Decentralised Identity and Digital Keys: How Self-Sovereign Credentials Are Reshaping Building Access
Decentralised identity and digital keys are poised to transform how people access buildings, replacing the collection of keycards, fobs, and PINs that most workers and residents carry today with a single set of digital credentials stored securely on their smartphone. Unlike traditional access credentials that are owned and controlled by the building operator, decentralised identity puts the individual in control of their own credentials — a concept known as self-sovereign identity — while maintaining the security guarantees that building owners and managers require.
For commercial property owners, tenants, and security professionals across New Zealand, this shift promises to solve long-standing pain points in access management: the cost and logistics of issuing physical credentials, the security risks of lost or stolen cards, and the friction of managing access across multiple buildings and systems. The technology is moving from concept to deployment, with early implementations already operational in forward-thinking commercial environments.
The Problem with Physical Access Credentials
The access credentials most people use today — plastic keycards, key fobs, and PIN codes — are decades-old technology that carries inherent limitations and security weaknesses.
Management Overhead
Every new employee, tenant, or visitor requires a physical credential to be programmed, issued, and eventually deactivated. For organisations with high staff turnover, multiple sites, or frequent visitors, this administrative burden is substantial. Lost cards must be deactivated and replaced. Former employees’ credentials must be promptly revoked. Each of these tasks requires administrator access to the access control system — and missed revocations create security gaps.
Security Vulnerabilities
Physical credentials can be lost, stolen, cloned, or shared. A keycard left in a gym changing room gives anyone who picks it up access to the building until the card is reported missing and deactivated. Cloning a standard proximity card takes seconds with inexpensive hardware. PIN codes are easily shared, observed, or guessed. These fundamental vulnerabilities mean that a physical credential’s presence at a door reader does not reliably prove the identity of the person presenting it.
Multi-Building Friction
Professionals who access multiple buildings — consultants, contractors, property managers, delivery drivers — accumulate collections of credentials. Each building issues its own card or fob, each with its own system and format. There is no interoperability between buildings, even those using identical access control hardware from the same manufacturer. The result is a wallet full of cards and a frustrating experience that does not match how people actually work and move between spaces.
How Decentralised Digital Identity Works
Decentralised identity replaces physical credentials with cryptographic digital credentials stored in a secure wallet application on the individual’s smartphone. These credentials are issued by trusted entities — employers, building managers, identity verification services — but are controlled by the individual who holds them.
The Trust Triangle
Decentralised identity operates through a trust relationship between three parties:
- Issuer: The organisation that issues the credential — an employer issuing an employee credential, a property manager issuing a tenant credential, or an identity service verifying a government-issued ID
- Holder: The individual who receives the credential and stores it in their digital wallet. The holder controls when and how their credentials are presented
- Verifier: The access control system at the building door that verifies the credential is valid, unrevoked, and meets the access requirements for the specific door and time
The blockchain (or distributed ledger) serves as the trust anchor. It does not store the credentials themselves — those live only in the holder’s wallet. Instead, the blockchain stores the cryptographic proofs that allow any verifier to confirm that a credential was genuinely issued by the claimed issuer and has not been tampered with or revoked.
How It Works at the Door
When a credential holder approaches a building entrance, the process is remarkably simple from their perspective. They hold their smartphone near the door reader (using NFC or Bluetooth). The reader communicates with the wallet app, which presents the relevant credential. The reader verifies the credential against the blockchain — confirming it is genuine, current, and carries the necessary access permissions — and unlocks the door. The entire process takes one to two seconds.
For the credential holder, the experience is similar to using a contactless payment card. For the building, the security guarantee is dramatically stronger than a physical keycard because the credential is cryptographically bound to the holder’s device and protected by biometric authentication (fingerprint or face recognition) on the smartphone itself.
Self-Sovereign Identity: The Individual Takes Control
The “self-sovereign” aspect of decentralised identity is a paradigm shift in access management. Today, your employer controls your access credential — they issue it, they can revoke it, and they hold all the data about where and when you used it. With self-sovereign identity, you hold your own credentials in your personal wallet and choose when to present them.
This does not mean the building loses control over access policies. The building still defines who is allowed to enter, at what times, and through which doors. What changes is the mechanism: instead of the building maintaining a database of cardholders, it defines access policies in terms of credential types and attributes. “Employees of Company X with a valid employment credential may access floors 3 through 7 during business hours.” Anyone who presents a matching credential gets access. The building does not need to issue, manage, or revoke individual credentials — the employer handles that through their own credential issuance process.
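One way a door verifier could evaluate the attribute-based policy described above, added here as an illustration and not taken from any access control product or standard. The class names, the `did:example` issuer, the 08:00 to 18:00 business hours and the `proof_valid` flag (standing for the outcome of the signature and holder-binding check performed by the wallet protocol library) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Presentation:
    """What the reader holds after the wallet exchange."""
    cred_id: str
    cred_type: str
    issuer: str            # issuer identifier
    attributes: dict       # only the claims the holder chose to disclose
    not_before: datetime
    not_after: datetime
    proof_valid: bool      # assumption: signature + holder binding already checked

@dataclass(frozen=True)
class DoorPolicy:
    cred_type: str
    trusted_issuers: frozenset
    required: dict         # attribute name -> required value
    floors: range
    opens: time
    closes: time

def decide(p, policy, floor, now, revoked_ids):
    """Return (granted, reason). Any failed check denies, so the door fails closed."""
    checks = [
        # Authenticity first: nothing else in an unverified credential is trusted.
        (p.proof_valid, "invalid proof"),
        (p.issuer in policy.trusted_issuers, "untrusted issuer"),
        (p.cred_type == policy.cred_type, "wrong credential type"),
        (p.cred_id not in revoked_ids, "revoked"),
        (p.not_before <= now <= p.not_after, "outside validity period"),
        (all(p.attributes.get(k) == v for k, v in policy.required.items()),
         "attribute mismatch"),
        (floor in policy.floors, "floor not permitted"),
        (policy.opens <= now.time() < policy.closes, "outside access hours"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "granted"

# Constructed sample: "Employees of Company X ... floors 3 through 7 during business hours".
POLICY = DoorPolicy("EmploymentCredential", frozenset({"did:example:company-x"}),
                    {"employer": "Company X"}, range(3, 8), time(8, 0), time(18, 0))
# The presentation discloses the employer only: no name or employee number.
SAMPLE = Presentation("cred-001", "EmploymentCredential", "did:example:company-x",
                      {"employer": "Company X"},
                      datetime(2024, 1, 1), datetime(2024, 12, 31), True)
```

The policy names no individual: the building keeps a list of trusted issuers and required attributes, while issuing and revoking each credential stays with the employer.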
Organisations like The Security Company, who deliver professional security solutions across New Zealand, are exploring how decentralised identity integrates with existing access control infrastructure, recognising that early engagement with this technology positions forward-thinking security providers to lead the transition when adoption reaches critical mass.
Practical Benefits for New Zealand Commercial Properties
The practical advantages of decentralised digital keys over physical credentials address real pain points that New Zealand building operators experience daily.
Instant credential issuance and revocation: A new employee receives their access credential digitally on their first day, issued remotely before they even arrive at the building. When they leave the organisation, the employer revokes the credential instantly — no need to collect a physical card, and no risk of a former employee retaining access.
Cross-building portability: A consultant who works across five different client buildings carries a single set of credentials that work everywhere, provided each building’s access policy accepts their credential type. No more juggling multiple cards or remembering which card goes with which building.
Enhanced security: Credentials cannot be cloned because they are cryptographically secured. They cannot be shared because they are protected by the holder’s biometric authentication. They cannot be used if lost, because the holder can remotely disable their wallet. Every vulnerability of physical credentials is addressed.
Privacy preservation: Decentralised identity supports selective disclosure. A building can verify that you are an authorised employee of a tenant company without learning your name, employee number, or any other personal information beyond what is necessary for the access decision. This aligns well with Privacy Act 2020 principles of collecting only the minimum information necessary.
Transitioning from Physical to Digital
The transition from physical credentials to decentralised digital keys will be gradual for most New Zealand buildings. The practical path involves several stages that allow building operators to adopt the technology at a pace that matches their readiness and their tenants’ capability.
Phase 1: Mobile credentials on existing systems. Many current access control platforms already support mobile credentials via smartphone apps. This provides the convenience of phone-based access without requiring blockchain infrastructure. It serves as a stepping stone toward full decentralised identity.
Phase 2: Hybrid physical and digital. Buildings support both traditional keycards and digital credentials simultaneously. Early adopters use their phones while those who prefer physical cards continue as before. The access control system accepts both credential types at the same readers.
Phase 3: Decentralised identity integration. As standards mature and wallet applications become widespread, buildings begin accepting verifiable credentials from decentralised identity wallets, enabling cross-building portability and self-sovereign credential management.
The timeline for widespread adoption in New Zealand depends on several factors — standards development, wallet application maturity, reader hardware availability, and tenant readiness. But the direction is clear, and the benefits are compelling enough that early movers in the commercial property sector will gain competitive advantages in tenant attraction, operational efficiency, and security effectiveness that late adopters will struggle to match.
Decentralised identity does not just digitise the keycard — it fundamentally reimagines the relationship between buildings and the people who access them, putting individuals in control of their own credentials while strengthening rather than weakening the security of the access control system.
