Onity Hotel Key Cards

Onity lock generations — HT, ADVANCE, integra, Trillium and DirectKey

Onity originated as TESA (Spain, 1941), was rebranded under United Technologies' UTC Fire & Security as "Onity" in 2002, moved into Carrier's Global Access Solutions business at the 2020 UTC / Raytheon split, and was acquired by Honeywell Building Automation on 3 June 2024 for ~$4.95 billion. Honeywell announced a planned corporate Automation / Aerospace split in February 2025; the Automation entity (expected to spin out in H2 2026) will house Onity. Procurement teams writing about Onity in 2026 should date-pin the parent reference: "Onity, a Honeywell brand (planned for the Automation spin-off in H2 2026)" is the precise framing.

The lock hardware lifecycle spans four eras: HT-series magstripe (1990s onwards, with HT24 and HT28 adding RFID hybrid variants), ADVANCE (HF RFID native, 2012–2018), integra (HF RFID with Plus support, 2014 onwards), and Trillium (current flagship with BLE-ready hardware that supports the Onity DirectKey app). Most active estates run two or three of these generations side by side because partial refurbishments leave HT-series legacy doors in service while suites and renovated floors migrate to Trillium.

The Trillium upgrade path is the most procurement-relevant detail: converting an HT-series door to Trillium replaces only the escutcheon, the control board and the reader head. The door cut-out, the mortise and the strike plate are unchanged. That is why properties on Onity rarely move to a competitor's lock platform — the conversion economics are unusually friendly within the Onity portfolio.

The table below maps each generation to its native credential, encoder pairing and the procurement-relevant notes. ANSI / BHMA A156.25 Grade 1 certification applies to HT24, HT28 and the current Trillium hardware. Onity does not publish door-thickness ranges as concrete public numbers; the typical hospitality fit is 1 3/8″ to 2 1/4″ (35–57 mm) consistent with ANSI hospitality mortise spec.

Chip-family compatibility per generation

Onity's HF reader heads cover MIFARE Classic 1K and MIFARE Plus across the active generations. MIFARE DESFire is not advertised as a standard credential on Onity's English-language product pages and the 2026 competitive-research signal is that DESFire support is narrower than other manufacturer estates. Confirm with Onity service before specifying DESFire stock.

• MIFARE Classic 1K (ISO/IEC 14443A, 13.56 MHz) — the broadest compatibility envelope across Onity RFID generations. Works on HT24 RFID / HT28 Smart RFID hybrid, ADVANCE, integra and Trillium. Standard for properties that still have any ADVANCE doors in the estate. As with every Classic deployment, Crypto-1 is publicly broken at the protocol level; new estates should sequence a migration to Plus or another AES-capable credential.
• MIFARE Plus (SE / S / X) — accepted by integra and Trillium in SL1 (Classic-compatible) mode on firmware lines from roughly 2017 onwards; SL3 AES-128 authenticated sessions are supported on Trillium and post-2019 integra firmware. Plus is the practical migration step from Classic on Onity hardware.
• MIFARE DESFire EV1 / EV2 / EV3 — NOT advertised as standard support on Onity. Some retrofit configurations may accept DESFire on Trillium reader heads, but this should be treated as a custom validation rather than a default specification. Cross-check with Onity service before ordering DESFire stock for an Onity estate.
• MIFARE Ultralight C — supported on some Onity retrofit configurations and is a common low-cost paper-card inlay for high-throughput properties.
• Magstripe (Track 2, proprietary Onity layout) — used by all HT-series locks and some ADVANCE dual-interface retrofits. The track format is proprietary to Onity and not interchangeable with Saflok / VingCard magstripe payloads.
• 125 kHz proximity (HID Prox / EM4100) — not natively supported on Onity hospitality locks at any generation.

Encoder lifecycle — PP32, Encoder 1100, 2100, 4000 plus OnPortal back-end

Onity uses four distinct encoder products across its history. The encoder at the front desk (not just the lock at the door) limits which chip families can actually be issued. OnPortal is the current Windows-based front-desk software that drives all the desktop encoder variants.

• PP32 portable programmer — the current handheld unit used to program Trillium, HT24, HT28 and ADVANCE locks. Supports magstripe, RFID and Bluetooth programming. Replaces the older HT Portable programmer used on HT22 magstripe.
• Encoder 1100 — the first Onity RFID desktop encoder. Supports MIFARE Classic 1K encoding over USB, PC/SC compliant. Sufficient for ADVANCE estates but limited for Plus SL3 or DESFire.
• Encoder 2100 — the integra-era desktop encoder. Supports MIFARE Classic, Plus (SL1 / SL3 on current firmware), and optional Ultralight C. PC/SC compliant. The most common encoder in active Onity estates today.
• Encoder 4000 — the current Onity desktop encoder paired with Trillium and DirectKey deployments. Supports Classic, Plus, optional Ultralight C and provisions BLE mobile keys alongside physical cards.
• HT22I encoder and ADV15MSA encoder — older / specialised variants that appear on legacy installations.
• OnPortal — the Windows-based front-desk software that drives all desktop encoders. The PMS-side connection runs through OnPortal rather than a separate certified-driver suite.
• DirectKey Toolkit (iOS app, Apple App Store id `1498832903`) — the commissioning app used by engineering staff to commission Trillium and BlueDiamond readers in the field.
• Encoder firmware is the limiting factor for Plus SL3 on the 2100; firmware should be verified with Onity service before ordering Plus SL3 stock.

Mobile Access — DirectKey, Apple Wallet, Google Wallet, Hilton Honors integration

Onity's mobile-key layer is DirectKey, launched in 2015 and deployed at scale with Hilton in February 2016 across 100+ properties under the Hilton Honors Digital Key programme. DirectKey is a BLE credential layer that overlays integra and Trillium hardware; it coexists with physical card issuance rather than replacing it.

• DirectKey — Onity's BLE mobile-key layer. The credential is issued from the DirectKey app server and the guest's phone presents it to the lock over BLE. The same reservation can also issue a short-expiry physical card alongside the BLE key as a fallback.
• Lock requirements — DirectKey requires either an integra lock with the BLE module installed or a Trillium lock with the BLE-capable reader. Older ADVANCE doors cannot accept DirectKey without a hardware upgrade.
• BLE range — typically 30–80 cm at the reader; deliberately suppressed above 1 m to avoid drive-by false unlocks.
• Apple Wallet and Google Wallet — supported on Trillium with newer firmware as NFC wallet keys; verify with Onity service which firmware line enables wallet emulation on the property. Wallet support on integra is less consistent.
• Hilton Honors Digital Key (2016) — the largest documented DirectKey deployment, rolled out across 100+ Hilton properties starting February 2016. Onity continues to support DirectKey across Hilton's hospitality brands today.
• DirectKey Toolkit (iOS `id1498832903`) — the staff-side commissioning app for Trillium and BlueDiamond readers.
• Mobile-only operating models still need a physical card-stack baseline. ADA accessibility, mobile-device failures, walk-in guests without the property app, and front-desk operational overrides all require a backup physical card.

PMS integration — OPERA, Mews, Apaleo, Clock PMS, InnQuest

Onity integrates with the major PMS platforms through certified interface drivers that connect via OnPortal to the encoder. Compatibility is usually a question of driver version, not card chip. But the driver still dictates the payload structure written to the card.

• Oracle OPERA — the most common PMS pairing for Onity; both OPERA 5 (on-premise) and OPERA Cloud are supported through the Onity OPERA interface.
• Mews — integrated via the Mews Open API; staff cut keys directly from Mews Operations once the Onity connector is installed on the front-desk PC.
• Apaleo — listed as an Onity-integration partner; common pairing for cloud-native independents and small chains.
• Clock PMS — published Onity integration; common pairing in independent European hotels.
• InnQuest (roomMaster Anywhere) — Onity integration documented for North American mid-market hotels.
• Agilysys LMS / rGuest — used in casino and resort estates through the Onity-Agilysys certified interface.
• Cloud PMS platforms run a local Onity encoding agent (Windows service) on the same workstation as the encoder to bridge the cloud PMS to USB encoder hardware.
• Batch encoding for group arrivals is supported on the Encoder 4000 with current OnPortal firmware; older encoders typically issue one card at a time.

Security update — 2012 Cody Brocious DEF CON 20 disclosure and HT-series remediation

In July 2012, security researcher Cody Brocious presented at Black Hat USA 2012 and DEF CON 20 a critical Onity HT-series vulnerability that allowed unauthenticated opening of any HT-series lock through the DC charging port on the underside of the lock. The attack used a ~$50 self-built device built around an Arduino-class microcontroller that read a 32-bit sitecode from the lock's memory through the one-wire interface and replayed it to open the door. The disclosure remains, alongside the 2024 Saflok Unsaflok / CVE-2024-29916 incident, one of the two largest single-vendor disclosures in hotel-lock history.

Two procurement-relevant facts to anchor on: first, no public CVE identifier was ever formally assigned to the Onity HT-series vulnerability. This is an unusual gap in the NIST National Vulnerability Database for a disclosure of this scale, and is itself a worth quoting on a buyer's-guide page. Second, Onity's remediation programme combined a free plastic port-shield kit (and Torx screws to secure it) with a paid firmware upgrade for hotels that wanted the underlying firmware patch. Many properties accepted only the free port-shield kit. As a result, a fraction of HT-series locks in the field are still on the original vulnerable firmware behind the port shield.

The Aaron Cashatt criminal case (2015–2017) demonstrated the real-world consequence. Cashatt used a Brocious-style device hidden in an Oakley sunglasses case to break into more than 100 hotel rooms across the United States. He was sentenced to nine years in state prison on burglary charges and, in a separate federal case, 50 months for an associated credit-card fraud scheme (US Attorney, Eastern District of Tennessee, 2018). Wired's 2017 Andy Greenberg feature "Inside an Epic Hotel Room Hacking Spree" remains the definitive long-form account.

For card procurement in 2026: ordering new card stock does not by itself remediate or expose the 2012 vulnerability. Properties with HT-series locks still in service should confirm with Onity service that the controller is on the remediated firmware line (or has the port-shield + Torx kit installed) before ordering new card stock. The Trillium upgrade path closes the exposure by replacing the HT control board entirely while preserving the door cut-out.

Common field failure modes

Field failures on Onity estates follow a predictable pattern. Understanding where the break usually happens shortens the troubleshooting cycle and prevents unnecessary card replacements.

• Wrong encoder for the chip family. An Encoder 1100 attempting to write Plus SL3 or DESFire produces silent write failures; verify the encoder model and firmware before blaming the card batch.
• OnPortal and PMS connector version drift. After a PMS upgrade the Onity-side driver can be left on an older revision; the chip is fine but the payload structure changes.
• Sector-key mismatch on Classic cards after a workstation image refresh. Onity-specific sector keys were lost; re-export the site key from OnPortal and re-initialise the encoder before issuing test cards.
• DirectKey BLE handshake fails on integra. Usually the lock's BLE module is not installed (verify physically) or the DirectKey subscription is not yet active for the property.
• HT-series "works on some rooms but not others". On a remediation-incomplete HT estate, some boards are on patched firmware and some are not; the symptom looks like a card problem but is a firmware-version problem.
• Wallet key fails to provision on a Trillium reader head. Confirm the lock firmware is on the wallet-enabled line (newer than Trillium baseline) and that the property's Apple Wallet / Google Wallet integration is active at the back-end.

Card material and thickness constraints

Onity HF readers are relatively permissive on material but not unlimited. The constraints below surface most often in pilot-to-production transitions.

• Standard ISO/IEC 7810 ID-1 thickness (0.76 mm ± 0.08 mm) is the safe default across HT (RFID hybrid), ADVANCE, integra and Trillium reader heads.
• Thicker cards (1.0–1.2 mm) — premium PVC, wood-effect or bamboo cards — read reliably on integra and Trillium; ADVANCE readers are tuned narrower and can be marginal above 0.9 mm.
• Wood and bamboo cards with MIFARE Classic 1K or MIFARE Plus inlays are well-validated on integra and Trillium; pilot a production-thickness sample before committing to a full order.
• Metal-edge and anti-metal cards are not recommended on any Onity generation; the shielding detunes the HF antenna and causes intermittent reads.
• Transparent PVC reads compatibly but loses the printed branding surface; usually deployed as a staff or secondary credential.
• Dual-interface (magstripe + RFID) cards add roughly 0.05 mm to the card stack but remain within ISO tolerance. Common during HT-to-ADVANCE migration windows; should be validated on the specific lock generation before bulk order.

What to validate before scaling

An Onity pilot should exercise both the hardware path (chip, reader generation, encoder firmware) and the operational path (OnPortal, PMS connector, DirectKey if in scope). Scaling before both paths are proven is the most common source of pilot regret.

• Test the card on at least one door from each generation in scope — ADVANCE, integra and Trillium reader heads are not interchangeable from a chip-selection point of view.
• Run a full check-in, extend, re-encode and cancel cycle on a live PMS reservation through OnPortal to surface driver edge cases.
• Log the lock-board firmware and the encoder firmware for every tested unit. These are the first two numbers Onity service will ask for.
• If HT-series magstripe is still in the estate, confirm the remediation firmware or the port-shield + Torx kit is in place before issuing new stock.
• Cross-check the DirectKey BLE flow if mobile key is in scope; a card-only pilot will miss wallet-emulation regressions on Trillium with newer firmware.
• Plan a small (100–200 card) first production batch before scaling to the full property order. Most field failures show up in the first 30 days of live issuance.

FAQ