top of page
Search

Interoperability: the key to a better world of access control

  • Writer: David Edwin
    David Edwin
  • May 20
  • 8 min read

OSDP, PKOC and Bluetooth technologies are enabling a new access control landscape where increased interoperability brings benefits to everyone


By David Edwin, Senior Director, EMI Integrators & Rodney Thayer, Convergence Engineer, Smithee Solutions


Imagine if you were given a blank page and told to design the perfect access control. What would it look like?


People with permission could enter easily using whatever technology was most convenient – cards or phones. The system would make it impossible for anybody without permission to get in.


Any fault or compromise to the system would be immediately identified. Security updates would be quick and easy to carry out.


The system might also do more than simply control access. You could use it to share information like indoor navigation with users and, potentially, track who goes where in your buildings and how long they stay.


So, here’s the next obvious question: why do so few access control systems in the real world look like this?


The problem isn’t that we don’t have the technology. It’s not due to a lack of imagination on the part of system designers. And it certainly isn’t because customers and users are completely satisfied with the current status quo.


The problem is the siloed nature of the access control industry, and what that means for the key issue of interoperability.


Legacy systems: outdated, insecure, and unfit for purpose


Access to most buildings today is controlled by proprietary card-based systems that haven’t changed much since they first started appearing on walls half a century ago. These systems were built for simpler times, when the mere act of reading data off a card was viewed as a technological marvel.


They still do the job of opening doors for card-carrying employees well enough. But that’s pretty much all they do. In fact, it’s all they really can do technologically.


Then there are all the things they can’t do. Legacy systems:


  • Struggle to provide high levels of security. Traditional access cards don’t have advanced encryption capabilities, meaning they can be cloned or compromised with relative ease.


  • No standardization for smartphones. There is no common secure authentication protocol that works with mobile technology and mobile credentials. So, it’s the cards or nothing. Vendor-specific applications are used, with questionable security.


  • Fail to interact with other onsite technology. Sure, they can open your doors for you. But controlling who uses your printers, factory workstations, or forklifts? Expect questionable workaround solutions if anything. Dream on.


A root cause of many of these problems is that legacy systems tend to be proprietary. Traditional access control vendors opted to build systems that would work using their cards, their readers, their credential management, their encryption – and nobody else’s.

From the vendor’s point of view, it makes a certain commercial sense. Sell a building owner one of your systems, and you are forcing them to remain your customer for years, even decades to come. It’s a sound business model.


But, for the buyer, being ‘locked in’ makes no sense at all. It means:


  • Less supply chain security. There is only one place you can go to for cards, readers, or replacement components. If there are delays in the supply chain, you have no choice but to wait.


  • Less value for money. What do you do if your vendor ups your software bill by 15%? No other provider’s software will work with your system. It’s like-it-or-lump-it time. 


  • Less flexibility. You cannot swap alternative technologies in and out of your system. You either have to soldier on with what you’ve got, or rip everything out and start again.


Bottom line: It’s time for a change from traditional proprietary approaches. Even if this is the way things have always been done in access control before now.


We believe customers, users and even vendors would benefit from a major industry shake-up – one that broke through traditional proprietary models and made interoperability a defining feature of the new access control system world.


A world where interoperability based on an open standard, multi-vendor ecosystem reduces friction across entire security infrastructures worldwide.


Three technologies enabling interoperability in access control


Interoperability in access control is not a pie-in-the-sky ambition. The technology to make it possible already exists – and has done for some time. Here are three key innovations that are now addressing the gaps in legacy access control systems.


#1 OSDP: the basis for a more connected world


Open Supervised Device Protocol (OSDP) is a standard communications protocol for panel-to-reader communications. What does that mean? Well, the panel is basically the circuit board and software that ‘makes the decision’ on whether to let people in or keep them locked out. The reader, meanwhile, processes the encrypted credentials. In other words, it’s the object on the wall that 'reads’ the card or mobile device presented by the person trying to enter. The panel and the reader must be able to talk to each other for the system to work. OSDP makes that communication possible and keeps it secure.


OSDP originated with a group of vendors in the mid 2000s and was established as a formal standard by the Security Industry Association (SIA) in 2008 before being approved as an international standard by the International Electrotechnical Commission in May 2020. It improves on previous protocols in some very important ways. These include:


  • Interoperability


OSDP is an open and standardized protocol. Any manufacturer can adopt it. Any device can use it. This is great news for anyone looking to develop access control solutions. It’s also the basis for a more open and competitive market. So great news for customers as well.

 

  • Security


Most traditional access control systems used a protocol that was unencrypted and therefore easily hackable. OSDP enhances security by providing encrypted communication between readers and panels. This makes it much harder, if not impossible, for bad actors to clone cards or otherwise tamper with the system.

 

  • Two-way communication


OSDP allows information to travel from panel to reader and back again from reader to panel. This massively increases the functionality of the system. Here are just two quick examples. One: configuration updates can now be performed remotely rather than people having to go to every single reader and do it by hand. Two: the panel can now send users real-time feedback, such as a text message telling them their card has been recognized.

 

  • All credentials welcome


Previous protocols allowed only very limited kinds of credentials. Anything over 48 bits has typically been considered too large to process. OSDP is designed to be credential agnostic, meaning it can handle everything from traditional access solutions to the latest cryptographic smart cards. All credentials are compatible.


#2 PKOC: standardizing credential formats


PKOC (pronounced “peacock”) stands for Public Key Open Credential. Written and supported by the Physical Security Interoperability Alliance (PSIA), it represents a highly secure, interoperable credential solution that potentially anyone can use, from global manufacturing giants to teenagers developing apps in their bedrooms.


Before PKOC, vendors all had their own proprietary formats. Limited efforts at a standardized formats fall short on critical issues like credential security. Cards that worked with one system wouldn’t necessarily work with another. PKOC solves that problem by providing a common specification with standardized formats. Conforming to the IT Industry Standard for Public Key Infrastructure (PKI), it is fully compatible with iOS and Android devices as well as Java chip access cards – and is designed to work with whatever new transmission technology becomes the norm in years to come.


As far as interoperable encrypted credentials are concerned, PKOC provides the basis for a wide-open system where any vendor can develop and support access control solutions – and any product can work securely and seamlessly with any other.


#3 Bluetooth: providing universal mobile access


If OSDP and PKOC are opening the doors for a new generation of access control solutions, then Bluetooth is the technology that will most likely be driving them.


Bluetooth’s greatest selling point is its ubiquity. Almost everybody who has a smartphone has Bluetooth. And that makes it a very convenient – and very powerful – tool.


That’s why most future solutions will likely be smartphone-based. No longer will companies have to keep buying, distributing and replacing physical cards. Lanyards are likely to become a distant memory. Credentialed users will simply have to download an app. From there, they will be able to breeze into and around their apartment building or workplace without a second thought.


Real-world benefits of interoperability in access control systems


We’ve seen how OSDP, PKOC and Bluetooth can all work together to create a better world of access control for vendors, buyers and users involved in smart building integration. Now let’s see what some of those improvements might look like in practical terms.


For users: Pain-free access


Consider a company with offices in lots of different cities. Traditionally, each building would have had its own access control system, creating multiple headaches for administrators and users. With standardized solutions built on OSPD and PKOC, a single credential can work across different buildings and systems, even if they belong to different vendors. The same is true within the building itself, allowing users to move seamlessly between different areas where they have access.


For buyers: Flexible access control migration and supply chain resilience


If your current access control system is built around proprietary hardware, you’re likely facing increased risk from supply chain delays to rising software costs.


By adopting interoperable, multi-technology readers and open protocols like PKOC and OSDP, you gain flexibility to:


  • Migrate legacy access control systems without full rip-and-replace


  • Mix components from multiple vendors to secure your physical security infrastructure


  • Avoid pricing lock-in by supporting credential interoperability


  • Ensure long-term availability of parts across your entire access control ecosystem


For vendors: Higher standards for everyone


Some vendors may fear the rise of open standards, as it prevents them from locking customers into proprietary technology. But is that really the most effective business model for the long term? Wouldn’t it be better to offer customers ongoing value that makes them want to stay?


Then there are all the benefits that come from having a more open vendor environment. As the old saying goes, a rising tide lifts all the boats. When multiple vendors implement the same standards:


  • Documentation improves


  • Training becomes widely available


  • Security vulnerabilities get identified and fixed faster


  • The entire community learns from shared experiences


  • Development costs get shared


This isn’t just idealism – it’s how the modern world works. Macs and PCs talk to each other (imagine the trouble we’d be in if they didn’t). Why should access control solutions be any different?


The bottom line: it's about business, not just technology


Interoperability may sound a bit geeky. But it’s far from just a technology issue. Imagine you’re talking to a CFO concerned about budget. Or a security director worried about potential data breaches. Or a procurement officer weighing up what your insurance premiums are going to be. OSDP, PKOC, and Bluetooth-enabled mobile credentials deliver benefits all of them can understand:


  • Lower total cost of ownership


  • Reduced vendor dependency


  • Enhanced security and compliance


  • Future-proofing of the investment


We think the access control industry is finally catching up to something other technology sectors learned many years ago: open standards and interoperability create stronger solutions for everyone.


Bluetooth and Wi-Fi are built on open standards. So are cellular networks like GSM, LTE, and 5G NR. The web runs on HTML. Industrial automation uses OPC UA and Modbus. Banking relies on EMV. Healthcare depends on HL7 and FHIR. That’s just a few examples.


Most critical industries moved to open, interoperable standards years ago.


Access control is still catching up. But it’s time has come.


Ultimately, what matters is not whose name is on the reader. It’s about building systems that work together seamlessly, securely, and reliably. And if we do that, who knows? Maybe we can start getting those ideal access control systems we’ve always dreamed of.


Ready to make your first move towards better access control and start an access control migration that doesn’t disrupt your existing operations?


EMS Integrators (EMSI) can help you develop a fully tailored, turnkey solution, including OSDP- and PKOC-enabled Bluetooth and multi-technology card readers, plus Bluetooth-based smartphone apps. By partnering with EMSI, you can seamlessly transition from legacy systems ensuring a fast, easy, and future-ready adoption. With EMSI’s approach, you’re not locked in – you’re future-ready.


Smithee Solutions Rodney Thayer is a network security practitioner specializing in physical security systems. His 'convergence engineering' practice focuses on evaluation, specification, and successful deployment of network-attached physical security systems. He has a background in software development specializing in network protocols and cryptography. He has written, lectured, hacked, and developed standards around networking, cryptography, and embedded systems. He has decades of experience in the computer business and has a variety of clients including large end users, manufacturers, designers, and integrators.

 
 
bottom of page