A smart access-control system is only as secure as the practices around it. The hardware provides strong primitives — encryption, on-device authorisation, granular revocable permissions — but how you configure and operate the system determines whether you realise that security. This guide collects the best practices that keep a deployment genuinely secure.
Principle 1: least privilege
Grant each user the minimum access they need, for the shortest time necessary.
- Give a cleaner access only to the units and hours they service.
- Issue guest codes that expire at check-out, not "sometime next week".
- Restrict service contractors to a specific window, then revoke.
The smaller and shorter-lived every credential is, the smaller the blast radius if it is ever compromised.
Principle 2: revocation is a feature, not an afterthought
The single biggest security advantage of smart access over keys is instant revocation. Build revocation into your workflows:
- Revoke credentials immediately when a staff member leaves or a guest checks out — do not batch it.
- Treat a lost phone or card as a revoke-now event, not a "we'll get to it" event.
- Audit for stale credentials monthly; expired-but-not-removed codes are a common finding.
Principle 3: protect the administrator
Compromise of an administrator account compromises the whole deployment.
- Use a strong, unique password and enable two-factor authentication where available.
- Limit the number of administrators; not every manager needs full rights.
- Never share administrator credentials — assign per-person admin accounts.
Principle 4: secure the network
A gateway bridges your locks to the internet, so the network it sits on matters.
- Put gateways on a dedicated Wi-Fi network or VLAN, separate from guest networks.
- Keep the gateway firmware current to pick up security patches.
- Restrict outbound access to only what the platform requires.
Principle 5: monitor and audit
Security is not a state, it is a practice. Use the data your system already generates:
- Review unlock logs for anomalies — entries at unusual hours, repeated failed attempts.
- Act on alerts: a forced-entry or tamper notification should trigger a response, not be ignored.
- Periodically review who has access to what, and prune.
Principle 6: defence in depth
Do not rely on any single layer.
- Keep a mechanical key failsafe — but store keys securely, not on the premises in an obvious place.
- Pair locks with door sensors so an open door is detected even if a credential was used.
- For sensitive doors, use an access controller with an electromagnetic lock that resists forced entry.
Principle 7: physical and environmental hardening
Digital security fails if the physical installation is weak.
- Ensure the strike and latch are correctly aligned so the bolt fully engages — a half-thrown bolt is a pry target.
- Use weather-rated hardware on exposed doors.
- Keep batteries fresh; a dead lock forces workarounds that undermine security.
Principle 8: plan for failure
Design for the day something goes wrong:
- Document administrator credentials and recovery procedures (securely).
- Know your failsafe options (mechanical key, emergency power) before you need them.
- Have a revocation plan for a compromised administrator account.
A security checklist
- Least-privilege credentials, time-limited wherever possible
- Immediate revocation on departure or loss
- Strong, unique admin passwords + 2FA
- Gateways on a separate network/VLAN, firmware current
- Regular review of access lists and logs
- Door sensors on sensitive entrances
- Correct strike alignment and mechanical integrity
- Documented recovery and revocation procedures
Further reading
For the technology that underpins these practices, read how smart locks work. For the hardware that supports a hardened deployment, browse the product range. If you would like a security review of a specific deployment, contact our team.