Your phone IS the key.
Stop buying RFID cards. Stop paying for separate access systems. Frontelio Access turns every staff phone into a credential — for doors, rooms, lifts, lockers, anywhere. Built into the platform you already use.
Access control isn't a separate problem.
You already run scheduling, payroll, HR, and checklists on Frontelio One. Doors should be on the same audit trail.
No more lost cards
RFID cards cost AED 20–180 each to replace and pull a manager off the floor every time someone loses one. Phones never get lost the same way — and when they do, you revoke in one click.
Instant on / off
Terminate access in 1 second when an employee leaves. One toggle in /admin/access kills every credential they hold across every door, room, and lift — no ‘we’ll collect the card on their last day’ gap.
Built into payroll & HR
Fire someone in the HR module and their access auto-revokes — we cascade through your linked Zones the same minute. The audit log lives next to their payroll record. One system, one trail.
From zero to a working door in under 5 minutes.
1. Manager creates a Zone & grants access (≈45 sec)
In /admin/access, draw the door / room / lift as a Zone, pick a worker, and click Grant. Optional: tie the grant to a shift, a date window, or a role group.
2. Worker opens ‘My Access’ on phone
A daily 24-hour credential mints automatically on app open. No setup wizard. No QR pairing. The credential is a signed JWT and never leaves the device unencrypted.
3. Worker taps phone or scans the QR
Android phones tap the reader (NFC HCE). iPhones scan the reader’s QR — Apple gates third-party NFC HCE, but QR works perfectly. Both paths take under 1 second.
4. Reader calls /access/verify — GRANT or DENY in <100 ms
The reader hits Frontelio, we validate signature + Zone + shift window + revoke list, and respond. Every attempt — pass or fail — lands in the same audit log as your payroll and checklists.
Works with the readers you already have.
Already have readers? We integrate. Don't have any yet? We offer a reference reader bridge for cafés deploying for the first time.
Reader brand names are property of their respective owners. Listed for compatibility identification only.
Why operators are switching from Kisi & Brivo.
| Capability | Frontelio Access | Kisi | Brivo |
|---|---|---|---|
| Per-door cost | Free (GROWTH plan +AED 299/outlet) | $30–49/door/mo | $25–45/door/mo |
| HR-tied revoke (auto on termination) | Yes — cascades from HR module | Manual | Manual |
| Mobile credential | NFC (Android HCE) + QR (iOS) | BLE | BLE |
| Audit log | Same one as payroll, checklists & shifts | Separate (Kisi dashboard) | Separate (Brivo Onair) |
| Schedule-aware (only during shift) | Built-in — tie grant to shift window | Not natively | Limited (time schedules) |
| Multi-tenant (group → company → outlet) | Yes | Single tenant | Enterprise plan only |
| GCC / Arabic UI | Full RTL on every screen | English only | English only |
One price. Unlimited everything.
Included on the GROWTH plan and up. AED 299/outlet/month covers unlimited zones, unlimited grants, unlimited credentials, and every reader integration we ship.
Questions every operator asks.
Does this work on iPhone too?
Yes — via QR. Apple gates third-party NFC HCE (only Apple Wallet can broadcast NFC credentials on iOS), so iPhone users scan the reader’s QR code instead. Same speed, same audit trail, same security model.
What if our outlet doesn't have NFC readers yet?
Two options. (1) Use QR mode — print a QR sticker on each door, point the camera, done. Zero hardware spend. (2) We offer a reference reader bridge for cafés deploying for the first time (Raspberry Pi + ESP32 design we share with implementation partners).
Can I revoke instantly?
Yes. One click in /admin/access pulls the grant. The daily-minted credential auto-expires within 24h regardless, and our revoke list takes effect on the next /access/verify call — so even a phone left in someone’s hand stops opening doors immediately.
Are credentials secure?
24-hour JWT signed per-tenant. On Android we set requireDeviceUnlock=true so a locked phone won’t broadcast. Credentials are regenerated daily and never leave the device in plaintext. The /access/verify endpoint validates signature, Zone permission, shift window, and revoke list on every tap.
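For readers evaluating this model, the four checks named above can be sketched as follows. This is an added example, not Frontelio's code: the HS256 algorithm, the claim names (`tenant`, `sub`, `jti`, `iat`, `exp`), and the server-side grant and revoke structures are all assumptions.

```python
import base64, hashlib, hmac, json

def _b64d(s):  # base64url decode, restoring stripped padding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, key):
    """Build a constructed test credential (HS256 is an assumption)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, zone, now, tenant_keys, grants, revoked):
    """Return (decision, reason); any parsing problem fails closed to DENY."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header, claims = json.loads(_b64d(head_b64)), json.loads(_b64d(body_b64))
        # Pin the algorithm server-side instead of letting the token choose it.
        if header.get("alg") != "HS256":
            return "DENY", "bad_alg"
        # The tenant claim only selects the key; it is trusted after the MAC checks.
        key = tenant_keys[claims["tenant"]]
        good = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(sig_b64), good):
            return "DENY", "bad_signature"
        # Enforce the 24-hour lifetime even if a longer exp was somehow signed.
        if not (claims["iat"] <= now < claims["exp"] <= claims["iat"] + 86400):
            return "DENY", "expired"
        if claims["jti"] in revoked or claims["sub"] in revoked:
            return "DENY", "revoked"
        window = grants.get((claims["sub"], zone))  # server-side Zone grant
        if window is None:
            return "DENY", "no_zone_grant"
        if not (window[0] <= now < window[1]):
            return "DENY", "outside_shift"
        return "GRANT", "ok"
    except (ValueError, KeyError, TypeError, AttributeError):
        return "DENY", "malformed"

# Constructed sample data (not real Frontelio values).
KEYS = {"cafe-1": b"constructed-tenant-secret"}
GRANTS = {("w42", "kitchen"): (1000, 5000)}
TOKEN = mint({"tenant": "cafe-1", "sub": "w42", "jti": "c1", "iat": 900, "exp": 87300}, KEYS["cafe-1"])
```

Keeping the Zone grant and shift window in server-side state rather than inside the token is what lets a revoke or schedule change apply on the very next verify call.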
What if the worker loses their phone?
A locked phone won’t broadcast — requireDeviceUnlock is on by default. The manager revokes the grant via /admin/access (1 second). And because credentials roll over every 24 hours, even an unrevoked stale credential disappears on its own within a day.
Switch from Kisi or Brivo in a weekend.
Or start fresh — your call. Either way, you're on one platform with one audit log and one bill.