The pitch is always the same. No more lost credentials. No buddy punching. Positive identity, every time. The sales deck has the fingerprint scanner on a gleaming lobby turnstile, the face-recognition terminal at the data center door, and the palm reader at the pharmaceutical vault. It looks clean. It looks secure. And for the specific environments in that pitch, it often is.
The commercial building market, however, is not the data center or the pharmaceutical vault. It’s the mixed-use office tower where 900 employees work rotating schedules across 15 floors, some of whom have dry hands in winter, work in trades that affect fingerprint ridge quality, or wear full-face PPE that confounds most face-recognition cameras. For those buildings, biometrics as the primary credential raises questions the pitch deck doesn’t answer.
False-reject rates in real environments
Biometric systems report two error rates: the False Accept Rate (FAR) — the probability of accepting an unauthorized person — and the False Reject Rate (FRR) — the probability of rejecting an authorized person. Security discussions focus on FAR; operational discussions focus on FRR. In commercial buildings, FRR is the number that matters every morning.
Fingerprint readers in controlled lab conditions achieve FRRs below 0.1%. In commercial field deployments, the numbers are less favorable:
- Dry or damaged skin. Fingerprint quality degrades with age, manual labor (trades workers, cleaners, food handlers), dry winter conditions, and topical skin treatments. A fingerprint reader with a 0.1% lab FRR may run 1–3% FRR in a building population with significant manual labor or older demographics. At 500 transactions per day, 1% FRR is five people per day refused access by their own building.
- Sensor contamination. Fingerprint sensors in public-access environments accumulate oil and debris that degrades read quality. Readers require routine cleaning that most facilities don’t schedule. The FRR creeps upward between cleaning cycles.
- Environmental conditions for face recognition. Face recognition systems are affected by lighting variation, camera angle relative to door swing direction, and changing facial presentation (masks, head coverings, glasses). A face-recognition terminal in a lobby with floor-to-ceiling windows on a south-facing exposure will have materially different performance at 8 AM versus 2 PM due to back-lighting variation.
Biometric systems have an adjustable match threshold — the confidence level required for a successful read. Lowering the threshold reduces FRR (fewer false rejects) but increases FAR (more false accepts). Raising the threshold does the reverse. There is no threshold setting that simultaneously achieves very low FAR and very low FRR. Every deployment makes this tradeoff, and most facilities discover they’ve set it wrong — usually when the security team notices tailgating at a low-confidence threshold, or when the help desk is flooded with calls about readers rejecting legitimate employees.
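An added example (not from the original article) of the threshold trade-off described above: it sweeps the match threshold over constructed score distributions, picks the threshold that meets a FAR budget on lab-quality reads, and shows what that same threshold costs a field population in daily false rejects. The score distributions, the seed, the 0.1% FAR budget and all function names are assumptions; the 500 transactions per day figure is the article's.

```python
import random

def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) when a match score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(genuine, impostor, steps=100):
    """FAR/FRR at each threshold 0.00, 0.01, ... 1.00."""
    return [(i / steps, *error_rates(genuine, impostor, i / steps))
            for i in range(steps + 1)]

def threshold_for_far(curve, far_budget):
    """Lowest threshold whose FAR fits the budget (the least FRR it allows)."""
    return next(t for t, far, _ in curve if far <= far_budget)

def equal_error_rate(curve):
    """Point where FAR and FRR are closest; neither error is near zero there."""
    return min(curve, key=lambda p: abs(p[1] - p[2]))

def scores(rng, mean, sd, n=20000):
    """Constructed match scores: clipped Gaussian, not vendor data."""
    return [min(1.0, max(0.0, rng.gauss(mean, sd))) for _ in range(n)]

rng = random.Random(7)                 # fixed seed so the run is repeatable
IMPOSTOR = scores(rng, 0.30, 0.08)     # unauthorized attempts (constructed)
LAB = scores(rng, 0.80, 0.07)          # clean, lab-quality reads (constructed)
FIELD = scores(rng, 0.72, 0.08)        # dry skin, dirty sensor (constructed)

CURVE = sweep(LAB, IMPOSTOR)
THRESHOLD = threshold_for_far(CURVE, far_budget=0.001)  # assumed FAR budget

def daily_rejects(genuine, threshold, transactions=500):
    """Expected false rejects per day at the article's 500 transactions/day."""
    return error_rates(genuine, IMPOSTOR, threshold)[1] * transactions

if __name__ == "__main__":
    for t, far, frr in CURVE[40:71:5]:
        print(f"threshold {t:.2f}  FAR {far:.4%}  FRR {frr:.4%}")
    print("threshold tuned on lab reads:", THRESHOLD)
    print("lab rejects/day:  ", round(daily_rejects(LAB, THRESHOLD), 1))
    print("field rejects/day:", round(daily_rejects(FIELD, THRESHOLD), 1))
```

Replacing the constructed lists with genuine and impostor scores exported from a pilot deployment gives the site's own curve.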
ADA implications — when biometrics create accessibility barriers
Under the Americans with Disabilities Act (ADA), access control systems used for building entry must be operable without tight grasping, pinching, or twisting of the wrist, and must be reachable from a wheelchair-accessible approach. A fingerprint reader that requires a specific hand orientation and contact-pressure press fails the “operable with one hand without tight grasping” standard in Section 4.13 of the ADA Accessibility Guidelines (ADAAG).
Face recognition readers mounted at standard card-reader height (typically 42–48 inches AFF) address the reach requirement but may not address the activation requirement if the system requires positioning at a specific distance and angle. Palm-vein readers require the user to hover a hand over the sensor — less physically demanding than fingerprint, but still a physical interaction that may be challenging for users with tremors or limited hand mobility.
The practical compliance approach: any primary entry or path-of-travel access point that is required to be accessible under ADA must have a non-biometric alternative that meets ADA requirements. Biometrics can be offered as a convenience option; they cannot be the only option at an accessible entrance. Access control designs for commercial buildings should document ADA compliance explicitly, not assume the biometric terminal meets it.
The legal landscape — BIPA, CCPA, and state-level risk
The Illinois Biometric Information Privacy Act (BIPA) is the most litigated biometric privacy law in the United States. Under BIPA, entities that collect biometric identifiers or biometric information — including fingerprints and facial geometry — must:
- Inform each subject in writing that biometric data is being collected, stating the purpose and term of collection.
- Obtain a written release from each subject.
- Have a publicly available retention and destruction schedule for biometric data.
- Not profit from, sell, or disclose biometric data.
BIPA has generated hundreds of class-action lawsuits against Illinois employers for fingerprint-based timekeeping systems. The statute provides a private right of action with liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, per person, per instance. A building with 500 employees using a biometric access control system in Illinois without compliant consent procedures faces significant statutory exposure — potentially millions of dollars — independent of any actual data breach or misuse.
Illinois is the most plaintiff-friendly jurisdiction, but Texas (CUBI), Washington state (HB 1493), and New York City’s biometric privacy ordinance each have their own collection notice and consent requirements. For buildings in these jurisdictions, deploying cloud-based access control platforms that store biometric templates in the cloud introduces data residency questions on top of consent requirements. The legal review of a biometric access control deployment belongs at the front of the project — not after equipment is installed.
Where biometrics earn their keep
The cases where biometrics in commercial access control are genuinely the right answer:
- Data centers and server rooms with strict anti-tailgate requirements. Biometrics can verify that only the enrolled person is opening the door — not a proxy presenting someone else’s badge. Combined with an optical turnstile or mantrap that allows only one person per authentication, biometrics close a real tailgating risk that card-only systems can’t address.
- DEA-regulated storage areas. Schedule II controlled substance storage in healthcare facilities requires positive identification of every access. Biometrics combined with a second factor (PIN or card) satisfies the two-factor standard and creates a non-repudiable audit trail that a card-only system can’t provide if cards are shared.
- R&D and intellectual property protection zones. Pharmaceutical, biotech, and defense contractor facilities with employee populations who have reason to avoid credential-sharing have genuine use cases for biometric confirmation at high-value zones.
- High-throughput, anti-tailgate applications where card enrollment is impractical. Stadium and convention center operations with thousands of temporary access events per day, where issuing and collecting credentials is operationally impractical, sometimes use face recognition for speed and anti-duplication. The scale changes the economics.
The common thread: biometrics earn their place when positive identity — not just credential presentation — is the actual security requirement. For most commercial office, retail, and light industrial buildings, card-based access with OSDP Secure Channel provides the credential security the application actually needs without the operational overhead of biometric administration.
Bottom line
Biometrics in commercial access control aren’t inherently wrong — they’re frequently deployed in the wrong context. The cases where biometrics add genuine security value are narrow: high-security zones, regulatory mandates for positive identity, and anti-tailgate applications at scale. For general building access, the combination of FRR operational overhead, ADA compliance requirements, and state biometric privacy law risk creates a burden that most building owners haven’t fully priced. The questions to ask before the system is ordered: what’s the false-reject SLA, what’s the ADA alternative, and what’s the legal exposure in this jurisdiction?