One Credential, Every Door

Expectation. A credential that is active at one entry point shall be active at every entry point the person is authorized to use. A credential change shall take effect at every entry point simultaneously.

Required.

  • A single credential grants access to every entry point the person is authorized to use. The resident does not carry or manage multiple credentials for different .
  • A credential change — creation, modification, revocation, expiration — takes effect at every affected entry point.
  • No entry point operates on an independent credential state that can diverge from the rest of the building.

Recommended.

  • One interface manages all credential operations across all entry points.
  • The resident is not aware of, and does not need to interact with, the number of underlying subsystems.
  • A resident does not encounter a credential discrepancy caused by subsystem synchronization failure.

In practice.

A new resident receives one credential. On move-in day, it opens the lobby, calls the elevator to their floor, opens the unit, opens the parking gate, grants access to the bicycle storage, and opens the gym. Management entered the resident's information once.

A resident moves out. Management revokes the credential in one action. Within seconds, every entry point in the building rejects it. No orphaned access persists anywhere — not in the lobby, not in the parking system, not in the amenity reader installed six months after the original system.

A building adds a new co-working space with its own reader. The reader connects to the existing credential system. Residents access it with the same credential they already use. No new enrollment.

Failure modes.

Late-addition orphan. A new amenity space is added to the building after the original access system was configured. It runs on a reader that connects to the system but is not included in the default credential template. New residents receive access; residents who moved in before the addition do not, and are denied at the new entry point with no explanation.

Batch-sync revocation. One subsystem processes credential revocations in real time. Another processes them in overnight batches. A credential is revoked at 10 AM. By noon it is rejected at every entry point except the parking gate, which will not process the revocation until 2 AM. For sixteen hours, the revoked credential still opens the garage.

Selective enrollment. A resident received their credential before the building connected its elevator dispatch system. Their credential opens the lobby and the unit door, but does not trigger elevator dispatch. A newer resident's credential does. Both residents hold valid credentials, but one requires pressing a floor button manually. Neither was informed of the difference.

Test.

  1. Issue a credential. Present it at every designated entry point in sequence. Confirm: recognized at every point, including entry points added after the original system configuration.
  2. Revoke a credential. Present it at every designated entry point within five minutes. Confirm: rejected at every point.
  3. Issue a credential while one subsystem is temporarily offline. Restore the subsystem. Present the credential at the entry point controlled by that subsystem. Confirm: recognized without manual re-entry.
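
Added example, not part of the original text: a reconciliation check that compares the system of record with what each entry point's subsystem currently accepts, and reports the divergences described under Failure modes. The credential ids, entry point names, finding labels and sample data are constructed for illustration; how state is exported from real subsystems is assumed.

```python
from dataclasses import dataclass

# Constructed sample data; every name here is hypothetical.
# System of record: credential id -> entry points the holder may use.
# An empty set means the credential has been revoked.
AUTHORIZED = {
    "cred-new": {"lobby", "parking", "coworking"},
    "cred-old": {"lobby", "parking", "coworking"},
    "cred-revoked": set(),
}
# Per-subsystem view: entry point -> credential ids it accepts right now.
SUBSYSTEM_STATE = {
    "lobby": {"cred-new", "cred-old"},
    "parking": {"cred-new", "cred-old", "cred-revoked"},  # batch sync pending
    "coworking": {"cred-new"},  # reader added later; cred-old never enrolled
}


@dataclass(frozen=True, order=True)
class Finding:
    kind: str          # "missing-enrollment", "orphaned-access", "unknown-credential"
    credential: str
    entry_point: str


def audit(authorized, subsystem_state):
    """Return every place where a subsystem's state diverges from the record."""
    findings = []
    # Include entry points that appear only in authorizations, so a reader
    # that reports no state at all shows up as missing enrollment.
    entry_points = set(subsystem_state)
    for allowed in authorized.values():
        entry_points |= allowed
    for entry_point in entry_points:
        accepted = subsystem_state.get(entry_point, set())
        for cred, allowed in authorized.items():
            should_open = entry_point in allowed
            does_open = cred in accepted
            if does_open and not should_open:
                findings.append(Finding("orphaned-access", cred, entry_point))
            elif should_open and not does_open:
                findings.append(Finding("missing-enrollment", cred, entry_point))
        # Credentials a subsystem accepts that the record has never heard of.
        for cred in accepted - set(authorized):
            findings.append(Finding("unknown-credential", cred, entry_point))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(AUTHORIZED, SUBSYSTEM_STATE):
        print(finding.kind, finding.credential, finding.entry_point)
```

Run on a schedule shorter than the five-minute window in Test step 2, an empty result is the passing condition; any finding names the credential and the entry point that diverged.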