Universities which use the popular and inexpensive Onity (nee TESA) lock systems, despite their overall problems, gain a bit of security from this problem in that the track used by the locks is written at a nonstandard high bitrate that throws off inexpensive reader/writers. This actually helps prevent duplication, although it's only a measure against people without the resources to obtain the Onity equipment.<p>Outside of physical tricks like this (and various physical anti-deduplication tricks that are surprisingly limited), duplication is really not something you can ever control. So you need to train people to maintain physical custody of the credential and make it as difficult as possible to guess at a valid credential.<p>When cards are used for security identification purposes, the easiest thing to do (and this goes for NFC, RFID, etc) is to generate a long, non-sequential, random card value that is related to the identity of the person only by some database you control. That is, write your 9-digit student ID number to the card for convenience, but when checking identity read out a 16-byte random value that you put on the card just for this purpose. This at least requires that an imposter gain access to the card at some point (to skim it).<p>Ultimately, the best thing you can do in the context of identification cards is to verify the user photograph online. This is done actively by some police departments and guards in high-security installations by looking up the ID in an online system to retrieve the details and photograph of the cardholder for verification. This is also done passively in some high-security installations, for example by placing a monitor above an entry door that displays the photograph of each person unlocking the door, for casual verification by anyone nearby (particularly any guard nearby).<p>Physical access control is my favorite research area.