The Future of Access Control: How to Build Systems That Withstand Hybrid Attacks
When security becomes invisible
For people moving through a building, it should be effortless. Badges that just work, phones that unlock doors without breaking stride, and visitors who are onboarded in minutes – this is what people expect. But for the organization that owns or operates the building, the same system must withstand sophisticated attacks and meet increasingly strict requirements. This is the paradox: the better access control works, the less anyone notices it. Until something goes wrong.
Two developments have changed how we must think about physical security. First, we have seen the rise of hybrid attacks – where physical access to a building becomes the entry point into a cyberattack. When external systems are well protected, attackers look for the weakest physical link: an outdated reader, a cloned card, or a forgotten identity lingering in the access system.
Second, regulations such as NIS2 and CER have elevated physical access control from an operational task to a board-level responsibility. Access control systems must now support traceability, incident reporting, and rapid response. Physical security is no longer separate from cybersecurity – it is a fundamental part of it.
The problem with legacy systems
How secure is your oldest access reader?
Many buildings still run on access technology designed decades ago, long before today’s threats existed. A typical legacy system uses low-frequency 125 kHz cards that transmit a fixed identifier; anyone within range of the card can capture it and copy it to a blank card. The readers have no tamper alarms. Communication between reader and controller runs over Wiegand, an old protocol that sends the credential in cleartext as electrical pulses on two wires, so anyone who reaches the cable behind the reader can record or inject card numbers.
For attackers, this is essentially an open door.
The attack pattern is well known: clone an access card in the parking lot. Enter the building after closing hours. Find a technical room protected by the same vulnerable reader. Plug a device into the network. Within hours, malicious software spreads across systems that were supposed to be protected by advanced firewalls.
Organizations with access control systems that are ten years old or more face a particularly high risk. Modern access control breaks the attack chain at several points: ID carriers that resist cloning, encrypted reader-to-controller communication, readers that detect tampering, and systems that flag unusual patterns such as after-hours use of a rarely used credential. The technology exists. The question is not whether to upgrade, but where to start.
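The attack chain above leaves traces in the access log that a platform can flag. The following is an added example for this article, not Breeze or STid code, and the event format, door names, credential IDs, walking times and business hours in it are constructed for illustration. It runs three checks practitioners commonly use: a credential that has been dormant for months and suddenly reappears (the forgotten identity), an after-hours entry into a technical zone, and the same credential presented at two readers faster than anyone could walk between them, which is how a cloned card often betrays itself.

```python
"""Three checks an access-control platform can run over its own event log.

Added example for this article, not Breeze or STid code.  The log format,
door names, credential IDs, walking times and business hours are all
constructed for illustration.  Checks:
  1. a credential dormant for a long time suddenly used again,
  2. an entry into a sensitive zone outside business hours,
  3. one credential at two readers faster than the walk between them,
     a classic indicator of a cloned card.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    credential: str
    door: str
    zone: str


# Constructed sample log: one event per line, "timestamp,credential,door,zone".
SAMPLE_LOG = """\
2024-05-13T08:02:11,C1001,main-entrance,public
2024-05-13T08:03:40,C1001,office-3f,office
2024-05-13T08:05:02,C2002,main-entrance,public
2024-05-13T22:41:17,C1001,parking-north,perimeter
2024-05-13T22:47:55,C1001,server-room-b1,technical
2024-05-13T22:48:30,C1001,office-3f,office
2024-05-14T03:10:44,C3003,loading-dock,technical
"""

# Constructed: when each credential was last seen before this log window.
LAST_SEEN = {
    "C1001": datetime(2024, 5, 10, 17, 30),
    "C3003": datetime(2024, 1, 15, 9, 0),   # a contractor badge nobody revoked
}

# Constructed: minimum seconds needed to walk between two doors.
MIN_TRANSIT_S = {
    frozenset({"main-entrance", "office-3f"}): 60,
    frozenset({"parking-north", "server-room-b1"}): 120,
    frozenset({"server-room-b1", "office-3f"}): 180,
}


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, cred, door, zone = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), cred, door, zone))
    return sorted(events, key=lambda e: e.ts)


def find_dormant(events, last_seen, dormant_days=90):
    """Credential used again after a long gap: a candidate forgotten identity."""
    seen = dict(last_seen)
    hits = []
    for e in events:
        prev = seen.get(e.credential)
        if prev is not None and e.ts - prev > timedelta(days=dormant_days):
            hits.append((e.credential, e.door))
        seen[e.credential] = e.ts
    return hits


def find_after_hours(events, sensitive_zones, start=time(7), end=time(19)):
    """Entries into sensitive zones outside business hours."""
    return [(e.credential, e.door) for e in events
            if e.zone in sensitive_zones and not (start <= e.ts.time() < end)]


def find_impossible_travel(events, min_transit_s):
    """Same credential at two doors faster than the walk between them."""
    by_cred: dict[str, list[Event]] = {}
    for e in events:                      # events are already time-ordered
        by_cred.setdefault(e.credential, []).append(e)
    hits = []
    for cred, evs in by_cred.items():
        for a, b in zip(evs, evs[1:]):
            needed = min_transit_s.get(frozenset({a.door, b.door}))
            if needed is not None and (b.ts - a.ts).total_seconds() < needed:
                hits.append((cred, a.door, b.door))
    return hits


def run_checks() -> dict:
    events = parse_log(SAMPLE_LOG)
    return {
        "dormant": find_dormant(events, LAST_SEEN),
        "after_hours": find_after_hours(events, {"technical"}),
        "impossible_travel": find_impossible_travel(events, MIN_TRANSIT_S),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

Run as a script it prints the three hit lists. The flagged C1001 sequence (parking at 22:41, server room at 22:47, then an office door 35 seconds later) is the chain described above, and the cloned-card indicator fires without any knowledge of the card technology, which is why this check is worth running before the readers are upgraded, not only after.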
Four principles that matter
Behind all specifications and product names, solid access control is built on four principles. Think of them as layers – each one must hold for the system to be truly secure.
Secure ID Carriers: The Foundation
Modern ID carriers – whether physical cards, key fobs, or mobile credentials – function as small secure computers rather than as broadcasters of a fixed number. They cryptographically authenticate at every transaction. High-frequency smartcards based on MIFARE DESFire EV2/EV3 provide the security foundation: keys held in a Common Criteria EAL5+ certified secure element, mutual AES authentication between card and reader so that a card without the key cannot impersonate one that has it, and a random UID option so the card presents no fixed identifier that can be tracked or copied.
Mobile credentials provide the same level of security on smartphones over encrypted NFC and Bluetooth channels. For offices with hybrid workforces or campuses with app-savvy users, mobile credentials have clear advantages: instant issuance, remote revocation, no physical card production, and encrypted communication end to end.
But real-world operations require flexibility. Many organizations need physical cards for contractors, visitors, environments where phones are prohibited, and situations where the card serves multiple purposes. The question is not physical versus mobile, but how to manage both seamlessly in a single platform – with consistent security policies and complete traceability.
The Access Reader: The Visible Component
Readers are where security becomes tangible. They are also the first thing an attacker approaches.
Modern readers hold their keys in dedicated secure hardware, so prying one off the wall does not yield the site key. They detect physical tampering, typically through an accelerometer that senses removal or impact, and raise an alarm to the access system immediately. They accept signed firmware updates in the field, so they can evolve as threats change.
This matters because buildings live for decades while technology cycles accelerate. Security threats, credential standards, and integration requirements advance faster than infrastructure can adapt. Readers that can be updated remotely—with new protocols, enhanced encryption, or mobile credential support—protect investment over building lifecycles that often span 15 to 25 years.
Protocols: The Invisible Link
Encryption of the reader-to-controller link is one of the most critical and most neglected elements of access control. From issuance and administration to daily use, and with regulations such as NIS2 now in force, every step must run over encrypted, authenticated channels and documented processes. In legacy systems the Wiegand protocol still transmits the credential unencrypted as simple electrical pulses on the cable between reader and door controller. Anyone with access to that cable, typically behind the reader on the unsecured side of the door, can record the pulses or inject their own.
Modern protocols such as OSDP Secure Channel and SSCP solve this with encrypted, authenticated, bidirectional communication: reader and controller share a key, every message is encrypted and carries an authentication tag, and a peer without the key can neither read nor forge traffic. Two caveats matter in practice. OSDP without Secure Channel is still plaintext, so the secure mode must actually be enabled and verified, not merely supported on the data sheet. And OSDP ships with a published default key for installation (SCBK-D); a site-specific key must be set on every reader before the system goes live, or the encryption is a formality.
Organizations upgrading access control should remove unencrypted Wiegand from critical zones and require encrypted, authenticated protocols end-to-end. The protocol is invisible to users, but it determines whether the system is a security asset or a vulnerability.
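To make the protocol point concrete, here is an added example for this article in Python; it is not Breeze, STid or OSDP reference code. The Wiegand 26-bit layout it encodes is the real, widely deployed format. The authenticated frame that follows is a simplified stand-in for the properties OSDP Secure Channel provides, using HMAC-SHA256 from the standard library rather than OSDP's AES-128 wire format, and the credential, key and sequence numbers are constructed. It shows that a tap on a Wiegand cable yields the full credential and a bit-identical replay, while the authenticated link rejects replay, tampering and frames from a peer without the key.

```python
"""Why Wiegand is an open door, and what an authenticated link changes.

Added illustration for this article, not Breeze, STid or OSDP code.  The
Wiegand 26-bit layout used here is the real, widely deployed format:
1 even-parity bit, 8-bit facility code, 16-bit card number, 1 odd-parity
bit, sent as cleartext pulses on the D0/D1 lines.  The authenticated frame
is a simplified stand-in for the properties OSDP Secure Channel gives you
(OSDP SC itself uses AES-128 and its own wire format; this uses HMAC-SHA256
from the standard library so it runs anywhere).  Credential and key are
constructed.
"""
import hashlib
import hmac
from typing import Optional


def wiegand26_encode(facility: int, card: int) -> str:
    """Return the 26 bits a reader puts on the wire for this credential."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2          # even parity over the first 12 data bits
    odd = (data[12:].count("1") + 1) % 2     # odd parity over the last 12 data bits
    return f"{even}{data}{odd}"


def wiegand26_decode(bits: str) -> tuple[int, int]:
    """What a tap on the reader cable learns: the full credential, no key needed."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("not a 26-bit Wiegand frame")
    data = bits[1:25]
    if int(bits[0]) != data[:12].count("1") % 2:
        raise ValueError("even parity mismatch")
    if int(bits[25]) != (data[12:].count("1") + 1) % 2:
        raise ValueError("odd parity mismatch")
    return int(data[:8], 2), int(data[8:], 2)


# --- authenticated, replay-protected link (principle only, not OSDP's format) ---

def auth_frame(key: bytes, seq: int, facility: int, card: int) -> bytes:
    """Reader side: seq(4) || facility(1) || card(2) || tag(32)."""
    body = seq.to_bytes(4, "big") + bytes([facility]) + card.to_bytes(2, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Controller:
    """Controller side: accepts a frame only if the tag verifies and seq is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes) -> Optional[tuple[int, int]]:
        if len(frame) != 7 + 32:
            return None
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # forged or tampered
        seq = int.from_bytes(body[:4], "big")
        if seq <= self.last_seq:
            return None                      # replayed
        self.last_seq = seq
        return body[4], int.from_bytes(body[5:7], "big")


def demo() -> dict:
    """Constructed credential and key; both links face a capture-and-replay."""
    facility, card = 42, 12345
    wire = wiegand26_encode(facility, card)
    cloned = wiegand26_decode(wire)          # attacker recovers the credential
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed site key
    ctl = Controller(key)
    frame = auth_frame(key, 1, facility, card)
    tampered = frame[:6] + bytes([frame[6] ^ 0x01]) + frame[7:]  # flip a card bit
    return {
        "wiegand_cloned": cloned,
        "wiegand_replay_identical": wiegand26_encode(*cloned) == wire,
        "auth_first_accept": ctl.accept(frame),
        "auth_replay_accept": ctl.accept(frame),
        "auth_tampered_accept": ctl.accept(tampered),
        "auth_wrong_key_accept": ctl.accept(auth_frame(b"attacker-key", 2, facility, card)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note what the authenticated side does not do: it does not hide the credential from anyone holding the controller's key, and it offers nothing if every reader on site still carries the vendor's default key. Key management, not the cipher, usually decides whether Secure Channel is real.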
Door Controllers: Data Collection
Door controllers make the final decision to grant or deny access, based on data from the access control system. This includes schedules, rules, and card data.
But modern controllers do more than open doors. They provide insight. Access data can support space planning, optimize energy management based on real occupancy, and enable predictive maintenance. This is where access control stops being about doors – and starts being about how buildings actually function.
Open Architecture: Built for the Future
Access control is critical infrastructure with a long lifespan. The choice between closed proprietary and open standardized solutions shapes security, flexibility, and cost for decades.
Open systems use recognized standards such as DESFire, OSDP, and SSCP, plus documented APIs that let you replace components without replacing everything. Platforms like Breeze exemplify this: issuing and managing both DESFire cards and mobile credentials from the same platform, with consistent security policies regardless of form factor. As technology evolves or vendors leave the market, open architecture protects the investment. The test of openness is practical: can you hold your own card keys and configuration and take them to a different reader or controller vendor? If the keys live only in the vendor’s cloud or firmware, a standard on the data sheet does not make the system open.
Proprietary systems create dependency on a single vendor’s roadmap, pricing, and longevity. Over the building’s lifecycle, that dependency can become both a security risk and a cost problem.
What Good Solutions Look Like
Principles become concrete when you can point to documented solutions. For commercial real estate and public infrastructure, the STid Architect series shows what modern reader architecture means in practice. Designed and manufactured in Europe, these readers combine architectural integration with IK08–IK10 vandal resistance and IP65 environmental protection.
The readers support both MIFARE Classic and full MIFARE DESFire, and can be combined with virtual STid Mobile ID credentials certified under EN 17640 against hacking and data attacks. MIFARE Classic (Crypto-1) has been publicly broken since 2008, so its support should be treated purely as a migration path for an existing card population; new issuance should be DESFire. EAL5+-certified key storage and patented tamper detection secure the visible part. Communication security ranges from OSDP Secure Channel for modern installations to SSCP for ultra-high security.
The modular architecture future-proofs the investment. With options for biometric sensors, QR modules, or low-frequency RFID, you can easily update the solution for better usability or support older card technology until everything is upgraded. All without replacing the reader. STid Architect is built for open ecosystems across both large and small access control platforms, while allowing customers to manage their own configuration and security keys.
For vehicle access, STid Spectre extends the same access platform to parking and perimeter security with long-range UHF up to 14 meters, fully encrypted.
Where to Begin?
When you next evaluate access control, four questions offer clarity:
Are our ID carriers and readers vulnerable to cloning or tampering?
Plan a phased upgrade to ID carriers and readers based on MIFARE DESFire technology. Start with critical zones and exterior doors.
Is communication still unencrypted?
Replace devices using the Wiegand protocol in sensitive areas. Require encrypted and authenticated protocols at all times.
Do we control our own architecture?
Choose standardized solutions where you own the keys and avoid dependency on a single vendor so you can evolve systems independently.
Do we understand the vendor’s security posture?
Verify supply chain risk management, perform regular internal risk assessments, and keep the solution updated with security patches.
Access control today is a combination of convenience, security, and strong operational practices. It has become a fundamental part of cybersecurity, regulatory compliance, and resilient infrastructure. Improvement does not require full replacement. Start with the highest-risk zones and oldest technologies, and move toward open, modern architecture step by step.
Buildings that are well managed will stand for decades. Designing access control for that time horizon means choosing systems that can evolve, upgrade, and balance uncompromising security with effortless operation. Done right, access control becomes part of the infrastructure that keeps people, assets, and information safe without getting in the way.
Want to learn more? Contact us to see how Breeze and STid can strengthen security in your organization.