Identity-Based Physical Access

Authorize People, Not Tokens.

Your employees already have a government-issued digital identity. Use it for building access — and eliminate per-user credential costs entirely. No rip-and-replace. No new tokens. No per-user fees.

$0 Per-user credential fees
0 Panels replaced
5 sec Tap-to-provision
0 Biometric retention

The industry is stuck between insecure plastic and economically unviable digital.

$4–$17

Per-user, per-year mobile credential cost — at scale, a Fortune 500 projected $170K annually for just 10,000 users.

Lost & shared

Plastic cards are lost, shared, cloned, and never deactivated. The alternative is just as broken.

Growing worse

The credentialing crisis scales with your workforce. More employees = more cost, more risk, more admin burden.

KeyShare eliminates the credentialing line item entirely. Employees use their own government-issued digital identity for access. No vendor-issued token. No per-user fee. No new credential to manage.

Two Solutions, One Platform

Choose your starting point.

Building Access Control

Eliminate credential costs and authorize people, not tokens. Built for your existing Mercury panels and PACS software. No rip-and-replace. KeyShare is a software add-on that runs on the infrastructure you already own.


Visitor Management

Every visitor verified. Every visit logged. Every credential provisioned. Identity-verified check-in at reception or an unattended self-service kiosk. Cryptographic verification, face matching with zero biometric retention, and credential provisioning in a single tap.

Why KeyShare

Three outcomes. One platform.

Massive TCO Reduction

Eliminate the $4–$17/user/year credential tax. KeyShare uses the one credential you don't have to pay for or manage — your employees' own verified identity. Site-based subscription pricing, not per-user licensing.

Superior Security

Authorize a cryptographically verified person, not a transferable token. Lost, shared, or cloned credentials stop being a security risk when the credential is a verified identity that can't be separated from its owner.

Modern Experience

Employees tap their phone at any door. Visitors tap once at reception — or check themselves in at a self-service kiosk — and receive a real credential. No proprietary apps to download, no invitation emails to track.

ROI Calculator

Calculate your credential cost savings.


Estimates based on industry credential cost ranges. KeyShare pricing is a site-based subscription — contact us for pricing based on your deployment scope.

Integration

Built for the infrastructure you already run.

Category: Supported
Panel Hardware: Mercury Security — LP and MP controller series
PACS Software: LenelS2, Genetec, Acre, RS2, Access It (via Mercury controllers)
Communication Protocol: OSDP v2.2 over RS-485
Identity Standard: ISO 18013-5 (mobile driver's license)
Cryptographic Foundation: FIPS 140-2 validated (wolfSSL)
Reader Protocol: KeyShare Reader Library — OSDP-compliant, NFC-capable
Additional Platforms: Additional controller platforms targeting 2026 — contact us to discuss your specific infrastructure

Zero changes to your panels and PACS software. If your existing readers support NFC for ISO 18013-5 presentation, they can run the KeyShare Reader Library. If not, a reader upgrade to KeyShare Ready hardware is the only potential change — at the reader edge, not the controller or head-end.

How It Works

Your infrastructure. Our intelligence layer.

On-premise access decisions

The Panel Application caches a cryptographically signed manifest on the Mercury controller. Access decisions are made locally — no cloud round-trip, no cloud dependency for any door opening.

Zero PACS integration required

The Panel Application outputs a standard credential number through the panel's native interface. The PACS sees a standard credential — no proprietary integration, no API changes, no middleware.

Controller Derivation architecture

Intelligence lives on the panel, not in the cloud or at the reader. The reader authenticates the digital ID; the panel derives a site-specific UUID and validates it against the manifest. No PII stored at the reader edge.

Building Access — 4-Step Operational Flow

1. Enroll

Admin enrolls employee via KeyShare Connect or by verifying a physical identity document. A site-specific UUID is generated and pushed to the panel manifest.

2. Tap

Employee taps phone at a KeyShare Ready reader. Reader authenticates the digital ID via ISO 18013-5.

3. Authorize

Panel Application derives the UUID and validates against the cached manifest. Sub-150ms panel-level authorization. Standard credential number passed to the PACS.

4. Access

PACS grants or denies access using its existing rules. Door opens. The PACS didn't change. The rules didn't change. The credential did.

Offboarding: Admin revokes the user in the PACS or in KeyShare Connect. UUID is removed from the manifest at the next sync cycle (configurable; default 60 minutes). For immediate revocation, a forced manifest sync can be triggered.
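The derive-and-validate step and the offboarding window described above, as an added sketch that is not KeyShare code. The page does not publish the derivation or the manifest format, so the HMAC-SHA256 derivation, the JSON manifest, the HMAC tag standing in for the manifest signature (a deployed panel would verify an asymmetric signature and hold only a public key), and every key, name and timestamp below are assumptions.

```python
import hashlib
import hmac
import json
import uuid

SYNC_INTERVAL_S = 60 * 60  # the page's default manifest sync cycle (60 minutes)

def derive_site_uuid(site_key: bytes, holder_id: str) -> str:
    # Assumed derivation: keyed one-way hash, so the UUID differs per site and
    # cannot be turned back into the identity attribute without the site key.
    digest = hmac.new(site_key, holder_id.encode(), hashlib.sha256).digest()
    return str(uuid.UUID(bytes=digest[:16], version=5))

def build_manifest(manifest_key: bytes, uuids, issued_at: int) -> dict:
    # Assumed format: JSON body plus an HMAC tag standing in for the signature.
    body = json.dumps({"issued_at": issued_at, "uuids": sorted(uuids)}).encode()
    tag = hmac.new(manifest_key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def authorize(manifest, manifest_key, site_key, holder_id):
    # Verify the cached manifest before trusting anything inside it.
    expected = hmac.new(manifest_key, manifest["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return (False, "manifest-tampered")
    enrolled = set(json.loads(manifest["body"])["uuids"])
    if derive_site_uuid(site_key, holder_id) not in enrolled:
        return (False, "not-in-manifest")
    return (True, "ok")

def manifest_overdue(manifest, now: int) -> bool:
    # A panel that has missed a sync keeps deciding on old data; surface that.
    issued = json.loads(manifest["body"])["issued_at"]
    return now - issued > SYNC_INTERVAL_S

# Constructed sample data (keys, holder ids and timestamps are made up).
SITE_A, SITE_B, MKEY = b"site-a-demo-key", b"site-b-demo-key", b"manifest-demo-key"
ALICE, BOB = "constructed-holder-001", "constructed-holder-002"
T0 = 1_700_000_000
cached = build_manifest(MKEY, [derive_site_uuid(SITE_A, h) for h in (ALICE, BOB)], T0)
# Bob is offboarded; the next sync delivers a manifest without his UUID.
synced = build_manifest(MKEY, [derive_site_uuid(SITE_A, ALICE)], T0 + SYNC_INTERVAL_S)

if __name__ == "__main__":
    print(authorize(cached, MKEY, SITE_A, BOB))   # still granted until the sync
    print(authorize(synced, MKEY, SITE_A, BOB))   # denied after the sync
```

Until the panel loads the newer manifest, the offboarded holder is still granted locally, which is the gap the forced manifest sync closes; an overdue manifest is worth alerting on for the same reason.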

Visitor Management — 5-Step Flow

1. Pre-register

Host pre-registers visitor, or calendar integration detects the visit automatically.

2. Arrive

Visitor arrives at reception or self-service kiosk. Puck shows "Ready."

3. Verify

Identity is cryptographically verified. NIST-evaluated face matching with liveness detection. Zero biometric retention.

4. Comply

NDA signed electronically on the Puck touchscreen, if required. Signature linked to verified identity.

5. Credential

Visitor receives a credential: mobile wallet pass, encoded badge, or direct access. Host notified. Visit logged.

Trust & Standards

Built on standards. Validated by the industry.

ISO 18013-5: Identity verification
OSDP v2.2: Reader-controller comm
FIPS 140-2: Validated crypto (wolfSSL)
MISRA C:2012: Reader Library firmware

KeyShare Ready™ Certification Program launching for reader manufacturers.

For System Integrators

Built for your channel. Built on your hardware.

KeyShare is a channel-first company. System integrators are the primary sales, deployment, and support channel — not a bypass target. KeyShare is designed to be deployed and supported by the SIs who already own the Mercury relationship.

Recurring revenue: Add subscription revenue to existing Mercury project-based deployments.
Built on your hardware: Panel Application runs on Mercury controllers. Reader Library runs on OSDP-capable readers.
Software-only deployment: Load the Panel Application onto existing controllers. Same-day deployment.
Demo mode included: Run live demos in any prospect's conference room with simulated data.
Certification & deal protection: Deal registration, priority support, co-marketing, and MDF eligibility.
Your support model: SI provides Tier 1. KeyShare provides Tier 2/3 with dedicated resources.

FAQ

Frequently Asked Questions

No. KeyShare is a software add-on to your existing infrastructure. The Panel Application runs on your Mercury controllers. The KeyShare Add-On appears as a new tab inside your existing PACS management console (LenelS2, Genetec, Acre, RS2, Access It). Zero panel replacement. Zero PACS migration. We don't replace your access control — we eliminate the most expensive line item in it.

KeyShare is not a mobile credential provider. Proprietary mobile credentials are vendor-issued tokens with per-user fees — $4 to $17 per user, per year. KeyShare leverages government-issued verifiable digital identity (mobile driver's licenses). We are in the identity verification business, not the mobile credential business. There is no per-user fee because there is no vendor-issued credential to pay for.

At launch, KeyShare supports Mercury Security LP and MP controller series. PACS platforms supported via Mercury: LenelS2, Genetec, Acre, RS2, and Access It. Communication protocol: OSDP v2.2 over RS-485. Additional controller platforms are targeting 2026 — contact us to discuss your specific infrastructure.

Doors keep opening. The Panel Application caches a cryptographically signed manifest locally on the Mercury controller. All access decisions happen on-premise with zero cloud dependency. The cloud syncs manifests on a configurable interval (default: 60 minutes) — it is not in the critical path of any door opening.

Data minimization is an architectural property. The Reader Library requests only the specific PII fields configured for that site — selective disclosure per ISO 18013-5. No PII is stored at the reader. The Panel Application derives a non-reversible, site-specific UUID. For visitor management, face matching data is processed in memory only and immediately discarded — zero retention. For detailed security controls, see the Security & Trust Center.

KeyShare supports a hybrid transition model. Employees with mDLs use identity-based access immediately. Employees without mDLs continue using their existing credentials through the existing PACS, which is unchanged. KeyShare Connect manages both populations from a single enrollment console. Additionally, an authorized administrator can enroll a user by verifying their physical identity document — extending identity-based access to employees who don't yet hold a digital ID. There is no "switch-over day."

KeyShare's on-premise architecture — no PII transmitted to the cloud for access decisions, FIPS 140-2 validated cryptography, full audit logging, non-reversible identity binding — aligns with the security controls required by ITAR, HIPAA physical access controls, SOX, and similar frameworks. For visitor management, biometric face matching is designed for compliance with BIPA, GDPR, and similar biometric privacy regulations. We describe the architectural properties that map to regulatory requirements. For detailed control mappings, see the Security & Trust Center.

The KeyShare Puck serves as the identity verification terminal at reception — or as an unattended self-service kiosk. A visitor taps their phone (mDL) or scans a physical ID on the Puck. Identity is cryptographically verified and face matching confirms the person matches the document — biometric data is processed in memory and immediately discarded. Based on site configuration, the visitor receives a temporary credential in their native mobile wallet, a physical badge is encoded, or direct access is authorized. Every visit is logged with verified identity for compliance audit. Learn more about Visitor Management →

Ready to eliminate credential costs?

Request a custom TCO analysis — a personalized savings report based on your headcount, current credentialing method, and infrastructure. Designed to take to your CFO.

System integrator? Apply to the Certified Partner Program →