Aliro vs. PKOC: Two Standards, One Direction

Aliro was one of the most talked-about technologies at ISC West 2026 – visible in nearly every access control booth and driving conversations on and off the show floor.

The Aliro 1.0 standard was published in February 2026 as a new communication protocol and credential standard governing how users interact with access points. A few early adopters were already releasing Aliro-enabled readers and credentials at the show.

So what is Aliro? It is a standardized way to access digital wallets across brands and platforms. It was created by the Connectivity Standards Alliance (CSA), a global collective of more than 220 member companies that includes Apple, Google, and Samsung – the same organization behind the Matter smart home connectivity protocol.

What makes Aliro noteworthy is that it was driven largely from outside the security industry, with the security industry holding seats at the table. That matters. It signals that outside industries recognize the capabilities of physical security – and that without that outside influence, those capabilities might never reach a broader market.

Jim Cooper – former CTO for two major integration firms and founder of Physec Systems, a consultancy focused on the intersection of physical security and cybersecurity – frames it well: "Aliro aims to do for access control what standardized mobile wallets did for payments."

What Problem Does it Solve?

Today, a user might open one app or credential wallet to access the office and a completely different one at the gym, at home, or anywhere else – each location running its own credential system. That fragmented experience, created by the absence of a common mobile-to-reader protocol, has been a significant barrier to mobile credential adoption and has forced proprietary lock-in at the reader level.

Aliro removes that barrier. An Aliro-enabled reader can read credentials across mobile wallets. A user taps their phone at the office in the morning and again at their front door that evening – same device, different credentials, one seamless experience.

How it Works Technically

In the Open Systems Interconnection (OSI) model, Aliro operates at the Transport Layer, which allows application-layer technologies to ride on top of it. Think of it as a secured pipe through which credentials travel. It still relies on secure connectivity – best practice is to deploy it over Open Supervised Device Protocol (OSDP) infrastructure.

Aliro is an open standard built on a device-bound cryptographic key stored in a Secure Element. It uses asymmetric cryptography – a public/private key system – and supports Bluetooth LE, Near-Field Communication (NFC), and Ultra-Wideband (UWB). The encryption is FIPS 185-6 and NIST 800-3D compliant. In plain terms: a secure, manufacturer-agnostic communication between a mobile device or wearable and the reader.

Here's how the transaction works: the mobile device holds a private key. When presented to an Aliro-enabled reader, the reader checks it against a public key. If they match, the door opens. Once the device has the key, the system can operate offline, verifying credentials cryptographically without a network connection.

How Does it Compare to PKOC?

If you read Paul Benne's Tech Trends column in the May 2026 issue (securityinfowatch.com/55373336), you may be wondering whether Aliro and PKOC are doing the same thing.

The short answer: similarly, but not identically. PKOC is platform agnostic – the credential can live on a physical card, a mobile device, or other secure hardware. Aliro is focused specifically on enabling interoperability between mobile devices, wearables, and access control readers. Different scope, complementary direction.

Two important limitations are worth understanding. First, Aliro does not govern the credential itself. As a secure transport, it acknowledges that a key signed a certificate and that a certificate authority vouched for it, but credential governance remains an unresolved challenge that the CSA and credential providers will need to address.

Second, proprietary lock-in has not been eliminated – it has simply moved. Aliro-enabled readers will pass Aliro-enabled credentials, but those credentials still come from specific manufacturers with their own private/public key pairs. The selection of a credential provider will remain a consequential decision.

Why it Matters to Integrators

Mobile credentials dominate access control conversations right now, particularly in multi-family residential, commercial, and higher education – yet actual adoption has lagged. Aliro may be what finally moves the needle.

Integrators have historically chosen credential technology based on familiarity or distributor availability. That approach worked in a simpler market. It won't be sufficient going forward. Specifying OSDP-enabled and Aliro-enabled readers for clients with future-ready deployments in mind is quickly becoming the baseline expectation.

When the three largest mobile wallet providers in the world are helping drive an access control standard, that standard is likely to be part of the future. Integrators who understand it now will be better positioned to lead that conversation with clients.