As a smart-lock vendor, every day we hear the same question from installers, property managers, and end-users: “Is remote unlocking really secure?”
Our answer is simple: Yes—when it is powered by cryptographically-enforced, single-use credentials that die seconds after they are born.
Below we unpack the exact mechanism we deploy to turn an ordinary smartphone into a dynamic token, issue time-boxed access codes, and block every known replay or brute-force attack.
1. From “Static Key” to “Dynamic Token” – Why the Shift Matters
Traditional locks rely on a fixed metal key that can be copied or photographed.
Our system replaces that key with a software token that lives inside the user’s mobile app.
The token is nothing more than:
- A 256-bit shared secret, generated once during onboarding and never transmitted again.
- A real-time clock synchronized to ±1 second with our cloud.
- A FIPS-validated HMAC-SHA256 routine that blends the secret with the current 30-second time slice.
This combination means the credential changes every half-minute and is computationally infeasible to predict without the secret.
2. One-Time Password (OTP) Generation in Four Micro-Steps
When a resident or cleaner requests access:
- Trigger event – Tap “Unlock” in the app or dial our API.
- Input variables – Unix timestamp (rounded to 30 s) + shared secret + lock-ID.
- Hash – HMAC-SHA256 digests the variables into a 256-bit string.
- Dynamic truncation – We extract 6–8 decimal digits and present them to the user as the OTP.
The lock performs the identical math locally; if the codes match within the same 30-second window, the bolt retracts.
3. Anti-Replay & Anti-Brute-Force Safeguards
- Replay Protection: Each OTP is cryptographically tied to that exact 30-second slice. Re-transmitting a captured code—even one second later—fails validation.
- Look-ahead Window: We accept ±1 time slice (60 s total) to absorb minor clock drift, but any attempt outside that window is rejected.
- Rate Limiting: After five consecutive wrong codes, the lock’s keypad goes silent for 60 s and logs the incident to the cloud.
- Forward Secrecy: The shared secret can be rotated remotely if a phone is lost, instantly voiding any cloned tokens.
4. Edge Cases We Planned For
| Scenario | Built-in Counter-Measure |
|---|---|
| No internet | The lock stores the last 48-hour key schedule; offline OTPs still work. |
| Battery pull / clock reset | Real-time clock with super-capacitor keeps time for 7 days without power. |
| SMS downgrade | Optional SMS codes use the identical algorithm but expire in 5 min instead of 30 s. SIM-swap or interception is useless once the window lapses. |
5. Bottom Line for Our Partners
Whether you manage 10 vacation rentals or 10,000 multifamily units, our OTP framework gives you:
- Zero-touch distribution – codes are generated on demand, no physical hand-off.
- Granular expiry – 30 s, 1 h, or 7 days; you decide per user.
- Audit-grade traceability – every unlock event is stamped & signed.
Remote unlocking is not only safe—it is safer than handing out metal keys that last forever.
