By Ross Bale

For many years the topology of an access control system has involved a server, door controller and field devices such as card readers, locks and request to exit buttons as a few examples.

However in recent years, with Internet of Things (IoT) developments and new ways of communicating, in my opinion, the days of the security controller may be numbered.

Internet of Things Influences

The IoT movement is all about small, cost effective devices that perform one or more specific functions, such as monitoring temperature or light levels and sending this data to one or more services. These services can interpret this data and make decisions based on it.

If, in the near future, manufacturers of devices such as card readers, locks and request to exit buttons produce intelligent devices capable of using wireless transmission methods and protocols such as MQTT (a lightweight machine to machine internet of things communications protocol). Each device would be able to directly interact with each other and send data back to a central server without requiring the door controller.

At Build 2017, Microsoft showed their Workplace Safety Demonstration, demonstrating how IP video surveillance cameras could be used with artificial intelligence powered by the Microsoft Azure cloud platform. It could be used to identify people, objects and potential hazards in the video image without edge based analytics, or any kind of local server processing – just with cloud hosted artificial intelligence and local IP cameras.

Whilst this is technologically possible now, there are some practical limitations…

Offline Communications

One function that door controllers provide is the ability to hold card holder data locally and process requests to enter or exit a door if the network or sever goes offline, especially important if the system relies on a server based in a different location.

Whilst the card reader could hold an authorised card holder database in its memory, as the card reader is outside of the secured area, it would expose sensitive information.

In addition, the card reader still needs some form of communication path between itself and the other devices around the door.

Cyber Security

Hard-wired access control systems are considered secure as data being transmission around the system cannot be hacked.

A secure access control system can only realistically be achieved by ensuring that the system is using card readers that support the Open Supervised Device Protocol (OSDP) protocol and all cabling is physically secured and monitored by the access control system for tampering, e.g. someone cutting a cable or trying to introduce additional equipment between the card reader and the access controls system.

Using card readers that support the Wiegand protocol, or cabling that is not physically secured would result in a system no more secure than a Wi-Fi or Bluetooth connected device.

While it may be possible to sniff data from equipment on the unsecured side of the door in a fully peer to peer IOT style configuration, encryption and authentication methods within the MQTT protocol mitigate this risk.

MQTT requires each device to subscribe with a central authority within the MQTT server environment to be able to send or receive data, hence it would be fairly straightforward to identify unauthorised devices.


This is difficult to quantify at this stage as devices that can achieve this type of configuration are not yet available.

Assuming the equipment just needs to be mounted and wired around the door, using POE for power and a little commissioning , it would be reasonable to expect installation costs including hardware to be equal to or slightly less than a conventional system.


Many sites will not want to take the risk of introducing unproven, new cutting edge technology unless it is developed by a trusted and proven manufacturer as the risk of failure or compromise of the system may be too high for the end user.

There needs to be a clear business benefit to deploying a cutting-edge solution over conventional installations.

So, should the door controller be worried?

Whether the door controller is in fact hurtling towards obsolescence is likely within the next few years, especially with the development of cloud platforms such as Microsoft Azure, smaller, more intelligent sensors, and faster wireless communications technologies including 5G.

What is clear is that the internet of things movement is gathering pace and momentum. The process is creating new system models, ways of working and new devices at a pace much faster than traditional security manufacturer’s research and development processes, which could threaten the traditional access control system architecture and market.

How do you think the internet of things will impact on traditional access control?

Comment below to let our Security team know.

Join the conversation! 1 Comment

  1. I used to work in the security market (access control & CCTV) but now work in the lighting market. However, there is a common denominator when discussing IoT devices. My concern as lighting could potentially mean a IP address per light fitting as well as all the associate control devices such as PIR’s I/O ans switches is that a typical 20 floor office would have many thousands of IP addresses. (not to mention all the other IoT systems).

    Do we really need to be working with all theses IP addresses or is the solution a hybrid of IoT to local wireless collectors that are hard wired back to a router and then to the cloud ? This solves 2 potential problems- IP addresses restricted to collectors only and wireless communications kept relatively simple within a smaller area per collector, so that low/ intermittent signal strengths don’t become an irritating issue ? There is a lot of steel and electromagnetic energy in a typical commercial building. I know there are wireless mesh systems, but I am unsure about scalability vs latency on larger projects.

    Access control systems that can’t reference a card or bio metric reader to a data base for security verification via a card database before opening the door is not by definition, an access control system ?



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Ross Bale, Security


, , , , , , , ,