Aliro, PKOC, LEAF… What Do They All Mean?

Card and reader selection might seem like a simple decision, but it is one of the most important choices for the long-term success, security and sustainability of an access control program.
In many deployments, the credential technology gets chosen almost by accident. Integrators often default to whatever they are comfortable with, or whatever happens to be sitting on the shelf at ADI or Anixter. It is a relatively small and inexpensive part of the overall system, so it rarely gets the design attention it deserves. Unfortunately, that small decision can lock an organization into a technology path for the next decade or more.
Before diving into the newer options, I am going to skip right over proximity cards. We all know they are insecure, easy to clone or emulate and long overdue for retirement.
Modern secure credentials are more complicated to navigate, especially if you are trying to avoid proprietary vendor ecosystems. Most of the secure credentials deployed today rely on symmetric encryption, where both the card and the reader share the same secret key. Sometimes this key is unique to a customer deployment, but in many cases it is a generic manufacturer key used across thousands of installations.
The risk with symmetric encryption is simple: if that shared key is ever compromised, every card that uses it becomes suspect. An attacker could potentially create credentials at will, forcing the organization to question the authenticity of every card in circulation. Using a customer-specific key helps reduce the blast radius because the attacker must specifically target that deployment, but the fundamental risk remains.
Newer credential technologies are moving toward asymmetric encryption, where the private key is never exposed. This significantly improves security and reduces the attack surface. Asymmetric cryptography is the same approach used to secure websites and digitally sign email. The public key is meant to be widely distributed, while the private key remains protected. Without the private key, the public key is useless for impersonation or credential creation.
If you want a quick refresher on how asymmetric cryptography works, search online for “Alice and Bob.” They are the fictional characters commonly used to explain encryption concepts. But back to cards and readers.
Aliro
The Aliro specification, released by the Connectivity Standards Alliance in February 2026, is the first interoperable mobile credential specification designed specifically for use with digital wallets and access control systems.
Aliro defines how mobile devices communicate securely with readers using modern cryptography and device-level protections. The specification focuses primarily on the communication and trust architecture rather than the credential data structures traditionally used in physical access systems.
The working group behind Aliro includes many major access control manufacturers as well as technology companies like Apple, Google and Samsung. The goal is to enable mobile credentials that work across multiple vendors and ecosystems without proprietary lock-in.
In short: Aliro aims to do for access control what standardized mobile wallets did for payments.
PKOC
Public Key Open Credential (PKOC) is another open approach based on asymmetric cryptography. PKOC is platform agnostic, meaning the credential can exist on a physical card, a mobile device, or other secure hardware.
Each credential generates its own key pair and uses a self-signed certificate. The certificate fingerprint becomes the “card number” presented to the access control system. Ideally this identifier is 256 bits long, though it can be truncated for systems that cannot accept numbers that large.
Because the private key never leaves the credential device, it cannot be cloned. Even if one credential were compromised, no other credentials would be affected because each one has a unique key pair.
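To make the contrast between the shared-key model described at the top of the article and the PKOC-style model concrete, here is a small Go program added as an illustration; it is not code from PKOC, the PSIA, or the author. It simulates both reader protocols as a challenge-response: the symmetric card answers with an HMAC under a key that every reader also holds, while the asymmetric card signs the challenge with a private key that never leaves it and is identified by a truncatable SHA-256 fingerprint of its public key. Ed25519, the HMAC construction, the fingerprint derivation and the sample key and nonce strings are assumptions for the demonstration; the real PKOC specification defines its own curve, certificate and message formats, which are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Symmetric model: every card and every reader holds the same secret key.
// The card answers a challenge with an HMAC over its card number and the nonce.
type symmetricCard struct {
	cardNumber string
	key        []byte
}

func (c symmetricCard) respond(challenge []byte) []byte {
	m := hmac.New(sha256.New, c.key)
	m.Write([]byte(c.cardNumber))
	m.Write(challenge)
	return m.Sum(nil)
}

// symmetricVerify is the reader side. It needs the shared key, so anyone who
// holds that key can satisfy it for any card number they choose.
func symmetricVerify(sharedKey []byte, cardNumber string, challenge, response []byte) bool {
	expected := symmetricCard{cardNumber: cardNumber, key: sharedKey}.respond(challenge)
	return hmac.Equal(expected, response)
}

// demoSharedKeyCompromise: a holder of the (constructed) manufacturer key mints
// a card for an arbitrary number; the reader cannot tell it from a real one.
func demoSharedKeyCompromise() bool {
	sharedKey := []byte("constructed-manufacturer-key") // constructed sample value
	challenge := []byte("constructed-reader-nonce")     // constructed sample nonce
	forged := symmetricCard{cardNumber: "000123456", key: sharedKey}
	return symmetricVerify(sharedKey, forged.cardNumber, challenge, forged.respond(challenge))
}

// Asymmetric model (PKOC-style, simplified): the key pair is generated on the
// credential and only the public half ever leaves it.
type asymmetricCard struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newAsymmetricCard() (*asymmetricCard, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &asymmetricCard{pub: pub, priv: priv}, err
}

// identifier derives the "card number" as a SHA-256 fingerprint of the public
// key, truncated to bits (256 ideally; fewer for systems that cannot store a
// number that large). Assumed stand-in for PKOC's certificate fingerprint.
func identifier(pub ed25519.PublicKey, bits int) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:bits/8])
}

// respond signs the reader's challenge with the private key, which is never sent.
func (c *asymmetricCard) respond(challenge []byte) []byte {
	return ed25519.Sign(c.priv, challenge)
}

// asymmetricVerify is the reader side: look up the enrolled public key for the
// presented identifier and check the signature. The reader holds no secret.
func asymmetricVerify(enrolled map[string]ed25519.PublicKey, id string, challenge, sig []byte) bool {
	pub, ok := enrolled[id]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

// demoCloneRejected enrols one genuine card, then has an impostor replay its
// identifier with a signature from a different key pair (the identifier and
// public key are all that is ever observable). Returns (genuine accepted, clone accepted).
func demoCloneRejected() (bool, bool, error) {
	genuine, err1 := newAsymmetricCard()
	clone, err2 := newAsymmetricCard() // a second key pair claiming the same id
	if err1 != nil || err2 != nil {
		return false, false, fmt.Errorf("key generation failed")
	}
	id := identifier(genuine.pub, 256)
	enrolled := map[string]ed25519.PublicKey{id: genuine.pub}
	challenge := []byte("constructed-reader-nonce") // constructed sample nonce
	genuineOK := asymmetricVerify(enrolled, id, challenge, genuine.respond(challenge))
	cloneOK := asymmetricVerify(enrolled, id, challenge, clone.respond(challenge))
	return genuineOK, cloneOK, nil
}

func main() {
	g, c, err := demoCloneRejected()
	fmt.Println("shared-key holder can mint:", demoSharedKeyCompromise(), "| genuine:", g, "clone:", c, "err:", err)
}
```

The point to take from the two demos is where the secret lives: in the symmetric model the reader must hold the same key as the card, so a reader or key-management compromise affects every card issued under that key, whereas in the asymmetric model the reader database contains only identifiers and public keys, so losing it gives nobody the ability to answer a challenge. Note also that `identifier` truncates by taking a prefix of the fingerprint, so a 64-bit identifier is simply the first 16 hex characters of the 256-bit one; shortening it trades collision resistance for compatibility with panels that cannot store a 256-bit number.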
PKOC is an open specification maintained by the Physical Security Interoperability Alliance and is available for anyone to implement.
LEAF
The LEAF Community is a collaboration between manufacturers, integrators and end users focused on open credential interoperability and reducing vendor lock-in.
LEAF includes several credential approaches that can be confusing at first glance.
The LEAF Framework defines how credentials can be structured on MIFARE DESFire cards using symmetric encryption. It provides interoperability at the application layer but does not define how encryption keys are distributed.
LEAF Universal builds on the framework by allowing participating vendors to share common keys, enabling interoperable credentials across different manufacturers. While this simplifies deployment, it still carries some of the risks associated with symmetric encryption.
LEAF Enterprise addresses that risk by allowing the end user to control and distribute their own keys.
The newest addition, LEAF Verified, moves to asymmetric cryptography. Credentials are generated with unique keys during chip manufacturing, and the system validates the credential using public-key cryptography. A protected, shorter identifier is what gets presented to the access control system for compatibility.
Why This Matters
Open standards like Aliro, PKOC, and LEAF give organizations greater control over their credential ecosystems and reduce dependence on proprietary technologies. Asymmetric cryptography further improves security by eliminating shared secrets and reducing the impact of a compromised credential.
Cards and readers might seem like a small part of the system, but they define the foundation of trust for the entire access control deployment.
Now we just need to finish the job and get rid of Wiegand, too.
The views and opinions expressed in guest posts and/or profiles are those of the authors or sources and do not necessarily reflect the official policy or position of the Security Industry Association.
This article originally appeared in RISE Together, SIA RISE’s newsletter for young security professionals.
