Hotel Access Control Explained

Author: Brian Rhodes, Published on Aug 17, 2016

Hotel access control seems to work magically. Unlike electronic access control systems used in commercial security, doors in hotels are not typically connected to a central server to confirm access.

*** **** ** **** then? *** *** *** hotel ****** **** ***** are **** ********? ****** this ****, ** *****:

  • ******* ********* *** ******
  • ******* ******** **********
  • ***** **** **** *****
  • *** ***** ***** *** Smart
  • ********** ******* ********** ******
  • ********** ** ***** ****** Systems
  • ********** ** ********** *******
  • ***** ****** ******** ********

Keycard ********

** *** *********** ********, 'key ****' ******* *** typically ******** ***** ***** mag ****** **********. * 'system' ** ******** ** individual, ***-********* **** ******/*****, a **** **********, *** encoded ****** *****. *** central ********** ***********, ******* at *** ***** ****, encodes * ******* **** common ****** ****.

***** ******* ****** ***:

  • ********: * ****** **** to ******** *** ******* as * '***** ****', 'Master ***', '************ ****', or ***** **** ** role. '***** *****' ********* open *** ****, ***** a '****** ***' **** may **** **** ***.
  • ***** ****/****: *** **** ****** a **** ** **** to **** * ****. This *** **** ******* a '***** ****' ** calibrate ******* **** ****** time.
  • **** ******: * ****** ** value ******** ** *** lock/room *** **** *****. This ********* ****** ******* to *** **** *** guest ****.
  • ******** ******: * ****** **** that ********** *** ********** property/floor/wing * **** ** encoded ***. **** ******** using *** **** *** 'Room ***' ** ******** facilities.

*** **** **** ****** on *** **** ****** to ********* **** ** should ******, ** *** system ****** ** *********** not ********* *** **** lock ** '*******' *** makes ** ****** ******** only **** * **** is *********.

Keycard ******

******** **** ** ***** for ***** ******* ** make ******** *****. ****** brass **** ****, ******** must ** ********** ** cheap ****** ** ******* after * ****** ***.

*** **** ****** ***** are **** **** ***** that **** ****** $*.** - *.** *** ****. This ******** **** ******** 3.375" * *.***", *** same **** ** * credit ****, *** *** typically **** ** *********** PVC *******. ** **** cases, *** **** ** these ***** *** ******* subsidized ** ************* ***** by ********* ********* ********, local ***********, ** *********** nearby * *****:

Magstripe ******* *****

* *** ***** ** these ***********: *** **** stripes ** ***** ***** are * '******' ********** ************* ************** ** **** ********* types ** *********** **** contactless **********.

***** **** *** ****** in *** ******** '***************' of ***** ***** ** subjected ** **** **** magnetic *******, **** ********* is ***** ********* ** a ******** *********** ** the **** ** '***** service ****' ** *** issued **********. *** ******** card ******** ****** ******** the ***** ******* ** expiring ***** * ***** time, ***** * *** days.

Door **** *****

***** *** ***** ** door ******** *** **** greatly ********* ** ****** and ******, '*****' ***** can ** ********* *** less **** $*** ***. Some ******* ****** **** in '****** *****' ****** sell *** **** **** $75 ***. ** ********, enterprise-grade ********** ********** ****** control ******* ***** **** upwards ** $**** *** door.

** *******, **** ***** are ******** ** *** only *** **** ******* door ***** ***** *********** or ******* *******. ****** other ***** ** ********** access *******, *********** ******* only **** **** * specific **** ** **** and ****** ** ******* to ******** *****.

Hotel ******** *** *****

*** ******* ****** ********** in ********* ******* '***********' and ********** *** ******* is *** **** ** the **********.

** * *********** ******, the **** **** ****** an ******* ******* ** open *** ****. * hospitality **** **** *** no ********* ************* ** how ***** * ********** may **, ** **** opens **** *** **** being ********* '***** **' to ****. *** ********** encoding ******** *** ********* and **** ****** ** activate *** ****.

** ********, ** ********** EAC ****** **** **** the ********** ** ******** a ******* *** ******. The ********** ****** **** not ***** * ******* to **** *** ****, it ****** ********** *** holder ******* ** '********' dataset *** *****. *** networked ******** ** *** reader ****** **** * central ********, *** **** actuates ******** ** ****** entry ***** ** **** database. ******* *** **** reader ** *********, * credential **** *** ** 'turned ***' ** ******** immediately.

Protecting ******* ********** ******

* ****** ******** **** arises **** *********** ******* is "*** **** *** door **** **** ** deny ** ****?" ***** a ****** ***** **/***** out ********, **** ****** is ********** ** *** 'valid **** *****' ** access ******* ** *** card. **** *** ***** out **** ** *******, the ******* **** ** the **** ** **** as '*******' ****** * certain *****. *******, *** dynamic **********, **** ********** early *****-**** ** ******** stays, ******** ***** **** a ***** ****. ** accommodate *** ***** **********, it ** * ****** requirement **** ***** *** the ************ ***** *** 'refreshed' ***** ***, *** the '********' ***** ** a ***** **** **** are ******* ***** **** the ************ ***** ****** their ***** ***** ****** their ******.

************, ******** ***** *** not *********** ** *** same ****** ***** ** guest *****, *** *** be ********** *** ********** access. *******, * ****** feature ** ***** ***** is *** '********** ********' deadbolt **** ******** *** external **** ****** **** thrown. *** ***** *************, it ** ****** ** see * **********, ***** door **** ** *** lever **** ****** ****** in ** *********.

Advantages ** *********** *******

*** ******* ************** ** hotel ******* ******* *** they *** *********** ** purchase, ********, *** *******. Despite *** ****** '**** tech' ********** ***** ******* give ******, *********** * new **** *** ******* it ** * ***** is **** ****** *** inexperienced ****** ** ******, and ******* ** ***** disposable ****** *** ****** be ****** **** ****** than ******* '*** **********' like *********** *******.

***** ********** *******:

  • ******* ********** ***** ** program
  • **** ** ********** ***** by ************* ****
  • *** ** ********** '****** off' ** ******** ********** deadbolt **** ****** ****
  • ********** ******** **** ***** emergency ****** ** *** times
  • *********, **** ******** **** up ** *** - 500 ****** ******** *** forensic ************** ** ******

Advantages ** ********** *******

*******, *********** ********** ****** has *** ******** *** access ********** *** **** security **** ***** ******* generally ***'*:

  • *********** ************** ** ********* support
  • ******* ** ******* ******** access ********* *** ****** locations
  • *********** *** ** *********** revoked ** '***********'
  • ***** *** *********** ** 'locked ****'
  • *********** *** **** ** a ****-********* *****, *** carry ******** ***********
  • ******** ** *** ********* powered ** ******* *****, and ** **** ******** and ******* ** ********
  • **** ********* ** *** events ****** ** ***********

Hotel ******* *** ****** ****** ********

*********** ****** ***************** *** ************ *** *******, ***** bypassing *** *********** ********** channel. **** ******** ***** is ********* *** ******* reasons:

  • ******* *** **** ***, typically ******* *** ****** threshold ** ********** **** pursue.
  • ** *** **** **** of *** ****, *** manufacturer ** **** ** control *******. ***** ******* depend ** *** '***' of *********** ******* ******, and ** * ****** they **** *** **** hardware *** ************ ***** near ****.
  • *********** ****** ********* ***** 'keycard *******' ** '****** items', *** ***** ****** buy *********** ******** (*****, battery *****) **** ********** pricing ******** **** *********** supply ************, ****** **** security ***********.

Hotel ****** ******** ********

******* ****** ********* **** magnified *** ***** ** hotel ****** ******* ******** to ********** ******. **** this *******, ***** * careless ** ******** ***** encoded ***** ***** **** with * '****** ***' function, *********** ******** * single ***** ** **** every ****:

*** **** ********* ** this ******** *** ** avoided, *** *** ********** mitigated **** ***** ****** systems. **** * ***** networked ********** ****** ******, such ** ***** ***** immediately ** ********* ** made, *** *** **** lock ****** ********** ** simply *** **** ** remain ****** ** ******* users ***** *** ******* is *********.

**********

***** ******** ** ****, hospitality ****** ******* ** not * ****** ******* typically ******** ** *** security **********. ***** ********** certainly *****, *** ******* for **** *** *** limited ****** *********** *** high ******* ********* ***** systems *********. ** *******, the ******** ******** ** traditional '*********' ****** ******* is **** ** '********' and ******* ******** ** the *** ****, ******* built ************ ***** ** the *********** ******.

[****: ** ******* ******* of **** *** ********* in **** *** *** substantially ******* *** ******** in ****.]

Comments (10)

Great article. When I was younger I was fascinated with these systems (especially the cards with all the little Braille-like holes), but no one I knew could explain.

A couple questions:

In a hospitality system, the card read issues an encoded command to open the lock. A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

Can a door reader ever rewrite cards?

Doesn't the lock still authorize in a sense by checking a black list of cards to deny?

In general, no. Unless the card itself tells the lock 'I'm valid right now", it just is ignored. Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

Can a door reader ever rewrite cards?

For most systems, no. There may be some systems that can invalidate cards if they are inserted in locks (This is the way Salto Access 'networked cards' work for example), but the vast majority of hotel system locks are 'read-only' units.

Validity is based on date or function, but not a list of cards. There generally is no 'black list' or 'white list', just an open population of valid cards.

So in your example of early checkout, what denies the old card, (or its duplicates), from opening the door of the new guests?

The encoding machine at the front desk is the kingpin here. As soon as the new card is presented to the door lock, the old card is no longer valid.

A lock is typically only able to have one valid guest.

So it is not a 'blacklist', but rather 'active valid cards must have these values'.

I agree with your responses.

My initial question was about

A hospitality door lock has no networked understanding of how valid a credential may be, it only opens when the card being presented 'tells it' to open. The credential encoding contains all decisions and data needed to activate the lock.

IMHO, the credential encoding of a given key has all but one piece of data needed to activate the lock, namely value from the previous open.

The lock needs to maintain the current state of what the last valid key sequence used was, so that it can reject credentials issued earlier and accept those equal or later. If the lock were to lose the power (and that value), for instance, an old or new credential might be accepted.

Thanks for the answers; this is a minor point in any case.

I think 'blacklist' is too strong of a term here. The lock does have a memory of which cards were used to open it, but 'blacklist' meaning active denial is not quite right. Cards are read to be invalid based on expired dates/times or because they've had their function preempted by another valid read.

Those cards housekeeping carry may also be used for quality control too. As in: once guest card 'A' expires, guest card 'B' cannot be used until a 'Housekeeping' function card opens the door, signifying a visit and room cleaning. Rather - new guests can't enter a dirty room.

Now, these rules aren't always put in place, but some hospitality operators use the access system for process/quality control in this way.

Brian, good article. A few years ago a hack of Onity locks was reported at Black Hat using a portable programmer to gain entry. I wonder if there are still vulnerable locks out there, particularly at independently operated hotels.

http://www.forbes.com/sites/andygreenberg/2013/05/15/hotel-lock-hack-still-being-used-in-burglaries-months-after-lock-firms-fix/#2a385bcd5434

Also, every one of the hotels I've stayed in this year have updated to a proximity card solution. Some hotels even use an app on your phone that communicates with the lock when in range. It might be a nice follow up to explore how the same comparisons with these new technologies in the hospitality space.

Thank you for this article,

I was always curious how those systems worked.

You've forgotten to mention the role of an enterprise access system in health and safety / operational health and safety. It'll often be feasible to get an idea in real time how many guests are in their hotel rooms should an emergency happen. Especially if combined with those captive room power enabling switches for the access credential

Hey Brian….nice update on the hospitality market. You are correct it is far too expensive (even for new build let alone retro fit installs) to wire every room door and that is the main reason why each door is basically its’ own controller in the hospitality market.

Another reason why manufactures are so vertically integrated (install directly or through subs) is that hotel access falls in the grey area between traditional security and locksmith markets. Most security guys I know are not fond of installing door hardware and locksets with associated life safety issues and liability. And locksmiths (overall) are not big on programming, initializing, commissioning, maintaining the electronic/software application side of these systems.

Although the gap is closing for sure – imagine what it was like when these card systems first came on the market 30 some years ago.

Finally, hotels demand to know where the buck stops when something is not working not only after a new installation but for the life of the system (>10 yrs)…and to get training and parts (hundreds of part numbers in each system) immediately. Remember this is a perishable product. If they can’t rent a room that night...they lose revenue that cannot be replaced. Many are big brands and/or ownership groups that require the kind of national and sometimes international support that cannot be consistently supported by local or regional contractors. So that is why this market is kind of carved out from the rest.

No question the vast majority of hotel access systems remain “off line”….these are starting to change slowly over time mainly through wireless solutions or some form of hybrid wireless/wired network. As wireless technologies become more ubiquitous for secure communications many of these ‘online’ systems are trickling down from the biggest properties to more modest ones. This trend has already started to impact the traditional access markets. This is worth keeping an eye on by security integrators. (i.e. Education, Multi-Housing, Healthcare markets)

Lastly, RFID cards are becoming more common slowly but surely just as happened in 90s for access control. The main issue here is price/card…. but the hotels are getting over it and touting the higher security, easier/cooler customer experience, and benefiting from reduced maintenance of cleaning/replacing door readers and reprogramming demagnetized cards. Interestingly some manufactures are choosing open card protocols (buy wherever you want) and others are closed (only from mfg). Sound familiar? But that is another discussion!!! Thanks Brian.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

Access Control Course Spring 2019 - Last Chance on Apr 19, 2019
This is the last chance to register for the Spring Access Control Course. IPVM offers the most comprehensive access control course in the...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Alarm.com Favorability Results 2019 on Apr 15, 2019
The once dot com startup has evolved to become a core provider for home security and is now expanding into commercial. In their first entry in...
ISC West 2019 Report on Apr 12, 2019
The IPVM team has finished at the Sands looking at what companies are offering and how they are changing their positioning. See below for 50+...
Spring 2019 50+ New Products Directory on Apr 08, 2019
We are compiling a list of new products for Spring 2019 and have over 50 already. Contrast to Fall 2018 New Products Directory and Spring 2018...
Startup GateKeeper Aims For Unified Physical / Logical Access Token on Apr 04, 2019
This startup's product claims to 'Kill the Password' you use to keep your computers safe.  They have already released their Gatekeeper Halberd...
Airship VMS Profile on Apr 03, 2019
Airship has been developing VMS software for over 10 years, however, with no outside investment, and minimal marketing, the company is not well...
Silicon Valley Access Startup Proxy Raises $13.6 Million on Mar 28, 2019
This mobile-credential based access startup just raised $13.6 million in funding.  Further, they claim that their technology can free businesses...
Casino Security Consultant Carl Lindgren Interview on Mar 26, 2019
For more than 20 years, Carl Lindgren worked as a casino surveillance pro, while being active (and sometimes outspoken) on various online video...
Lenel Favorability Results 2019 on Mar 26, 2019
The positive news for Lenel is that integrators do not dislike them as much as they used to.  The negative news for Lenel is that integrators...

Most Recent Industry Reports

Access Control Course Spring 2019 - Last Chance on Apr 19, 2019
This is the last chance to register for the Spring Access Control Course. IPVM offers the most comprehensive access control course in the...
Riser vs Plenum Cabling Explained on Apr 18, 2019
You could be spending twice as much for cable as you need. The difference between 'plenum' rated cable and 'riser' rated cable is subtle, but the...
Verint Victimized By Ransomware on Apr 18, 2019
Verint, which is best known in the physical security industry for video surveillance but has built a sizeable cybersecurity business as well, was...
Milestone Drops IFSEC on Apr 18, 2019
Milestone has dropped out of Europe's largest annual security trade show (IFSEC 2019), telling IPVM that they "have found that IFSEC in EMEA no...
The Fastest Growing Video Surveillance Sales Organization Ever - Verkada on Apr 17, 2019
Verkada has the fastest growing video surveillance sales organization ever. In less than 2 years, they already have more salespeople in the US...
Door Operators Access Control Tutorial on Apr 17, 2019
Doors equipped with door operators, specialty devices that automate opening and closing, tend to be quite complex. The mechanisms needed to...
Securadyne CEO: IPVM 'Entertaining For An Ignorant Few' on Apr 16, 2019
Securadyne's CEO Carey Boethel is unhappy with IPVM's report - Failed Integrator Rollup, Securadyne Sells to Guard Giant Allied. Indeed, he...
Dahua Repositionable IR Multi-Imager Camera Tested on Apr 16, 2019
Dahua has released their first repositionable multi-imager camera, the Multi-Flex 4x2MP, claiming integrated IR, true WDR, and flexible...
Strong ISC West 2019 For Manufacturers But Concerns For 2020 March Move on Apr 16, 2019
ISC West 2019 was strong for manufacturers, according to new IPVM survey results of 100+ manufacturers, consistent with 2018 results. However,...
Axis Supports HD Analog on Apr 15, 2019
In 2017, Axis declared 'Everything is IP': Now, in 2019, Axis has released support for HD analog, with their new encoders.  Why the change?...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact