Inside PKOC: The Open Credential Spec Shaping the Future of Access Control

May 1, 2025
A closer look at Physical Security Interoperability Alliance’s (PSIA) open credentialing framework that promises to simplify deployments, enhance security and free integrators from proprietary lock-in.

Cost and Interoperability Advantages

PKOC’s open nature promises broad market impacts. End users are no longer tied to proprietary ecosystems and can avoid the complications of supporting multiple card types in multi-tenant buildings or distributed campuses. For integrators and consultants, PKOC simplifies system design and reduces the complexity of specifying, ordering and supporting secure credentials.

Ouellette noted that PKOC “is self-issuing, meaning it does not need a credential manager or issuance manager.” While it currently does not support centralized credential revocation, a future roadmap includes adding Certificate Authority (CA) functionality for enterprise customers that require it is planned.

The PSIA document also outlines several tools now available to assist in implementations, including the PKOC over OSDP specification, Android reader simulators and USB-based wedge enrollment readers. These resources are intended to reduce setup friction and bring consistency to deployments across different platforms.

Mobile-Centric and Future-Ready

PKOC is also designed to adapt with the times. It supports BLE, NFC and ultra-wideband (UWB) communications, and is compatible with both mobile devices and smart cards.

“PKOC today can support both BLE and NFC utilizing mobile devices for credential use,” Ouellette said. “It will play a significant role in mobile and card-based solutions going forward because of its simplicity and openness, making adoption of the protocol easily possible for vendors.”

With ongoing interest in mobile wallet integration, PKOC’s foundation is said to make it well positioned for future digital wallet support. Although it is not currently supported in Apple Wallet, work is underway by several industry partners to integrate PKOC into major mobile credential platforms. As outlined in the PSIA resource, a specification for mobile apps that generate PKOC credentials is already available and includes open-source tools for developers.

PKOC vs. Aliro

Ouellette was also quick to clarify how PKOC compares to aliro, a forthcoming standard from the Connectivity Standards Alliance. While both are built on public key infrastructure, they serve different use cases.

“If today a certificate authority is required, then aliro would be the better choice,” he said. “But aliro won’t be released until fall this year, and PKOC is available to start implementing today where it addresses the highly secure use of credentials for online requirements.”

That distinction underscores a broader industry shift toward credentialing models that emphasize openness, flexibility and ease of implementation.

“What makes PKOC compelling,” Ouellette said, “is that it delivers strong security through simplicity — without locking customers into a single ecosystem.”

About the Author

Rodney Bosch | Editor-in-Chief/SecurityInfoWatch.com

Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for several major security publications. Reach him at [email protected].