INSUREX_SYSTEMS
Access & Intrusion

Capability Use Case

Enterprise Access Control & Mobile Credentialing

Scalable access control ecosystems from reader hardware to cloud-managed mobile credentials, unified under a single policy engine.

OSDP · BLE · NFC · React · Node.js · PostgreSQL · REST API · LDAP · SAML · MQTT

Executive Summary

Our enterprise access control practice migrates organizations from legacy Wiegand-based card systems to encrypted OSDP v2 reader infrastructure with mobile credentialing, eliminating card cloning vulnerabilities and the ongoing cost of physical badge issuance. A typical 50-site enterprise saves $150,000-$300,000 annually in badge production, replacement, and administrative overhead after transitioning to smartphone-based credentials. More critically, the migration closes the Wiegand cloning vulnerability that renders most legacy access control systems trivially defeatable with commodity hardware.

The Challenge

The majority of installed access control infrastructure in the United States still uses the Wiegand protocol, a 40-year-old unencrypted communication standard between card readers and access control panels. Wiegand transmissions can be intercepted, replayed, and cloned using devices costing under $50, available commercially. Research presented at DEF CON and Black Hat conferences has repeatedly demonstrated that an attacker with 30 seconds of physical access to a Wiegand reader can install a transparent interception device that captures every credential presented, enabling mass credential cloning.

Beyond the security vulnerability, physical badge programs are operationally expensive. Large enterprises spend $15-25 per badge in production costs, manage replacement cycles for lost/stolen cards (5-15% annual attrition), and maintain badge issuance offices with dedicated staff and equipment. Visitor management adds further complexity: temporary badges must be issued, tracked, and collected, with compliance implications when they are not returned. The total cost of a physical badge program at a 10,000-employee organization typically exceeds $250,000 annually.

Identity lifecycle management compounds the problem. When an employee is terminated, their badge must be physically recovered or their credential manually deactivated in the access control system. In practice, credential deactivation is often delayed or missed entirely, leaving active credentials in circulation for former employees. Integration between HR systems, identity providers, and access control platforms is typically manual or batch-processed, creating windows of vulnerability during onboarding, role changes, and termination.

Our Approach

We design and deploy access control architectures built on OSDP v2 (Open Supervised Device Protocol) readers communicating with panels over RS-485 with AES-128 encrypted channels. OSDP v2 provides bidirectional communication (enabling reader firmware updates, LED/buzzer control, and tamper monitoring from the panel), encrypted credential transmission (preventing Wiegand-style interception attacks), and reader supervision (detecting reader removal or communication loss). We specify readers from HID, STid, and ASSA ABLOY that support OSDP v2 natively, and deploy OSDP-to-Wiegand converters at legacy panels that cannot be immediately replaced. A converter re-emits plaintext Wiegand on its panel side, so it must be mounted inside the secured enclosure with the panel, never at the door; it shortens the exposed Wiegand run to a few centimetres but is an interim measure until the panel itself is replaced.

Mobile credentialing uses BLE (Bluetooth Low Energy) and NFC smartphone credentials issued through HID Mobile Access, ASSA ABLOY Mobile Keys, or Wavelynx mobile wallet integration. Credentials are provisioned automatically when a user's identity is created or updated in the enterprise identity provider (Azure AD, now Microsoft Entra ID; Okta; or on-premise LDAP). When an employee is terminated in HR systems, the credential revocation propagates through the identity provider to the access control platform within minutes, automatically revoking all physical and mobile credentials without requiring badge collection.

The policy engine operates at a layer above the physical access control system, enabling unified access governance across multi-vendor environments. Organizations running Lenel in their headquarters, Genetec at branch offices, and AMAG at data centers can enforce consistent access policies—time-based restrictions, anti-passback, two-person rules, muster reporting—from a single management interface. The policy engine synchronizes identity and access rights to each downstream ACS through vendor-specific API adapters, maintaining the existing panel infrastructure while centralizing governance.

Key Capabilities

OSDP v2 Encrypted Communication

AES-128 encrypted reader-to-panel communication over RS-485 eliminates Wiegand cloning vulnerabilities, with bidirectional supervision for tamper detection and remote reader management.

Smartphone-Based Credentials

BLE and NFC mobile credentials provisioned directly to employee smartphones eliminate physical badge production costs and enable instant credential issuance, modification, and revocation from the cloud.

Automated Identity Lifecycle

Real-time synchronization with Azure AD, Okta, or LDAP directory services ensures access rights are granted at onboarding, adjusted at role changes, and revoked at termination within minutes—not days.

Multi-Vendor Policy Governance

A unified policy engine enforces consistent access rules across heterogeneous ACS platforms (Lenel, Genetec, AMAG), enabling centralized governance without requiring panel-level standardization.

Technical Architecture

OSDP v2 communication is implemented per the SIA OSDP standard (SIA OSDP 2.2) over RS-485 half-duplex at 9600-115200 baud. The Secure Channel protocol establishes an AES-128 encrypted and authenticated session between reader and panel: a 16-byte Secure Channel Base Key (SCBK) is provisioned to each reader during enrollment, and per-session encryption and MAC keys are derived from it using random challenges exchanged in the panel's challenge and the reader's response. Readers ship with the published default key (SCBK-D), so enrollment must replace it with a unique per-reader key; a reader left on the default is encrypted in name only, because anyone who knows the default and observes the challenge on the bus can derive the session keys. All credential data, including card numbers and biometric templates, is encrypted in transit, preventing the interception attacks that plague Wiegand installations. The panel polls each reader at 200 ms intervals, and every reply carries tamper and link status, so reader removal or communication loss is detected within seconds.

Mobile credential issuance follows the PACS (Physical Access Control System) mobile credential lifecycle defined by the SIA. Credentials are issued as secure containers through HID Mobile Access (the Origo platform, carrying Seos credentials) or ASSA ABLOY Mobile Keys, and stored in the smartphone's secure element or TEE (Trusted Execution Environment) where the handset exposes one. BLE engagement uses the HID iCLASS SE reader protocol with a configurable engagement range (0.5 m to 5 m) to support both tap-style and hands-free use cases; longer ranges trade convenience for a wider window in which a credential can be read, so hands-free ranges are reserved for doors with low-sensitivity areas behind them. NFC credentials conform to the ISO/IEC 14443 Type A standard and are compatible with Apple Wallet and Google Wallet credential containers where supported.

Identity synchronization uses SCIM 2.0 (System for Cross-domain Identity Management) as the primary protocol for provisioning and deprovisioning events from the identity provider. The synchronization service maintains a mapping table between IdP user identifiers and ACS cardholder records across all connected platforms. When a SCIM event signals a user status change (disabled, deleted, role change), the service translates the event into vendor-specific API calls: Lenel OnGuard DataConduIT badge-status updates, Genetec Security Center cardholder modifications via the SDK, or AMAG Symmetry REST API badge operations. The entire provisioning pipeline executes within 120 seconds of the IdP event, with dead-letter queuing and automatic retry for transient API failures. A deprovisioning event for a user with no cardholder mapping is itself raised as an exception rather than silently dropped, since an unmapped cardholder is exactly the orphaned credential the lifecycle process exists to remove.

Specifications & Standards

Reader Protocol: SIA OSDP v2.2, AES-128 Secure Channel
Mobile Credential: BLE (HID Seos), NFC (ISO/IEC 14443A)
Identity Sync: SCIM 2.0, LDAP, SAML 2.0, < 120 s provisioning
Encryption: AES-128 (OSDP), TLS 1.3 (API), AES-256 (at rest)
Anti-Cloning: Eliminates Wiegand interception, secure element storage

Integration Ecosystem

HID Global (iCLASS SE, Mobile Access) · ASSA ABLOY (Aperio, Mobile Keys) · LenelS2 / OnGuard · Genetec Synergis · AMAG Symmetry · Azure AD / Okta (SCIM 2.0) · Wavelynx Technologies · STid Readers

Measurable Outcomes

$280,000 annual savings in badge costs
A 12,000-employee financial services firm eliminated physical badge production, replacement processing, and badge office staffing after transitioning to mobile credentials, saving $280,000 in the first year with increasing savings in subsequent years.
Zero credential cloning incidents post-migration
Following OSDP v2 migration at a university campus that had experienced 12 confirmed Wiegand cloning incidents in the prior 18 months, zero credential cloning or interception incidents were reported in the 24 months following deployment.
4-minute average credential revocation
Automated identity lifecycle integration reduced average time from employee termination in HR systems to full credential revocation across all access points from 3-5 business days (manual process) to under 4 minutes (automated SCIM pipeline).
