Inside PKOC: The Open Credential Spec Shaping the Future of Access Control
The Skinny
- PKOC eliminates shared secrets by using asymmetric encryption, boosting security and removing the need for licensing or proprietary infrastructure.
- It’s fully open and vendor-neutral, allowing any manufacturer to implement it without fees or lock-in.
- Supports gradual migration, making it practical for organizations to transition from legacy systems using hybrid credentials and multi-tech readers.
A recently published document from the Physical Security Interoperability Alliance (PSIA) is drawing attention to what many consider a landmark advancement in access control: Public Key Open Credential (PKOC).
Co-authored by Jason Ouellette, chairman of PSIA, and the late Ed Chandler, founder of Security by Design, the “What Is PKOC?” document offers a comprehensive overview of the open specification aimed at improving credentialing through greater security, simplicity and interoperability.
The document describes how PKOC uses public key cryptography to authenticate credentials such as smart cards and mobile devices, following X.509 standards. One of its core advantages, Ouellette explained to SecurityInfoWatch, is that it eliminates the need for shared secrets and proprietary licensing — two of the most common limitations in traditional access control credentials.
Unlike traditional access control credentials that rely on symmetric encryption methods — many of which have known vulnerabilities — PKOC harnesses asymmetric cryptography. Each credential has a unique private/public key pair, eliminating the need for a shared secret.
“This is PK without the ‘I,’ meaning PKOC does not require or utilize a certificate authority,” said Ouellette, who serves as corporate vice president of innovation & technical partnerships for Elatec GmbH. “That keeps the solution very simple while enabling interoperability and vendor-neutral compatibility, while reducing fraud and unauthorized access.”
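To make the two points above concrete (a unique key pair per credential, and a reader that trusts an enrolled public key directly with no certificate authority in the loop), here is an added Go sketch of a challenge-response exchange between a reader and a credential. It is illustrative code written for this article, not PSIA's specification or any vendor's implementation; it assumes ECDSA over P-256 and an X.509 SubjectPublicKeyInfo encoding for the enrolled key, neither of which the article names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential models a PKOC-style card or phone. The private key is generated on
// the device and never leaves it; only the public key is ever shared.
// Assumption: ECDSA/P-256 and SPKI encoding (the article states neither).
type Credential struct {
	priv *ecdsa.PrivateKey
}

// NewCredential is the "self-issuing" step: no issuer or CA takes part.
func NewCredential() (*Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Credential{priv: priv}, nil
}

// PublicKeyDER is what enrollment hands to the access control system.
func (c *Credential) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&c.priv.PublicKey)
}

// Respond signs the reader's challenge; this is the only use of the private key.
func (c *Credential) Respond(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Reader stores only public keys, so a stolen reader or database yields nothing
// that can forge a credential: there is no shared secret to lose.
type Reader struct {
	enrolled map[string]*ecdsa.PublicKey // keyed by hex of the SPKI bytes
}

func NewReader() *Reader {
	return &Reader{enrolled: make(map[string]*ecdsa.PublicKey)}
}

// Enroll trusts a public key directly; there is no certificate chain to walk.
func (r *Reader) Enroll(der []byte) error {
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("enrolled key is not an EC public key")
	}
	r.enrolled[hex.EncodeToString(der)] = ecPub
	return nil
}

// Challenge issues a fresh random nonce so a captured response cannot be replayed.
func (r *Reader) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts only an enrolled key whose signature covers this nonce.
func (r *Reader) Verify(der, nonce, sig []byte) bool {
	pub, ok := r.enrolled[hex.EncodeToString(der)]
	if !ok {
		return false
	}
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Authenticate runs the whole exchange: nonce out, signature back, verify.
func Authenticate(r *Reader, c *Credential) (bool, error) {
	der, err := c.PublicKeyDER()
	if err != nil {
		return false, err
	}
	nonce, err := r.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := c.Respond(nonce)
	if err != nil {
		return false, err
	}
	return r.Verify(der, nonce, sig), nil
}

func main() {
	reader := NewReader()
	card, _ := NewCredential()
	der, _ := card.PublicKeyDER()
	_ = reader.Enroll(der)
	ok, _ := Authenticate(reader, card)
	fmt.Println("enrolled credential accepted:", ok)
	stranger, _ := NewCredential()
	ok, _ = Authenticate(reader, stranger)
	fmt.Println("unenrolled credential accepted:", ok)
}
```

The design point worth noticing is the asymmetry of what each side holds: the credential keeps a private key, the reader keeps a list of public keys, and neither ever possesses the other's secret. Because the reader accepts a key only if it was enrolled, the absence of a CA does not mean any key is trusted; it means trust is established at enrollment rather than by a certificate chain, which is also why revocation currently has to be handled by removing the enrolled key rather than through a CA.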
Simplicity Without Sacrificing Security
First introduced by PSIA in 2021, PKOC has steadily evolved as an open, vendor-neutral alternative to proprietary credentialing systems. At its core, the specification is designed for ease of deployment. There are no facility codes, site codes or complex card numbering systems to manage. Enrollment, however, remains one of the key challenges, particularly in environments migrating from legacy credentials.
“The main challenges of any organization going to PKOC are the enrollment of a PKOC credential and the migration away from legacy credential types,” Ouellette said. He recommends USB PKOC readers or enrollment services, along with multi-technology readers and hybrid credentials, to ease this transition.
According to the “What Is PKOC?” document, the enrollment process can require some creativity, especially for access control systems that were designed around 50-bit formats. For example, wedge readers may need to split 128-bit credentials into multiple fields using tabbed inputs to fit into legacy access control system screens. That complexity is expected to diminish as more systems build native support for larger PKOC keys.
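The field-splitting workaround just described is easy to get wrong at the edges (a chunk that is one digit too long, or a system that silently truncates). The following Go snippet is an added illustration of the idea, not PSIA's tooling or any wedge reader's firmware: it splits a 128-bit credential value into decimal chunks that each fit a chosen legacy field width and reassembles them on the system side, rejecting any chunk that would not fit. The 50-bit width and the sample identifier are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strings"
)

const credentialBits = 128

// SplitCredential breaks a 128-bit credential value (32 hex digits) into decimal
// chunks of at most fieldBits bits each, most significant first, so each chunk
// can be entered into a separate legacy card-number field.
func SplitCredential(hex128 string, fieldBits int) ([]string, error) {
	if len(hex128) != credentialBits/4 {
		return nil, errors.New("credential must be exactly 32 hex digits")
	}
	v, ok := new(big.Int).SetString(hex128, 16)
	if !ok {
		return nil, errors.New("credential is not valid hex")
	}
	if fieldBits < 1 || fieldBits > credentialBits {
		return nil, fmt.Errorf("field width %d bits out of range", fieldBits)
	}
	nFields := (credentialBits + fieldBits - 1) / fieldBits // round up
	mask := new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), uint(fieldBits)), big.NewInt(1))
	fields := make([]string, nFields)
	for i := nFields - 1; i >= 0; i-- {
		fields[i] = new(big.Int).And(v, mask).String()
		v.Rsh(v, uint(fieldBits))
	}
	return fields, nil
}

// JoinCredential reverses SplitCredential on the system side. A field that does
// not fit in fieldBits indicates a typo or truncation and is rejected outright.
func JoinCredential(fields []string, fieldBits int) (string, error) {
	limit := new(big.Int).Lsh(big.NewInt(1), uint(fieldBits))
	v := new(big.Int)
	for _, f := range fields {
		chunk, ok := new(big.Int).SetString(f, 10)
		if !ok || chunk.Sign() < 0 || chunk.Cmp(limit) >= 0 {
			return "", fmt.Errorf("field %q does not fit in %d bits", f, fieldBits)
		}
		v.Lsh(v, uint(fieldBits))
		v.Or(v, chunk)
	}
	if v.BitLen() > credentialBits {
		return "", errors.New("fields exceed 128 bits")
	}
	s := v.Text(16)
	return strings.Repeat("0", credentialBits/4-len(s)) + s, nil
}

func main() {
	id := "0123456789abcdef0123456789abcdef" // constructed sample, not a real credential
	fields, _ := SplitCredential(id, 50)
	fmt.Println("legacy fields:", fields)
	back, _ := JoinCredential(fields, 50)
	fmt.Println("round trip ok:", back == id)
}
```

With a 50-bit field width the 128-bit value lands in three fields (50, 50 and 28 bits), and the join side refuses a field whose decimal value exceeds 2^50, which is the check a legacy screen typically lacks.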
Crucially, as Ouellette emphasizes, PKOC is fully open: there are no licensing fees, royalties or membership requirements. Any manufacturer or integrator can create PKOC-compliant readers and credentials, leveling the competitive playing field and enabling cost reduction for end users.
Explore the Full PKOC Specification From PSIA
For a deeper look at Public Key Open Credential’s design, benefits, implementation strategies and future roadmap, visit the PSIA Secure Credentials resource page where you can also download the full “What Is PKOC?” document.
Cost and Interoperability Advantages
PKOC’s open nature promises broad market impacts. End users are no longer tied to proprietary ecosystems and can avoid the complications of supporting multiple card types in multi-tenant buildings or distributed campuses. For integrators and consultants, PKOC simplifies system design and reduces the complexity of specifying, ordering and supporting secure credentials.
Ouellette noted that PKOC “is self-issuing, meaning it does not need a credential manager or issuance manager.” While it currently does not support centralized credential revocation, the roadmap includes adding Certificate Authority (CA) functionality for enterprise customers that require it.
The PSIA document also outlines several tools now available to assist in implementations, including the PKOC over OSDP specification, Android reader simulators and USB-based wedge enrollment readers. These resources are intended to reduce setup friction and bring consistency to deployments across different platforms.
Mobile-Centric and Future-Ready
PKOC is also designed to adapt with the times. It supports BLE, NFC and ultra-wideband (UWB) communications, and is compatible with both mobile devices and smart cards.
“PKOC today can support both BLE and NFC utilizing mobile devices for credential use,” Ouellette said. “It will play a significant role in mobile and card-based solutions going forward because of its simplicity and openness, making adoption of the protocol easily possible for vendors.”
With ongoing interest in mobile wallet integration, PKOC’s foundation is said to make it well positioned for future digital wallet support. Although it is not currently supported in Apple Wallet, work is underway by several industry partners to integrate PKOC into major mobile credential platforms. As outlined in the PSIA resource, a specification for mobile apps that generate PKOC credentials is already available and includes open-source tools for developers.
PKOC vs. Aliro
Ouellette was also quick to clarify how PKOC compares to Aliro, a forthcoming standard from the Connectivity Standards Alliance. While both are built on public key infrastructure, they serve different use cases.
“If today a certificate authority is required, then Aliro would be the better choice,” he said. “But Aliro won’t be released until fall this year, and PKOC is available to start implementing today where it addresses the highly secure use of credentials for online requirements.”
That distinction underscores a broader industry shift toward credentialing models that emphasize openness, flexibility and ease of implementation.
“What makes PKOC compelling,” Ouellette said, “is that it delivers strong security through simplicity — without locking customers into a single ecosystem.”
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].