Written by Catherine Carducci | Product Manager, Aliro | Safetrust

“Aliro sounds compelling, but we’re not going to tear out our entire access control system.”

We hear some version of this almost every week, and the response is always the same: you don’t have to. 

The enterprises moving first on Aliro (and there’s meaningful evidence from the last several months to look at) aren’t doing so by decommissioning everything they own. They’re using the Safetrust identity platform to orchestrate a phased transition by deploying dual-technology readers, hybrid credentials, and mobile credentials delivered over the air, without disrupting existing users.

What migration actually looks like

The Safetrust identity platform enables Aliro adoption through three practical entry points that protect your existing investment while unlocking frictionless access.

The first is readers. Dual-technology readers that support both legacy credentials and Aliro simultaneously are available now. Deploying them doesn’t require changing your existing card program. Your current HID® SEOS or MIFARE® DESFire® users keep working without disruption. But you’ve just given yourself the infrastructure to begin issuing Aliro credentials to any user population (new hires, contractors, high-security facilities, mobile-first use cases) without disrupting anyone else. This is how most phased rollouts begin.

The second is hybrid credentials. Safetrust’s Aliro cards are designed to carry Aliro alongside legacy credential technologies (MIFARE DESFire, HID® iCLASS®, HID SEOS® compatible, and others) on a single card. If your organization needs to support older readers that won’t be refreshed in this cycle, your users can carry a single credential that speaks Aliro to Aliro readers and legacy protocols to legacy readers. The transition becomes invisible to end users, and you can retire legacy technologies at the pace your infrastructure refresh allows.

The third is mobile. At ISC West in March 2026, Safetrust showcased something that had never existed before: an Aliro Enterprise physical badge operating in tandem with Aliro mobile credentials (both running on the same platform, leveraging an organization’s own digital certificates, and managing credentials across multiple access vendors and partner ecosystems simultaneously). That demo mattered not just as a milestone but as a proof point that unified card-and-mobile Aliro deployments are operational today, not on a roadmap. 

Aliro’s support for Apple Wallet, Google Wallet, Samsung Wallet, and Safetrust Wallet means your mobile credential program can grow into Aliro without requiring users to install new apps or carry additional hardware. Kastle Systems reinforced this at the same show, becoming the first managed services provider to deploy Aliro 1.0 credentials across all three major wallet platforms at enterprise scale. M.C. Dean launched InfraLink Pass, an Aliro-native mobile-first credential solution built for the enterprise, demonstrating that systems integrators are building Aliro into their core offerings right now. This isn’t theoretical. Your teams and contractors move through doors and sites seamlessly while security maintains complete visibility and control. This is the exact outcome enterprise leaders need.

The three decisions that actually matter

Three platform decisions determine how cleanly Aliro integrates with your existing environment and scales across facilities, partners, and tenants.

The first is your certificate authority model. Aliro’s security is grounded in PKI, which means you need to decide who issues your credentials. Safetrust’s Credential Manager supports three models, customer-managed issuers (your own CA), Safetrust-managed CAs, and third-party issuer CAs, as well as a combination of all three. Organizations with mature enterprise PKI often want to integrate Aliro credential issuance into their existing certificate infrastructure. Organizations without that foundation typically start with managed issuance and migrate later. Both are valid depending on your existing PKI maturity.

The second is your reader provisioning strategy. Manual, on-site certificate management isn’t scalable, especially when you need to respond quickly to a breach, revoke a credential, or update a reader group policy. Connected readers managed through Safetrust’s Credential Manager could handle this automatically, including issuance, rotation, revocation, and policy enforcement. This is one of the places where Aliro implementations can fail if the operational model isn’t thought through, and it’s where having an experienced platform partner matters.

The third is your interoperability scope. Aliro’s federated identity model means that trust between organizations is established through public certificate exchange rather than shared infrastructure or shared private secrets. If you’re a multi-tenant landlord, you add a tenant’s public certificate into your access infrastructure; tenants issue credentials to their own employees and contractors; no re-badging required. 

If you’re an enterprise with multiple facilities managed by different teams, the same model applies across internal organizational boundaries. The operational upside (no re-badging, no credential duplication, clear trust boundaries) is significant. Realizing it requires clarity on certificate authority ownership and how trust relationships are governed.

The cost of waiting that doesn’t show up on any spreadsheet

There’s a real cost to staying on proprietary PACS through the current cycle that rarely gets captured in a TCO analysis. It shows up in RFP negotiations where you can’t walk away. It shows up in the gap between your physical security architecture and your Zero Trust posture. It shows up in a credential program that fails an infosec review. It shows up when your cryptographic foundation, built on algorithms that weren’t designed to outlast the current decade, suddenly requires emergency remediation.

Jason Hart put it plainly in a recent industry conversation: organizations moving now have a meaningful window. “Just this last week, we saw two new projects and different vendors exchanging public certificates for that project. I am seeing this going much faster than the alternative.” Kastle, M.C. Dean, and Last Lock have already established what Aliro deployments look like in production. The interoperability is proven. The infrastructure is available. The question for every enterprise now is not whether Aliro is the right long-term direction, but whether your organization will be early enough to benefit from moving intentionally.

Where Safetrust fits

Safetrust serves as the identity orchestration layer for Aliro deployments. We manage certificate lifecycle across credentials and readers, enable mobile credential issuance through native wallets and Safetrust Wallet, support FIDO2 convergence, and broker federated trust for multi-tenant and multi-organization environments, all on a single platform.

The capabilities Aliro requires (certificate management, secure device connectivity, identity orchestration) are things Safetrust was built to provide. They’re new capabilities for most of our competitors, and the difference in deployment confidence between a team that has been doing PKI-based identity for decades and one that is figuring it out on your project is not a detail.


Two places to go deeper this month

If you’re in the planning stages or want to understand how this applies to your specific environment, we have two upcoming opportunities.

On Wednesday, June 10, at 11:00 AM PT / 2:00 PM ET, Jason Hart and Will Holderness are hosting Aliro Decoded: What Enterprise Security and Identity Leaders Need to Know Before 2027, a direct 45-minute briefing on what Aliro is, what commercial deployment actually looks like, and how to think about migration without starting from scratch. You’ll get a clear picture of where Aliro sits relative to MIFARE® DESFire®, HID® iCLASS®, SEOS®, PKOC, and LEAF® Verified, a migration framework, and a straight answer on post-quantum readiness.


On Tuesday, June 17, at 3:45 PM, Jason Hart will be speaking at CSA Unify on “Commercial Aliro: Why Now, What It Unlocks, and What Has to Be Done” alongside Allegion, dormakaba Americas, Last Lock, and The Access Control Collective. This is a practitioner-level conversation about the commercial sector’s hardest credentialing challenges: multi-badge, multi-vendor, multi-tenant environments, and the growing collision between digital and physical identity. As a member of the Connectivity Standards Alliance, Safetrust is one of the voices helping frame where the standard goes next.


The window to move intentionally to Aliro (while protecting your current infrastructure) is now open. It won’t stay open indefinitely.


Catherine Carducci is Product Manager for Aliro at Safetrust. To discuss Aliro adoption strategies, certificate-based identity implementation, or integration with your existing PACS, IAM, and PKI environments, contact us at safetrust.com.


Aliro is a trademark of the Connectivity Standards Alliance (CSA). MIFARE® and DESFire® are registered trademarks of NXP Semiconductors. HID®, iCLASS®, and SEOS® are registered trademarks of HID Global. LEAF® Verified is a trademark of Wavelynx Technologies. All other product names, trademarks, and company names referenced are the property of their respective owners.