Access control has moved onto mobile devices, with smartphone-based credentials appearing in installations across every major market. Hardware vendors and software providers now offer readers and secure protocols that link a user’s device directly to door controllers, transforming how buildings manage entry.
Trade exhibitions have spotlighted those advances. At ISC West in Las Vegas this past spring, attendees found demo stations for wallet-based readers and cloud-hosted control panels. A few weeks later at GSX, interactive displays showed credential issuance from a phone and real-time entry logs on a tablet. Vendors from lock manufacturers to cloud software firms demonstrated integrations syncing phone credentials with elevator access, vehicle lanes and visitor management in a single interface.
Each year, our Access Control Deep Dive asks integrators and on-site technicians to explain which solutions they deploy and how those tools address client needs. Last year, cloud topped discussions. Back then, few had explored phone-based credentials beyond pilot phases. This year, digital wallets dominate project meetings and site walkthroughs in education, health care, corporate and government installations.
Meetings with field teams reveal a blend of legacy and modern methods. Some clients stick with on-premise controllers, using proximity readers and badge printers. Others adopt hybrid schemes that combine local panels for critical points with cloud services for standard doors. A growing segment skips badges entirely, relying on secure digital keys and optional biometric scanners. That trend seems likely to grow; many integrators expect digital wallets to become the default credential format within 18 months.
Chuck Robinson leads regional development for Integrated Protection Services, a Cincinnati-based integrator. His team installs fire alarms, access control systems, video surveillance networks and small IT infrastructures from offices in Columbus, Ohio; Lexington, Kentucky; and Nashville, Tennessee. Many engagements involve Fortune 500 firms, public school districts and data centers. Robinson estimates that roughly 30 to 40 percent of his company’s revenue derives from access control projects.
Robinson says clients want unified oversight.
“Recently I would argue that the majority of the customers want the same thing the enterprise customers wanted for years,” he says. “They want a single pane of glass; they want an integrated solution; they want something that gives them business intelligence on their facility and things of that nature.”
He adds that integrated analytics dashboards reduce overhead while speeding deployments and easing capital requirements.
Integrated Protection Services now approaches projects cloud-first, Robinson says. Many hosted offerings deliver tiered access control, elevator interfaces and visitor management in a single subscription package. Shifting from large capital outlays to smaller monthly fees appeals to midsize clients. Door status, credential logs and camera feeds appear in a hosted portal, and system updates occur on vendor schedules, lifting work off local IT teams.
Todd Burner is chief product officer at Kastle Systems in Houston. Founded 54 years ago as an access control specialist, Kastle expanded into visitor management, remote video guarding and parking solutions. Burner says Kastle treats each engagement as a full managed service.
“We think about ourselves as offering a managed service,” he says. “We do everything from the design of the system to the installation of the system, the ongoing operations of the system, the monitoring of the system, even the maintenance of the system.”
“Really, it is one throat to choke [or] one back to pat, depending on which way you want to think about it, from an outcomes perspective,” he adds. “I think the insight that Gene Samburg had when he founded the company back in the 1970s was [this]: Security is only as strong as its weakest link.”
Burner refers to access control as the building’s central nervous system. It identifies each person, tracks entry points and enforces movement restrictions.
“If you get it right, it kind of fades in the background, and people don’t even notice it,” he says. “Access control is absolutely center to Kastle’s identity.”
Ryan Schilling oversees engineering at Parallel Technologies in Eden Prairie, Minnesota. The firm installs video surveillance, access control, intrusion alarms and network services across the Twin Cities and on remote assignments. Clients include K-12 schools, colleges, municipalities and corporate campuses, each demanding different performance goals and compliance checks.
“We’re doing everything video, surveillance, access control, your intrusion systems and beyond on a daily basis,” Schilling says. “We live and breathe it.”
End users no longer accept generic approaches. Robinson notes that clients research solutions in advance: they expect demo sites, proof-of-concept labs and clear upgrade paths. They ask about IT security standards, healthcare accreditation rules and data retention policies. Ignoring those prep sessions leads to mid-project change orders and frustrated stakeholders.
Cloud offerings now compete directly with on-premise panels. Some service providers deliver local control at high-risk doors and cloud-managed services elsewhere. Others install thin-client panels at the network edge, all managed from a central console. Both architectures require secure tunnels or VPN links, driving early collaboration with IT departments and cabling teams.
High-rise commercial towers often charge premium rents for tenant suites. Burner says Kastle targets Class A or trophy buildings that expect a high-end experience. System branding, entry speed and integrated parking control feed leasing narratives. Wallet credentials let owners embed custom icons and color schemes in digital wallets, reinforcing a building’s brand before a visitor even steps into the lobby.
Wallet credentials rely on secure elements built into modern phones. Apple Wallet, Google Wallet and Samsung Wallet each isolate access tokens from other applications. Readers use NFC or BLE to retrieve encrypted messages. Credential portals generate key pairs and push them to devices during onboarding. That approach removes badge reissuance and badge-holder management: administrators can revoke digital credentials in a portal or push a disable command instantly when a device is lost.
“If you can create an experience through things like wallet credentials that allow people to use their phone as the way to access space, [it] becomes part of the story that the building is telling prospective tenants,” Burner says. He adds that early adopters use wallet passes for marketing events, conference access and exhibit previews, giving leasing agents a tech-forward talking point.
Schilling describes his team’s process as a partnership. They run a workshop to map door schedules, elevator zones, staff roles and visitor flows. They review badge templates, issuance workflows and expiration rules. Technicians test phone signal strength in lobbies, garages and corridors, avoiding dead zones and ensuring a reliable minimum signal at every reader.
“Things like that, they’re a little bit more below the surface, so that’s where we find the most success in delivering a great product that our clients are very happy with,” Schilling says. He recalls a museum project where narrow hallways forced custom I/O boards with extended cable harnesses, smoothing field commissioning and eliminating extra site visits.
Many organizations start access control projects after a security breach. Robinson says IT teams push for new controls once an incident occurs, generating change orders for better credential rotation, fresh card formats or rescued video archives. Some entities mandate electronic readers in new builds or major renovations. Those proactive installs often include intrusion alarms, panic stations and data integrations. The first discussion in those cases centers on compliance drivers and potential threat scenarios.
Regulated industries drive much of that work. Robinson cites IT audit cycles, healthcare accreditation surveys and data privacy rules that require log retention. Municipal buildings face fire marshal mandates. Integrators must explain certificate renewal schedules, software update policies and handheld reader calibration. Organizations moving from mechanical locks to electronic readers must plan for battery swaps, padlock thickness and tamper alarms—an insurance policy against regulatory fines or downtime.
Price remains the primary objection. Robinson says clients who request quotes often base budgets on outdated numbers. If the integrator opens the conversation, pricing seems part of a broader feature and service discussion. If the client reaches out first, they may have a ballpark figure in mind that undercuts required infrastructure. That gap leads to tough negotiations. Conversely, clients budgeting line items for security accept recurring fees for hosting and maintenance more readily.
Burner says new construction lets teams set credentials before drywall goes up. It’s a chance to imagine visitor flows, staff shifts and service technician paths. That vision can yield ambitious ideas: lobby registration kiosks, timed turnstile gates and product check-in stations. Those use cases require network drops in mechanical rooms, change-over panels and queued door logic. When architects learn what is possible, they often adjust plans to include extra conduits or dedicated switch closets near key gateways.
Parallel Technologies typically joins at the design phase to sketch wiring diagrams and chain-of-custody logic. Schilling recommends credential lifespans, partition schemes and reporting schedules. He adds that dry-run login exercises let project managers verify door response times and test credential revocation flows. Watching a phone credential disconnect in real time addresses lost-device concerns and credential reuse questions before final acceptance.
Integrators monitor trade journals, attend sector meet-ups and compare notes in panel sessions. Robinson tracks published roadmaps from forward-thinking manufacturers to spot upcoming features. He surveys firms that embrace open standards and release software development kits. That insight helps forecast which products will land in test labs six to 12 months ahead. Burner’s team attends cross-industry consortiums to spot integration platforms that could pair with Kastle’s offerings.
Kastle maintains product, engineering and hardware divisions to deliver custom features on demand. Some customers ask for proprietary card formats, back-of-house printer systems or firmware tweaks. Having in-house teams lets Kastle build modified readers or adjust server code to meet those requests. When a tenant group or security department has unique compliance needs, that approach speeds delivery and later becomes an option in Kastle’s standard menu.
Technology demand flows both ways, Burner notes. Clients request new use cases—temperature checks at entries, test-station paths or occupancy sensors—that evolve into integration projects. Kastle shares insights across its customer base, steering new clients toward proven solutions. That two-way exchange shapes product roadmaps and service enhancements, since the most robust designs often emerge from field deployments.
Schilling stresses tight ties with hardware vendors in SaaS engagements. Features change more often than firmware cycles, so integrators test new releases and update training materials on a regular cadence. That collaboration ensures updates arrive as promised and internal teams can support client inquiries immediately. It also helps when a manufacturer assigns engineers to troubleshoot a late-night bug that any customer might face.
Requests for biometrics have surged. Parallel Technologies has installed fingerprint readers and iris scanners for high-security doors. Robinson’s team has trialed Alcatraz AI facial recognition at select corporate sites. He expects cost declines to push iris and face solutions into standard office and health care deployments. Clients that want zero-touch authentication for high-traffic lobbies or during flu season see real value in those options. Integrators must plan privacy policies and confirm how sensor data joins existing credential directories.
Robinson says artificial intelligence features appear now in many access control platforms. He predicts a fast path to conversational interfaces like ChatGPT.
“I really am interested to see how generative AI takes hold,” he says. “We’re starting to see it more and more in the product lines and it’s making the products even easier to use for the customers. I really think we’re not too far off from being able to see customers have just a ChatGPT-style interface with their system, and they can have a conversation with it, and it produces the results they’re looking for.”
Video surveillance platforms have absorbed many AI tools, too. Kastle launched a cloud-native video service in 2012 and has added object detection, analytics engines and remote monitoring workflows. Burner says feature choices depend on the problem to solve; not every site needs facial recognition or license-plate reads. Often clients deploy basic recording at all doors and advanced analytics only at high-risk points.
“We have an open set of APIs, SDKs, we work with lots of different hardware manufacturers, even in some cases where we might have an alternative hardware offering ourselves, but our work is always driven by what the customers are asking for,” Burner says.
Life sciences and utility control centers lead in biometric deployments, given their chain-of-custody needs. By contrast, high-end residential communities favor card or phone credentials and use biometric checkpoints in amenities like fitness centers or package rooms.
Visitor management remains vital in education. Schilling says districts deploy kiosk-based check-in systems that photograph guests, run watch-list checks and issue temporary badges automatically. That workflow cut lobby wait times by half in one district. Those controls satisfy staff concerns, ease front-desk burdens and feed emergency muster reports for evacuations.
“We definitely give them the options and talk them through the pros and cons of each,” Schilling says. “What’s really the best conversation to be had is: what is the return on investment? Whether it be ease of operations or various levels of risk mitigations, there is always a driving ROI for our customers to go in a specific direction.”
Firms now view recurring monthly revenue (RMR) as essential. Robinson says Integrated Protection Services includes hosting or maintenance agreements in every contract, covering software updates, feature add-ons and service calls. That approach aligns vendor incentives with client uptime goals. He notes that after a quarter of cloud-first deployments, his team saw a 15 percent rise in average account monthly revenue.
Clients resistant to subscriptions often cite unknown long-term costs. Robinson says his team models total cost of ownership over five to ten years and shows that subscription options can deliver lower outlay in year one. To convince skeptics, teams propose limited pilots—migrating a few doors to the cloud, proving value and then expanding to full coverage.
“IPServices was late to the RMR game,” Robinson says. He adds that the firm now seeks about 20 percent of annual revenue from recurring fees. Burner says RMR features have been part of Kastle’s DNA since its founding. He commits to long-term partnerships, handling updates, patches and system health checks under managed service agreements.
“We are not going to hand this over to you and wish you good luck,” Burner says. “We’re going to be that ongoing partner with you and that there’s a service fee for that. But if we’re doing our job right, we’re delivering better outcomes at a lower total cost of ownership than somebody would if they were to try and cobble together a lot of different vendors and playing air traffic control amongst them.”
Burner compares access control to electric service.
“When my lights turn on in the morning, I don’t high-five the electric company that the lights went on. But when they don’t, I’m pretty upset,” he says. “Access control is kind of the same way. Nobody high-fives you when the door opens. But when it doesn’t, that’s a problem.”
He explains that managed service teams monitor door activity 24/7 and dispatch technicians at the first sign of trouble. Dedicated response units track alarms, hardware health checks and credential anomalies around the clock. Those proactive touches minimize tenant complaints and prevent multi-unit lockouts, keeping daily traffic flowing.
Schilling says manufacturers now treat SaaS features as core products. Integrators receive frequent notifications about new releases and required upgrades. That cadence demands a process to validate each version, update documentation and adjust client policies. He says successful teams automate code checks in a virtual lab environment to catch bugs before they hit live sites.
Cloud credentials and IoT sensors have brought IT departments into security conversations. Schilling notes that IT teams now handle VLAN assignments, firewall rules and certificate rotations for access control networks. That cooperation reduces help-desk tickets, since firmware and patching move off internal calendars and onto vendor schedules. IT staff value the ability to review system logs in near real time via secure API gateways.
Schilling calls wallet- and smartphone-based credentials the default path forward. He says phones are ubiquitous, regularly updated and harder to lose than low-cost cards. If a user forgets a phone, staff can issue a QR code or temporary badge remotely. That electronic handshake sidesteps physical-key management and cuts administrative calls by more than 30 percent.
Burner expects full adoption of wallet credentials across sectors within two to three years. Property owners planning conduits and switch closets today include BLE- or NFC-ready ports to avoid drilling and rewiring when digital passes go live. That up-front planning eases later phases and reduces surprise costs.
Schilling points out that managing lost devices, credential transfers and remote revocation remains a learning process. Software teams are building admin portals that surface device status, access history and usage patterns. Those tools help managers identify orphaned tokens and disable everything tied to a single device serial number with one click.
Schilling compares the shift to other technology rollouts: time is needed for users to become comfortable. Early adopters pilot small door sets, test reliability under real-world traffic and validate update processes. Broad rollouts follow only after pilots prove stable and functional.
Access control systems today blend software, hardware and managed services in a tightly woven ecosystem. Integrators who can design, install, host and maintain every piece stand to win the largest portfolios. Clients appreciate reduced complexity, unified reporting and a single monthly invoice. As more sectors embrace subscription models and smartphone credentials, the lines between security, IT and facilities blur—leaving one clear winner, the organization that gains improved situational awareness.
