RFID Access Control Architecture Checklist

Most RFID incidents are architecture failures, not “broken crypto.” Use this checklist to harden end-to-end access control.

Core design checks

• No UID-only trust: Readers must not grant access from static identifiers alone.
• Backend authorization: Access decisions should be server-backed with policy context.
• Card lifecycle: Enforce fast revocation, expiry, and re-issuance controls.
• Anti-passback: Prevent badge sharing and replay across adjacent doors.
• Reader hardening: Lock down reader firmware and debug interfaces.
• Monitoring: Alert on unusual swipe timing/location patterns.

Failure taxonomy

• Protocol-layer: weak credential primitive or downgraded reader mode.
• Backend-layer: stale authorization cache or broken revocation path.
• Operational-layer: poor enrollment, weak issuance, no incident playbook.

Validation criteria

1. Simulated lost-card event revokes access within defined SLA.
2. UID copy without backend credentials does not grant access.
3. Monitoring generates actionable alerts for abnormal badge use.