Choosing an access-control reader comes down to three decisions made in order: the communication protocol the reader speaks to your controller, the credential type your people will carry, and the assurance level the door actually requires. Get those right and the hardware almost picks itself. For most commercial and federal sites today, that means an OSDP-capable reader, a credential strategy that pairs smart cards with mobile, and biometrics reserved for the handful of openings that genuinely warrant a second or third factor. This guide walks the decisions in the sequence an integrator would follow on a real project — and flags the pitfalls that turn a clean spec into a rip-and-replace later.
Start With the Protocol, Not the Brand
The single most consequential choice you'll make is how the reader talks to the panel. The legacy standard, Wiegand, has been around for decades, but it sends credential data in the clear over an unencrypted, unidirectional wire. Anyone who can reach the cabling between the reader and the controller can capture a badge number or replay it. There's no supervision, so you also won't know if a reader is cut, shorted, or swapped.
OSDP (Open Supervised Device Protocol) is the modern answer. It's a two-way, supervised serial protocol, and its Secure Channel mode encrypts the link between reader and controller. That gives you three things Wiegand can't: confidentiality of the credential data, tamper and line supervision, and the ability to push configuration and firmware down the same wire instead of sending a technician to every door.
The practical rule for any new access control reader purchase: specify OSDP with Secure Channel enabled. Buying Wiegand-only hardware in 2026 is buying a known weakness and a future migration project. If you're modernizing an existing site, OSDP runs over the same two-conductor cabling you likely already have, which makes phased cutovers realistic rather than a full re-pull.
Pitfall: OSDP-capable is not the same as OSDP-enabled. Many readers ship in Wiegand mode out of the box and require explicit configuration to turn on Secure Channel with installation keys. Confirm it during commissioning, not after.
Match the Credential to the Threat, Not the Trend
Once the protocol is settled, decide what your people will present. The credential is where most legacy risk hides.
- 125 kHz proximity cards are cheap, universal, and trivially cloneable with hardware available online for the price of lunch. Treat them as deprecated for anything you actually care about.
- 13.56 MHz smart cards using modern, mutually authenticated schemes are the current baseline for cards. They keep credential data in encrypted storage that is released only through a challenge-response exchange, rather than broadcasting a static number.
- Mobile credentials live in a phone's secure element or a managed wallet and ride over NFC or Bluetooth. They're convenient to issue and revoke remotely, hard to clone, and they leverage the biometric or PIN lock already on the device.
- Biometrics — fingerprint, iris, face, or hand geometry — bind access to the person rather than a token they could lose or lend.
A defensible enterprise pattern is smart card plus mobile as the everyday credential, with proximity phased out on a schedule. Reserve biometrics for the doors where the consequence of a shared or stolen credential is unacceptable.
Decide Where Biometrics Actually Belong
Biometric readers are powerful and frequently over-specified. They shine at high-assurance openings — data center white space, pharmacy and controlled-substance rooms, weapons storage, cash handling, and any area where you must prove a specific individual entered, not just a valid credential.
They come with real trade-offs. Throughput is slower than a tap, so they're a poor fit for a 7:50 a.m. lobby rush. Environmental conditions matter: gloves, dust, bright sun, and cold defeat some sensor types. And biometric templates are sensitive personal data, which pulls in privacy obligations and, in some jurisdictions, specific consent and retention laws. Architect so that what's stored is a non-reversible template, not a raw image, and confirm where that template lives — on a card, on the device, or in a server.
The strongest designs use biometrics as a second or third factor at the few doors that need it (card or mobile plus fingerprint), not as a single-factor replacement everywhere.
Run the Selection as a Sequence
Here's the order an integrator follows so each decision constrains the next:
- Classify every opening by assurance level. Tag each door as standard, sensitive, or high-assurance. This single step prevents both under-protecting a server room and wasting a biometric reader on a supply closet.
- Lock the protocol. Standardize on OSDP with Secure Channel across the site so readers, controllers, and credentials interoperate and stay supervised.
- Set the credential strategy. Choose your baseline (smart card and/or mobile), define a sunset date for proximity, and decide which doors step up to multifactor.
- Specify form factor and environment. Mullion vs. single-gang, indoor vs. outdoor, vandal and weather ratings, keypad for PIN-on-reader, and reach, checked against power and distance limits.
- Confirm compliance at the SKU. Verify country of origin and that no covered-entity components sit in the bill of materials. For federal and many SLED buyers, NDAA Section 889 and TAA country-of-origin rules can disqualify a reader regardless of how good it is technically. Check this before you fall in love with a product.
- Validate the back end. Make sure your access-control platform and controllers support the reader's OSDP profile, mobile-credential ecosystem, and biometric template handling. A great reader on an incompatible head-end is shelfware.
- Plan the lifecycle. Decide how firmware updates, credential issuance and revocation, and end-of-life replacement will be handled before go-live, not after the first incident.
Pitfall to avoid: buying readers before confirming controller and software compatibility. The reader is the visible part, but the panel, the credential management system, and the protocol profile are what determine whether your investment lasts.
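The first three steps of the sequence, plus the commissioning pitfall about OSDP-capable versus OSDP-enabled readers, can be checked against a door inventory. The script below is an added example, not part of the original guide; the field names, tier labels, finding names, and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Opening:
    name: str
    tier: str              # "standard", "sensitive" or "high" (assumed labels)
    protocol: str          # "wiegand" or "osdp", as verified at the door
    secure_channel: bool   # Secure Channel confirmed enabled at commissioning
    install_key: bool      # site installation key loaded
    tokens: frozenset      # accepted tokens: "prox", "smartcard", "mobile"
    step_up: frozenset     # extra required factors: "biometric", "pin"

def audit(o):
    """Return the guide's rules that this opening violates."""
    found = []
    if o.protocol == "wiegand":
        found.append("wiegand-link")                # cleartext, unsupervised
    elif not o.secure_channel:
        found.append("osdp-secure-channel-off")     # capable, not enabled
    elif not o.install_key:
        found.append("osdp-no-installation-key")
    if "prox" in o.tokens:
        found.append("prox-needs-sunset" if o.tier == "standard"
                     else "prox-on-protected-door")
    # Alternative tokens count as one factor; each step-up adds another.
    factors = (1 if o.tokens else 0) + len(o.step_up)
    if o.tier == "high" and factors < 2:
        found.append("high-assurance-single-factor")
    if "biometric" in o.step_up and not o.tokens:
        found.append("biometric-as-single-factor")
    if "biometric" in o.step_up and o.tier == "standard":
        found.append("biometric-on-standard-door")
    return found

fs = frozenset
INVENTORY = [  # constructed sample data
    Opening("Main lobby", "standard", "osdp", True, True, fs({"smartcard", "mobile"}), fs()),
    Opening("Supply closet", "standard", "wiegand", False, False, fs({"prox"}), fs({"biometric"})),
    Opening("Server room", "high", "osdp", False, False, fs({"smartcard"}), fs()),
    Opening("Pharmacy", "high", "osdp", True, True, fs({"smartcard"}), fs({"biometric"})),
    Opening("Records room", "sensitive", "osdp", True, False, fs({"prox", "smartcard"}), fs()),
]

def report(inventory=INVENTORY):
    """Map each non-compliant opening to its findings."""
    return {o.name: audit(o) for o in inventory if audit(o)}

if __name__ == "__main__":
    for name, findings in report().items():
        print(f"{name}: {', '.join(findings)}")
```

Run it against the commissioning record rather than the purchase spec, so that `secure_channel` and `install_key` reflect what was verified at each door.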
Keep It Vendor-Neutral and Compliant
Because we don't sell a single manufacturer's line, the recommendation follows the mission rather than a catalog quota. For a federal facility that means readers whose origin and components clear Section 889 and TAA. For a multi-site enterprise it usually means OSDP plus a mobile-first credential rollout with biometrics surgically placed. For a regulated environment it means PACS that align with the relevant identity and assurance standards. The right answer changes by site — and the discipline is matching hardware to requirements across the full lifecycle, from specification through commissioning, credential management, and eventual replacement.
The wrong reader isn't just a security gap; it's a procurement and audit problem you'll inherit at every door. Choosing well the first time is cheaper than a rip-and-replace.
