Inside the Push to Converge Physical and Digital Access
Key Highlights
- Mobile credentials are becoming central to enterprise identity strategies as hybrid work reshapes access expectations and security requirements.
- Standards such as FIDO2 and OSDP are helping unify physical and logical access while supporting passwordless authentication initiatives.
- Integrators and end users must prepare for hybrid environments that combine mobile and physical credentials while improving credential lifecycle management.
The badge on a lanyard is not going away anytime soon. But it is no longer the center of the access control conversation, and for a lot of security leaders, that transition is happening faster than their infrastructure is ready to handle.
Mobile credentials, passwordless authentication and the long-overdue convergence of physical and logical access have moved from conference-session talking points to operational priorities. The pressure is coming from multiple directions at once: hybrid workforces that need seamless access across buildings, networks and cloud applications; IT and physical security teams that have historically operated in separate silos; and a threat landscape where stolen passwords and cloned cards remain embarrassingly reliable attack vectors.
In this executive Q&A, Ramesh Songukrishnasamy, senior vice president and CTO at HID, walks through where enterprises actually are in that transition — not where the marketing materials say they should be. He addresses the architectural requirements behind mobile credential deployments, why passwordless rollouts keep stalling despite broad consensus on their value, and what standards like FIDO2, Open Supervised Device Protocol (OSDP) and the newly released Aliro 1.0 specification mean for organizations trying to build systems that don't lock them into a single vendor. He also speaks to what integrators and channel partners need to understand as the business shifts from hardware installation toward identity advisory work.
The mobile credential moment
Mobile identity has become a defining theme in enterprise security. How are mobility and hybrid work environments changing the way organizations think about access control and identity management?
Mobile identity is taking on a larger role in enterprise security because mobility and hybrid work have changed how employees interact with facilities. An employee may need access to a corporate office one day, a shared workspace the next and a secure application from home that evening. That makes identity harder to manage through static badges and disconnected systems. Organizations are turning to mobile identity because it brings together encrypted credentials and real-time remote management in a way that meets the demands of modern, distributed operations.
User expectations are also driving adoption. People already use their phones to pay for coffee, board flights and handle daily work tasks, and they want the same familiar tap when they unlock a door or sign into a secure application on a workstation or printer, for example. Mobile credentials meet employees on the device they already rely on throughout the day. Beyond meeting employee expectations, mobile identity gives enterprises operational flexibility. Credentials can be issued and revoked remotely across large, distributed workforces, with all credential provisioning and lifecycle management handled centrally. A single mobile credential can span building entry, workstation login and secure printing, consolidating use cases that previously required separate systems. This flexibility is reshaping how organizations think about access and identity management, moving the conversation away from simply issuing credentials and toward managing identity across the enterprise.
That said, physical cards remain a meaningful part of the ecosystem. Most enterprises are managing this transition through hybrid deployments that support mobile credentials alongside traditional cards, accommodating diverse user groups and use cases. The practical goal is to modernize without forcing a single form factor on every user or every site. For most enterprises, this means managing mobile credentials and physical cards from the same identity framework while gradually expanding the use cases that mobile can support.
The case against passwords
Passwordless authentication is gaining significant traction, particularly through the FIDO2 standard. What’s driving this shift, and what are the key challenges organizations face when implementing passwordless strategies at scale?
Passwords are increasingly a weakening link in enterprise security. AI-powered threats and phishing attacks have made them an unacceptable risk, while the growing convergence of physical and logical access means organizations need authentication that works seamlessly across buildings, networks and cloud applications. The FIDO2 standard has emerged as the leading framework for passwordless authentication because it enables phishing-resistant, hardware-bound authentication that is both highly secure and frictionless for the end user. HID's 2026 State of Security and Identity Report, which surveyed more than 1,500 end users and industry partners, found that security improvements now rank as the top driver of modern credential adoption at 50%, surpassing user convenience, a clear sign the market has moved beyond treating passwordless as optional.
Adopting passwordless authentication at scale is less a technology problem than an organizational one. Most enterprises are managing a patchwork of legacy systems, and the same report found that 52% cite the complexity of integrating multiple identity platforms as their primary barrier. Cost sensitivity has also intensified, with implementation concerns nearly doubling year over year. Add in a shortage of in-house expertise and the reality is that most organizations still need to support a mix of physical and logical credentials for different user groups. It is clear that a phased, platform-based approach is the only practical path forward.
Organizations succeed when they treat passwordless authentication as an architecture decision, not a feature rollout. With weak or stolen passwords behind the majority of basic web application breaches and major platform providers expanding FIDO2 support across their ecosystems, the question for most enterprises is no longer whether to move away from passwords, but how to sequence the transition.
Building the infrastructure behind mobile access
From a security architecture perspective, what needs to be in place to ensure that using smartphones for access remains both secure and convenient?
According to the HID Report, mobile credentials have crossed from emerging technology into expected baseline capability, with 74% of organizations having already deployed or actively planning deployment. But scale creates new responsibilities. The security of a smartphone-based credential depends entirely on the infrastructure behind it: encrypted communication and mutual authentication between the device and the reader that ties the credential to a specific person rather than just a device. When those layers are in place, mobile access is not just more convenient than a physical card, it is demonstrably more secure.
The architectural requirements go beyond the device itself. Organizations need credential lifecycle management that supports issuing, updating and revoking access in real time. When an employee changes roles or locations, their access permissions should update that day, not the next quarter. That level of control is especially important in environments with contractors, temporary staff, shift workers or frequent role changes, where credential status can change faster than a traditional card office can respond. Infrastructure must also be able to support a hybrid environment, since 84% of organizations still use a mix of mobile and physical credentials across different user groups and use cases.
Mobile access deployments succeed when they are built around the range of use cases and users an organization actually has. Security teams should confirm how credentials are provisioned, where encryption is applied and how the system handles authentication and revocation. But there is no single right approach to mobile access. With as many use cases as users, feature choice, flexibility and phased deployment matter as much as the architecture itself.
Hardware that has to keep up
Portable and multi-technology readers are becoming essential tools for the mobile workforce. What are the primary factors end users and integrators should consider when evaluating or deploying these devices?
Portable credential readers for a distributed workforce need to deliver both strong security and practical usability. The most important capability is support for passwordless authentication, including passkeys and multi-factor authentication (MFA) methods built to the FIDO2 standard, which blocks phishing and credential theft. Broad credential compatibility matters just as much: a reader should handle high-frequency credentials like Seos or MIFARE DESFire alongside NFC-based mobile credentials and mobile wallet options. This lets organizations modernize authentication without ripping out existing infrastructure.
Beyond security, buyers should consider where friction enters the workflow. The reader has to work reliably in the field, connect easily to existing systems and support current and future credentials. A device that requires workarounds, special handling or separate administrative processes will create resistance, no matter how strong the specifications look on paper. The best portable reader is one that disappears into the workflow rather than adding friction to it.
Speaking the same language
How are standards like FIDO2, OSDP or others helping to create a more unified access experience across systems and platforms?
FIDO2 and OSDP exist so vendors can build to a common set of rules, with the assurance that compliant products will work together. OSDP handles secure communication between readers and controllers on the physical side, while FIDO2 gives organizations the framework for replacing passwords with cryptographic authentication on the logical side. Together they remove the dependency on proprietary protocols and create a shared identity layer that physical and logical systems can both trust, which is the foundation of any unified access experience.
The market appetite for this kind of unification is clear. According to HID's Report, 75% of organizations have already deployed or are actively evaluating converged identity solutions, with the goal of enabling one credential to access buildings, networks, cloud applications and sensitive data. FIDO2 has become a key enabler of this vision because it gives organizations a framework for phishing-resistant authentication that works consistently across devices and platforms. Adoption has accelerated as a result. Google, Microsoft and Apple have integrated the standard into their operating systems, and Gartner projects that by 2027, over 90% of MFA transactions using a token will be based on FIDO authentication protocols.
On the physical access side, standards like OSDP are doing similar work at the hardware layer, allowing readers and access controllers from different manufacturers to communicate securely. This gives organizations more freedom to choose and mix technologies without being locked into a single vendor's ecosystem. A new addition to this landscape is the Connectivity Standards Alliance’s Aliro 1.0 specification. Released in February, its goal is to set a common protocol for how mobile devices and readers communicate. This alignment with Apple, Google and Samsung wallets addresses possible fragmentation that has tied mobile credentials to specific reader brands.
The 2026 security trends data makes it clear that standards alone are not enough to close the physical and logical convergence gap: 37% of organizations cite implementation complexity as a top barrier to convergence, and 52% report difficulty managing multiple identity systems at the same time. These figures reflect a market that understands where it wants to go but still needs architectural guidance and trusted partners to get there. Standards provide the blueprint to make convergence possible, but organizations planning for a truly unified access experience need to align physical security and IT around a shared roadmap and choose platforms designed to evolve with both domains rather than serve one and adapt to the other.
Friction is not a security strategy
Balancing usability with strong authentication is a recurring challenge for enterprises. How can security teams deliver frictionless access for users without compromising the integrity of identity verification?
Security teams no longer have to accept friction as the price of stronger authentication. Passkeys, mobile credentials and biometric verification can reduce the number of steps a user takes while improving resistance to phishing, credential theft and credential reuse. The user experience may feel simple, but the security model is strong as authentication is tied to cryptographic keys, trusted devices and verified users rather than memorized passwords.
The key is to design authentication around normal user behavior instead of forcing users through extra steps they may try to bypass. A mobile credential or a device-bound passkey can support stronger identity verification with less user effort. The harder part is migration: deciding which systems move first, how legacy credentials remain supported during the transition and how IT and physical security teams manage policy from a common view.
The advisor opportunity
From an integrator or channel partner standpoint, what opportunities are emerging around mobile identity solutions, and how can they position themselves to support customers transitioning to passwordless ecosystems?
For integrators and channel partners, mobile identity creates an opportunity to move from installation work into advisory work. Most customers know they want to move toward mobile, but few have a clear picture of what their mobile migration actually looks like inside their environment, and that is the gap a good partner can fill. The access control business is also evolving from a hardware-centric model to a software and subscription model, opening recurring revenue opportunities for partners who build that expertise.
Passwordless creates a similar opening. FIDO-based authentication reshapes how an organization manages identity day to day, and partners who understand the operational effects will be better positioned than those treating it as another product offering. The winning conversation is less about selling a credential and more about helping customers rethink identity risk across their entire access environment.
What future-ready actually looks like
How do you see mobile identity, credential management and access readers evolving over the next three to five years? What does “future-ready” access control look like?
Over the next three to five years, access control will continue moving toward identity management, with the reader, the credential and the management platform all functioning as part of a connected identity chain that links physical access, logical access and operational systems. That trend is reflected in HID's Report, where 75% of organizations have already deployed converged identity solutions or are actively evaluating options, signaling that organizations are actively unifying physical and logical access.
That trajectory points to a sustained hybrid reality on the credential side. The same report shows 80% of organizations expect a mostly mobile or balanced mix environment within five years, while only 12% expect mostly physical credentials. Physical cards will continue to serve visitors, contractors, regulated environments and users who need visible identification, while mobile credentials handle the bulk of day-to-day access.
The practical work for organizations is managing both form factors from a unified platform that issues, updates and revokes access in real time as roles change, with readers carrying more of that load at the edge by supporting multiple credential technologies, stronger encryption and integration with broader identity and building systems.
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications.



