Smart access control — one credential, every door.
Physical access control is what a building does with the credential a person already carries. Done well, the same FIDO2 / DESFire credential opens the gate, signs into the laptop, badges into the office, and pays for lunch. Done badly, every door has its own panel running its own protocol on its own database with its own keys in its own firmware.
What we build
Card-as-badge
FIDO2 + ISO 14443 Type A in one ID-1 card. Tap-to-unlock + tap-to-login on the laptop. See OnePass Card.
Reader / panel firmware
SAM-protected reader-side state machine. No issuer keys in panel firmware. Signed firmware updates with anti-rollback.
Issuer / KMS integration
Personalisation flow that pulls from the issuer’s identity-management system. Auditable; standards-aware.
When the door is the second factor
Many enterprises are evolving past “badge in, password at desktop”. With a FIDO2 OnePass Card, the same tap that opens the door logs the user into the workstation — passwordless — and badges them into the elevator system. The credential is physically present, hardware-bound, and never reveals a secret.
For commercial-real-estate deployments — offices, hotels, hospitals, education campuses — the building behind the door has its own automation layer. HVAC, lighting, and BMS retrofit on existing VRV / VRF systems is the domain of our sister team building VRV/VRF retrofit automation: an on-site BACnet/MODBUS server and operator app that brings legacy buildings into a single control plane without ripping out existing equipment. When the access-control credential and the building-automation controllers share a network, the same hardware-rooted identity philosophy applies to both sides.
Migrating from legacy 125 kHz / MIFARE Classic?
The hardest part is the issuance flow, not the readers. We have done the migration twice over — happy to share the playbook.