Every access control refresh on campus arrives at the same three-way fork: keep improving cards, move credentials onto phones, or verify the person directly. Vendors for each will happily compare their option to the one it replaces. Rarer is the honest three-column view.
The comparison in one sentence: prox cards are cheap tokens that verify nothing about their holder, mobile credentials are harder-to-lend tokens that still verify only possession, and facial authentication is the only option that verifies the person — which is why the right answer for most campuses is layered, not exclusive. Here is the column-by-column case.
What does each credential actually verify?
The question that sorts everything else. A prox or smart card verifies that a card is present — shareable, losable, and for the legacy formats still widespread on campuses, clonable in seconds. A mobile credential verifies that a phone is present: a meaningful upgrade, since phones are guarded more jealously than cards and modern wallet implementations resist cloning — but the phone can still be handed over, and a stolen unlocked phone is a credential like any other. Facial authentication verifies the person: a liveness-checked, one-to-one match against a template the individual enrolled on purpose, authentication rather than recognition. Only the third option closes badge sharing, and only a reader that keeps watching closes tailgating — token upgrades address neither, because neither is a token problem.
What does each cost — visibly and invisibly?
Card programs look cheapest per unit and bleed invisibly: reissuance labor for the thousands of cards lost each year, card-office staffing, and the unpriced risk of every clone and share the logs never see. Mobile credentials trade plastic costs for platform ones — per-credential or per-user licensing, wallet-integration work, and a helpdesk queue that now includes dead batteries, broken phones, and OS quirks at the door. Facial authentication carries the highest per-door hardware cost and the lowest per-user cost at scale: nothing to issue, reissue, or replace, enrollment that takes a minute of the user’s own time, and — at doors currently backstopped by posted guards — the reallocation of the most expensive reader on the market, the human one. The honest accounting compares total cost per verified entry, and only one column verifies.
Where does each fit on a real campus?
This is where the exclusive framing collapses. Cards remain the universal baseline and the permanent fallback — every door, every population, no enrollment required; on the Alcatraz model the badge never goes away. Mobile credentials suit populations and doors where possession-plus-phone-lock is assurance enough and card logistics are the pain being solved. Facial authentication earns its hardware cost where verification or throughput carries real stakes: residence halls, regulated labs and data rooms (often as face-plus-badge two-factor), and the high-flow doors where hands-free entry in under a second beats any pocket search. All three run side by side in the same ACS — the reader presents over Wiegand or OSDP to Genetec, LenelS2, C•CURE, or Genea like any other credential device, so the decision is per-door policy, not platform allegiance. The roadmap post covers the sequencing.
So what should the RFP actually ask?
Not “which credential?” but four sharper questions. Which doors need the person verified, not the token? What is our real annual cost of issuance, reissuance, and the card office? What would tailgating and sharing data from our busiest doors change about this plan? And does the verification option keep the fallback — because an option that removes choice imports the political costs covered in the consent post. Run those four and the three-column table fills itself in per door, which was always the right resolution for the decision.
Want the comparison run against your actual door list and card-office numbers? Book a demo — bring both, and the working session builds your table instead of ours.
Frequently asked questions
What do prox cards, mobile credentials, and facial authentication each verify?
A card verifies that a card is present; a mobile credential verifies that a phone is present; facial authentication verifies that the enrolled person is present, via a liveness-checked one-to-one match. Only the third closes badge sharing, and only a watching reader closes tailgating.
Does a campus have to pick one credential technology?
No — all three run side by side in the same access control system, because the biometric reader presents over Wiegand or OSDP like any other credential device. The decision is per-door policy: cards as the universal fallback, verification where stakes or throughput justify it.
Which campus credential is cheapest?
Per unit, cards; per verified entry, it inverts. Card programs bleed invisibly through reissuance labor and unpriced sharing and cloning risk; mobile adds licensing and helpdesk load; facial authentication costs most per door and least per user — nothing to issue, reissue, or replace.