP) and Certified Security Project Managers (CSPM)—credentials that represent deep security engineering knowledge, not just installation skills. But more on that later.
Common Access Control Applications Across NYC Businesses
Whether you're securing a multi-tenant commercial building, protecting an office suite, or managing a corporate campus, the fundamental security principles remain the same. Access control for business takes many forms across New York:
Commercial door entry systems range from simple key fob door access at building entrances to sophisticated multi-factor authentication for executive suites. Office door entry systems often include card readers, keypads, or mobile credential readers integrated with video surveillance for visitor verification.
Key fob systems for business remain popular due to their familiarity, though as we've discussed, not all key fob entry systems for buildings offer adequate security. Traditional building key fob solutions using 125kHz technology should be considered legacy systems requiring upgrade.
Keyless entry systems for buildings represent the future—eliminating physical keys and vulnerable key fobs in favor of encrypted smart cards or mobile credentials. These commercial keyless entry systems offer superior security, instant provisioning and revocation, and detailed audit trails of who accessed what and when.
Many controlled entry systems also incorporate specialized hardware for specific applications. High-security facilities may require turnstile entry systems, while residential buildings often need commercial doorbell buzzer systems for visitor management. Each application requires thoughtful security engineering, not just product installation.
The Hidden Vulnerability in Your Access Control System
The 125kHz Proximity Card Crisis
Let's talk about the elephant in the room: those ubiquitous white access cards hanging from lanyards throughout your building.
Since its introduction to the security market in the 1980s, contactless RFID has been the standard for physical access control credentials, but the security was largely assured by 'security through obscurity'. For decades, the assumption was that because reading these cards required special equipment, they were secure.
That assumption is dangerously outdated.
The main issue is that the information contained on 125kHz prox cards isn't encrypted. This means a card copying device can extract the relevant information—site code and card number—easily and transfer it to a blank card. And these copying devices? Anyone can purchase a cloner on Amazon for less than $25.
But it gets worse. Devices like Flipper Zero, selling for less than $200, can easily clone existing proximity credentials. And if someone doesn't want to buy their own equipment? KeyMe kiosks in retailers like Bed Bath & Beyond allow anyone to duplicate low-frequency cards in minutes. The service literally markets itself as being able to copy "RFID keys, fobs and access cards."
Here's the scenario that should keep facility managers up at night: An unauthorized person doesn't need to steal your employee's access card. They can scan it from their pocket while passing in a hallway—a "bump and clone" that takes seconds and goes completely unnoticed. A former employee could clone credentials before their departure. A contractor could duplicate a card during their work period. Once cloned, these credentials provide unfettered physical access until the entire system is upgraded.
After 30+ years in widespread use, the methods of compromising proximity cards are now common knowledge. What was once "security through obscurity" is now security through nothing at all.
Even "Secure" Systems Have Vulnerabilities
Perhaps you're thinking, "We upgraded to the newer smart card technology—we're protected, right?"
Not necessarily.
Newer high-frequency credentials can be vulnerable to "downgrade attacks" when readers still support legacy Proximity technology. Here's how this works: Many organizations upgrade their credentials to more secure 13.56MHz smart cards but leave their readers configured to accept the older 125kHz technology for "compatibility" or because some employees still have old cards.
The exploit uses the weakest link—an available path to low-frequency or legacy technology to clone or attack the high-security portion of the reader/credential system. An attacker can encode the high-security credential information onto a legacy proximity card, and the reader—still supporting that legacy protocol—will accept it.
It's like installing a high-security lock on your front door but leaving a window open.
Even the highest-rated systems have shown vulnerabilities. Recent vulnerabilities discovered in HID's iCLASS SE CP1000 Encoder received a CVSS 7.2/10.0 severity rating—a rating considered "high" by the National Vulnerability Database.
So why do installers miss these critical vulnerabilities? Simple: they're focused on making the system "work," not securing it against physical threats. They often use whatever credential technology the facility already has or recommend the cheapest option. They don't conduct threat assessments to determine appropriate security levels for physical access, and they lack the security engineering background to understand vulnerability chains.
Understanding Credential Technology Options
Not all access credentials are created equal. Here's what you need to know about the security spectrum:
Lowest Security: 125kHz Proximity Cards and Key Fobs
These cards and key fobs operate at 125kHz frequency with no encryption. While fob systems for doors remain popular across NYC buildings due to their low cost and ease of use, they represent the most vulnerable option. Whether it's a key fob building entry system for your commercial property or simple key fob door access for office suites, 125kHz technology can be compromised in seconds.
This applies equally to cards and fobs—the form factor doesn't matter when the underlying technology is insecure. Many organizations refer to these generically as their "building keyless entry system," but truly keyless systems should use mobile credentials, not easily-cloned fobs.
Medium Security: 13.56MHz Smart Cards
These operate at a higher frequency with basic encryption. Examples include HID iClass and MIFARE Classic. They're more secure than standard Prox cards but still have known vulnerabilities, particularly if not properly configured.
Best for: General office environments with moderate security needs where the threat level doesn't include sophisticated actors.
High Security: Advanced Encrypted Smart Cards
This is where serious security begins.
MIFARE DESFire EV3: This technology has the highest standard of card security currently available with advanced encryption. The encryption makes unauthorized duplication exceptionally difficult.
HID SEOS: Uses advanced encryption technology making duplication virtually impossible through mainstream cloning devices. Built on a software-based infrastructure, it can secure trusted identities across multiple form factors.
These solutions cost more, but that cost is an investment in actual security, not just access control.
Necessary for: Healthcare facilities, data centers, financial institutions, research labs, government facilities, or any environment where unauthorized physical access could have serious consequences.
Highest Security: Multi-Factor Authentication
For your most sensitive areas, a single credential—no matter how sophisticated—shouldn't be enough.
Two-factor authentication follows the "Something You Have AND Something You Know" verification path, making spoofing or cloning a card only half the effort needed to gain access. Even if someone successfully clones a credential, they still can't get through without the second factor.
Common combinations include:
Card + PIN code
Card + biometric (fingerprint or facial recognition)
Mobile credential + biometric
Card + video verification
Essential for: High-security areas, executive suites, evidence rooms, pharmaceutical storage, server rooms, research and development spaces.
Emerging Technology: Mobile Credentials
The newest evolution in access control leverages the security features already built into smartphones.
80% of American universities are already adopting or planning to implement mobile credentials, and the trend is rapidly expanding across all sectors. Mobile credentials offer several security advantages: smartphones require biometric authentication (FaceID or fingerprint) to unlock, credentials can be instantly provisioned or revoked remotely, and the encryption built into modern smartphones exceeds that of most physical cards.
The "Something You Have" becomes your phone—something people are far less likely to lose or leave unattended compared to an access card.
What to Look for When Choosing an Access Control Company
When evaluating access control installation in NYC, ask potential contractors about their security engineering background. A qualified access control installer in NYC should hold security-specific certifications, not just electrical licensing. Now that you understand the vulnerabilities, here's how to choose a company that will actually secure your facility:
#1: Security Assessment Before Installation
This is non-negotiable. A legitimate security engineering company should conduct a thorough security assessment before recommending any hardware. They should ask probing questions:
What are you protecting, and from whom?
What's the consequence of unauthorized access to different areas?
What are your most valuable assets, and where are they located?
What are your insider threat concerns?
What compliance requirements do you face?
How do employees, visitors, and contractors currently access the building?
Only after understanding your threat landscape can they recommend appropriate credential technology and system architecture.
At Connextivity, we begin every project with a comprehensive security assessment. We don't start with a product catalog—we start with understanding your security needs.
#2: Industry Certifications & Licensing That Matter
Look beyond basic electrical licensing. Seek companies with security-specific credentials:
Certified Protection Professional (CPP): This is the "gold standard" security certification, demonstrating expertise in security assessments, threat analysis, risk management, and security program design. CPPs understand security as a discipline, not just a product installation.
Certified Security Project Manager (CSPM): This specialized certification proves capability in managing complex security projects from assessment through design, installation, and commissioning.
Manufacturer Certifications: Look for deep product knowledge certifications like Axis Certified Professional, which demonstrate technical expertise with specific security technologies.
NYS Department of State Licensing: In New York, this licensing is required for security and fire alarm installation—it's not optional.
These certifications represent security engineering knowledge that goes far beyond installation skills. Anyone can mount a card reader; understanding which reader, which credential technology, and why requires genuine security expertise.
Our team at Connextivity holds CPP and CSPM certifications alongside our New York State licensing and Axis professional certifications. This combination of security knowledge and technical capability is what sets security engineering firms apart from basic installers.
#3: Engineering Mindset, Not Just Installation Capability
The company you choose should demonstrate sophisticated understanding of:
Credential technology trade-offs across the security spectrum from Prox to iClass to SEOS to DESFire to mobile
Multi-factor authentication strategies for different security zones within your facility
System integration with video surveillance (for visual verification), intrusion detection, visitor management, and building management systems
Physical security design including proper reader placement to prevent tailgating
Network security architecture for access control systems (yes, physical security systems have cybersecurity implications)
Migration paths for evolving from legacy systems to modern solutions without complete replacement
A security engineering firm should ask you detailed questions about your operations, not just show you equipment catalogs. They should be able to explain the pros and cons of different approaches specific to your threat environment.
#4: End-to-End Capability
Look for companies that can handle the complete project lifecycle:
Initial security assessment and risk analysis
System design and security engineering
Equipment specification and procurement
Professional installation by licensed technicians
System commissioning and rigorous testing
User training and comprehensive documentation
Ongoing support and periodic security audits
Future upgrades and system evolution
This end-to-end capability ensures accountability. When one company handles assessment, design, installation, and commissioning, there's no finger-pointing if something doesn't work correctly. At Connextivity, we own the entire process from initial assessment through long-term support.
#5: Technology-Agnostic Recommendations
Be wary of companies that only offer one manufacturer's products or push the same solution for every client. The best security engineers select the right tool for the job, not the job for their preferred tool.
They should be able to explain why they're recommending specific technologies for your particular security needs, complete with trade-offs and alternatives.
Red Flags to Watch For
Run away from companies that:
Push specific products without conducting a security assessment
Can't explain why they're recommending particular credential technology
Don't ask detailed questions about your security objectives and threat landscape
Provide quotes that skip assessment or design phases—just equipment lists and labor
Dismiss legacy system vulnerabilities with "Nobody's going to clone your cards"
Make promises that sound too good to be true on pricing (quality security engineering requires expertise, and expertise costs money)
The Future of Physical Access Control
Technology continues to evolve rapidly, and your choice of access control partner today will impact your facility's security for the next 5-10 years. Here's where the industry is heading:
Mobile Credentials Are Rapidly Expanding: Smartphones are replacing physical cards entirely across all sectors. The security advantages are compelling—biometric unlock, instant provisioning and revocation, elimination of lost cards, and enhanced convenience for users.
Cloud-Based Management Becoming Standard: 92% of businesses already operate systems via the cloud. Cloud-based access control allows centralized management of multiple properties, real-time monitoring, faster incident response, and easier software updates without disrupting operations.
AI and Machine Learning Integration: Artificial intelligence is beginning to enhance physical security by detecting anomalous access patterns, integrating with video analytics to identify tailgating, providing predictive maintenance alerts, and enabling automated threat responses like area lockdowns.
Multi-Factor Authentication Becoming Essential: MFA is becoming standard as physical security threats become more sophisticated. Layered security combining credentials with PINs, biometrics, or mobile authentication is increasingly the norm for sensitive facilities.
Biometric Integration Expanding: Biometric technologies such as fingerprint, facial recognition, and iris scans are being integrated to confirm user identity. Privacy concerns are diminishing as the technology becomes commonplace in smartphones and improves in accuracy.
The right access control partner can help you navigate this evolution strategically. Poor initial implementation makes future upgrades costly and complicated, while thoughtful security engineering today creates a foundation that can evolve with emerging threats and technologies.
As Axis Certified Professionals with ongoing manufacturer training, Connextivity stays current with emerging technologies. We design systems that can evolve with your needs without requiring complete replacement.
The True Cost of Choosing Wrong
Let's talk about what's really at stake when you choose an installer over a security engineering firm.
Beyond the immediate unauthorized access incident, inadequate physical security creates cascading consequences: theft of valuable equipment or intellectual property, potential for workplace violence when unauthorized individuals reach employee areas, significant liability exposure if inadequate security allows an incident, regulatory fines for HIPAA violations in healthcare or building code violations, reputational damage that causes clients and tenants to lose confidence in your facility, and insurance implications including higher premiums or denied claims.
The rip-and-replace trap is particularly costly. Many users admit that convenience and function were far more important design considerations than security for early prox users. Now those users face mandatory upgrades as vulnerabilities become widely known. Organizations that "saved money" with basic proximity card systems five years ago are now spending three times what proper security would have cost initially—plus dealing with the disruption of a complete system replacement.
Here's a real-world scenario: A NYC commercial building installed a basic Prox system to cut costs. A tenant experienced theft after a former employee cloned credentials. The building faced liability claims and had to upgrade the entire system. The total cost exceeded three times what implementing proper security initially would have cost—plus they lost the tenant and damaged their reputation.
Perhaps worst of all is the hidden cost of false security. Believing you're protected when you're not is more dangerous than having no system at all. It creates complacency, reduces vigilance, and delays necessary security improvements until an incident forces action.
Is Your Current Access Control Adequate?
Let's recap what we've covered:
Your existing proximity cards can be cloned in 15 seconds with a $30 device
Most access control companies are installers, not security engineers—they can wire a reader but can't assess your threats
Without proper security assessment, you're gambling with physical access to your facility
The right credentials (whether DESFire, SEOS, or mobile), properly configured with assessment-driven design, make all the difference
Even upgraded systems remain vulnerable if legacy protocols aren't disabled on readers
Now ask yourself these critical questions:
Did your access control company conduct a security assessment before installation?
Do they understand the difference between 125kHz Prox, encrypted smart cards (DESFire, SEOS), and mobile credentials?
Can they explain why they chose your specific system based on your threat landscape?
Are your readers still accepting legacy protocols that create downgrade attack vulnerabilities?
Do you have a strategy for evolving your system as threats change?
Would your system prevent a former employee from accessing the building with a cloned credential?
If you answered "no" or "I don't know" to any of these questions, it's time to talk to a security engineering firm, not just an installer.
The Connextivity Difference
At Connextivity, we approach every project as security engineers first. Whether you need a complete commercial door entry system, an office door entry system upgrade, or are transitioning from vulnerable key fob security systems to modern keyless card entry systems, our team provides comprehensive security solutions.
We serve organizations throughout New York City with access control systems designed for your specific security needs—from basic door security systems for offices to sophisticated multi-site deployments with advanced authentication.
Our team of Certified Protection Professionals (CPP) and Certified Security Project Managers (CSPM) leads comprehensive security assessments before we ever recommend a single piece of hardware. As New York State licensed installers and Axis Certified Professionals, we combine deep security expertise with technical installation excellence.
Our end-to-end approach includes:
Thorough security assessments and vulnerability analysis
Security engineering and system design
Professional installation by licensed, certified technicians
Complete system commissioning and testing
Comprehensive user training and documentation
Ongoing support and periodic security audits
Strategic planning for system evolution
We don't just install access control systems—we engineer physical security solutions that actually protect your facility from unauthorized access.
How confident are you that your access control system prevents unauthorized physical access to your facility?We'd love to hear about your experiences or concerns—share your thoughts with us.