Hotel Access Control Explained

Author: Brian Rhodes, Published on Aug 17, 2016

Hotel access control seems to work magically. Unlike electronic access control systems used in commercial security, doors in hotels are not typically connected to a central server to confirm access.

*** **** ** **** ****? *** *** *** ***** ****** that ***** *** **** ********? ****** **** ****, ** *****:

  • ******* ********* *** ******
  • ******* ******** **********
  • ***** **** **** *****
  • *** ***** ***** *** *****
  • ********** ******* ********** ******
  • ********** ** ***** ****** *******
  • ********** ** ********** *******
  • ***** ****** ******** ********

Keycard ********

** *** *********** ********, '*** ****' ******* *** ********* ******** using ***** *** ****** **********. * '******' ** ******** ** individual, ***-********* **** ******/*****, * **** **********, *** ******* ****** cards. *** ******* ********** ***********, ******* ** *** ***** ****, encodes * ******* **** ****** ****** ****.

***** ******* ****** ***:

  • ********: * ****** **** ** ******** *** ******* ** * 'guest ****', '****** ***', '************ ****', ** ***** **** ** role. '***** *****' ********* **** *** ****, ***** * '****** Key' **** *** **** **** ***.
  • ***** ****/****: *** **** ****** * **** ** **** ** **** a ****. **** *** **** ******* * '***** ****' ** calibrate ******* **** ****** ****.
  • **** ******: * ****** ** ***** ******** ** *** ****/**** *** card *****. **** ********* ****** ******* ** *** **** *** guest ****.
  • ******** ******: * ****** **** **** ********** *** ********** ********/*****/**** * card ** ******* ***. **** ******** ***** *** **** *** 'Room ***' ** ******** **********.

*** **** **** ****** ** *** **** ****** ** ********* when ** ****** ******, ** *** ****** ****** ** *********** not ********* *** **** **** ** '*******' *** ***** ** access ******** **** **** * **** ** *********.

Keycard ******

******** **** ** ***** *** ***** ******* ** **** ******** sense. ****** ***** **** ****, ******** **** ** ********** ** cheap ****** ** ******* ***** * ****** ***.

*** **** ****** ***** *** **** **** ***** **** **** around $*.** - *.** *** ****. **** ******** **** ******** 3.375" * *.***", *** **** **** ** * ****** ****, and *** ********* **** ** *********** *** *******. ** **** cases, *** **** ** ***** ***** *** ******* ********** ** advertisement ***** ** ********* ********* ********, ***** ***********, ** *********** nearby * *****:

Magstripe ******* *****

* *** ***** ** ***** ***********: *** **** ******* ** these ***** *** * '******' ********** ************* ************** ** **** ********* ***** ** *********** **** *********** **********.

***** **** *** ****** ** *** ******** '***************' ** ***** cards ** ********* ** **** **** ******** *******, **** ********* is ***** ********* ** * ******** *********** ** *** **** of '***** ******* ****' ** *** ****** **********. *** ******** card ******** ****** ******** *** ***** ******* ** ******** ***** a ***** ****, ***** * *** ****.

Door **** *****

***** *** ***** ** **** ******** *** **** ******* ********* on ****** *** ******, '*****' ***** *** ** ********* *** less **** $*** ***. **** ******* ****** **** ** '****** hotel' ****** **** *** **** **** $** ***. ** ********, enterprise-grade ********** ********** ****** ******* ******* ***** **** ******* ** $1000 *** ****.

** *******, **** ***** *** ******** ** *** **** *** most ******* **** ***** ***** *********** ** ******* *******. ****** other ***** ** ********** ****** *******, *********** ******* **** **** with * ******** **** ** **** *** ****** ** ******* to ******** *****.

Hotel ******** *** *****

*** ******* ****** ********** ** ********* ******* '***********' *** ********** EAC ******* ** *** **** ** *** **********.

** * *********** ******, *** **** **** ****** ** ******* command ** **** *** ****. * *********** **** **** *** no ********* ************* ** *** ***** * ********** *** **, it **** ***** **** *** **** ***** ********* '***** **' to ****. *** ********** ******** ******** *** ********* *** **** needed ** ******** *** ****.

** ********, ** ********** *** ****** **** **** *** ********** to ******** * ******* *** ******. *** ********** ****** **** not ***** * ******* ** **** *** ****, ** ****** identifies *** ****** ******* ** '********' ******* *** *****. *** networked ******** ** *** ****** ****** **** * ******* ********, and **** ******** ******** ** ****** ***** ***** ** **** database. ******* *** **** ****** ** *********, * ********** **** can ** '****** ***' ** ******** ***********.

Protecting ******* ********** ******

* ****** ******** **** ****** **** *********** ******* ** "*** does *** **** **** **** ** **** ** ****?" ***** a ****** ***** **/***** *** ********, **** ****** ** ********** by *** '***** **** *****' ** ****** ******* ** *** card. **** *** ***** *** **** ** *******, *** ******* data ** *** **** ** **** ** '*******' ****** * certain *****. *******, *** ******* **********, **** ********** ***** *****-**** or ******** *****, ******** ***** **** * ***** ****. ** accommodate *** ***** **********, ** ** * ****** *********** **** cards *** *** ************ ***** *** '*********' ***** ***, *** the '********' ***** ** * ***** **** **** *** ******* daily **** *** ************ ***** ****** ***** ***** ***** ****** their ******.

************, ******** ***** *** *** *********** ** *** **** ****** rules ** ***** *****, *** *** ** ********** *** ********** access. *******, * ****** ******* ** ***** ***** ** *** 'mechanical ********' ******** **** ******** *** ******** **** ****** **** thrown. *** ***** *************, ** ** ****** ** *** * mechanical, ***** **** **** ** *** ***** **** ****** ****** in ** *********.

Advantages ** *********** *******

*** ******* ************** ** ***** ******* ******* *** **** *** inexpensive ** ********, ********, *** *******. ******* *** ****** '**** tech' ********** ***** ******* **** ******, *********** * *** **** and ******* ** ** * ***** ** **** ****** *** inexperienced ****** ** ******, *** ******* ** ***** ********** ****** can ****** ** ****** **** ****** **** ******* '*** **********' like *********** *******.

***** ********** *******:

  • ******* ********** ***** ** *******
  • **** ** ********** ***** ** ************* ****
  • *** ** ********** '****** ***' ** ******** ********** ******** **** inside ****
  • ********** ******** **** ***** ********* ****** ** *** *****
  • *********, **** ******** **** ** ** *** - *** ****** allowing *** ******** ************** ** ******

Advantages ** ********** *******

*******, *********** ********** ****** *** *** ******** *** ****** ********** and **** ******** **** ***** ******* ********* ***'*:

  • *********** ************** ** ********* *******
  • ******* ** ******* ******** ****** ********* *** ****** *********
  • *********** *** ** *********** ******* ** '***********'
  • ***** *** *********** ** '****** ****'
  • *********** *** **** ** * ****-********* *****, *** ***** ******** credentials
  • ******** ** *** ********* ******* ** ******* *****, *** ** more ******** *** ******* ** ********
  • **** ********* ** *** ****** ****** ** ***********

Hotel ******* *** ****** ****** ********

*********** ****** ***************** *** ************ *** *******, ***** ********* *** *********** ********** *******. **** business ***** ** ********* *** ******* *******:

  • ******* *** **** ***, ********* ******* *** ****** ********* ** integrator **** ******.
  • ** *** **** **** ** *** ****, *** ************ ** able ** ******* *******. ***** ******* ****** ** *** '***' of *********** ******* ******, *** ** * ****** **** **** the **** ******** *** ************ ***** **** ****.
  • *********** ****** ********* ***** '******* *******' ** '****** *****', *** would ****** *** *********** ******** (*****, ******* *****) **** ********** pricing ******** **** *********** ****** ************, ****** **** ******** ***********.

Hotel ****** ******** ********

******* ****** ********* **** ********* *** ***** ** ***** ****** systems ******** ** ********** ******. **** **** *******, ***** * careless ** ******** ***** ******* ***** ***** **** **** * 'Master ***' ********, *********** ******** * ****** ***** ** **** every ****:

*** **** ********* ** **** ******** *** ** *******, *** not ********** ********* **** ***** ****** *******. **** * ***** networked ********** ****** ******, **** ** ***** ***** *********** ** corrected ** ****, *** *** **** **** ****** ********** ** simply *** **** ** ****** ****** ** ******* ***** ***** the ******* ** *********.

**********

***** ******** ** ****, *********** ****** ******* ** *** * market ******* ********* ******** ** *** ******** **********. ***** ********** certainly *****, *** ******* *** **** *** *** ******* ****** opportunity *** **** ******* ********* ***** ******* *********. ** *******, the ******** ******** ** *********** '*********' ****** ******* ** **** as '********' *** ******* ******** ** *** *** ****, ******* built ************ ***** ** *** *********** ******.

[****: ** ******* ******* ** **** *** ********* ** **** but *** ************* ******* *** ******** ** ****.]

Comments (10)

Great article. When I was younger I was fascinated with these systems (especially the cards with all the little Braille-like holes), but no one I knew could explain.

A couple questions:

In a hospitality system, the card read issues an encoded command to open the lock. A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

Can a door reader ever rewrite cards?

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

In general, no. Unless the card itself tells the lock 'I'm valid right now', it just is ignored. Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

Can a door reader ever rewrite cards?

For most systems, no. There may be some systems that can invalidate cards if they are inserted in locks (this is the way Salto Access 'networked cards' work, for example), but the vast majority of hotel system locks are 'read-only' units.

Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

So in your example of early checkout, what denies the old card, (or its duplicates), from opening the door of the new guests?

The encoding machine at the front desk is the kingpin here. As soon as the new card is presented to the door lock, the old card is no longer valid.

A lock is typically only able to have one valid guest.

So it is not a 'blacklist', but rather 'active valid cards must have these values'.

I agree with your responses.

My initial question was about

A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

IMHO, the credential encoding of a given key has all but one piece of data needed to activate the lock, namely the value from the previous open.

The lock needs to maintain the current state of what the last valid key sequence used was, so that it can reject credentials issued earlier and accept those equal or later. If the lock were to lose the power (and that value), for instance, an old or new credential might be accepted.

Thanks for the answers; this is a minor point in any case.

I think 'blacklist' is too strong of a term here. The lock does have a memory of which cards were used to open it, but 'blacklist' meaning active denial is not quite right. Cards are read to be invalid based on expired dates/times or because they've had their function preempted by another valid read.

Those cards housekeeping carry may also be used for quality control too. As in: once guest card 'A' expires, guest card 'B' cannot be used until a 'Housekeeping' function card opens the door, signifying a visit and room cleaning. Rather - new guests can't enter a dirty room.

Now, these rules aren't always put in place, but some hospitality operators use the access system for process/quality control in this way.
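
As an added illustration (not part of the original article or comments, and not any vendor's code), the Python model below implements the offline lock behaviour discussed in the comments above: validity by expiry date, a newer guest card preempting the older one, the optional housekeeping-before-new-guest rule, and the effect of the lock losing its remembered state. The card fields, the sequence counter and all class and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Card:
    """Data the front-desk encoder writes to a card (field names are assumed)."""
    room: int
    sequence: int          # issue counter: higher means issued later
    expires: datetime
    role: str = "guest"    # "guest" or "housekeeping"


class OfflineLock:
    """Standalone lock: no network, decides only from the card and its own memory."""
    def __init__(self, room, clean_before_new_guest=False):
        self.room = room
        self.clean_before_new_guest = clean_before_new_guest
        self.current_sequence = 0    # last valid guest sequence seen
        self.needs_cleaning = False  # set by guest entry, cleared by housekeeping

    def present(self, card, now):
        """Return True if the lock opens for this card at time `now`."""
        if now >= card.expires:
            return False                        # date/time validity
        if card.role == "housekeeping":
            self.needs_cleaning = False         # cleaning visit recorded
            return True
        if card.room != self.room:
            return False
        if card.sequence < self.current_sequence:
            return False                        # preempted by a later card
        if card.sequence > self.current_sequence:
            if self.clean_before_new_guest and self.needs_cleaning:
                return False                    # new guest, room not yet cleaned
            self.current_sequence = card.sequence   # older cards are now stale
        self.needs_cleaning = True
        return True

    def lose_state(self):
        """Assumption: the lock's memory is not persisted across power loss."""
        self.current_sequence = 0
        self.needs_cleaning = False


def early_checkout_demo():
    """Constructed scenario: guest A leaves early, guest B gets a newer card."""
    t0 = datetime(2016, 8, 17, 15, 0)
    card_a = Card(room=101, sequence=41, expires=t0 + timedelta(days=3))
    card_b = Card(room=101, sequence=42, expires=t0 + timedelta(days=2))
    maid = Card(room=0, sequence=0, expires=t0 + timedelta(days=1), role="housekeeping")
    lock = OfflineLock(room=101, clean_before_new_guest=True)
    results = {
        "a_first_use": lock.present(card_a, t0),
        "b_before_cleaning": lock.present(card_b, t0),
        "a_still_valid": lock.present(card_a, t0),
        "housekeeping": lock.present(maid, t0),
        "b_after_cleaning": lock.present(card_b, t0),
        "a_after_b": lock.present(card_a, t0),   # unexpired but superseded
    }
    lock.lose_state()
    results["a_after_state_loss"] = lock.present(card_a, t0)
    return results
```

The last result shows why the remembered sequence matters: card A is still within its dates, so a lock that forgets the counter has nothing left to reject it with.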

Brian, good article. A few years ago a hack of Onity locks was reported at Black Hat using a portable programmer to gain entry. I wonder if there are still vulnerable locks out there, particularly at independently operated hotels.

http://www.forbes.com/sites/andygreenberg/2013/05/15/hotel-lock-hack-still-being-used-in-burglaries-months-after-lock-firms-fix/#2a385bcd5434

Also, every one of the hotels I've stayed in this year has updated to a proximity card solution. Some hotels even use an app on your phone that communicates with the lock when in range. It might be a nice follow-up to explore the same comparisons with these new technologies in the hospitality space.

Thank you for this article,

I was always curious how those systems worked.

You've forgotten to mention the role of an enterprise access system in health and safety / operational health and safety. It'll often be feasible to get an idea in real time how many guests are in their hotel rooms should an emergency happen. Especially if combined with those captive room power enabling switches for the access credential.

Hey Brian... nice update on the hospitality market. You are correct it is far too expensive (even for new build let alone retrofit installs) to wire every room door and that is the main reason why each door is basically its own controller in the hospitality market.

Another reason why manufacturers are so vertically integrated (install directly or through subs) is that hotel access falls in the grey area between traditional security and locksmith markets. Most security guys I know are not fond of installing door hardware and locksets with associated life safety issues and liability. And locksmiths (overall) are not big on programming, initializing, commissioning, maintaining the electronic/software application side of these systems.

Although the gap is closing for sure – imagine what it was like when these card systems first came on the market 30 some years ago.

Finally, hotels demand to know where the buck stops when something is not working not only after a new installation but for the life of the system (>10 yrs)…and to get training and parts (hundreds of part numbers in each system) immediately. Remember this is a perishable product. If they can’t rent a room that night...they lose revenue that cannot be replaced. Many are big brands and/or ownership groups that require the kind of national and sometimes international support that cannot be consistently supported by local or regional contractors. So that is why this market is kind of carved out from the rest.

No question the vast majority of hotel access systems remain “off line”….these are starting to change slowly over time mainly through wireless solutions or some form of hybrid wireless/wired network. As wireless technologies become more ubiquitous for secure communications many of these ‘online’ systems are trickling down from the biggest properties to more modest ones. This trend has already started to impact the traditional access markets. This is worth keeping an eye on by security integrators. (i.e. Education, Multi-Housing, Healthcare markets)

Lastly, RFID cards are becoming more common slowly but surely just as happened in 90s for access control. The main issue here is price/card... but the hotels are getting over it and touting the higher security, easier/cooler customer experience, and benefiting from reduced maintenance of cleaning/replacing door readers and reprogramming demagnetized cards. Interestingly some manufacturers are choosing open card protocols (buy wherever you want) and others are closed (only from mfg). Sound familiar? But that is another discussion!!! Thanks Brian.

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.
