Hotel Access Control Explained

Author: Brian Rhodes, Published on Aug 17, 2016

Hotel access control seems to work magically. Unlike electronic access control systems used in commercial security, doors in hotels are not typically connected to a central server to confirm access.

*** **** ** **** ****? *** *** *** ***** ****** that ***** *** **** ********? ****** **** ****, ** *****:

  • ******* ********* *** ******
  • ******* ******** **********
  • ***** **** **** *****
  • *** ***** ***** *** *****
  • ********** ******* ********** ******
  • ********** ** ***** ****** *******
  • ********** ** ********** *******
  • ***** ****** ******** ********

Keycard ********

** *** *********** ********, '*** ****' ******* *** ********* ******** using ***** *** ****** **********. * '******' ** ******** ** individual, ***-********* **** ******/*****, * **** **********, *** ******* ****** cards. *** ******* ********** ***********, ******* ** *** ***** ****, encodes * ******* **** ****** ****** ****.

***** ******* ****** ***:

  • ********: * ****** **** ** ******** *** ******* ** * 'guest ****', '****** ***', '************ ****', ** ***** **** ** role. '***** *****' ********* **** *** ****, ***** * '****** Key' **** *** **** **** ***.
  • ***** ****/****: *** **** ****** * **** ** **** ** **** a ****. **** *** **** ******* * '***** ****' ** calibrate ******* **** ****** ****.
  • **** ******: * ****** ** ***** ******** ** *** ****/**** *** card *****.  **** ********* ****** ******* ** *** **** *** guest ****.
  • ******** ******: * ****** **** **** ********** *** ********** ********/*****/**** * card ** ******* ***.  **** ******** ***** *** **** *** 'Room ***' ** ******** **********.

*** **** **** ****** ** *** **** ****** ** ********* when ** ****** ******, ** *** ****** ****** ** *********** not ********* *** **** **** ** '*******' *** ***** ** access ******** **** **** * **** ** *********.  

Keycard ******

******** **** ** ***** *** ***** ******* ** **** ******** sense.  ****** ***** **** ****, ******** **** ** ********** ** cheap ****** ** ******* ***** * ****** ***.

*** **** ****** ***** *** **** **** ***** **** **** ****** $0.20 - *.** *** ****. **** ******** **** ******** *.***" * *.***", *** **** size ** * ****** ****, *** *** ********* **** ** inexpensive *** *******.  ** **** *****, *** **** ** ***** cards *** ******* ********** ** ************* ***** ** ********* ********* programs, ***** ***********, ** *********** ****** * *****:

Magstripe Encoded *****

* *** ***** ** ***** ***********: *** **** ******* ** these ***** *** * '******' ********** ************* ****** ******** ** **** ********* ***** ** *********** **** *********** **********.

***** **** *** ****** ** *** ******** '***************' ** ***** cards ** ********* ** **** **** ******** *******, **** ********* is ***** ********* ** * ******** *********** ** *** **** of '***** ******* ****' ** *** ****** **********. *** ******** card ******** ****** ******** *** ***** ******* ** ******** ***** a ***** ****, ***** * *** ****.

 
 
Door **** *****
 

***** *** ***** ** **** ******** *** **** ******* ********* on ****** *** ******, '*****' ***** *** ** ********* *** less **** $*** ***. **** ******* ****** **** ** '****** hotel' ****** **** *** **** **** $** ***. ** ********, enterprise-grade ********** ********** ****** ******* ******* ***** **** ******* ** $1000 *** ****.

** *******, **** ***** *** ******** ** *** **** *** most ******* **** ***** ***** *********** ** ******* *******. ****** other ***** ** ********** ****** *******, *********** ******* **** **** with * ******** **** ** **** *** ****** ** ******* to ******** *****.

Hotel ******** *** *****

*** ******* ****** ********** ** ********* ******* '***********' *** ********** EAC ******* ** *** **** ** *** **********. 

** * *********** ******, *** **** **** ****** ** ******* command ** **** *** ****. * *********** **** **** *** no ********* ************* ** *** ***** * ********** *** **, it **** ***** **** *** **** ***** ********* '***** **' to ****. *** ********** ******** ******** *** ********* *** **** needed ** ******** *** ****.  

** ********, ** ********** *** ****** **** **** *** ********** to ******** * ******* *** ******. *** ********** ****** **** not ***** * ******* ** **** *** ****, ** ****** identifies *** ****** ******* ** '********' ******* *** *****. *** networked ******** ** *** ****** ****** **** * ******* ********, and **** ******** ******** ** ****** ***** ***** ** **** database. ******* *** **** ****** ** *********, * ********** **** can ** '****** ***' ** ******** ***********.

Protecting ******* ********** ******

* ****** ******** **** ****** **** *********** ******* ** "*** does *** **** **** **** ** **** ** ****?" ***** a ****** ***** **/***** *** ********, **** ****** ** ********** by *** '***** **** *****' ** ****** ******* ** *** card. **** *** ***** *** **** ** *******, *** ******* data ** *** **** ** **** ** '*******' ****** * certain *****. *******, *** ******* **********, **** ********** ***** *****-**** or ******** *****, ******** ***** **** * ***** ****. ** accommodate *** ***** **********, ** ** * ****** *********** **** cards *** *** ************ ***** *** '*********' ***** ***, *** the '********' ***** ** * ***** **** **** *** ******* daily **** *** ************ ***** ****** ***** ***** ***** ****** their ******.

************, ******** ***** *** *** *********** ** *** **** ****** rules ** ***** *****, *** *** ** ********** *** ********** access. *******, * ****** ******* ** ***** ***** ** *** 'mechanical ********' ******** **** ******** *** ******** **** ****** **** thrown. *** ***** *************, ** ** ****** ** *** * mechanical, ***** **** **** ** *** ***** **** ****** ****** in ** *********.

Advantages ** *********** *******

*** ******* ************** ** ***** ******* ******* *** **** *** inexpensive ** ********, ********, *** *******.  ******* *** ****** '**** tech' ********** ***** ******* **** ******, *********** * *** **** and ******* ** ** * ***** ** **** ****** *** inexperienced ****** ** ******, *** ******* ** ***** ********** ****** can ****** ** ****** **** ****** **** ******* '*** **********' like *********** *******.

***** ********** *******:

  • ******* ********** ***** ** *******
  • **** ** ********** ***** ** ************* ****
  • *** ** ********** '****** ***' ** ******** ********** ******** **** inside ****
  • ********** ******** **** ***** ********* ****** ** *** *****
  • *********, **** ******** **** ** ** *** - *** ****** allowing *** ******** ************** ** ******

Advantages ** ********** *******

*******, *********** ********** ****** *** *** ******** *** ****** ********** and **** ******** **** ***** ******* ********* ***'*:

  • *********** ************** ** ********* *******
  • ******* ** ******* ******** ****** ********* *** ****** *********
  • *********** *** ** *********** ******* ** '***********'
  • ***** *** *********** ** '****** ****'
  • *********** *** **** ** * ****-********* *****, *** ***** ******** credentials
  • ******** ** *** ********* ******* ** ******* *****, *** ** more ******** *** ******* ** ********
  • **** ********* ** *** ****** ****** ** ***********

Hotel ******* *** ****** ****** ********

*********** ****** ***************** *** ************ *** *******, ***** ********* *** *********** ********** *******. **** business ***** ** ********* *** ******* *******:

  • ******* *** **** ***, ********* ******* *** ****** ********* ** integrator **** ******.
  • ** *** **** **** ** *** ****, *** ************ ** able ** ******* *******. ***** ******* ****** ** *** '***' of *********** ******* ******, *** ** * ****** **** **** the **** ******** *** ************ ***** **** ****.
  • *********** ****** ********* ***** '******* *******' ** '****** *****', *** would ****** *** *********** ******** (*****, ******* *****) **** ********** pricing ******** **** *********** ****** ************, ****** **** ******** ***********.

Hotel ****** ******** ********

******* ****** ********* **** ********* *** ***** ** ***** ****** systems ******** ** ********** ******.  **** **** *******, ***** * careless ** ******** ***** ******* ***** ***** **** **** * 'Master ***' ********, *********** ******** * ****** ***** ** **** every ****:

*** **** ********* ** **** ******** *** ** *******, *** not ********** ********* **** ***** ****** *******. **** * ***** networked ********** ****** ******, **** ** ***** ***** *********** ** corrected ** ****, *** *** **** **** ****** ********** ** simply *** **** ** ****** ****** ** ******* ***** ***** the ******* ** *********.

**********

***** ******** ** ****, *********** ****** ******* ** *** * market ******* ********* ******** ** *** ******** **********. ***** ********** certainly *****, *** ******* *** **** *** *** ******* ****** opportunity *** **** ******* ********* ***** ******* *********. ** *******, the ******** ******** ** *********** '*********' ****** ******* ** **** as '********' *** ******* ******** ** *** *** ****, ******* built ************ ***** ** *** *********** ******.

[****: ** ******* ******* ** **** *** ********* ** **** but *** ************* ******* *** ******** ** ****.]

Comments (10)

Great article. When I was younger I was fascinated with these systems (especially the cards with all the little Braille-like holes), but no one I knew could explain.

A couple questions:

In a hospitality system, the card read issues an encoded command to open the lock. A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

Can a door reader ever rewrite cards?

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

In general, no. Unless the card itself tells the lock 'I'm valid right now", it just is ignored. Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

Can a door reader ever rewrite cards?

For most systems, no. There may be some systems that can invalidate cards if they are inserted in locks (This is the way Salto Access 'networked cards' work for example), but the vast majority of hotel system locks are 'read-only' units.

Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

So in your example of early checkout, what denies the old card, (or its duplicates), from opening the door of the new guests?

The encoding machine at the front desk is the kingpin here. As soon as the new card is presented to the door lock, the old card is no longer valid.

A lock is typically only able to have one valid guest.

So it is not a 'blacklist', but rather 'active valid cards must have these values'.

I agree with your responses.

My initial question was about

A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

IMHO, the credential encoding of a given key has all but one piece of data needed to activate the lock, namely value from the previous open.

The lock needs to maintain the current state of what the last valid key sequence used was, so that it can reject credentials issued earlier and accept those equal or later. If the lock were to lose the power (and that value), for instance, an old or new credential might be accepted.

Thanks for the answers; this is a minor point in any case.

I think 'blacklist' is too strong of a term here. The lock does have a memory of which cards were used to open it, but 'blacklist' meaning active denial is not quite right. Cards are read to be invalid based on expired dates/times or because they've had their function preempted by another valid read.

Those cards housekeeping carry may also be used for quality control too. As in: once guest card 'A' expires, guest card 'B' cannot be used until a 'Housekeeping' function card opens the door, signifying a visit and room cleaning. Rather - new guests can't enter a dirty room.

Now, these rules aren't always put in place, but some hospitality operators use the access system for process/quality control in this way.

Brian, good article. A few years ago a hack of Onity locks was reported at Black Hat using a portable programmer to gain entry. I wonder if there are still vulnerable locks out there, particularly at independently operated hotels.

http://www.forbes.com/sites/andygreenberg/2013/05/15/hotel-lock-hack-still-being-used-in-burglaries-months-after-lock-firms-fix/#2a385bcd5434

Also, every one of the hotels I've stayed in this year have updated to a proximity card solution. Some hotels even use an app on your phone that communicates with the lock when in range. It might be a nice follow up to explore how the same comparisons with these new technologies in the hospitality space.

Thank you for this article,

I was always curious how those systems worked.

You've forgotten to mention the role of an enterprise access system in health and safety / operational health and safety. It'll often be feasible to get an idea in real time how many guests are in their hotel rooms should an emergency happen. Especially if combined with those captive room power enabling switches for the access credential

Hey Brian….nice update on the hospitality market. You are correct it is far too expensive (even for new build let alone retro fit installs) to wire every room door and that is the main reason why each door is basically its’ own controller in the hospitality market.

Another reason why manufactures are so vertically integrated (install directly or through subs) is that hotel access falls in the grey area between traditional security and locksmith markets. Most security guys I know are not fond of installing door hardware and locksets with associated life safety issues and liability. And locksmiths (overall) are not big on programming, initializing, commissioning, maintaining the electronic/software application side of these systems.

Although the gap is closing for sure – imagine what it was like when these card systems first came on the market 30 some years ago.

Finally, hotels demand to know where the buck stops when something is not working not only after a new installation but for the life of the system (>10 yrs)…and to get training and parts (hundreds of part numbers in each system) immediately. Remember this is a perishable product. If they can’t rent a room that night...they lose revenue that cannot be replaced. Many are big brands and/or ownership groups that require the kind of national and sometimes international support that cannot be consistently supported by local or regional contractors. So that is why this market is kind of carved out from the rest.

No question the vast majority of hotel access systems remain “off line”….these are starting to change slowly over time mainly through wireless solutions or some form of hybrid wireless/wired network. As wireless technologies become more ubiquitous for secure communications many of these ‘online’ systems are trickling down from the biggest properties to more modest ones. This trend has already started to impact the traditional access markets. This is worth keeping an eye on by security integrators. (i.e. Education, Multi-Housing, Healthcare markets)

Lastly, RFID cards are becoming more common slowly but surely just as happened in 90s for access control. The main issue here is price/card…. but the hotels are getting over it and touting the higher security, easier/cooler customer experience, and benefiting from reduced maintenance of cleaning/replacing door readers and reprogramming demagnetized cards. Interestingly some manufactures are choosing open card protocols (buy wherever you want) and others are closed (only from mfg). Sound familiar? But that is another discussion!!! Thanks Brian.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Openpath Access Control Tested on Nov 20, 2018
Big investment in access startups is uncommon, but Openpath has recently attracted $20 million doing just that. The company has limited security...
Arcules Cloud VMS Tested on Nov 19, 2018
Arcules is a big bet, or as they describe themselves a 'bold company', spun out and backed by Milestone and Canon.  But how good is Arcules cloud...
Directory of Video Intercoms on Nov 13, 2018
Video Intercoms, also known as Video Door-Phones or Video Entry Systems, have been growing in the past decade as more and more IP camera...
Beware Amazon Go Store Hype (Tested) on Nov 13, 2018
IPVM's trip to and testing of Amazon Go's San Francisco store shows a number of significant operational and economic issues that undermine the...
Axis 2N Intercom Tested on Nov 08, 2018
Axis expanded its video intercom business buying Czech-based 2N in 2016. Despite competing against owner Axis' intercoms, 2N recently registered as...
Haven Targets School Security with Lockdown Lineup on Nov 08, 2018
Haven, a US startup founded in 2014 as a residential-focused company, has now raised funding and is offering a lineup of commercial grade locks for...
Directory Of Video Doorbells on Nov 06, 2018
Video doorbells are one of the fastest growing categories in video surveillance, especially among residences. The optimal placement of these...
HID: Stop Selling Cracked 125 kHz Credentials on Nov 05, 2018
HID should stop selling cracked 125 kHz access control credentials, that have been long cracked and can easily be copied by cheap cloners sold on...
Worst Products on Nov 03, 2018
Security integrators periodically report on their favorite and worst products to IPVM. These are known integrators who IPVM pays to answer surveys....
Solar-Powered, Smart-Phone-Based Access Kit (VIZPin) Examined on Nov 02, 2018
Cloud-based access control company VIZPin is releasing a solar-powered and smart phone based access control system for gates and other remote...

Most Recent Industry Reports

Ideal SecuriTest IP Vs Unbranded IP Camera Install Tools on Nov 21, 2018
In our recent IP camera installation tool shootout, multiple members questioned the Ideal SecuriTest IP's features compared to low-cost unbranded...
Intel Neural Compute Stick 2 / Movidius AI Test on Nov 21, 2018
AI is a major trend in video surveillance with manufacturers paying significant attention to Intel's Movidius Myriad chips. Indeed, Avigilon has...
Openpath Access Control Tested on Nov 20, 2018
Big investment in access startups is uncommon, but Openpath has recently attracted $20 million doing just that. The company has limited security...
No GDPR Penalties For UK Swann 'Spying Hack' on Nov 20, 2018
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no...
Milestone Disrupts Milestone With Arcules on Nov 19, 2018
Milestone is now competing against... Milestone's own spinout Arcules. New IPVM testing shows that Arcules has incorporated a substantial amount...
Pressure Mounts Against Dahua and Hikvision Xinjiang Business on Nov 19, 2018
Pressure is mounting against Hikvision, Dahua, and other companies operating in Xinjiang as an international outcry brews against the Chinese...
Arcules Cloud VMS Tested on Nov 19, 2018
Arcules is a big bet, or as they describe themselves a 'bold company', spun out and backed by Milestone and Canon.  But how good is Arcules cloud...
'Sticker' Surveillance Camera Developed (CSEM Witness) on Nov 16, 2018
The Swiss Center for Electronics and Microtechnology (CSEM) has announced what it calls the: world’s first fully autonomous camera that can be...
ISC East 2018 Mini-Show Final Report on Nov 16, 2018
This is our second (updated) and final show report from ISC East. ISC East, by its own admission, is not a national or international show, billed...
Facial Detection Tested on Nov 16, 2018
Facial detection and recognition are increasingly offered by video surveillance manufacturers. Facial detection detects faces in an image/video...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact