Fobs, Cards, PINs, Phones or Fingerprints: Access Credentials Compared
By the DC Fire & Security engineering team — installing and maintaining fire and security systems since 2010. Updated June 2026.
Quick answer
Fobs and cards are the default: cheap, fast and instantly revocable — choose modern encrypted types (MIFARE DESFire), not legacy 125kHz fobs which are clonable at kiosks. PINs are the weakest (shared and shoulder-surfed) but fine as a second factor. Mobile credentials suit phone-native teams and remote issue. Biometrics give the strongest binding to a person at the cost of GDPR overhead.
How the options compare
| Credential | Security | Cost per user | Best for |
|---|---|---|---|
| Fob/card (MIFARE DESFire) | High — encrypted, revocable | £3–£10 | The standard for offices, flats, schools |
| Fob/card (legacy 125kHz) | Low — clonable in minutes | £1–£3 | Nothing new — replace on upgrade |
| PIN code | Low — shared, observed, never 'lost' | Free | Second factor, low-risk internal doors |
| Mobile credential | High — encrypted, remote issue/revoke | £0–£15/yr | Distributed teams, visitor passes, no fob logistics |
| Fingerprint/face | Highest binding to the person | Reader cost, not per user | Server rooms, cash offices, high-accountability doors |
The cloning problem nobody mentions
The fobs most UK buildings still use — 125kHz proximity — transmit a fixed ID with no encryption, and high-street kiosks and £20 devices copy them in seconds. If your fobs are thin teardrop-style and the system predates ~2015, assume residents and ex-staff hold duplicates you'll never see in the software. Modern encrypted credentials (MIFARE DESFire EV2/EV3) mutually authenticate with the reader and aren't practically clonable; an upgrade often reuses cabling and locks, replacing readers and fobs only.
When biometrics earn their complexity
Fingerprint and face readers bind the credential to the body — nothing to lend, lose or clone. The trade-offs are UK GDPR obligations (biometric templates are special category data needing a DPIA, a lawful basis and a genuine alternative for those who decline) plus enrolment admin and environmental limits (wet fingers, gloves, PPE). The honest rule: biometrics for the few doors where individual accountability really matters; encrypted fobs or mobile for everywhere else.
Frequently Asked Questions
Can key fobs be copied?
What happens when someone loses a fob?
Are phone credentials safe if the phone is stolen?
Can one credential work across sites?
Need help from a professional installer?
We install and maintain fire and security systems across Bedfordshire, Hertfordshire and London — with fixed written quotes, a 36-month warranty, and certification your insurer will accept.
Request a free survey
Free site visit · No obligation · Response within 24 hours