Login
get in touch

Frequently asked questions

Readerless mobile credential software integration FAQs

Do your mobile credentials work with card access control systems?

Yes, our mobile credentials for readerless NFC mobile access can work with proximity access control systems of all ages.  

Will our customers need to install any new hardware if we integrated your SDK into our system?

No, we sit within your access control system and cloud architecture. The only thing we ask is that your customers mount our Smart Access Tile next to your existing reader and door.

Does your solution integrate with smart locks?

We do have smart lock integrations to enable NFC and QR code access to unlock smart locks. Our mobile credentialing software integrates into the smart lock providers cloud architecture. 

Does your software integrate with third-party building experience applications?

Yes, our SDK allows your customers to enjoy our readerless mobile access within the market leading building experience applications. Benefit from having our mobile credentialing software and time-limited digital visitor passes embedded into your application. Provide your permanent staff or temporary contractors or guests with time automated digital visitor passes through centrally managed cloud-based infrastructure running through tenant or building management platforms.

How easy is it to scale NFC mobile access to more doors?

We provide a software only integration for organizations access control systems, allowing them to add mobile access to more doors without needing to install any reader hardware. This creates the fastest and most cost effective route to scaling mobile access for organizations that want to expand. 

What do you mean by your software being non-proprietary

Our software is interoperable with major access control systems and third-party applications. Therefore, organizations have flexibility and freedom of choice to where and how they would like readerless mobile credentials to work.

Do you need an integrator or dealer to complete the installation and setup?

No, we can remotely login and set up our software to work alongside your access control infrastructure, the only thing required from you to do is to invite and assign a user’s email address with digital keys for the doors that have been brought online for mobile access.

What is readerless mobile access and how does it work?

Our software integration for legacy access control systems turns the user’s smartphone into the active NFC reader therefore no reader hardware upgrades are necessary. For NFC mobile access we use our Smart Access Tile, a passive NFC tag, that applies next to a door without any wiring or batteries. 

Do you use the existing readers that we have already installed?

For PKOC deployments if the reader manufacturer has integrated our SDK, mobile credentials and physical credentials built on PKOC specification can work with the reader hardware. For readerless deployments all that’s required is our Smart Access Tile for NFC mobile access next to your existing reader. Our mobile credentials don’t rely on reader hardware to work.

Do your mobile credentials have wallet-based compatibility?

Currently our non-proprietary mobile credential software works outside of smartphone wallet applications. This allows for seamless interoperability with other access control systems and third party building experience applications. It also allows for fast and cost-effective deployment  

Can your software integrate with multiple disparate systems simultaneously?

Our mobile credential software for is interoperable with a combination of access control systems. This provides the possibility to use a single credential to access select doors controlled by disparate systems. See a list of our PACS integrations to see which systems we can integrate with.

Can your mobile credentials co-exist with legacy physical credentials?

Our readerless mobile NFC credentials work alongside your existing key card or badge systems, therefore you always have the ability to use one or the other depending on what provides the most convenience for your users. 

How does your NFC mobile credentials work if there is no active NFC technology in our old readers?

Our solution uses the active NFC technology in smartphones to read the passive NFC chip within our wireless Smart Access Tile. The users smartphone communicates with the access control system via cloud services bypassing the reader.

How secure is your mobile access credential software?

Our readerless mobile access software follows NIST cybersecurity best practices as we use the user’s smartphone device as the active reader, therefore it is kept up to date with the latest security measures. Our mobile credentials are secured with asymmetric cryptography, and we leverage smartphone multi-factor authentication security. Keycards, fobs and employee badges compromise the building’s security as they easily get lost, cloned or shared. Even if a phone is stolen it is quick and easy to deactivate and requires biometric facial or fingerprint recognition to access the app and unlock doors.

Mass enrollment service for Public Key Open Credential (PKOC) FAQs

What is Public Key Open Credential (PKOC)?

PKOC (Public Key Open Credential) is an open-standard specification for physical and mobile access credentials. It uses asymmetric cryptography — a unique public-private key pair per credential — to provide a secure, interoperable alternative to traditional proprietary credential formats. The private key is stored in the device’s secure hardware element and is never shared.

How is PKOC more secure than traditional access credentials?

Unlike legacy credentials that rely on symmetric encryption and vendor-specific implementations, PKOC uses asymmetric cryptography. Each credential has its own unique key pair, with the private key never leaving the device’s secure hardware element. This architecture significantly reduces the risk of credential cloning or unauthorised duplication.

Is PKOC compatible with my existing access control hardware?

Yes. PKOC is designed to be vendor-agnostic and license-free, meaning it works across multiple platforms, readers, cards, and mobile devices. It supports both NFC and Bluetooth Low Energy (BLE), enabling flexible deployment alongside existing infrastructure without costly hardware replacement.

Does PKOC lock me into a single vendor or ecosystem?

No — avoiding vendor lock-in is one of PKOC’s core advantages. Because it is and license-free organizations can deploy credentials across different hardware and software platforms, giving them freedom of choice over readers, credential providers, and mobile applications.

Can PKOC be deployed at enterprise scale?

Yes. PKOC supports enterprise mass enrollment, allowing organizations to issue and manage PKOC credentials at scale. Sentry Interactive’s SDK enables bulk remote enrollment of PKOC-compliant mobile credentials, turning what was traditionally a manual process into a streamlined, large-scale rollout.

Can you tell me more about how the public key works alongside the reader?

The public key is sent each time. When that happens, the reader side produces what’s called a challenge response. It generates a random block of data and sends it to the credential, asking it to sign that data with its private key.

The signed block of data is then sent back to the reader. The reader validates this, what you might think of as a fingerprint, by checking the signature against the public key that was originally sent. If the data was not signed by the exact corresponding private key, then it indicates a potential clone.

This process verifies that the credential, and therefore the public key, comes from the authentic source it claims to be from. That is the check that PKOC performs.

This all happens very quickly, typically in 200 milliseconds or less, so it is not a heavy or burdensome process. It is also not a certificate validation.

What license is required from C.CURE to enable Sentry Interactive’s enrollment feature?

Regarding licensing, from C.CURE’s perspective, this typically only requires a standard connection licence to Sentry Interactive. As for documentation, there is material available explaining how to set up card formats, and more detailed manuals are available for installation and platform setup.

From Sentry Interactive’s side, PKOC setup is now handled automatically during enrollment. The system checks whether the required configurations exist and creates them if they don’t, Sentry Interactive provides a “one-click” experience where everything just works in the background. In terms of licensing, you would need the licence from C.CURE and the relevant licences from Sentry Interactive nothing additional beyond that.

Can PKOC coexist with other standards such as MIFARE DESFire, LEGIC, LEAF on the same card?

Certainly, yes. The technology is capable of doing this. No matter if the card has LEAF, DESFire, LEGIC or prox. You can have multiple applets loaded and you can certainly have PKOC side by side.

How is the revocation of a PKOC credential managed and how is this information shared with the controllers?

This is another key element of what Public Open Credential is versus what it is not. PKOC when it was the inception, was the creation of what the standard is today – to create a asymmetric credentials and solve the cloning issues, provide a more secure delivery of the credential. But it is not based on a root certificate or certificate authority. Like you would be familiar with like PIV, where it has the revocation engine. Revocation or the management of those enrollments is the same thing as what PKOC cards would be today. That is the responsibility of the PACS; that enrolls and unrolls it but there isn’t a higher authority revocation engine that sits over PKOC today.

Can you share more information on how the less than 200 millisecond PKOC unlock speed has been derived?

We connect readers using OSDP, and one of the things our test environment does is observe the response time when a card is presented. It does this by monitoring the messages exchanged between the reader and the panel. There is, in fact, a 200 millisecond threshold in OSDP beyond which issues can occur.

We track these timings closely, and with PKOC keycards using NFC, the number of message exchanges is very small. As a result, the unlock time typically falls within the 30 to 100 millisecond range, well under 200 milliseconds.

Additionally, from a metrics perspective, we have used apps and cards with built-in diagnostics to measure and track timing directly. This is done alongside the OSDP test tool, so the figures are verified and not just estimates.

What’s the difference and similarity between PKOC and FIDO, and do they complement each other?

FIDO is more focused on the logical (digital authentication) side, whereas PKOC has traditionally focused more on the physical (access control) side. However, the two can coexist well. In fact, it’s possible to have a single credential that supports both FIDO and PKOC.

Both approaches are based on asymmetric cryptography, but they serve different purposes. They are also both industry standards that can be considered together rather than as competing options. In practice, it’s more about how they complement each other than how they differ.

FIDO 2 for enterprise environments relies heavily on public key cryptography and, in some cases, certificates. PKOC also uses similar underlying technologies, though the way messages and protocols are structured differs, especially when compared to traditional access control models.

With modern smart cards or mobile devices, it is entirely reasonable to deploy both technologies together. In fact, this is often what happens in real-world implementations. For example, a single credential can support both FIDO2 and PKOC when used with a multi-technology reader capable of handling both.

In short, coexistence is not only possible but practical, and many deployments could successfully use both technologies side by side.

How are public/private keys provisioned to cards and mobile in a large-scale environment with more than 50,000 users? Also, can an existing CAB be integrated?

First, the issuance or creation of keys is a function of PKI. When you install an applet on a smart card, such as a Java Card or another secure card, or install a mobile app (and in the future, PKOC may support wallets), the credential is created at that stage. As part of this creation process, a public/private key pair is generated.

Once generated, the public key exists, and the derivative we use is the X portion of that key, which is 256 bits. To meet PKOC compliance, the minimum requirement is to use the last 8 bytes (64 bits) of that X portion. This provides sufficient randomness to avoid duplicate credentials, eliminating the need for site codes or facility codes. The system can also support up to the full 256 bits if required.

Provisioning is effectively self-service. After the key is created, the next step is obtaining permission to send the public key to the system that will enroll it. The system extracts the X portion and uses it as the credential representation.

In environments with more than 50,000 users, this process scales efficiently. Invitations can be sent simultaneously to all users, who can then complete enrollment at their own pace through the app. This approach avoids bottlenecks and supports large-scale deployments, particularly in mid-sized to enterprise PACS environments.

PKOC uses the key as a core part of the credential, and there is no third-party signing operation involved. This means there is no need for a certificate authority. Since the keys are generated at the time the application or card is created, there is no requirement for a formal issuance ceremony.

For example, if you purchase 1,000 or 50,000 cards from a manufacturer, they will show up with preloaded with key pairs. These keys are generated within a secure, certified environment on the smart card itself, or via equivalent secure mechanisms on a mobile device.

What portion of the current infrastructure can be repurposed, and how much requires replacement (for example cards, readers, controllers, etc.)?

Starting with the controller side: most modern controllers can already handle a minimum 64-bit card number. From the controller’s perspective, it is simply receiving a long card number from the reader. At this stage, the reader is responsible for passing that value through.

We are working on a second iteration of the specification where the controller performs the authentication, but for now the reader simply sends the long card number. Because of this, it is important to ensure your panels accept at least a 64-bit number. A 128-bit capacity is better, and if possible, 256-bit support is ideal.

In most cases, existing panels can be repurposed.

If you are using OSDP-capable devices, modern systems should be able to use standard mechanisms to perform firmware updates on readers and update credential formats. With sufficiently modern hardware, the intention is that readers can be updated to support PKOC or other new credential types, and also configured to use the correct format.

However, if you have very old readers, such as 20-year-old Wiegand devices, you will not be able to do this. In those cases, you are effectively forced into replacement, which is expected with legacy technology like this during any migration process.

As for credentials, these are new. They are provisioned at the factory with a public key already loaded, or in the case of mobile credentials, the key is generated when you enrol and create the credential on the device.

From a PACS perspective, PKOC is treated as a card format that can range from 64 bits up to 256 bits. Some PACS systems, such as those based on Mercury hardware, may limit this to 200 bits. However, many modern PACS platforms especially those used in government environments, will support at least 200 bits, and often up to 256 bits.

For legacy systems, support may drop down to 64 bits depending on the age of the reader and system capabilities. The key requirement is having readers that are PKOC-compliant and capable of being updated.

How would you recommend migrating to PKOC?

Migration to PKOC can be approached in different ways. One option is to issue multi-technology credentials that support existing technologies, such as proximity, MIFARE, or DESFire, while also including the new public-key credential. As new readers are introduced, the same credential will work across both old and new infrastructure. Over time, you can phase out legacy readers without a full rip-and-replace approach.

Another option is to deploy multi-technology readers that can interpret multiple credential types. This allows you to migrate at a pace that aligns with budget and operational constraints, rather than replacing everything at once.

There are, however, licensing and deployment considerations depending on the existing credential infrastructure, and these must be followed carefully. Engaging with PSIA members or relevant vendors is recommended to ensure the migration approach is correctly designed for your environment.

If Building A has PKOC with Kastle, and Building B has PKOC with CCure, and a user has credentials for both, how can the reader in Building A select Credential A and not Credential B?

First of all, the intention is typically for the user to have the same credential across both systems. Ideally, you wouldn’t need separate PKOCs for A and B. The whole point of planning from the start is to use the same credential and enroll it across the various systems, so this wouldn’t become an issue.

However, if you do have two PKOCs on the same device, the situation isn’t really that different from using physical cards. For example, if I have two prox or MIFARE cards, one from Building A and one from Building B, the reader will recognise both formats, if configured to do so. However, the card from Building B won’t be enrolled in Building A’s system, so it will simply be treated as an unknown card. The same principle applies to PKOC credentials.

As mentioned earlier, there’s generally no need to have multiple PKOCs, because you could take a Kastle PKOC and enroll it in a Johnson Controls C.CURE system, and it would work fine. That’s the whole interoperability concept: any PKOC credential can work with any PKOC-compliant reader. This ideally removes the need for multiple credentials altogether.

That said, if multiple PKOCs are used, the credential intended for a specific system e.g. Johnson Controls would need to be enrolled as a separate credential. In that case, both credentials could work, but it ultimately comes down to how they are enrolled.

Another way to look at it is that, since the credential is open and you can build logic around it, you could intelligently select which credential to use. For example, you could use GPS location or a Bluetooth iBeacon to determine which credential should be active. This gives you more flexibility to design the user journey, you can use a single credential, multiple credentials, or dynamically select the appropriate one based on context.

Additionally, many mobile apps already allow users to select which credential they want to use. This is something people are doing today. For example, in a scenario where there are two different sites belonging to two different customers, and they require separate credentials for compliance reasons, users could still manage both on a single mobile device. Instead of carrying two physical badges, they could simply select the appropriate credential within the app depending on the site.

Are there any special steps needed for PKOC to work with Apple Wallet, which apparently is famously restrictive?

Today PKOC is not in the wallet. For those of you that are following the open standards this February 2026, we saw the launch of Aliro. Aliro is native wallet out of the gun but it creates the ability to support the public key infrastructure, which is certainly the same foundation that public key open credential is based on. With Apple’s and Google’s focus on CSA and Aliro we’ve purposely not had those conversations and are letting Aliro pave the way for this capability, it can certainly be a future discussion for PKOC. But today, it is not Wallet, it is app, and it is card.

Is there a plan to standardise the bit output length so that it's consistent?

The PKOC specification process will advocate three specific formats 64, 128 and 256 bit with the intention that readers in a given deployment will be set up for one of these formats, with the idea that you pick a format that works on all the readers that you’re using. 

 

64 bit is very common, it’s not so common for readers to be able to output to 256 or for PACS vendors to read it, so 64 bit tends to be the dominant one, but the idea is you would configure the devices to read the same format. You wouldn’t have one PKOC card for deployment which is in a system in three different formats. You’d stick with one format.

 

64 bit would be your default but customers are pressing to go higher up to 256 bit to add extra security. However the PKOC working group will continue to advise and encourage people to use the strongest option available. Over time, as products evolve and our legacy hardware is phased out and newer equipment launches, the idea is that we all embrace 256 bit and stay stronger.

Find out more

Why should i choose a readerless upgrade to mobile credentials?

How do readerless mobile credentials work?

What makes a readerless upgrade to mobile credentials different?

How do the digital visitor passes work?

How secure are readerless mobile credentials?

What access control systems can your mobile credentials work with?

Still not found your answer?

Ask your question to a member of our team and we will do the best to answer it. 

Get in touch

Don't just take our word for it. Trust theirs

"Sentry Interactive’s integration with RightCrowd provides a new and differentiated path to mobility for end users and channel partners that are looking to embrace the efficiency and security involved with mobile access credentials without the cost and complexity challenges that have inhibited adoption thus far."
Bart VansevenantCTO of RightCrowd
"Using Sentry’s SDK we are providing customers not only with the extensive feature set that comes with the UnityIS® platform but now they can also benefit from Sentry’s award-winning NFC mobile credential technology solution also in our platform”
Imron HussainPresident & Founder of IMRON
"Deployment of Sentry Interactive’s software to access control OEM platforms and hardware systems will be faster and more seamless than ever. Accelerating the transition to the next generation of mobile access"
Ken LarsonPresident of Z9 Security

William Bainborough

Board of Directors

William is an experienced British entrepreneur, founder, and accomplished board executive and advisor for a number of businesses. He is the CEO and co-founder of Doordeck, the world’s only true cloud-based access control aggregator. He is also the managing director and founder of Group Secure, a leader in providing security, CCTV, and access control solutions, products, and installation for high-net-worth individuals in the UK. 

William established his first business at just seventeen and brings 20-plus years of in-depth experience and industry knowledge. He has a proven track record for building businesses from the ground up—and then leading them to profitability and a successful exit across a myriad of sectors including hospitality, retail, security, telecommunications, and e-commerce. William’s leadership, vision, and experience in creating cutting-edge SaaS-based technology platforms will prove invaluable for Sentry Interactive moving forward.

Denis Hébert

CHAIRMAN & CEO

Hébert began his career at Honeywell International where he held several leadership positions including Managing Director for the Automation and Controls business in France and eventually President of the NexWatch Corporation from 1999-2002. Hébert led HID Global as President & CEO over a transformative 12-year period from 2002-2015, where he provided strategic guidance and grew the business tenfold through a mix of strong organic and acquisitive growth. Most recently, Hébert was President of Feenics Corporation which is a cloud-based access control company that was successfully sold to ACRE LLC at the end of 2021. Hébert also served on the Board of Directors for the Security Industry Association (SIA) from 2009-2020 and was nominated to be Chairman of the Board for SIA from 2016-2018. He is currently Chairman of the Board for Nightingale Security based in Newark, CA.

Stephen Taylor Matthews

Board of Directors
Stephen is a very accomplished attorney, member of the Texas State Bar, licensed commercial real estate broker, and an avid philanthropist. He is an experienced executive board member, serving in leadership positions for more than 20 community councils and corporate boards—ranging from Boy Scouts of America to the ABBA Business Leaders Council, and most recently the American Bank BOD, the Real Estate Council of Austin, and the Marbridge Foundation BOT. With more than 35 years experience, Stephen and his firm, Barrond & Adler, L.L.P. are devoted to eminent domain cases in Texas.

Jon Davis

Board of Directors

Mr. Davis is an Experienced corporate board member, having served on boards of public, private equity-backed, and venture-backed companies. Jon possesses deep industry expertise in dairy, food processing, food technology and manufacturing, and food, beverage, and entertainment services. 

During Jon’s tenure of 25 plus years, he’s led operations, research and development, and mergers and acquisitions. He’s served as CEO and has been the founder and active board member for many successful enterprises—from startups to billion-dollar corporations. While COO and CEO of Davisco Foods International, Jon built a state-of-the-art cheese plant which was awarded the United States Dairy processing plant of the year in 2005 by Dairy Foods magazine. Currently, Jon is active with several non-dairy projects, including investments in local real estate, the Wayzata Brewworks, and his latest venture the new CōV restaurant in Edina’s Galleria.

Joe Caldwell

Founder and Chairman of the Board

Joe is an American entrepreneur, investor, and accomplished executive. He has co-founded, founded, and led many successful businesses, including US Internet, a leading fiber internet service provider, Securence, a leading provider of email filtering software, and Ravon, an industry-leading digital voice communications service. 

It was Joe’s venture, Municipal Parking Services (MPS), that inspired him in 2020 to start Sentry Interactive, an advanced touchless and staffless detection platform.

Caldwell currently serves as CEO and Chairman of the Board for Municipal Parking Services (MPS), a global tech company based in Austin, TX responsible for inventing and patenting technologies that assist in parking and security enforcement.

Joe was named one of Minnesota’s 500 Most Powerful Business Leaders for the past two years—and is a seasoned corporate board member. He’s served on boards of public, private equity-backed, and venture-backed companies—and has deep industry expertise in all aspects of digital technology.

Jason Bohrer

Board of Directors

Jason Bohrer is one of the visionaries behind our mission to bring people back together safely and securely, in any environment, through Sentry’s advanced digital communications and detection platform. With over two decades of senior leadership experience, Jason’s track record of success spans across sales, operations, product innovation, strategy, and technology for domestic and global companies like Bexar Technology Partners, CPI Card Group, HID Global, and Motorola, Inc. Prior to launching Sentry Interactive, Jason was actively involved with several key technology transitions across multiple industries, including the contact and contactless EMV transitions in the U.S. payments industry and the adoption of smart card and mobile technologies in the global access and identity market. Jason was an inaugural member of the University of Chicago Executive Institute and holds a bachelor’s degree in Economics from the University of Texas at Austin. He also serves as the Executive Director for two industry-leading not-for-profit organizations: the Secure Technology Alliance and the U.S. Payments Forum.
Brent Terry

Brent Terry

Chief Operating Officer
Brent Terry leads the operations and solutions organizations at Sentry. This includes all product innovation, development, and operations management. A veteran in the technology space, Brent has more than 30 years of experience across a myriad of industries, like physical security technology and building automation, SAAS, hardware and software product development, internet, digital TV, interactive TV, digital media, telecommunications, and medical products and services. Prior to Sentry, Brent has spun up successful startups and led high-performing teams for some of the biggest global, Fortune 500 companies, including ARRIS, Conerco, Motive Communications, SeaChange International, and IBM. Brent holds a BS in Computer Science from the University of Louisiana. He also is the committee Chairman and Program Director for a non-profit organization responsible for the rollout of smart cards for physicians and first responders.