Smart Lock Security Best Practices - Complete Hardening Guide

✅ 6-8 digits (not minimum 4)
✅ Non-obvious (not 1234, 0000, birthday)
✅ Unique per person
✅ Changed after access revoked
✅ Not written on door/visible

❌ Sequential (1234, 5678)
❌ Repeated (1111, 2222)
❌ Dates (birthday, address)
❌ Shared between users
❌ Same as other locks

☑️ Unique code per person
  - Never share codes
  - Track who has what code
  - Accountability for access

☑️ Change master code from default
  - Never keep factory default
  - Change immediately after install

☑️ Delete codes promptly
  - Guest leaves: Delete same day
  - Employee quits: Delete within 1 hour
  - Relationship ends: Delete immediately

☑️ Audit codes quarterly
  - Review all active codes
  - Delete unused (90+ days)
  - Verify each should still have access

☑️ Document code assignments
  - Spreadsheet or password manager
  - Who: Name
  - Code: xxxxxx
  - Date added: MM/DD/YY
  - Expiration: MM/DD/YY or Permanent

☑️ Unique password for lock app
  - Not same as other accounts
  - 12+ characters
  - Mix: uppercase, lowercase, numbers, symbols

☑️ Enable 2FA (two-factor authentication)
  - App-based (Google Authenticator, Authy)
  - NOT SMS (less secure)
  - Protects even if password stolen

☑️ Biometric login (if available)
  - Face ID / Touch ID
  - Adds convenience + security
  - Still have strong password backup

☑️ Don't save password in browser
  - Use password manager instead
  - LastPass, 1Password, Bitwarden

☑️ Limit admin users
  - Only trusted people get admin
  - Regular users: Can't add/delete others
  - Guest users: Time-limited, restricted

☑️ Review shared access
  - Who has app access?
  - Still need it?
  - Remove when no longer needed

☑️ Disable guest accounts after use
  - Don't leave active indefinitely
  - Set expiration dates

☑️ Monitor login activity
  - Some apps show: Who logged in when
  - Unusual login = Investigate

☑️ Strong WiFi password
  - WPA3 or WPA2 (not WEP)
  - 16+ character password
  - Change from default

☑️ Hide SSID (optional)
  - Makes network less visible
  - Not foolproof but adds layer

☑️ Disable WPS
  - WPS = Security vulnerability
  - Router settings → Disable WPS

☑️ Update router firmware
  - Check quarterly
  - Patches security holes

☑️ Change default router login
  - Not "admin/admin"
  - Strong unique password

☑️ Separate IoT VLAN (if technical)
  - Smart home devices on separate network
  - Limits breach impact
  - Requires capable router

☑️ Firewall rules
  - Block unnecessary inbound
  - Smart locks don't need inbound access
  - Only outbound to manufacturer

☑️ Disable UPnP
  - Universal Plug and Play
  - Convenience vs security trade-off
  - Disable if not needed

☑️ Enable automatic updates
  - Lock firmware
  - Hub firmware
  - App updates
  - Router firmware

☑️ Check monthly if not automatic
  - Lock: App → Settings → About
  - Hub: Settings → System
  - Router: Admin panel

☑️ Don't postpone security updates
  - Critical patches = Update immediately
  - Even if inconvenient

☑️ Subscribe to security alerts
  - Manufacturer email lists
  - Know about vulnerabilities

☑️ Enable all access notifications
  - Door unlocked
  - Door locked
  - Code used
  - Failed attempt

☑️ Review access logs weekly
  - Who accessed when
  - Any unusual times?
  - Unfamiliar patterns?

☑️ Set up critical alerts
  - Multiple failed attempts (5+)
  - Access during unusual hours (2-6am)
  - Tamper detection triggered
  - Low battery (<30%)

☑️ Review at same time each week
  - Sunday evening routine
  - 5 minutes to check logs
  - Catch issues early

⚠️ Warning signs:
  - Access at 3am (when you're home asleep)
  - Multiple failed codes (someone guessing)
  - Unknown code used (deleted user still has access)
  - Unlocked when you thought locked
  - Pattern changes (usually locks at 10pm, now midnight)

✓ Normal patterns:
  - Regular family access times
  - Expected guest access
  - Automated locks/unlocks (as configured)

☑️ Interior screws not accessible from exterior
  - Standard for smart locks
  - Verify during install

☑️ Strike plate reinforced
  - Long screws into door frame (3"+)
  - Metal strike plate, not plastic

☑️ Door itself secure
  - Solid core door (not hollow)
  - Frame properly anchored
  - Hinges on interior (not exterior)

☑️ Backup key secure
  - Not hidden under mat
  - With trusted neighbor
  - Or in lockbox (quality, hidden location)

☑️ Enable tamper alerts
  - Lock attempts to remove
  - Reports to app

☑️ Alarm feature (if available)
  - Some locks: Built-in alarm
  - Loud sound if forced
  - Deterrent + alert

☑️ Camera integration
  - Video doorbell + smart lock
  - Visual record of access
  - Verify identity before granting access

☑️ Multiple access methods
  - PIN code (primary)
  - Physical key (backup)
  - App (when home)
  - 9V emergency (if battery dies)

☑️ Trusted emergency contact
  - Neighbor with backup key
  - Family with app access
  - Know how to reach 24/7

☑️ Emergency procedures documented
  - "If locked out" checklist
  - Contact numbers
  - 9V battery location

□ Review access logs (10 min)
  - Any suspicious activity?
  - All access as expected?

□ Test all access methods (5 min)
  - PIN codes work
  - App access works
  - Physical key works

□ Check battery level
  - >30%? OK
  - <30%? Replace this week

□ Verify users current (5 min)
  - List all users
  - Each still needs access?
  - Delete any that don't

□ Check for firmware updates
  - Lock, hub, router
  - Apply if available

□ Test tamper alert (1 min)
  - Try to remove lock slightly
  - Alert should trigger

Total time: 20-25 minutes monthly

❌ Share master code widely
  - Give individual codes instead

❌ Use same code for everyone
  - Can't track who accessed

❌ Write code on/near door
  - Defeats purpose of lock

❌ Ignore failed attempts
  - Someone may be trying to break in

❌ Never update firmware
  - Vulnerabilities accumulate

❌ Allow ex-users to keep access
  - Delete immediately upon separation

❌ Disable notifications (annoying but crucial)

❌ Skip regular audits
  - Security erodes over time without maintenance

Immediate actions:
□ Change all codes (within 1 hour)
□ Review recent access logs
□ Check for unauthorized users in app
□ Change app password
□ Enable 2FA if not already

□ Factory reset lock (if severe)
  - Erases everything
  - Re-pair and reconfigure
  - Start fresh

□ Change WiFi password
  - If network breach suspected

□ Contact authorities
  - If actual break-in or attempted

□ Document everything
  - Timestamps, suspicious activity
  - For insurance/police if needed

□ Geofencing alerts
  - Notify if access when you're away
  - Requires phone location

□ Photo capture on access
  - Camera takes photo each unlock
  - Video doorbell integration

□ Time restrictions
  - Codes only work certain hours
  - Prevents 3am unauthorized access

□ Attempt limits
  - Lock out after 5 failed codes
  - Prevents brute force

□ Audit trail export
  - Download access logs
  - Keep permanent records
  - Compliance for rentals/business