Skip to main content


Eptura Knowledge Center

Visitor access: why QR codes are a great option

Our access control platform uses QR codes containing a secure token number to allow visitors to gain entry to your premises.

Using QR codes for access provides a fantastic visitor experience. One reason for this is that they can easily be shared with visitors in advance. You might think this makes them less secure - below, we show how they maintain the security of your premises.
Visitor access why QR codes are a great option.png

Three key considerations to ensure that QR code visitor access remains secure:

  1. When they are issued their QR code?

  2. How have you configured the Proxyclick access control integration?

  3. The locations where the QR code readers are deployed?

Let’s take a closer look at each of these points.

1. When they are issued their QR code

You are in full control of when you issue your visitor a QR code.

Would you like to initially provide visitor access to a low-risk area, such as a parking lot?
- Send the QR code with the visitor invitation email.

What about providing access to a more secure location, such as a lounge within your building or through turnstiles?
- Giving the QR code after the visitor has identified themselves during check-in makes sense.

Would you like to make use of both scenarios? Take a look at our next point...

2. How you have configured the Proxyclick access control integration

Proxyclick’s access control integration can upgrade the access permissions of a visitor as they progress through the check-in process.

Prior to check-in, you can provide a low level of access, designed to allow convenient entry into semi-protected areas. Once a visitor is marked as on-site or checked-in, their access can be upgraded to allow them to enter areas of greater security. Between arrival and checking in, you can have a process to verify their identity.

This also applies to wrapping up their visit - Proxyclick can deactivate access so that the QR code no longer allows access.

3. The locations where the QR code readers are deployed

You typically would not deploy QR code readers throughout the building, only installing them where visitors need access. This may encompass both low and high-security areas but only be located where you want your visitors to have unattended access.

Keep in mind that visitors are only on-site to meet someone, were invited by a trusted person, and are typically not expected to access the entire building unattended.

Some additional points to consider when looking at the use of QR codes:

  • Proxyclick QR codes may be:
    - Emailed visitors in advance
    - Only emailed upon arrival after checking-in
    - Not emailed at all: you can choose to print the QR onto a badge after the visitor checks in.

  • QR codes add a lot of value to the guest experience, minimizing the manual process of assigning and handing out physical access cards or tokens.

  • This also means you save on the admin involved in manually managing this process and the potential security risk of human error or cards not being returned.

  • QR codes can be printed and shared, but this is traceable in the ACS.

  • Physical cards can also be handed to the wrong person, passed back to allow a second person through, or used to allow multiple access attempts.

  • Proxyclick QR codes are also time limited; they are only active during the meeting time and tied in with specific actions such as checking in and checking out.

The first option above offers a scenario where you have a balance between the positive aspects of QR codes while no longer worrying about them being shared with people you never invited in. This brings QR codes closer to the use of physical cards without having an awkward manual process involved.

How do we handle QR token numbers to ensure security

  • We generate QR token numbers within a set range, typically a minimum range of 10 million, to ensure each is secure.

  • They are allocated randomly, so there is no way to predict the tokens that will be generated.

  • Once a token number has been allocated and used, the same token number will not be reissued for a period of time to prevent reuse.