A smart access-control system is only as secure as the practices around it. The hardware provides strong primitives — encryption, on-device authorisation, granular revocable permissions — but how you configure and operate the system determines whether you realise that security. This guide collects the best practices that keep a deployment genuinely secure.

Principle 1: least privilege

Grant each user the minimum access they need, for the shortest time necessary.

  • Give a cleaner access only to the units and hours they service.
  • Issue guest codes that expire at check-out, not "sometime next week".
  • Restrict service contractors to a specific window, then revoke.

The smaller and shorter-lived every credential is, the smaller the blast radius if it is ever compromised.

Principle 2: revocation is a feature, not an afterthought

The single biggest security advantage of smart access over keys is instant revocation. Build revocation into your workflows:

  • Revoke credentials immediately when a staff member leaves or a guest checks out — do not batch it.
  • Treat a lost phone or card as a revoke-now event, not a "we'll get to it" event.
  • Audit for stale credentials monthly; expired-but-not-removed codes are a common finding.

Principle 3: protect the administrator

Compromise of an administrator account compromises the whole deployment.

  • Use a strong, unique password and enable two-factor authentication where available.
  • Limit the number of administrators; not every manager needs full rights.
  • Never share administrator credentials — assign per-person admin accounts.

Principle 4: secure the network

A gateway bridges your locks to the internet, so the network it sits on matters.

  • Put gateways on a dedicated Wi-Fi network or VLAN, separate from guest networks.
  • Keep the gateway firmware current to pick up security patches.
  • Restrict outbound access to only what the platform requires.

Principle 5: monitor and audit

Security is not a state, it is a practice. Use the data your system already generates:

  • Review unlock logs for anomalies — entries at unusual hours, repeated failed attempts.
  • Act on alerts: a forced-entry or tamper notification should trigger a response, not be ignored.
  • Periodically review who has access to what, and prune.

Principle 6: defence in depth

Do not rely on any single layer.

  • Keep a mechanical key failsafe — but store keys securely, not on the premises in an obvious place.
  • Pair locks with door sensors so an open door is detected even if a credential was used.
  • For sensitive doors, use an access controller with an electromagnetic lock that resists forced entry.

Principle 7: physical and environmental hardening

Digital security fails if the physical installation is weak.

  • Ensure the strike and latch are correctly aligned so the bolt fully engages — a half-thrown bolt is a pry target.
  • Use weather-rated hardware on exposed doors.
  • Keep batteries fresh; a dead lock forces workarounds that undermine security.

Principle 8: plan for failure

Design for the day something goes wrong:

  • Document administrator credentials and recovery procedures (securely).
  • Know your failsafe options (mechanical key, emergency power) before you need them.
  • Have a revocation plan for a compromised administrator account.

A security checklist

  • Least-privilege credentials, time-limited wherever possible
  • Immediate revocation on departure or loss
  • Strong, unique admin passwords + 2FA
  • Gateways on a separate network/VLAN, firmware current
  • Regular review of access lists and logs
  • Door sensors on sensitive entrances
  • Correct strike alignment and mechanical integrity
  • Documented recovery and revocation procedures

Further reading

For the technology that underpins these practices, read how smart locks work. For the hardware that supports a hardened deployment, browse the product range. If you would like a security review of a specific deployment, contact our team.


← Back to all articles