Embedded Firmware — Access Control Readers

KeyShare Reader Library.

Embedded firmware that turns access control readers into ISO 18013-5 identity verification endpoints — communicating with the panel via OSDP, holding zero PII, and running at the speed of a card tap.

Looking for the business case for identity-based access? Start with the Physical Access hub or Building Access solution. This page is the technical reference for reader manufacturers and OEM engineers.

<100ms Reader-Edge Response | 0 PII Stored | 4 Open Standards | 1 Integration Surface (OSDP)

Overview

A verifier at the edge. Not a decision-maker.

The Reader Library handles one job: verify that the person tapping their phone holds a valid government-issued digital identity, and pass the result to the Panel Application via OSDP.

What it does
  • ISO 18013-5 Identity Verification: Establishes secure sessions, requests the configured identity attributes via selective disclosure, and verifies the cryptographic signature.
  • NFC Communication: Manages NFC sessions with mobile devices per ISO 18013-5 NFC engagement. BLE transport is supported for extended-range use.
  • Selective Disclosure: Requests only the specific attributes configured for that site, not the full credential.
  • Cryptographic Verification: FIPS 140-2 validated operations (wolfSSL). Verifies issuer signature, tamper detection, and expiration.
  • OSDP Communication: Reports results to the Panel Application over OSDP v2.2 with SCS encryption. Standard RS-485.
  • Presentation Feedback: Drives LED and audio indicators per OSDP for tap status, processing, success, or failure.

What it does NOT do
  • Does not store PII: No identity data persisted after session ends. Not by policy — by architecture. No persistent storage for identity data.
  • Does not make access decisions: Reader verifies identity. Panel Application derives UUID. PACS makes the access decision. Reader never decides.
  • Does not hold site keys: Site-specific cryptographic keys live on the Panel Application. Reader cannot derive UUIDs.
  • Does not cache credentials: Credential manifest lives on Panel Application. No credential cache, no offline validation independent of panel.
  • Does not require cloud connectivity: Communicates only with Panel Application via OSDP. No network connection, no IP address, no cloud dependency.

If a reader is stolen or tampered with, the attacker gains a firmware image, an NFC antenna, and an OSDP peripheral device. They gain no identity data, site keys, credential manifests, or access decision logic. The reader is replaceable — the intelligence is on the panel.
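
Added example (not KeyShare's code; the page does not publish the library source): one way firmware can hold the transient session data described on this page, the ephemeral key and the selective disclosure response, in static RAM only and clear it on every exit path, including the error path. The struct layout, buffer sizes, function names and the status-only result are assumptions made for illustration.

```c
/* Added example, not KeyShare code. Names, sizes and the status-only result are assumptions. */
#include <stdint.h>
#include <string.h>

#define EPH_KEY_LEN 32u   /* P-256 private scalar */
#define RESP_MAX    256u  /* assumed cap on the selective disclosure response */

typedef struct {
    uint8_t eph_key[EPH_KEY_LEN]; /* per-session ECDH key, filled by the key exchange (not shown) */
    uint8_t resp[RESP_MAX];       /* disclosed attributes received from the phone */
    size_t  resp_len;
} session_t;

static session_t g_sess;          /* static RAM only: no heap, no flash copy */

/* GCC and Clang keep stores made through a volatile lvalue, so the wipe is not optimized away. */
static void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n > 0u) { *v = 0u; v++; n--; }
}

/* Copy the phone's response in; on a bad pointer or length, wipe the whole session and fail. */
int session_store_response(const uint8_t *data, size_t len)
{
    if ((data == NULL) || (len == 0u) || (len > RESP_MAX)) {
        secure_wipe(&g_sess, sizeof g_sess);
        return -1;
    }
    (void)memcpy(g_sess.resp, data, len);
    g_sess.resp_len = len;
    return 0;
}

/* Reduce the session to 1 (verified) or 0, then wipe it whether or not the checks passed. */
int session_finish(int sig_ok, int not_expired)
{
    int ok = (g_sess.resp_len > 0u) && (sig_ok == 1) && (not_expired == 1);
    secure_wipe(&g_sess, sizeof g_sess);
    return ok;
}

/* Returns 1 when every session byte is zero: usable as a post-transaction self-check. */
int session_is_clear(void)
{
    const uint8_t *b = (const uint8_t *)&g_sess;
    for (size_t i = 0u; i < sizeof g_sess; i++) { if (b[i] != 0u) { return 0; } }
    return 1;
}
```

The signature and expiry checks themselves are outside this sketch; their outcomes are passed to session_finish() as flags.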

Architecture

Controller Derivation architecture.

The Reader Library is the edge layer — first point of contact with the employee's identity.

EDGE: Reader (Reader Library)
Authenticate digital ID via ISO 18013-5. Verify signature. Report via OSDP.
Data: Transient only

PANEL: Panel Application
Derive site-specific UUID. Validate against cached manifest. Pass credential to PACS.
Data: Manifest + site keys

CLOUD: KeyShare Connect
Enrollment orchestration. Manifest generation. PKI. Audit logging.
Data: Enrollment + audit

EXISTING: PACS (Unchanged)
Access decision — apply access levels, schedules, rules. No changes required.
Data: Access rules

Reader ↔ Mobile
Protocol: ISO 18013-5 NFC engagement
Encryption: Per-session ECDH key exchange
Physical: NFC (13.56 MHz)

Reader ↔ Panel
Protocol: OSDP v2.2
Encryption: SCS, AES-128
Physical: RS-485

Standards

Four standards. Zero proprietary protocols.

Every protocol is a published standard with multi-vendor support. No vendor lock-in at the reader layer.

ISO 18013-5
Digital Identity Verification

The international standard for mobile driver's license presentation. NFC engagement, session establishment, selective disclosure, and cryptographic verification. Your reader speaks the same protocol as every mDL-issuing government authority.

OSDP v2.2
Reader-to-Panel Communication

SIA standard for reader-controller communication over RS-485. Same protocol your readers already use with access control panels. No proprietary wiring, no custom protocols, no middleware.

FIPS 140-2
Cryptographic Validation

Uses wolfSSL cryptographic library (FIPS 140-2 validated). Signature verification, key exchange, session encryption — all FIPS-validated implementations. Validation applies to wolfSSL library specifically.

MISRA C:2012
Development Standard

Developed to the automotive and safety-critical firmware coding standard. No undefined behavior, no memory leaks. Same standard as automotive safety systems.

Integration Requirements

What your reader needs.

Designed for resource-constrained embedded environments — the typical ARM-based microcontroller in modern access control readers.

Hardware Requirements
Processor: ARM Cortex-M4 or higher
Flash: 128 KB minimum
RAM: 80 KB minimum
NFC Frontend: ISO 14443 A/B
OSDP: v2.2 over RS-485
Secure Element: Recommended (CC EAL5+)
BLE: Optional (BLE 5.0)

Software Integration
Delivery: Static library (C99) + headers
Build: ARM GCC + Docker env
RTOS: Bare-metal, FreeRTOS, Zephyr
Binary Size: <128 KB target
Config: JSON configuration file
Firmware Updates: OTA via Panel Application
Reference: TI CC26X2R1 dev platform

HAL approach: The Reader Library manages the NFC protocol stack and OSDP framing. Your reader provides the hardware abstraction layer — antenna control, field generation, RS-485 physical layer. Minimal integration effort, maximum hardware flexibility.

Certification

Become KeyShare Ready.

The KeyShare Ready Certification Program validates that your reader, with the Reader Library integrated, meets standards for digital ID verification, OSDP communication, and deployment reliability.

1. Integration (4–8 Weeks)
Integrate the Reader Library into your reader hardware. KeyShare provides the library, integration guide, reference implementation, and engineering support.

2. Testing (2–4 Weeks)
KeyShare runs the certification test suite: ISO 18013-5 protocol compliance, OSDP communication, NFC performance, SCS encryption, selective disclosure, LED/audio feedback.

3. Certified (Upon Passing)
Passed readers receive KeyShare Ready certification. Listed in compatibility matrix. Co-marketing materials available.

  • KeyShare Ready Badge: For packaging, datasheets, and marketing
  • Compatibility Matrix: Listed for SI and customer discovery
  • Co-Marketing: Joint press releases and partner comms
  • Early Access: Reader Library updates and roadmap previews

For System Integrators

Reader compatibility for your next deployment.

Your Current Readers: NFC-capable & KeyShare Ready
What You Do: Deploy Reader Library via firmware update through Panel Application. No physical changes.
Effort: Software update

Your Current Readers: NFC-capable, not certified
What You Do: Contact us to discuss certification status. Reader may be compatible pending testing.
Effort: 2–4 week eval

Your Current Readers: Not NFC-capable
What You Do: Upgrade readers at the edge. Per-door operation — panels, wiring, PACS unchanged.
Effort: Per-door swap

  • Reader upgrades are the only physical hardware change. Panels, wiring, PACS head-end — all unchanged.
  • Upgrades can be phased — start with priority floors, executive areas, or high-security zones.
  • Reader Library deployed and updated via Panel Application over OSDP — no direct reader management.
  • Each Panel Application supports multiple readers via OSDP — typically up to 4 readers per controller port.
Technical Specifications

Reader Library specifications.

For reader manufacturer engineering leads and Solutions Architects conducting technical evaluation.

Firmware
Language: C (C99)
Development Std: MISRA C:2012
Delivery: Static library + headers
Build: ARM GCC + Docker
Binary Size: <128 KB target

Cryptography
Library: wolfSSL (FIPS 140-2)
Signatures: ECDSA P-256 + SHA-256
Key Exchange: ECDH P-256 per-session
Mobile Encryption: AES-256-GCM
Panel Encryption: AES-128 (OSDP SCS)

Communication
Panel Protocol: OSDP v2.2 / RS-485
Baud Rates: 9600–115200
Polling: 50ms interval
Mobile Protocol: ISO 18013-5 NFC
BLE (Optional): BLE 5.0 / ISO 18013-5 Annex A

Performance Targets
Reader-Edge: <100ms (p99)
NFC Session: <500ms establishment
Attributes: 1–6 typical per site
Temperature: -40°C to +85°C validated

FAQ

Frequently asked questions.

The Reader Library is embedded firmware that runs on NFC-capable access control readers. It handles ISO 18013-5 identity verification — establishing a secure session with the employee's mobile device, verifying the digital ID's cryptographic signature, and reporting the result to the Panel Application over OSDP. It stores no PII and requires no cloud connectivity.

The Reader Library is built entirely on open standards — ISO 18013-5, OSDP v2.2, FIPS 140-2 validated cryptography, and MISRA C:2012. No proprietary wiring, no custom communication protocol, and no vendor lock-in at the reader layer.

The Reader Library requires an NFC-capable reader with an ARM Cortex-M4 or higher processor, 128 KB available flash, and 80 KB RAM. If your reader meets these requirements, it is a candidate for Reader Library integration and KeyShare Ready certification.

None persistently. During an NFC verification session, the Reader Library holds transient session data in memory — ephemeral keys, the selective disclosure response, and the verification result. All session data is cleared when the transaction completes.

Firmware updates are delivered through the Panel Application over OSDP. No direct cloud connection to the reader is required. The reader's only communication path is OSDP to the panel.

The attacker gains a firmware image, an NFC antenna, and an OSDP peripheral device. They do not gain: identity data, site keys, credential manifests, or access decision logic — all stored on the panel, not the reader.

Typical integration takes 4–8 weeks. KeyShare Ready certification testing adds 2–4 weeks. Total: approximately 6–12 weeks from first integration to certified product.

KeyShare Ready is a certification program for reader manufacturers. Certified readers pass testing for ISO 18013-5 compliance, OSDP communication, NFC performance, and security, and are listed in the KeyShare compatibility matrix.

Yes. BLE 5.0 is supported per ISO 18013-5 Annex A for extended-range scenarios. NFC is the primary transport; BLE is optional.

ISO 18013-5 compliant | FIPS 140-2 validated | MISRA C:2012 | OSDP v2.2 native

Build the next generation of access control readers.

Integrate the KeyShare Reader Library into your reader hardware and become KeyShare Ready. We'll provide the library, the integration guide, and engineering support through certification.