Hotel keys
Hotel keys, photo by Susanne Nilsson, license CC BY-SA

Everybody hates the keycard, says the NYT, and talks about using your phone instead. There are a few reasons why using your phone as a hotel key is not something I do, or would do.

One reason is provided by the hotels promoting this themselves:

And, since the keys are downloaded electronically through a hotel app, the host has a presence on the guests’ phones, and can offer other exclusive services, like promotions and a chat feature.

Presence on my phone, that sounds rather ominous. Let me count the hotel apps I currently allow on my phone…. 0.

Unless there’s an opt-in for each single additional ‘service’ as part of a hotel’s ‘presence’ on my phone, it is in breach of the GDPR wherever I travel. Do hotel chains really want to expose up to 4% of their annual turnover to liability risks?

The ones I’ve encountered worked through bluetooth. That opens up a wide range of potential vulnerabilities. I never have bluetooth switched on (nor wifi when not in active use, for that matter), and there are very good reasons for that. There might be other bluetooth devices nearby pretending to be my hotel door to get access to my phone, or piggyback on my room door’s communication. A plastic card and a room door never have that issue. NFC based ones have less of these issues, but still bring their own issues.

A vulnerability in a hotel’s mobile app now also becomes a vulnerability for your hotel key as well as for your phone. It also means a phone will contain data traces of any hotel you may have used it as a key. That is a privacy risk in itself, not only to yourself, but potentially as well to people you have encountered. (E.g. investigative journalists would be risking the anonymity and privacy of their sources that way.)

Another reason is, also when I travel alone I have 2 plastic key cards. I keep them in different places, so I have a back-up if one of them gets out of my hands. Having just my phone is a single point of failure risk. Phones get left in hotel bars. Phones slip out of pockets in taxi back seats. Phone batteries die.

That is the third reason, that phone batteries die, especially on intensive work days abroad. Already that is sometimes problematic for mobile boarding passes for e.g. a second leg of a trip after a long haul flight (such as last month on a trip to Canada), or an evening flight home.
When staying in a hotel, after a long day, I sometimes need to leave a phone to charge in my room (sometimes the room safe has a convenient power outlet), while I go have a coffee in the lobby. This month during holidays I left my phone charging during dinner in a hotel in Rouen, as well as in an apartment on the Normandy coast, while we headed out for a walk on the beach.
So when I read in the article “What is also great is that I don’t find myself forgetting my key in the room as I always have my phone with me“, I take that to mean “you can’t leave your room when your phone needs charging” and “you can’t return to your room if your phone battery died”.

Phones and hotel keys all have their vulnerabilities. Putting a key card on your phone doesn’t remove the existing vulnerabilities of existing key card systems, but transfers and adds them to the vulnerabilities of your phone, while also combining and increasing the potential negative consequences of one of those vulnerabilities becoming actualised.

Read Everybody Hates the Key Card. Will Your Phone Replace It? (nytimes.com)

Technology that allows hotel guests to use their phones as room keys is expanding, taking aim at those environmentally unfriendly plastic cards.

3 reactions on “Blind Spots in Phone Based Hotel Key System Reasoning

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.