Resident-Managed Credentials
Expectation. The resident shall be able to manage their own credentials, the credentials of their household members, and the credentials of their guests and service providers — independently, from any location, with immediate effect.
Required.
- The resident can add and remove devices associated with their own credential without staff assistance.
- The resident can change their own PIN or secondary authentication method without staff assistance.
- The resident can request a replacement credential without visiting a management office.
- The resident can create, modify, and revoke credentials for household members and guests without staff assistance.
- Guest and service credentials include an expiration. Expiration is enforced automatically.
- Revocation of any credential issued by the resident takes effect within one minute.
- The resident can view all active credentials associated with their account — their own, household, and guest.
Recommended.
- Guest credentials specify entry points, zones, time windows, and recurrence schedules.
- The resident receives confirmation when a credential they issued is used.
- Delivery credentials are unique per provider and per visit.
- A recurring service provider credential activates only during designated hours and days, restricted to designated zones.
- The resident can view what access data is collected about their own entry activity and can request its deletion.
In practice.
A resident loses their phone. From a household member's device, they remove the lost phone from their credential and add a replacement device. They do not call management. Their credential works on the new device and is inactive on the lost one.
A resident creates a credential for their elderly parent who lives with them: same entry points as the resident, no expiration, active at all hours. The parent enters the building independently, on their own device, with their own credential, without relying on the resident's presence.
A resident traveling abroad creates a credential for a pet sitter: lobby and unit only, weekdays 8 to 9 AM, expiring at month's end. At 9:01 the credential deactivates. At month's end it expires. The resident checks the log: credential used five days that week, each between 8:10 and 8:30.
A resident checks their credential dashboard. They see three active guest credentials — two from last month's dinner party that were never revoked. They revoke both. Forty seconds later, both are inactive at every entry point.
Failure modes.
Revocation delay. The resident revokes a credential. The interface confirms revocation. But a cached session on the guest's device continues to grant entry for a grace period — minutes or hours — before the revocation propagates. The credential appears revoked but still opens doors.
Self-service gap. The resident can manage guest credentials but cannot manage their own. Their device breaks; adding a replacement device requires a visit to the management office during business hours. The resident controls others' access but not their own.
Accumulating ghost credentials. The interface shows active guest credentials but does not surface credentials that were never explicitly revoked and have no expiration. Over months, the resident accumulates dozens of open credentials for past visitors, none visible without scrolling through a history log that is not prominently surfaced.
Test.
- Remove a device from a resident's credential using only the resident's interface. Confirm: the removed device can no longer open any entry point.
- Create a guest credential from outside the building. Confirm: functional within the specified time window.
- Revoke a credential. Present it within one minute. Confirm: entry is denied, including on any device that previously cached the credential.
- View all active credentials from the resident's interface. Confirm: every credential the resident has issued — including those without expiration — is visible.
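The revocation-delay failure mode and the one-minute revocation test, as an added example that is not part of the original text or of any vendor's code: a door-side decision that refuses entry when its cached revocation state is older than the one-minute bound, plus a query for active credentials without expiration. The record layout, function names, zone names, and sample credentials are assumptions constructed for illustration; timestamps are naive local times.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

MAX_REVOCATION_AGE = timedelta(seconds=60)  # the one-minute revocation bound

@dataclass(frozen=True)
class Credential:                 # hypothetical record layout
    cred_id: str
    zones: frozenset              # entry points / zones the credential may open
    weekdays: frozenset           # 0 = Monday .. 6 = Sunday
    start: time                   # daily window start (inclusive)
    end: time                     # daily window end (exclusive)
    expires_at: Optional[datetime]  # None = no expiration

@dataclass
class RevocationSnapshot:         # what the door controller has cached
    revoked: set
    synced_at: datetime

def decide(cred, zone, now, snap):
    """Return (granted, reason) for one presentation at one entry point."""
    # Fail closed: a stale snapshot cannot show the credential is still valid.
    if now - snap.synced_at > MAX_REVOCATION_AGE:
        return False, "revocation-state-stale"
    if cred.cred_id in snap.revoked:
        return False, "revoked"
    if cred.expires_at is not None and now >= cred.expires_at:
        return False, "expired"
    if zone not in cred.zones:
        return False, "zone"
    in_window = now.weekday() in cred.weekdays and cred.start <= now.time() < cred.end
    if not in_window:
        return False, "outside-window"
    return True, "ok"

def unexpiring_active(creds, snap):
    """Active credentials with no expiration, which the dashboard must show."""
    return [c.cred_id for c in creds
            if c.expires_at is None and c.cred_id not in snap.revoked]

# Constructed samples: the pet-sitter scenario (lobby and unit, weekdays 8 to 9 AM,
# expiring at month's end) and a dinner guest issued without an expiration.
PET_SITTER = Credential("pet-sitter", frozenset({"lobby", "unit"}),
                        frozenset(range(5)), time(8), time(9), datetime(2025, 7, 1))
DINNER_GUEST = Credential("dinner-guest", frozenset({"lobby"}),
                          frozenset(range(7)), time(0), time(23, 59, 59), None)
```

The stale-snapshot check runs first, so a controller that has lost contact with the revocation source denies entry rather than honoring a credential it can no longer vouch for.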