Open door policy – automation and security

7 June 2016



The growing trend towards automating hotel processes, including self check-in and keyless room entry, seeks to streamline the guest experience and simplify operations. Alyssa Waxenburg, vice-president of mobile strategy at Starwood, and Geraldine Calpin, chief marketing officer of Hilton Worldwide, discuss to what extent it also presents security concerns, perceived and real, and how they can be overcome.


When, in November 2014, Starwood announced it was set to roll out keyless room entry in certain hotels, this was just the latest step in a trajectory that had been underway for a while. As the so-called 'digital revolution' in hospitality has gathered momentum, we are not just witnessing better social media engagement, or quicker ways to book online. Rather, we are seeing what amounts to a radical overhaul of the guest experience, with even the less tech-savvy travellers benefitting from the rapid pace of change.

For over a decade, hotels have pursued a growing trend towards automation, with a view to eliminating hassle for guests and staff alike. As early as 2004, Marriott piloted the first self check-in scheme, with 'NCR EasyPoint Xpress Check-In' kiosks introduced to three hotels. Since then, a number of operators have followed suit, with brands such as the tech-heavy citizenM doing away with the front desk altogether. The idea is that guests will be more interested in speeding up their arrival than in interacting with a concierge.

More recently, the process has gone mobile. The Marriott app has contained a check-in and check-out option since 2013, with the likes of Hyatt and Hilton offering a similar service in selected properties. Guests can check in using the app prior to arrival, picking up their keycard from a designated kiosk when they reach the hotel.

One frequently levelled accusation is that keyless entry and self check-in are a poor replacement for personal service.

Starwood has modified this strategy slightly at its aloft brand. Participating Starwood Preferred Guest (SPG) members are posted a keycard based on radio frequency identification (RFID) technology. The day before their arrival, they receive a text message telling them their room number, allowing them to skip the check-in queue and head straight to where they will be staying.

Key to success

For guests already using mobile services, SPG Keyless might seem like the next logical evolutionary phase. A Bluetooth-enabled smartphone app, it enables guests to access their rooms without needing a key: the doors open and shut at a simple tap of their phone.

Initially rolled out at ten hotels across the aloft, Element and W brands, the service has now spread to 141 hotels and counting, redefining the traditional check-in process. To date, 320,000 SPG members from 130 countries have registered.

"Technology is constantly changing the way that people travel and, for that reason, Starwood makes it a priority to be on the forefront of innovation," says Alyssa Waxenburg, vice-president of mobile strategy at Starwood. "SPG Keyless is a perfect example of how we leverage our guests' inherent mobility and use of technology to create effortless travel. We're literally opening doors for our guests."

Hilton too has developed a keyless service, introducing Digital Key in August 2015. As Geraldine Caplin, chief marketing officer at Hilton Worldwide explains, the system allows HHonors members to access their hotel room, fitness centre, pool and any other areas requiring a key.

"After a long day of travel, HHonors members with prior stay history can swiftly bypass the front desk and head straight to their room, using Digital Key to unlock their door," she explains. "They can currently use Digital Key at more than 125 US properties across three brands and we will expand that roll-out to additional brands later in the year."

Those not in favour

As this trend gathers pace, it stands to reason that we are seeing resistance from certain quarters. One frequently levelled accusation is that keyless entry and self check-in are a poor replacement for personal service. In 2014, a Quartz article declared that the disappearance of hotel room keys marks the end of hospitality, opining that hotel guests prefer 'humanity' and 'personalisation' above all.

This argument is likely to rumble on; after all, it's true that the drive towards efficiency and simplicity may sometimes involve less face-to-face attention. However, with ten million digital check-ins at Hilton so far, it seems clear that guest demographics are changing and that many of today's frazzled business travellers seek expediency first and foremost. What's more, in the vast majority of brands, digital services remain a choice - guests are welcome to visit the front desk if they prefer.

As Waxenburg puts it, "Balancing the desire for efficiency with the desire for personal service is an overarching theme of our approach to innovation. We offer our guests choice and control to create the personalised experience that is right for them. For those that want to go right to their room, SPG Keyless enables that experience. For guests wanting to engage with a front desk associate, they can."

Complete hacker-resistance is perhaps an unrealistic holy grail. However, reverse engineering an algorithm is surely harder than picking an old-style lock.

More galling is the idea that keyless entry, and mobile services more broadly, may pose security concerns. With cybercrime on the rise, might digital innovations of this kind make a tempting target for hackers?

It is worth stepping back here to look at the last real step change in hotel entry systems: the plastic keycard. The first hotel keycard was introduced in 1978, following a high-profile and somewhat distressing lawsuit. In Garzilli versus Howard Johnson's Motor Lodges, a woman received a $2.5-million payout after an assailant broke into her motel room. It was determined that the hotel had not exercised 'reasonable care' in guest security and that the door had been 'unsecured from outside without much difficulty' - perhaps unsurprising in a property that had already been burgled four times.

The case shook the hotel industry. Intent upon avoiding a repeat scenario, they became more willing to invest in good security, which at least in high-crime areas meant going beyond a traditional keying system. They turned their attention to VingCard, a recordable keycard invented in 1975. Following the addition of new features, like encryption, this rapidly became the global leader in room security.

The system has worked well throughout the years, with keycards having proven a great asset in helping guests and their belongings stay safe. Through virtue of looking identical to all others, the plastic keycard gives opportunistic criminals a harder time. Lose your metal room key, inscribed with your room number, and you had better hope it winds up in the right hands. Lose your plastic keycard, however, and you don't need to worry about anyone tracing it to your room.

It is only over the past few years that security alarms have been raised, most notably in 2012 when a Mozilla software developer demonstrated vulnerability in Onity's keycard locks. Using a $50 piece of hardware, he was able to digitally pick a type of lock that appears in approximately four million hotel rooms. Later that year, a criminal exploited the very same flaw to execute a break-in.

Repair the damage

While Onity swiftly resolved the bug, cases of this kind have created further impetus for new solutions. Smartphone keys are widely considered to be more secure than a standard swipe card lock, not least because it's far harder to break into somebody's phone than it is to steal their piece of plastic. The key only works on that person's phone, for their particular room, and only for the duration of their booking.

From a technical standpoint, the features have not been widely publicised; however, it is known that SPG Keyless uses AES encryption and cryptographic hash functions. The mobile app and associated locks have undergone 'penetration testing' to minimise their vulnerability to hackers.

Hilton's system was also designed with "every security precaution in mind". As Calpin explains, "All of Hilton Worldwide's proprietary systems undergo rigorous testing and validation. Guest-facing systems have proven to be reliable and secure. Additionally, before new technology is deployed to our hotels, more rigorous internal testing is supplemented with certification by external security experts."

Complete hacker-resistance is perhaps an unrealistic holy grail. However, reverse engineering an algorithm is surely harder than picking an old-style lock. Assuming guests take appropriate precautions, such as ensuring their phones are password protected, it seems these systems are among the most secure on the market today.

As for the other advantages, these speak for themselves. For today's increasingly self-reliant travellers, keyless entry eradicates the 'pain point' of queuing to check in, not to mention the annoyance of lost or demagnetised keycards.

"Our goal with all emerging technology is bringing value to our guests in order to surpass their needs and enhance the way they want to travel," Waxenburg concludes.

Starwood Preferred Guests are posted a keycard with radio frequency identification technology.
Starwood Preferred Guests are posted a keycard with radio frequency identification technology.


Privacy Policy
We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.