The Badge Problem
Physical access control has worked the same way for decades: issue a badge, program it with access levels, hand it to the employee. When the employee leaves, collect the badge.
This model has three fundamental problems:
- Badges are expensive. A single HID iCLASS SE card costs $4–$7. A SEOS card costs $8–$17. Multiply by thousands of employees, add replacement cards for losses, and badge costs become a significant line item.
- Badges are insecure. A lost badge is a security credential in unknown hands. Badge sharing is endemic in every large organization. And cloning attacks against legacy 125 kHz and iCLASS cards are trivial.
- Badges prove nothing about identity. A badge proves that someone has a piece of plastic. It doesn’t prove they are who they claim to be. The gap between “has a badge” and “is authorized” is where security failures live.
What Identity-Based Access Means
Identity-based access control inverts the model. Instead of issuing a physical token (badge) and granting access based on token possession, the system verifies the person’s identity directly — using their government-issued digital ID or organizationally issued digital credential.
The employee taps their phone on an NFC reader at the door. The reader verifies their digital identity cryptographically — checking the credential’s signature against the issuing authority. If the identity is valid and authorized for that door, the door opens.
No badge. No card. No token to lose, share, or clone.
How It Works with Existing Infrastructure
The critical question for any security director: does this require replacing my access control system?
No. The KeyShare Connect platform integrates with existing PACS (Physical Access Control Systems) — LenelS2, Genetec, Acre, RS2 — through the Mercury panel. The panel derives a site-specific UUID from the verified identity and passes a standard credential number to the PACS. The PACS doesn’t know or care that the credential originated from a digital ID — it processes it like any other credential.
Existing access levels, schedules, anti-passback rules, and area restrictions all work unchanged. The PACS administrator manages digital identity credentials using the same tools they use for badge credentials.
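An added sketch of the derivation step described above. It is not KeyShare's or Mercury's code, and the page does not say how the UUID is derived. It assumes HMAC-SHA-256 keyed with a per-site secret, a stable subject identifier taken from the verified credential, and a 48-bit credential-number field; all names are hypothetical, and the collision check at enrollment goes one step beyond the text.

```python
import hashlib
import hmac
import uuid

CARD_BITS = 48  # assumption: width of the PACS credential-number field


def site_uuid(site_key: bytes, subject_id: str) -> uuid.UUID:
    """Keyed one-way mapping: verified identity -> per-site UUID (assumed scheme)."""
    mac = hmac.new(site_key, subject_id.encode("utf-8"), hashlib.sha256).digest()
    return uuid.UUID(bytes=mac[:16])  # first 128 bits of the MAC, UUID-formatted


def credential_number(site_id: uuid.UUID, bits: int = CARD_BITS) -> int:
    """Keep the top `bits` bits so the value fits the PACS card format."""
    return site_id.int >> (128 - bits)


def enroll(site_key: bytes, subject_id: str, registry: dict, bits: int = CARD_BITS) -> int:
    """Add the subject to registry {number: UUID}; refuse a truncation collision."""
    sid = site_uuid(site_key, subject_id)
    number = credential_number(sid, bits)
    if registry.setdefault(number, sid) != sid:
        raise ValueError("credential number already assigned to another identity")
    return number


if __name__ == "__main__":
    # Constructed sample values, not real keys or identifiers.
    hq_key, lab_key = b"constructed-hq-site-key", b"constructed-lab-site-key"
    subject = "issuer.example/subject/0001"
    registry = {}
    print("HQ :", site_uuid(hq_key, subject), enroll(hq_key, subject, registry))
    print("Lab:", site_uuid(lab_key, subject))  # unlinkable to the HQ value
```

Under this assumed scheme the PACS stores only the truncated number, which cannot be mapped back to the identity, or matched to the same person's number at another site, without the site key.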
The Security Upgrade
Identity-based access provides security properties that badges cannot:
- Cryptographic verification. Every door opening verifies the credential’s digital signature — not just a card number that can be cloned.
- Biometric binding. The digital ID is bound to the device through the phone’s biometric authentication (Face ID, fingerprint). Access requires both the credential and the person.
- Zero PII at the edge. The reader processes identity data in transient memory only. After verification, the reader holds zero personally identifiable information. If a reader is compromised, there’s nothing to extract.
The Cost Math
For a 5,000-employee enterprise: badge costs run $40,000–$85,000 annually (initial issuance plus replacements). Add administrative time for badge issuance, replacement processing, and deactivation — typically 15–30 minutes per event.
Identity-based access eliminates the badge supply chain entirely. No cards to order, program, print, issue, replace, or deactivate. The credential is the person’s identity — already on their phone.