Why credential technology choice matters more than hardware brand
Access control installations fail most often not because the hardware malfunctioned, but because the credential technology was wrong for the use case. A PIN keypad installed at a high-turnover retail employee entrance becomes a security liability when managers share codes with seasonal workers and never rotate them. A fingerprint scanner installed at a data center is the right tool. A fingerprint scanner installed at an employee break room in a food production facility is an expensive friction point that employees will learn to route around.
This guide covers the three dominant credential types in the commercial and institutional access control market: PIN keypads, card or fob credential readers, and biometric readers. Each has a distinct security profile, failure mode, and total cost of ownership. The decision framework should start with the use case, not the technology.
PIN keypads: low cost, low friction, limited security
Standalone PIN keypads are the most common access control credential in light commercial and residential applications. They have no ongoing credential cost (no cards to issue or replace), no reader-to-reader compatibility concern, and work without a network connection for basic models. Wireless backlit keypads from Schlage, Kwikset, and Alarm.com are common in residential and small commercial contexts.
The security limitation is fundamental: a PIN is a knowledge credential. It can be shared, observed, photographed on a smudged keypad (where worn digits reveal the code), or guessed through pattern attacks. Organizations with high-turnover staff must commit to PIN rotation on every separation — a discipline that is rarely maintained consistently. Keypads are appropriate for low-risk access points, vacation homes, temporary contractor access, and applications where the inconvenience of lost credentials outweighs the security risk of shared codes.
Smudge attacks are a real vulnerability: on a numeric keypad used by a single user with a fixed 4-digit PIN, the four most worn digits reveal the PIN to anyone with a light and five minutes. Mitigations include scramble-pad features (randomized digit position on each use), requiring 6-digit codes, and routine touchpad cleaning. These are real mitigations, but they are not equivalent to a hardware credential.
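How far key wear shrinks the space of possible codes, and how much the 6-digit and scramble-pad mitigations restore, can be counted directly. The sketch below is an added example, not part of the original guide; the function names are illustrative, and it assumes the worn keys are exactly the digits used in the code.

```python
from math import comb

def candidates(pin_length: int, worn_digits: int) -> int:
    """Count PINs of pin_length that use every one of worn_digits distinct keys.

    Inclusion-exclusion over the worn keys that a candidate would leave unused.
    """
    if worn_digits < 1 or worn_digits > pin_length:
        return 0  # wear pattern cannot come from a code of this length
    return sum((-1) ** i * comb(worn_digits, i) * (worn_digits - i) ** pin_length
               for i in range(worn_digits + 1))

def remaining_keyspace(pin_length: int, worn_digits: int, scramble_pad: bool = False) -> int:
    """Codes still consistent with what the keypad surface shows.

    A scramble pad moves the digits on every use, so wear says nothing about
    the code and the full 10**pin_length keyspace remains.
    """
    if scramble_pad:
        return 10 ** pin_length
    return candidates(pin_length, worn_digits)

def exposure_table(pin_length: int) -> list:
    """(worn keys, remaining candidates, share of full keyspace) per wear pattern."""
    full = 10 ** pin_length
    return [(d, candidates(pin_length, d), candidates(pin_length, d) / full)
            for d in range(1, pin_length + 1)]

if __name__ == "__main__":
    for length in (4, 6):
        print(f"{length}-digit code, full keyspace {10 ** length}")
        for worn, count, share in exposure_table(length):
            print(f"  {worn} worn keys -> {count} candidates ({share:.3%})")
```

A 4-digit code with one repeated digit (three worn keys) leaves more candidates than one with four distinct digits, and a 6-digit code raises the count without restoring the full keyspace; only the scramble pad does that.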
Card and fob credentials: the commercial standard
Proximity cards and fobs (125 kHz HID Prox, EM4100) and smart cards (13.56 MHz MIFARE, DESFire, iCLASS) are the dominant credential technology in commercial access control. The physical credential contains a unique identifier read by the door reader without contact. The access controller compares the credential ID to an access list and grants or denies entry.
The critical security distinction: legacy 125 kHz proximity cards (HID Prox, EM4100) are cloneable with a $30 reader available online. An attacker standing near a cardholder in an elevator can silently capture and clone the credential. If your building uses HID Prox or similar legacy 125 kHz technology, it should be considered a low-security credential and migrated to a 13.56 MHz smart card platform on the next upgrade cycle.
13.56 MHz smart cards (MIFARE DESFire EV3, HID iCLASS SE, Allegion SEOS) use encrypted communication between card and reader. DESFire EV3 is the current recommended standard for new installations requiring strong credential security. Mobile credentials (Bluetooth and NFC-based access via smartphone) are increasingly common and provide the most flexible provisioning: credentials can be issued and revoked remotely without physical card distribution.
Biometric readers: high assurance, high context-dependence
Biometric readers — fingerprint, hand geometry, iris, and face recognition — verify identity rather than credential possession. They cannot be loaned, shared, or cloned with a $30 device. This makes them appropriate for the highest-assurance access points: server rooms, pharmaceutical storage, evidence vaults, and financial operations areas.
The practical limitations matter: fingerprint readers have a 1 to 5 percent false-reject rate (authorized user denied) under ideal conditions, rising significantly with wet, gloved, or damaged hands. This is an operational problem at high-volume entry points. Face recognition systems are subject to presentation attacks (printed photos) and require liveness detection to be secure. Hand geometry readers are bulky and less common in new installations.
Privacy regulation is an important consideration for biometric deployments in the DMV region. DC, Maryland, and Virginia do not currently have biometric-specific statutes equivalent to Illinois BIPA, but federal agencies and contractors operating under FISMA, HIPAA, and similar frameworks have data classification requirements for biometric templates that must be addressed in the system design. Engage legal counsel before deploying biometric access control in regulated environments.
Multi-factor access control: when one credential is not enough
High-security entry points benefit from two-factor authentication: something you have (card or fob) plus something you know (PIN) or something you are (biometric). Card-plus-PIN readers are standard specification for server rooms, pharmacy dispensaries, and evidence rooms across the DMV region. The combination prevents access with a lost or stolen card alone and prevents access with a shoulder-surfed PIN alone.
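The controller-side decision for a card-plus-PIN door can be sketched as follows: access-list lookup, revocation, a per-door refusal of legacy 125 kHz cards, and the PIN as second factor. This is an added example, not code from any vendor's controller; the class names, card IDs, PINs and door policies are constructed, and salted PBKDF2 PIN storage is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

LEGACY_125KHZ = {"HID Prox", "EM4100"}  # cloneable technologies named in this guide

@dataclass
class Credential:
    card_id: str
    technology: str
    pin_salt: bytes
    pin_hash: bytes
    revoked: bool = False

@dataclass
class Door:
    access_list: set
    require_pin: bool = False   # card-plus-PIN door
    allow_legacy: bool = True   # accept 125 kHz cards at this door?

def hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumption: the controller stores a salted PBKDF2 hash, never the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
def enroll(card_id: str, technology: str, pin: str) -> Credential:
    salt = os.urandom(16)
    return Credential(card_id, technology, salt, hash_pin(pin, salt))

def decide(door: Door, cards: dict, card_id=None, pin=None):
    """Return (granted, reason) for one entry attempt at one door."""
    cred = cards.get(card_id)
    if cred is None:
        return False, "no known card presented"
    if cred.revoked:
        return False, "card revoked"
    if card_id not in door.access_list:
        return False, "card not on access list"
    if cred.technology in LEGACY_125KHZ and not door.allow_legacy:
        return False, "legacy 125 kHz card not accepted here"
    if door.require_pin and (pin is None or not hmac.compare_digest(
            hash_pin(pin, cred.pin_salt), cred.pin_hash)):
        return False, "PIN missing or wrong"
    return True, "granted"

# Constructed sample data: card IDs, PINs and doors are invented for the example.
CARDS = {c.card_id: c for c in (enroll("C-1001", "MIFARE DESFire EV3", "482915"),
                                enroll("C-2002", "HID Prox", "731046"))}
SERVER_ROOM = Door({"C-1001", "C-2002"}, require_pin=True, allow_legacy=False)
LOBBY = Door({"C-1001", "C-2002"})
```

Calling `decide(SERVER_ROOM, CARDS, "C-1001")` without a PIN models a found or stolen card, and calling it with a PIN but no card models a shoulder-surfed code; both are denied.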
Frequently asked questions
How much does a commercial access control system cost?
Entry-level single-door access control with a keypad, electric strike, and standalone controller runs $500 to $1,500 installed. A multi-door networked system with card credential management and audit logging runs $1,500 to $4,000 per door installed, depending on wiring complexity, hardware specification, and software platform. Cloud-managed systems have ongoing monthly licensing fees ($10 to $50 per door per month for most platforms) in exchange for eliminating local server hardware.
Can access control be added to existing doors without replacing the lockset?
Yes, in most cases. Electric strikes replace the existing strike plate and work with the existing lockset's latch. Magnetic locks mount at the top of the door frame with a bracket on the door and do not require lockset modification. Wireless credential cylinders replace only the cylinder core of the existing lockset and communicate wirelessly to an access management system. The appropriate retrofit method depends on the door construction, security requirements, and available power.
