Hotel Access Control Explained

By: Brian Rhodes, Published on Aug 17, 2016

Hotel access control seems to work magically. Unlike electronic access control systems used in commercial security, doors in hotels are not typically connected to a central server to confirm access.

*** **** ** **** then? *** *** *** hotel ****** **** ***** are **** ********? ****** this ****, ** *****:

  • ******* ********* *** ******
  • ******* ******** **********
  • ***** **** **** *****
  • *** ***** ***** *** Smart
  • ********** ******* ********** ******
  • ********** ** ***** ****** *******
  • ********** ** ********** *******
  • ***** ****** ******** ********

Keycard ********

** *** *********** ********, 'key ****' ******* *** typically ******** ***** ***** mag ****** **********. * 'system' ** ******** ** individual, ***-********* **** ******/*****, a **** **********, *** encoded ****** *****. *** central ********** ***********, ******* at *** ***** ****, encodes * ******* **** common ****** ****.

***** ******* ****** ***:

  • ********: * ****** **** to ******** *** ******* as * '***** ****', 'Master ***', '************ ****', or ***** **** ** role. '***** *****' ********* open *** ****, ***** a '****** ***' **** may **** **** ***.
  • ***** ****/****: *** **** ****** a **** ** **** to **** * ****. This *** **** ******* a '***** ****' ** calibrate ******* **** ****** time.
  • **** ******: * ****** ** value ******** ** *** lock/room *** **** *****.  This ********* ****** ******* to *** **** *** guest ****.
  • ******** ******: * ****** **** that ********** *** ********** property/floor/wing * **** ** encoded ***.  **** ******** using *** **** *** 'Room ***' ** ******** facilities.

*** **** **** ****** on *** **** ****** to ********* **** ** should ******, ** *** system ****** ** *********** not ********* *** **** lock ** '*******' *** makes ** ****** ******** only **** * **** is *********.  

Keycard ******

******** **** ** ***** for ***** ******* ** make ******** *****.  ****** brass **** ****, ******** must ** ********** ** cheap ****** ** ******* after * ****** ***.

*** **** ****** ***** are **** **** ***** **** cost ****** $*.** - *.** *** card. This ******** **** ******** *.***" x *.***", *** **** size ** * ****** card, *** *** ********* made ** *********** *** plastic.  ** **** *****, the **** ** ***** cards *** ******* ********** as ************* ***** ** marketing ********* ********, ***** restaurants, ** *********** ****** a *****:

Magstripe Encoded *****

* *** ***** ** these ***********: *** **** stripes ** ***** ***** are * '******' ********** ************* ****** ******** ** **** ********* types ** *********** **** contactless **********.

***** **** *** ****** in *** ******** '***************' of ***** ***** ** subjected ** **** **** magnetic *******, **** ********* is ***** ********* ** a ******** *********** ** the **** ** '***** service ****' ** *** issued **********. *** ******** card ******** ****** ******** the ***** ******* ** expiring ***** * ***** time, ***** * *** days.

 
 
Door **** *****
 

***** *** ***** ** door ******** *** **** greatly ********* ** ****** and ******, '*****' ***** can ** ********* *** less **** $*** ***. Some ******* ****** **** in '****** *****' ****** sell *** **** **** $75 ***. ** ********, enterprise-grade ********** ********** ****** control ******* ***** **** upwards ** $**** *** door.

** *******, **** ***** are ******** ** *** only *** **** ******* door ***** ***** *********** or ******* *******. ****** other ***** ** ********** access *******, *********** ******* only **** **** * specific **** ** **** and ****** ** ******* to ******** *****.

Hotel ******** *** *****

*** ******* ****** ********** in ********* ******* '***********' and ********** *** ******* is *** **** ** the **********. 

** * *********** ******, the **** **** ****** an ******* ******* ** open *** ****. * hospitality **** **** *** no ********* ************* ** how ***** * ********** may **, ** **** opens **** *** **** being ********* '***** **' to ****. *** ********** encoding ******** *** ********* and **** ****** ** activate *** ****.  

** ********, ** ********** EAC ****** **** **** the ********** ** ******** a ******* *** ******. The ********** ****** **** not ***** * ******* to **** *** ****, it ****** ********** *** holder ******* ** '********' dataset *** *****. *** networked ******** ** *** reader ****** **** * central ********, *** **** actuates ******** ** ****** entry ***** ** **** database. ******* *** **** reader ** *********, * credential **** *** ** 'turned ***' ** ******** immediately.

Protecting ******* ********** ******

* ****** ******** **** arises **** *********** ******* is "*** **** *** door **** **** ** deny ** ****?" ***** a ****** ***** **/***** out ********, **** ****** is ********** ** *** 'valid **** *****' ** access ******* ** *** card. **** *** ***** out **** ** *******, the ******* **** ** the **** ** **** as '*******' ****** * certain *****. *******, *** dynamic **********, **** ********** early *****-**** ** ******** stays, ******** ***** **** a ***** ****. ** accommodate *** ***** **********, it ** * ****** requirement **** ***** *** the ************ ***** *** 'refreshed' ***** ***, *** the '********' ***** ** a ***** **** **** are ******* ***** **** the ************ ***** ****** their ***** ***** ****** their ******.

************, ******** ***** *** not *********** ** *** same ****** ***** ** guest *****, *** *** be ********** *** ********** access. *******, * ****** feature ** ***** ***** is *** '********** ********' deadbolt **** ******** *** external **** ****** **** thrown. *** ***** *************, it ** ****** ** see * **********, ***** door **** ** *** lever **** ****** ****** in ** *********.

Advantages ** *********** *******

*** ******* ************** ** hotel ******* ******* *** they *** *********** ** purchase, ********, *** *******.  Despite *** ****** '**** tech' ********** ***** ******* give ******, *********** * new **** *** ******* it ** * ***** is **** ****** *** inexperienced ****** ** ******, and ******* ** ***** disposable ****** *** ****** be ****** **** ****** than ******* '*** **********' like *********** *******.

***** ********** *******:

  • ******* ********** ***** ** program
  • **** ** ********** ***** by ************* ****
  • *** ** ********** '****** off' ** ******** ********** deadbolt **** ****** ****
  • ********** ******** **** ***** emergency ****** ** *** times
  • *********, **** ******** **** up ** *** - 500 ****** ******** *** forensic ************** ** ******

Advantages ** ********** *******

*******, *********** ********** ****** has *** ******** *** access ********** *** **** security **** ***** ******* generally ***'*:

  • *********** ************** ** ********* support
  • ******* ** ******* ******** ****** schedules *** ****** *********
  • *********** *** ** *********** revoked ** '***********'
  • ***** *** *********** ** 'locked ****'
  • *********** *** **** ** a ****-********* *****, *** carry ******** ***********
  • ******** ** *** ********* powered ** ******* *****, and ** **** ******** and ******* ** ********
  • **** ********* ** *** events ****** ** ***********

Hotel ******* *** ****** ****** ********

*********** ****** ***************** *** ************ *** *******, ***** bypassing *** *********** ********** channel. **** ******** ***** is ********* *** ******* reasons:

  • ******* *** **** ***, typically ******* *** ****** threshold ** ********** **** pursue.
  • ** *** **** **** of *** ****, *** manufacturer ** **** ** control *******. ***** ******* depend ** *** '***' of *********** ******* ******, and ** * ****** they **** *** **** hardware *** ************ ***** near ****.
  • *********** ****** ********* ***** 'keycard *******' ** '****** items', *** ***** ****** buy *********** ******** (*****, battery *****) **** ********** pricing ******** **** *********** supply ************, ****** **** security ***********.

Hotel ****** ******** ********

******* ****** ********* **** magnified *** ***** ** hotel ****** ******* ******** to ********** ******.  **** this *******, ***** * careless ** ******** ***** encoded ***** ***** **** with * '****** ***' function, *********** ******** * single ***** ** **** every ****:

*** **** ********* ** this ******** *** ** avoided, *** *** ********** mitigated **** ***** ****** systems. **** * ***** networked ********** ****** ******, such ** ***** ***** immediately ** ********* ** made, *** *** **** lock ****** ********** ** simply *** **** ** remain ****** ** ******* users ***** *** ******* is *********.

**********

***** ******** ** ****, hospitality ****** ******* ** not * ****** ******* typically ******** ** *** security **********. ***** ********** certainly *****, *** ******* for **** *** *** limited ****** *********** *** high ******* ********* ***** systems *********. ** *******, the ******** ******** ** traditional '*********' ****** ******* is **** ** '********' and ******* ******** ** the *** ****, ******* built ************ ***** ** the *********** ******.

[****: ** ******* ******* of **** *** ********* in **** *** *** substantially ******* *** ******** in ****.]

Comments (10)

Great article. When I was younger I was fascinated with these systems (especially the cards with all the little Braille-like holes), but no one I knew could explain.

A couple questions:

In a hospitality system, the card read issues an encoded command to open the lock. A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

Can a door reader ever rewrite cards?

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

In general, no. Unless the card itself tells the lock 'I'm valid right now", it just is ignored. Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

Can a door reader ever rewrite cards?

For most systems, no. There may be some systems that can invalidate cards if they are inserted in locks (This is the way Salto Access 'networked cards' work for example), but the vast majority of hotel system locks are 'read-only' units.

Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

So in your example of early checkout, what denies the old card, (or its duplicates), from opening the door of the new guests?

The encoding machine at the front desk is the kingpin here. As soon as the new card is presented to the door lock, the old card is no longer valid.

A lock is typically only able to have one valid guest.

So it is not a 'blacklist', but rather 'active valid cards must have these values'.

I agree with your responses.

My initial question was about

A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

IMHO, the credential encoding of a given key has all but one piece of data needed to activate the lock, namely value from the previous open.

The lock needs to maintain the current state of what the last valid key sequence used was, so that it can reject credentials issued earlier and accept those equal or later. If the lock were to lose the power (and that value), for instance, an old or new credential might be accepted.

Thanks for the answers; this is a minor point in any case.

I think 'blacklist' is too strong of a term here. The lock does have a memory of which cards were used to open it, but 'blacklist' meaning active denial is not quite right. Cards are read to be invalid based on expired dates/times or because they've had their function preempted by another valid read.

Those cards housekeeping carry may also be used for quality control too. As in: once guest card 'A' expires, guest card 'B' cannot be used until a 'Housekeeping' function card opens the door, signifying a visit and room cleaning. Rather - new guests can't enter a dirty room.

Now, these rules aren't always put in place, but some hospitality operators use the access system for process/quality control in this way.

Brian, good article. A few years ago a hack of Onity locks was reported at Black Hat using a portable programmer to gain entry. I wonder if there are still vulnerable locks out there, particularly at independently operated hotels.

http://www.forbes.com/sites/andygreenberg/2013/05/15/hotel-lock-hack-still-being-used-in-burglaries-months-after-lock-firms-fix/#2a385bcd5434

Also, every one of the hotels I've stayed in this year have updated to a proximity card solution. Some hotels even use an app on your phone that communicates with the lock when in range. It might be a nice follow up to explore how the same comparisons with these new technologies in the hospitality space.

Thank you for this article,

I was always curious how those systems worked.

You've forgotten to mention the role of an enterprise access system in health and safety / operational health and safety. It'll often be feasible to get an idea in real time how many guests are in their hotel rooms should an emergency happen. Especially if combined with those captive room power enabling switches for the access credential

Hey Brian….nice update on the hospitality market. You are correct it is far too expensive (even for new build let alone retro fit installs) to wire every room door and that is the main reason why each door is basically its’ own controller in the hospitality market.

Another reason why manufactures are so vertically integrated (install directly or through subs) is that hotel access falls in the grey area between traditional security and locksmith markets. Most security guys I know are not fond of installing door hardware and locksets with associated life safety issues and liability. And locksmiths (overall) are not big on programming, initializing, commissioning, maintaining the electronic/software application side of these systems.

Although the gap is closing for sure – imagine what it was like when these card systems first came on the market 30 some years ago.

Finally, hotels demand to know where the buck stops when something is not working not only after a new installation but for the life of the system (>10 yrs)…and to get training and parts (hundreds of part numbers in each system) immediately. Remember this is a perishable product. If they can’t rent a room that night...they lose revenue that cannot be replaced. Many are big brands and/or ownership groups that require the kind of national and sometimes international support that cannot be consistently supported by local or regional contractors. So that is why this market is kind of carved out from the rest.

No question the vast majority of hotel access systems remain “off line”….these are starting to change slowly over time mainly through wireless solutions or some form of hybrid wireless/wired network. As wireless technologies become more ubiquitous for secure communications many of these ‘online’ systems are trickling down from the biggest properties to more modest ones. This trend has already started to impact the traditional access markets. This is worth keeping an eye on by security integrators. (i.e. Education, Multi-Housing, Healthcare markets)

Lastly, RFID cards are becoming more common slowly but surely just as happened in 90s for access control. The main issue here is price/card…. but the hotels are getting over it and touting the higher security, easier/cooler customer experience, and benefiting from reduced maintenance of cleaning/replacing door readers and reprogramming demagnetized cards. Interestingly some manufactures are choosing open card protocols (buy wherever you want) and others are closed (only from mfg). Sound familiar? But that is another discussion!!! Thanks Brian.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems connecting software, readers, and locks. Despite being buried inside...
Securing Access Control Installations Tutorial on Oct 17, 2019
The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be...
Access Control Course Fall 2019 - Last Chance on Oct 17, 2019
Register Now - Fall 2019 Access Control Course. Thursday, October 17th is the last day to register. IPVM offers the most comprehensive access...
Pelco CEO Out, New CEO Found on Oct 15, 2019
Just 2 months after Pelco was sold, Pelco's CEO is out, with Pelco bringing in an outside President and searching for a new CEO from the industry,...
HID Fingerprint Reader Tested on Oct 09, 2019
HID has released their first access reader to use Lumidigm optical sensors, that touts it 'works with anyone, anytime, anywhere'. We bought and...
Fail Safe vs. Fail Secure Tutorial on Oct 02, 2019
Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these...
Access Control Mustering Guide on Sep 30, 2019
In emergencies, determining where employees are located can be critical for knowing whether they are in danger. Access systems can be used for...
Access Control Mantraps Guide on Sep 26, 2019
One of access's primary goals is keeping people out of places they should not be, but slipping through open doors (ie: Tailgating) is often...
Access Control Time & Attendance Guide on Sep 24, 2019
Access control systems can do more than lock doors. With little or no extra equipment, they can be used to track labor hours for employees...
Open Access Controller Guide (Axis, HID, Isonas, Mercury) on Sep 19, 2019
In the access control market, there are many software platforms, but only a few companies that make non-proprietary door controllers. Recently,...

Most Recent Industry Reports

Resideo Stock Plunges 40%, CFO Ousted on Oct 23, 2019
The horrible year for the ADI / Honeywell Home spinout, Resideo, just got worse, with their stock plunging another 40% today. Not even a year...
Access Control Door Controllers Guide on Oct 22, 2019
Door controllers are at the center of physical access control systems connecting software, readers, and locks. Despite being buried inside...
Alarm.com Acquires OpenEye on Oct 21, 2019
Alarm.com is targeting commercial expansion and now they have a commercial cloud VMS with the acquisition of OpenEye. In this note, based on...
Government-Owned Hikvision Wants To Keep Politics Out Of Security on Oct 21, 2019
'Politics' made Hikvision the goliath it is today. It was PRC China 'politics' that created Hikvision, funded it, and blocked its foreign...
Integrated IR Camera Usage Statistics 2019 on Oct 21, 2019
Virtually every IP camera now comes with integrated IR but how many actually make use of IR or choose 'super' low light cameras without IR? In...
Alarm Veteran "Demands A Criminal Investigation" Of UL on Oct 18, 2019
The Interceptor's Project pressure against UL continues to rise. Following Keith Jentoft's allegation that "UL Has Blood On Their Hands", Jentoft...
Camect "Worlds Smartest Camera Hub" Tested on Oct 18, 2019
Camect is a Silicon Valley startup that claims the "Smartest AI Object Detection On The Market", detecting not only people and vehicles, but...
Hikvision Global News Reports Directory on Oct 17, 2019
Hikvision has received the most global news reporting of any video surveillance company, ever, ranging from the WSJ, the Financial Times, Reuters,...
Camera Calculator V3.1 Release Improves User Experience on Oct 17, 2019
IPVM has released a new version of our Camera Calculator, V3.1, with significant user experience improvements, a new development plan, and an...