When you're setting up or upgrading an access control system, one of the first questions is what your people will actually carry. Cards, fobs, phones, or nothing at all — each option has a different cost profile, durability, and security level. The right answer depends on your building type, your user base, and how seriously you take cloning risk. Here's a clear breakdown of each format, with specific notes on what we see in NYC deployments.
Key Cards
Key cards are the dominant credential format in NYC office buildings, co-ops, and commercial spaces. They're slim enough for a wallet, cheap to produce, and universally understood. A lost card gets deactivated in the system — no locksmith required.
The critical detail most building managers don't know: there are two completely different security levels hiding in the same plastic form factor.
125kHz Cards (Low Frequency — Legacy)
HID Proximity, EM4100, and similar 125kHz cards are still the most common format in older NYC buildings. They're cheap (often under $2/card) and work with readers installed 15–20 years ago. The problem: they transmit a static, unencrypted ID number. A bad actor with a widely available RFID cloning device — sold openly online for under $50 — can read your card from a few inches away and write a perfect copy onto a blank card in seconds. The reader cannot tell the difference.
If your building is still on 125kHz Prox cards, you have a credential security problem regardless of how good your door hardware is.
13.56MHz Cards (High Frequency — Recommended)
Mifare Classic, Mifare DESFire EV2/EV3, and SEOS cards operate at 13.56MHz with encrypted communication between the card and reader. DESFire EV2 and EV3 in particular use AES-128 encryption and mutual authentication — the reader verifies the card, and the card verifies the reader. Cloning is not practically feasible. These cards cost $3–$8 each, and the readers cost more, but the security difference is fundamental.
NYC buildings on legacy 125kHz HID Prox cards: This is one of the most common vulnerabilities we encounter on site assessments in Manhattan and Brooklyn. The hardware looks fine, the system works — but the credentials can be cloned in seconds. Upgrading to 13.56MHz Mifare DESFire readers and cards is the single most impactful security improvement for buildings on older access control systems. Our access control team can assess your current system and recommend a targeted upgrade path.
Key Fobs
Fobs are functionally identical to key cards in terms of the radio technology inside — you'll find the same 125kHz vs. 13.56MHz split — but they come in a durable hard plastic housing designed to attach to a keyring. For many users, particularly in residential buildings and light commercial spaces, a fob is simply more convenient than a card that gets buried in a wallet.
Fobs are slightly more expensive than cards (typically $3–$10 depending on technology) and slightly harder to lose because they live on a keychain. They're popular in NYC co-ops, condos, and small office suites where residents or employees are managing their own credentials without a dedicated building manager.
The same security caveats apply: a 125kHz fob is just as cloneable as a 125kHz card. The format doesn't change the underlying vulnerability.
Mobile Credentials
Mobile credentials use Bluetooth Low Energy (BLE) or NFC to turn a user's smartphone into an access credential. The user downloads a management app, and an administrator pushes a digital credential to their device. At the door, they hold their phone near the reader — or, with some systems, simply walk up to it (using BLE long-range mode).
The advantages over physical credentials are meaningful:
- No card to lose. Most people don't go anywhere without their phone. Lost credential calls drop significantly in buildings that switch to mobile.
- Instant remote revocation. Terminate an employee at 5 PM on a Friday — their phone credential is deactivated immediately, from anywhere, with no physical card to chase down.
- Stronger security by default. Mobile credentials use encrypted channels and are bound to a specific device. They can't be physically copied the way a 125kHz card can.
- Touchless operation. With BLE long-range, users don't need to physically tap their phone — they just approach the door.
The trade-offs: users need a compatible smartphone, need to keep the app installed, and need their battery to be charged. In buildings with older tenants or higher turnover populations, the support burden can be real. Many buildings run mobile credentials alongside physical cards as a "choose your preferred format" policy.
Biometrics
Biometric readers use fingerprint scanners, palm vein readers, or facial recognition cameras to authenticate identity without any credential at all. The user themselves is the key.
This eliminates all credential management overhead — no cards to issue, no fobs to lose, no apps to manage. Access logs are tied to a specific individual's biometric, not to a card that could theoretically be shared or passed off.
The practical considerations for NYC buildings:
- Cost. Biometric readers run $300–$800+ per door, compared to $80–$200 for a card reader. Installation and enrollment time add to the cost.
- Speed. In a high-traffic lobby with 200 employees arriving between 8:30 and 9:00 AM, fingerprint authentication may create a bottleneck. Face recognition with anti-spoofing hardware is faster but more expensive.
- Privacy. NYC's commercial tenants increasingly ask about biometric data storage and retention policies. For multi-tenant buildings, this can be a leasing friction point.
Biometrics are the right choice for server rooms, pharmaceutical storage, financial back offices, and other high-security single-purpose doors where throughput isn't a concern and accountability is paramount.
Quick comparison at a glance:
- Key card (125kHz): Cheap, common, cloneable — legacy risk
- Key card (13.56MHz DESFire): Moderate cost, encrypted, recommended standard
- Key fob: Same tech as cards, more durable form factor, keyring-friendly
- Mobile credential: No physical item, instant revocation, requires smartphone
- Biometrics: Highest security, no credential to manage, higher cost, lower throughput
What Buildings Actually Choose
In practice, the majority of new NYC commercial installations we do use 13.56MHz key cards as the primary credential, with mobile credentials offered as an optional secondary format. Fobs are common in residential and co-op installations. Biometrics are reserved for specific high-security doors within a broader card-based system.
The worst outcome — and the most common one we see on upgrade calls — is a building that's been running 125kHz Prox cards for ten years and assumes the system is secure because nothing has gone wrong yet. "Nothing has gone wrong yet" is not a security posture. If your building is still on legacy credentials, contact Seneca Security to talk through what a targeted upgrade would cost and how quickly it can be done.