Enterprise access.
One credential. Doors, laptops, applications, cafeteria. Phishing-resistant, hardware-bound, and quietly the same secure-element ecosystem that powers transit.
What changes when the door is also the second factor
The classic enterprise rolled out a 125 kHz badge for doors, an LDAP password for the workstation, an OTP token for VPN, and accepted that ten percent of help-desk volume would be password resets. With FIDO2 + DESFire-class cards, all four become the same tap. Issuance happens once; revocation happens once.
Some enterprise deployments — large offices, multi-floor headquarters, hotel and hospitality groups, hospital systems, education campuses — also touch the operational side of the building: HVAC, lighting, and BMS controllers that an operator logs into to tune comfort and energy. That layer is run by the facility-automation team within the Ambimat group, which retrofits existing VRV / VRF systems with a BACnet/MODBUS on-site server and operator app. The same hardware-rooted credential that opens the door and logs the user into the workstation can authenticate the building operator into that control plane.
Pilot 100 cards across one office.
The fastest way to find out if your IdP and badge system will play nicely is to actually run the pilot. Six to eight weeks.