Hotel Access Control Explained

Author: Brian Rhodes, Published on Aug 17, 2016

Hotel access control seems to work magically. Unlike electronic access control systems used in commercial security, doors in hotels are not typically connected to a central server to confirm access.

*** **** ** **** ****? *** *** *** ***** ****** that ***** *** **** ********? ****** **** ****, ** *****:

  • ******* ********* *** ******
  • ******* ******** **********
  • ***** **** **** *****
  • *** ***** ***** *** *****
  • ********** ******* ********** ******
  • ********** ** ***** ****** *******
  • ********** ** ********** *******
  • ***** ****** ******** ********

Keycard ********

** *** *********** ********, '*** ****' ******* *** ********* ******** using ***** *** ****** **********. * '******' ** ******** ** individual, ***-********* **** ******/*****, * **** **********, *** ******* ****** cards. *** ******* ********** ***********, ******* ** *** ***** ****, encodes * ******* **** ****** ****** ****.

***** ******* ****** ***:

  • ********: * ****** **** ** ******** *** ******* ** * 'guest ****', '****** ***', '************ ****', ** ***** **** ** role. '***** *****' ********* **** *** ****, ***** * '****** Key' **** *** **** **** ***.
  • ***** ****/****: *** **** ****** * **** ** **** ** **** a ****. **** *** **** ******* * '***** ****' ** calibrate ******* **** ****** ****.
  • **** ******: * ****** ** ***** ******** ** *** ****/**** *** card *****.  **** ********* ****** ******* ** *** **** *** guest ****.
  • ******** ******: * ****** **** **** ********** *** ********** ********/*****/**** * card ** ******* ***.  **** ******** ***** *** **** *** 'Room ***' ** ******** **********.

*** **** **** ****** ** *** **** ****** ** ********* when ** ****** ******, ** *** ****** ****** ** *********** not ********* *** **** **** ** '*******' *** ***** ** access ******** **** **** * **** ** *********.  

Keycard ******

******** **** ** ***** *** ***** ******* ** **** ******** sense.  ****** ***** **** ****, ******** **** ** ********** ** cheap ****** ** ******* ***** * ****** ***.

*** **** ****** ***** *** **** **** ***** **** **** ****** $0.20 - *.** *** ****. **** ******** **** ******** *.***" * *.***", *** **** size ** * ****** ****, *** *** ********* **** ** inexpensive *** *******.  ** **** *****, *** **** ** ***** cards *** ******* ********** ** ************* ***** ** ********* ********* programs, ***** ***********, ** *********** ****** * *****:

Magstripe Encoded *****

* *** ***** ** ***** ***********: *** **** ******* ** these ***** *** * '******' ********** ************* ****** ******** ** **** ********* ***** ** *********** **** *********** **********.

***** **** *** ****** ** *** ******** '***************' ** ***** cards ** ********* ** **** **** ******** *******, **** ********* is ***** ********* ** * ******** *********** ** *** **** of '***** ******* ****' ** *** ****** **********. *** ******** card ******** ****** ******** *** ***** ******* ** ******** ***** a ***** ****, ***** * *** ****.

 
 
Door **** *****
 

***** *** ***** ** **** ******** *** **** ******* ********* on ****** *** ******, '*****' ***** *** ** ********* *** less **** $*** ***. **** ******* ****** **** ** '****** hotel' ****** **** *** **** **** $** ***. ** ********, enterprise-grade ********** ********** ****** ******* ******* ***** **** ******* ** $1000 *** ****.

** *******, **** ***** *** ******** ** *** **** *** most ******* **** ***** ***** *********** ** ******* *******. ****** other ***** ** ********** ****** *******, *********** ******* **** **** with * ******** **** ** **** *** ****** ** ******* to ******** *****.

Hotel ******** *** *****

*** ******* ****** ********** ** ********* ******* '***********' *** ********** EAC ******* ** *** **** ** *** **********. 

** * *********** ******, *** **** **** ****** ** ******* command ** **** *** ****. * *********** **** **** *** no ********* ************* ** *** ***** * ********** *** **, it **** ***** **** *** **** ***** ********* '***** **' to ****. *** ********** ******** ******** *** ********* *** **** needed ** ******** *** ****.  

** ********, ** ********** *** ****** **** **** *** ********** to ******** * ******* *** ******. *** ********** ****** **** not ***** * ******* ** **** *** ****, ** ****** identifies *** ****** ******* ** '********' ******* *** *****. *** networked ******** ** *** ****** ****** **** * ******* ********, and **** ******** ******** ** ****** ***** ***** ** **** database. ******* *** **** ****** ** *********, * ********** **** can ** '****** ***' ** ******** ***********.

Protecting ******* ********** ******

* ****** ******** **** ****** **** *********** ******* ** "*** does *** **** **** **** ** **** ** ****?" ***** a ****** ***** **/***** *** ********, **** ****** ** ********** by *** '***** **** *****' ** ****** ******* ** *** card. **** *** ***** *** **** ** *******, *** ******* data ** *** **** ** **** ** '*******' ****** * certain *****. *******, *** ******* **********, **** ********** ***** *****-**** or ******** *****, ******** ***** **** * ***** ****. ** accommodate *** ***** **********, ** ** * ****** *********** **** cards *** *** ************ ***** *** '*********' ***** ***, *** the '********' ***** ** * ***** **** **** *** ******* daily **** *** ************ ***** ****** ***** ***** ***** ****** their ******.

************, ******** ***** *** *** *********** ** *** **** ****** rules ** ***** *****, *** *** ** ********** *** ********** access. *******, * ****** ******* ** ***** ***** ** *** 'mechanical ********' ******** **** ******** *** ******** **** ****** **** thrown. *** ***** *************, ** ** ****** ** *** * mechanical, ***** **** **** ** *** ***** **** ****** ****** in ** *********.

Advantages ** *********** *******

*** ******* ************** ** ***** ******* ******* *** **** *** inexpensive ** ********, ********, *** *******.  ******* *** ****** '**** tech' ********** ***** ******* **** ******, *********** * *** **** and ******* ** ** * ***** ** **** ****** *** inexperienced ****** ** ******, *** ******* ** ***** ********** ****** can ****** ** ****** **** ****** **** ******* '*** **********' like *********** *******.

***** ********** *******:

  • ******* ********** ***** ** *******
  • **** ** ********** ***** ** ************* ****
  • *** ** ********** '****** ***' ** ******** ********** ******** **** inside ****
  • ********** ******** **** ***** ********* ****** ** *** *****
  • *********, **** ******** **** ** ** *** - *** ****** allowing *** ******** ************** ** ******

Advantages ** ********** *******

*******, *********** ********** ****** *** *** ******** *** ****** ********** and **** ******** **** ***** ******* ********* ***'*:

  • *********** ************** ** ********* *******
  • ******* ** ******* ******** ****** ********* *** ****** *********
  • *********** *** ** *********** ******* ** '***********'
  • ***** *** *********** ** '****** ****'
  • *********** *** **** ** * ****-********* *****, *** ***** ******** credentials
  • ******** ** *** ********* ******* ** ******* *****, *** ** more ******** *** ******* ** ********
  • **** ********* ** *** ****** ****** ** ***********

Hotel ******* *** ****** ****** ********

*********** ****** ***************** *** ************ *** *******, ***** ********* *** *********** ********** *******. **** business ***** ** ********* *** ******* *******:

  • ******* *** **** ***, ********* ******* *** ****** ********* ** integrator **** ******.
  • ** *** **** **** ** *** ****, *** ************ ** able ** ******* *******. ***** ******* ****** ** *** '***' of *********** ******* ******, *** ** * ****** **** **** the **** ******** *** ************ ***** **** ****.
  • *********** ****** ********* ***** '******* *******' ** '****** *****', *** would ****** *** *********** ******** (*****, ******* *****) **** ********** pricing ******** **** *********** ****** ************, ****** **** ******** ***********.

Hotel ****** ******** ********

******* ****** ********* **** ********* *** ***** ** ***** ****** systems ******** ** ********** ******.  **** **** *******, ***** * careless ** ******** ***** ******* ***** ***** **** **** * 'Master ***' ********, *********** ******** * ****** ***** ** **** every ****:

*** **** ********* ** **** ******** *** ** *******, *** not ********** ********* **** ***** ****** *******. **** * ***** networked ********** ****** ******, **** ** ***** ***** *********** ** corrected ** ****, *** *** **** **** ****** ********** ** simply *** **** ** ****** ****** ** ******* ***** ***** the ******* ** *********.

**********

***** ******** ** ****, *********** ****** ******* ** *** * market ******* ********* ******** ** *** ******** **********. ***** ********** certainly *****, *** ******* *** **** *** *** ******* ****** opportunity *** **** ******* ********* ***** ******* *********. ** *******, the ******** ******** ** *********** '*********' ****** ******* ** **** as '********' *** ******* ******** ** *** *** ****, ******* built ************ ***** ** *** *********** ******.

[****: ** ******* ******* ** **** *** ********* ** **** but *** ************* ******* *** ******** ** ****.]

Comments (10)

Great article. When I was younger I was fascinated with these systems (especially the cards with all the little Braille-like holes), but no one I knew could explain.

A couple questions:

In a hospitality system, the card read issues an encoded command to open the lock. A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

Can a door reader ever rewrite cards?

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

In general, no. Unless the card itself tells the lock 'I'm valid right now", it just is ignored. Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

Can a door reader ever rewrite cards?

For most systems, no. There may be some systems that can invalidate cards if they are inserted in locks (This is the way Salto Access 'networked cards' work for example), but the vast majority of hotel system locks are 'read-only' units.

Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

So in your example of early checkout, what denies the old card, (or its duplicates), from opening the door of the new guests?

The encoding machine at the front desk is the kingpin here. As soon as the new card is presented to the door lock, the old card is no longer valid.

A lock is typically only able to have one valid guest.

So it is not a 'blacklist', but rather 'active valid cards must have these values'.

I agree with your responses.

My initial question was about

A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

IMHO, the credential encoding of a given key has all but one piece of data needed to activate the lock, namely value from the previous open.

The lock needs to maintain the current state of what the last valid key sequence used was, so that it can reject credentials issued earlier and accept those equal or later. If the lock were to lose the power (and that value), for instance, an old or new credential might be accepted.

Thanks for the answers; this is a minor point in any case.

I think 'blacklist' is too strong of a term here. The lock does have a memory of which cards were used to open it, but 'blacklist' meaning active denial is not quite right. Cards are read to be invalid based on expired dates/times or because they've had their function preempted by another valid read.

Those cards housekeeping carry may also be used for quality control too. As in: once guest card 'A' expires, guest card 'B' cannot be used until a 'Housekeeping' function card opens the door, signifying a visit and room cleaning. Rather - new guests can't enter a dirty room.

Now, these rules aren't always put in place, but some hospitality operators use the access system for process/quality control in this way.

Brian, good article. A few years ago a hack of Onity locks was reported at Black Hat using a portable programmer to gain entry. I wonder if there are still vulnerable locks out there, particularly at independently operated hotels.

http://www.forbes.com/sites/andygreenberg/2013/05/15/hotel-lock-hack-still-being-used-in-burglaries-months-after-lock-firms-fix/#2a385bcd5434

Also, every one of the hotels I've stayed in this year have updated to a proximity card solution. Some hotels even use an app on your phone that communicates with the lock when in range. It might be a nice follow up to explore how the same comparisons with these new technologies in the hospitality space.

Thank you for this article,

I was always curious how those systems worked.

You've forgotten to mention the role of an enterprise access system in health and safety / operational health and safety. It'll often be feasible to get an idea in real time how many guests are in their hotel rooms should an emergency happen. Especially if combined with those captive room power enabling switches for the access credential

Hey Brian….nice update on the hospitality market. You are correct it is far too expensive (even for new build let alone retro fit installs) to wire every room door and that is the main reason why each door is basically its’ own controller in the hospitality market.

Another reason why manufactures are so vertically integrated (install directly or through subs) is that hotel access falls in the grey area between traditional security and locksmith markets. Most security guys I know are not fond of installing door hardware and locksets with associated life safety issues and liability. And locksmiths (overall) are not big on programming, initializing, commissioning, maintaining the electronic/software application side of these systems.

Although the gap is closing for sure – imagine what it was like when these card systems first came on the market 30 some years ago.

Finally, hotels demand to know where the buck stops when something is not working not only after a new installation but for the life of the system (>10 yrs)…and to get training and parts (hundreds of part numbers in each system) immediately. Remember this is a perishable product. If they can’t rent a room that night...they lose revenue that cannot be replaced. Many are big brands and/or ownership groups that require the kind of national and sometimes international support that cannot be consistently supported by local or regional contractors. So that is why this market is kind of carved out from the rest.

No question the vast majority of hotel access systems remain “off line”….these are starting to change slowly over time mainly through wireless solutions or some form of hybrid wireless/wired network. As wireless technologies become more ubiquitous for secure communications many of these ‘online’ systems are trickling down from the biggest properties to more modest ones. This trend has already started to impact the traditional access markets. This is worth keeping an eye on by security integrators. (i.e. Education, Multi-Housing, Healthcare markets)

Lastly, RFID cards are becoming more common slowly but surely just as happened in 90s for access control. The main issue here is price/card…. but the hotels are getting over it and touting the higher security, easier/cooler customer experience, and benefiting from reduced maintenance of cleaning/replacing door readers and reprogramming demagnetized cards. Interestingly some manufactures are choosing open card protocols (buy wherever you want) and others are closed (only from mfg). Sound familiar? But that is another discussion!!! Thanks Brian.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

UTC, Owner of Lenel, Acquires S2 on Sep 20, 2018
UTC now owns two of the biggest access control providers, one of integrator's most hated access control platforms, Lenel, and one of their...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
Door Fundamentals For Access Control Guide on Sep 12, 2018
Assuming every door can be secured with either a maglock or an electric strike can be a painful assumption in the field. While those items can be...
Access Control Course Fall 2018 on Sep 06, 2018
Registration IS CLOSED ends this Thursday. Register now. If you are looking to strengthen your ability to design and deploy access systems or...
Drain Wire For Access Control Reader Tutorial on Sep 04, 2018
An easy-to-miss cabling specification plays a key role in access control, yet it is commonly ignored. The drain wire offers protection for readers...
Directory Of 110+ Video Management Software (VMS) Suppliers on Aug 30, 2018
This directory provides a list of Video Management Software providers to help you see and research what options are available. Listing...
Exit Devices For Access Control Tutorial on Aug 28, 2018
Exit Devices, also called 'Panic Bars' or 'Crash Bars' are required by safety codes the world over, and become integral parts of electronic access...
Assa Aperio Wireless Access Reader R100 Tested on Aug 23, 2018
Wireless access control is frequently promoted by manufacturers as a way to cut installation costs. Perhaps the biggest proponent of this is mega...
Synology Surveillance Station VMS Tested on Aug 22, 2018
With so many low-cost NVRs and enterprise VMSes, is there any place in the market for NAS-based VMSes? Recently, IPVM bought a Synology NAS for...
Backup Power For Maglocks Guide on Aug 20, 2018
When the main power fails, many believe maglocks must leave doors unlocked. However, battery backed up maglocks are allowed according to IBC /...

Most Recent Industry Reports

BluePoint Aims To Bring Life-Safety Mind-Set To Police Pull Stations on Sep 20, 2018
Fire alarm pull stations are commonplace but police ones are not. A self-funded startup, BluePoint Alert Solutions is aiming to make police pull...
SIA Plays Dumb On OEMs And Hikua Ban on Sep 20, 2018
OEMs widely pretend to be 'manufacturers', deceiving their customers and putting them at risk for cybersecurity attacks and, soon, violation of US...
Axis Vs. Hikvision IR PTZ Shootout on Sep 20, 2018
Hikvision has their high-end dual-sensor DarkfighterX. Axis has their high-end concealed IR Q6125-LE. Which is better? We bought both and tested...
Avigilon Announces AI-Powered H5 Camera Development on Sep 19, 2018
Avigilon will be showcasing "next-generation AI" at next week's ASIS GSX. In an atypical move, the company is not actually releasing these...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
25% China Tariffs Finalized For 2019, 10% Start Now, Includes Select Video Surveillance on Sep 18, 2018
A surprise move: In July, when the most recent tariff round was first announced, the tariffs were only scheduled for 10%. However, now, the US...
Central Stations Face Off Against NFPA On Fire Monitoring on Sep 18, 2018
Central stations are facing off against the NFPA over what they call anti-competitive language in NFPA 72, the standard that covers fire alarms....
Hikvision USA Starts Layoffs on Sep 18, 2018
Hikvision USA has started layoffs, just weeks after the US government ban was passed into law. Inside this note, we examine: The important...
Chinese Government Praises Hikvision For Following Xi Jinping on Sep 17, 2018
The Chinese government council responsible for managing China's state-owned companies praised Hikvision’s obedience to China’s authoritarian leader...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact