A method of controlling user access to a protected area is performed by an access control device. In response to detecting a beacon signal transmitted by a user equipment (UE) via a short-range radio access technology (RAT) the access control device determines whether the UE is within the protected area or in an exterior area that is outside the protected area. In some aspects, the access control device determines whether the UE is within the protected area or in the exterior area based on the received beacon signal. In response to determining that the UE is in the exterior area, the access control device performs a multi-factor authentication procedure. If the access control device determines that the UE is within the protected area, the access control device is configured to deny access to the protected area.