Physical access security is the set of controls that prevent unauthorized people from reaching buildings, rooms, racks, or devices. For IT support roles, it matters because a stolen laptop or a tampered switch can bypass many software defenses. In CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.1, you're expected to recognize these controls and explain how they reduce risk in real workplaces.
This topic starts with credentials that grant entry, including keys, key fobs, smart cards, and mobile digital keys. Each option has trade-offs in cost, convenience, and how easily it can be copied, shared, or revoked. Understanding those trade-offs helps when you support badge systems, user access requests, and incident response.
Next, you'll see how biometrics (fingerprint, palm print, retina scanners, facial recognition technology (FRT), and voice recognition) can strengthen authentication, but also raise privacy and reliability concerns. You'll also cover environment controls like lighting, which discourages after-hours access and improves camera footage.
Finally, detection and screening tools such as magnetometers add another layer at entrances and high-risk areas. For example, if an employee loses a key fob, an attacker could enter, tailgate into a server room, and walk out with a laptop before anyone notices.
What It Protects
In CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.1, physical access security focuses on stopping the wrong person from getting close enough to cause harm. That harm is not limited to theft. It also includes tampering, unsafe changes, and simple disruption that leads to downtime. In practice, these controls protect people, property, and systems, because an attacker who can touch equipment can often bypass software rules.
Think of physical access security as the boundary between "can see it" and "can reach it." It protects building entrances, interior rooms, network closets, server racks, workstations, and portable devices like laptops. It also protects the supporting evidence you need after something goes wrong, such as access logs and camera footage.
If someone can enter the space, they can often change the outcome, even without admin rights.
Layers of protection, doors, rooms, and devices
Good physical access security works best as defense in depth. One control might fail, but several controls in sequence force mistakes, slow an intruder down, and raise the chance of detection. The idea is simple: you don't rely on a single lock to protect your most sensitive assets.
A common real-world setup starts at the lobby. First, reception or a staffed desk sets a social barrier. It discourages casual walk-ins, challenges unknown visitors, and reduces tailgating. Next, a badge reader at an interior door adds an authentication step. It prevents someone from moving deeper into the building just because they got past the front door. After that, a locked IT room limits access to a smaller, approved group. Finally, inside that room, a locked rack or cabinet protects the most critical devices, even from people who have general building access.
Each layer blocks a different type of failure:
- Lobby reception: Prevents "I'm here for a meeting" walk-ins and pushes visitors into a controlled check-in process.
- Badge reader on an interior door: Prevents unauthorized movement beyond public areas, even during business hours.
- Locked room (network closet, server room): Prevents opportunistic access to switches, patch panels, and servers.
- Locked rack and device locks: Prevents hands-on tampering, cable changes, and hardware theft inside a secured room.
Some sites also add a two-door entry concept (often called a mantrap). The main goal is to stop tailgating and to make sure only one person enters per authentication event.
Physical layers also include the "supporting cast" from the A+ objective list. Lighting improves visibility and makes cameras more useful, especially after hours. Magnetometers can reduce the risk of weapons entering higher-risk areas. Even basic controls like clear signage and door-closed policies matter, because they reduce "accidental access" that turns into a real incident.
Why physical security is part of cybersecurity
Cybersecurity often sounds like firewalls, encryption, and passwords. However, physical access can short-circuit many of those controls because it puts an attacker one step away from the equipment and the users.
A simple chain shows why it matters:
- An unauthorized person gets inside the building (tailgates through a door).
- They reach an unattended workstation or an open office.
- They plug in a rogue USB device (for example, a malicious storage device or a keyboard emulator).
- The system runs code, captures logins, or plants a backdoor.
- Stolen credentials then unlock email, file shares, VPN access, or cloud apps.
This chain stays concrete for a reason. Many defenses assume the attacker is remote. Once the attacker is in the room, they can target the weakest link, which is often a rushed user or an unlocked screen. Even if the attacker never steals data, they can still cause downtime by unplugging network gear, pressing reset buttons, or cutting power.
Physical security also protects against "quiet" attacks that look like accidents. A moved patch cable can take down a department. A small change in a network closet can break phones, Wi-Fi, and badge readers at the same time. In other words, availability depends on physical control as much as software control.
What you should document for audits and troubleshooting
When an incident happens, teams often lose time because they cannot answer basic questions: Who entered, when, and what happened next? Clear documentation turns guesswork into a timeline. It also helps with routine audits and access reviews, because you can prove that access matches job needs.
Start by recording the sources of truth you will rely on later. Most organizations need at least these items:
- Access control logs: Door events (granted, denied, forced open, held open) with user ID and door location.
- Badge reports: Who has badges, which areas each badge can open, when access was added or removed, and who approved it.
- Visitor sign-in records: Names, company, escort, purpose, and entry and exit times.
- Camera footage retention details: Which cameras cover which doors, how long footage is kept, and how you retrieve it.
- Incident tickets: A written record of what was observed, what actions were taken, and which evidence was collected.
Timestamps matter more than many teams expect. A badge swipe at 9:12 p.m. can line up with a camera clip, an alarm event, and a help desk ticket about an outage. When those times match, you can narrow the cause quickly. When they don't match (because clocks drift), troubleshooting stalls.
To keep records useful, keep them consistent. Use clear door names (for example, "MDF Room Door, Floor 2") and standard event notes in tickets. Also document normal exceptions, like cleaning crews or after-hours contractors, because those patterns help you spot odd access later.
Good documentation does not prevent every incident. Still, it reduces recovery time, supports internal reviews, and helps you fix the control that failed instead of guessing.
Access Credentials
In CompTIA A+ Core 2 (220-1202), Domain 2, Objective 2.1, you need to recognize the main credential types that open doors and secured areas, then explain their strengths and weaknesses. Credentials matter because they sit at the start of the access chain. If the credential is easy to copy, share, or keep after someone leaves, the rest of the security plan weakens.
Most workplaces mix credential types. A public office door may use a mechanical key, while a network closet uses a badge reader, and a data center uses smart cards plus a PIN. The goal stays the same: allow the right person in, block everyone else, and keep a record you can audit.
Traditional keys, simple but hard to track
Mechanical keys are the oldest physical access credential. They work without batteries, networks, or software, which is why many sites still use them for exterior doors, storage rooms, and cabinets. The trade-off is accountability. Once a key leaves your hands, you often lose clear visibility into who can open the door.
Master key systems add convenience, but they also increase risk. A master key can open multiple doors, sometimes an entire floor or building. That saves time for facilities and IT staff, yet it also creates a high-value target. If a master key goes missing, the impact is wide, and the response is often expensive.
Re-keying is the main recovery method after a lost key or staffing change. Re-keying means changing the lock pins so old keys stop working, then issuing new keys. That costs time and money because it may require:
- Locksmith labor and scheduling (often after hours)
- New keys for every affected user
- Operational disruption when doors stay offline or monitored
Key control reduces these problems, but it takes discipline. Teams often treat keys as "small hardware assets" with an owner, a location, and a record of custody. Strong practices include:
- Key cabinet or secure key box: Store spare keys in a locked cabinet, ideally in a controlled office area.
- Sign-out logs: Record who took a key, when they took it, and when they returned it.
- Restricted duplication: Limit who can request copies, and keep duplication under a trusted process.
- Periodic inventory: Perform a scheduled count, then reconcile missing keys early, not after an incident.
A key is easy to carry and easy to lose, so the real control is the process around it.
Even with good key control, mechanical keys rarely provide detailed audit trails. As a result, organizations often keep keys for low-risk areas and use electronic credentials where tracking and quick revocation matter.
Key fobs and proximity badges, fast entry with central control
Key fobs and proximity badges are common electronic credentials used with access control readers. A key fob is usually a small token on a keyring, while a proximity card (often called a badge) is a plastic card carried in a wallet or on a lanyard. In many systems, the user presents the credential near the reader, and the system checks whether that credential has access at that door and time.
The big advantage is centralized control. If someone reports a lost fob, an administrator can deactivate it in the access control system. That change can take effect quickly, sometimes in minutes, without changing the door hardware. This helps during offboarding, role changes, or security incidents when speed matters.
However, badge systems only work as well as their enrollment and daily use. Several problems show up in real workplaces:
- A weak enrollment process, where identity checks are casual, can lead to credentials issued to the wrong person.
- Shared badges (one badge "for the team") reduce accountability because access logs stop pointing to a single person.
- Tailgating defeats the reader. One person scans in, and others follow through the door without scanning.
Tailgating is partly a culture issue. People hold doors to be polite, especially in offices. As a result, policies need practical support, such as training, signage, and in higher-risk areas, physical controls like mantraps or alarms for doors held open.
RFID cloning is another concern, but the risk depends on the system design. Some older proximity technologies are easier to copy than newer, more secure standards. Because of that, organizations should select modern credential and reader standards and watch for odd patterns in logs. For example, the same credential badge used in two distant locations within minutes should trigger review.
A well-run badge program focuses on two outcomes: quick revocation when needed, and logs you can trust during investigations.
Smart cards, better protection for higher-risk areas
Smart cards are chip-based credentials. Unlike simple proximity badges that may only present an ID number, smart cards can support stronger authentication methods, including cryptographic checks. In practice, this makes copying and unauthorized use harder when the system is configured well.
Organizations often use smart cards to protect higher-risk areas, such as:
- Data centers and server rooms
- Research labs and test facilities
- Regulated environments where access must be documented and reviewed
Smart card systems usually pair the card with a reader, and sometimes add a second factor like a PIN. That "card plus PIN" model helps because a stolen card alone is less useful. It also supports better user separation, since each person has a unique credential tied to an identity record.
Strong smart card programs treat the credential as part of a lifecycle, not a one-time badge print.