Some doors are not ordinary doors. A substation room. A data centre suite. A rail signalling cabinet. A pharmaceutical storage area. A telecom exchange. A water treatment control room.
Behind these doors sits operational continuity. Public safety. Regulatory exposure. In some cases, national resilience. Yet in many environments, access to these locations is still governed by a single person, a single key, a single mobile credential, or a process that depends too much on trust and too little on enforceable control.
That model is no longer good enough.
Key2XS Two-Person Verification brings a stricter operating principle to iLOQ locks: two authorized people, physically present together, before the door opens. The feature is designed for locations where one-person access creates too much operational, security, or compliance risk. The core principle is clear: no single person and no single phone can open a protected door alone. The Key2XS service independently verifies both approvals before it grants a one-time, time-limited key.
The problem: critical doors are still governed like normal doors
Critical infrastructure operators have invested heavily in cyber security, identity governance, privileged access management and monitoring. Logical access to systems is increasingly controlled through IAM, IGA, MFA, approval workflows and audit trails. Physical access has not always kept pace.
Many organizations still rely on fragmented lock administration, standing permissions, offline processes, shared operational routines and after-the-fact reporting. That creates a governance gap. The person who can enter a critical room may not be governed with the same rigor as the person who can access a critical application.
That gap matters. In critical infrastructure, physical access can be the first step in a cyber incident, an operational disruption, sabotage, insider misuse, or unauthorized maintenance action.
For high-risk locations, the rule should be simple: access must require dual control, not individual discretion.
How Key2XS Two-Person Verification works
At the door, the user experience remains simple: one authorized person identifies the door with the phone. The phone detects or involves a second authorized colleague nearby. The second person reviews and approves the access request. Both phones show the same short confirmation code, so the two people can verify that they are approving the same door, the same request and the same access moment. The joint, signed request is then sent to the Key2XS service over an encrypted channel. The service independently re-verifies both approvals and only then grants a one-time, time-limited key.
The video included with publication should make this tangible: two people at the door, two approvals, one independent decision, one short-lived opening.
The important point is not the tap. The important point is the governance behind the tap.
Why this matters in critical infrastructure
Critical infrastructure is not a normal enterprise environment. The impact of unauthorized access is materially higher. A bad access decision can affect energy distribution, rail operations, telecom availability, water safety, data centre uptime, pharmaceutical integrity or emergency response capability.
Two-Person Verification is relevant for locations such as:
|
Environment |
High-risk access point |
|
Energy |
Substation rooms, transformer houses, switching locations, control cabinets |
|
Rail |
Signalling rooms, relay cabinets, trackside infrastructure, control systems |
|
Telecom |
Exchange rooms, mast sites, network hubs, fibre distribution locations |
|
Water |
Pumping stations, treatment facilities, control rooms |
|
Data centres |
High-security cages, meet-me rooms, power rooms, customer suites |
|
Healthcare and pharma |
Controlled storage, lab areas, medicine stores, technical rooms |
|
Government |
Secure rooms, crisis facilities, classified infrastructure areas |
In these environments, the question is not only “who had a key?” The real question is: who approved the access, under which policy, at which door, at which moment, and was the second person really part of the decision? That is exactly the governance layer Key2XS adds.
What makes the model stronger
The feature is built around several control layers.
-
First, there is no useful standing key sitting on the phone. The opener carries no working key until the exact moment access is granted. That reduces the value of a lost, stolen, copied or compromised phone.
-
Second, each phone has a device-bound identity. The phone must prove who it is, using secure hardware, without exposing its private key.
-
Third, the Key2XS service has the final say. The phones do not make the ultimate access decision by themselves. The service independently checks both approvals before granting anything.
-
Fourth, both humans confirm the same thing. The short matching code prevents approval redirection, where a user thinks they are approving one door or one colleague but the request is actually being used somewhere else.
-
Fifth, access is one-time and short-lived. The granted key cannot be reused, shared or stockpiled.
-
Finally, every attempt creates an audit trail. That matters for incident review, internal control, contractor governance, compliance evidence and supervisory reporting.
What it protects against
This feature directly reduces several practical risks. A lost or stolen phone does not carry a usable key for a protected door. A single employee or contractor cannot act alone. A captured wireless signal cannot simply be replayed. An approval cannot easily be redirected to another door or another pair of people. A rooted or tampered phone still does not have standing access, and the independent Key2XS service remains the control point.
That is the correct architecture for critical infrastructure: local usability, central governance, cryptographic assurance and complete accountability.
There is one thing it cannot solve, and that should be stated plainly. Two authorized people can still collude. No access system can read intent. That is why the audit trail is not a secondary feature. It is a core control. When access cannot be prevented by policy alone, it must at least be attributable, reviewable and defensible.
From physical access to governed access
The strategic value is bigger than opening a door with two people.
Two-Person Verification turns physical access into a governed transaction. It connects identity, policy, approval, cryptography, location and audit evidence into one controlled access event.
For critical infrastructure operators, that supports three business outcomes:
-
It reduces operational risk at the most sensitive doors.
-
It improves compliance posture. Especially where organizations must demonstrate stronger control over access to essential assets, operational sites, third-party personnel and privileged physical entry.
-
It aligns physical access with the same governance logic already used in IAM and IGA. Physical access should not be the exception to identity governance. It should be part of it.
Why this is relevant now
Critical infrastructure operators are under pressure to prove resilience, not just claim it. Regulators, boards, insurers and customers increasingly expect evidence that access to essential assets is controlled, monitored and auditable.
A traditional lock can say that a key opened a door.
A governed access platform can say much more: who requested access, who co-approved it, which policy applied, which device was used, which door was opened, when it happened and whether the access event matched the expected procedure.
That is the difference between access control and access governance.
Conclusion
Key2XS Two-Person Verification gives iLOQ locks a higher assurance model for the doors that matter most. The lock remains trusted hardware. Key2XS adds the identity layer, the approval flow, the independent decision, the one-time key and the audit trail.
For critical infrastructure, that is the right direction. Sensitive doors should no longer depend on one person, one phone or one standing credential. They should require controlled collaboration, independent verification and evidence by design.
Two authorized people. One governed decision. One auditable opening.