Two Approaches, Different Foundations
Hotels pursuing contactless check-in generally evaluate two technologies: NFC (Near Field Communication) and QR codes. Both can deliver a credential to a guest’s phone. Both eliminate the plastic keycard. But the underlying architectures are fundamentally different — and the differences matter for security, privacy, and guest experience.
How QR Code Check-In Works
The QR code approach typically works like this: the guest receives a QR code via email or the hotel app before arrival. At check-in, they present the QR code to a scanner (at a kiosk, front desk, or even the door lock). The scanner reads the QR code, looks up the reservation, and issues a key.
The security model: A QR code is a visual encoding of data — typically a URL or a reservation identifier. Anyone who can photograph the QR code can reproduce it. There is no cryptographic binding between the QR code and the guest’s identity. The QR code proves that someone has a picture of a pattern — not that they are the authorized guest.
The privacy model: QR codes are inherently visible. They can be photographed from a distance, captured by surveillance cameras, or screenshotted and forwarded. The data encoded in the QR code is exposed to any camera in range.
How NFC Check-In Works
NFC-based check-in works differently. The guest taps their phone on an NFC reader (the KeyShare Puck at the front desk, or a reader at the door). The NFC session establishes a secure, encrypted communication channel between the phone and the reader.
During this session, the reader can verify the guest’s identity using their digital ID (ISO 18013-5 mobile driver’s license) — checking the cryptographic signature against the issuing authority. The verification happens in real-time, at the reader, with the credential never leaving the guest’s phone.
The security model: NFC provides cryptographic verification. The digital ID is signed by a government authority. The signature is mathematically verifiable. The credential is bound to the guest’s device through biometric authentication (Face ID, fingerprint). Cloning is not possible — the cryptographic keys are stored in the phone’s secure element.
The privacy model: NFC requires physical proximity (typically < 4cm). The communication channel is encrypted. The credential data is transmitted only during the tap — it cannot be captured remotely. And selective disclosure allows the guest to prove only what’s needed (e.g., “name matches reservation” and “age ≥ 18”) without revealing unnecessary attributes.
The Comparison
| Feature | QR Code | NFC |
|---|---|---|
| Range | Visible distance (meters) | < 4cm (contact) |
| Encryption | None (visual) | AES-encrypted channel |
| Identity verification | None (reservation lookup) | Cryptographic (ISO 18013-5) |
| Clonable | Yes (screenshot) | No (secure element) |
| Selective disclosure | No | Yes |
| Biometric binding | No | Yes (device biometrics) |
| Offline capable | Partial (pre-generated) | Yes (on-device verification) |
| Hardware required | Camera/scanner | NFC reader |
When QR Codes Make Sense
QR codes aren’t wrong — they’re limited. For low-security applications where identity verification isn’t required (event tickets, loyalty check-ins, information sharing), QR codes are simple and effective. They require no specialized hardware beyond a camera.
For hotel check-in specifically, QR codes work for the “confirm my reservation” step. They don’t work for “verify my identity” or “deliver a secure room key.”
When NFC Is Required
Any use case that requires cryptographic identity verification needs NFC. This includes:
- Hotel check-in with digital ID acceptance — verifying the guest’s identity against a government-issued credential
- Room key delivery to mobile wallet — provisioning a secure credential to Apple Wallet or Google Wallet
- Age verification — proving age without revealing date of birth
- Compliance-grade identity verification — meeting KYC/AML or hospitality regulations
The KeyShare Puck combines all of these in a single NFC interaction: verify identity, deliver room key, enroll loyalty, and capture payment — in one tap.
