Current Clubright Features to reduce Access Abuse:
Enable Rotating QR Codes (Settings > Club Info > Club Access)
QR codes can expire after 90 seconds maximum, making screenshots useless except in that tiny window. Once this feature is enabled, any screenshot sent to a friend will typically be expired before they can get to use it. Note - it is only the Nortech-based access control systems (CRC400/DeltaQuest) that allow rotating QR codes.
2. Set Visit Limits (Settings > Club Info > Club Access)
Configure maximum visits per period – for example 2 per 24 hours. Anyone exceeding this gets automatically barred from their next entry attempt. This can catch both QR sharing AND credential sharing in one go. We allow different periods too, for example, 7 visits weekly.
3. Require Profile Photos (Settings > Club Info > Member Area)
Turn on mandatory profile photo capture at sign-up. Combined with your CCTV or walk-around checks, you can verify suspect entries against their registered photo.
4. Run Visit Reports (Dashboard > Reporting > Retention Reports > Attendance)
This is a great little easy to run report and sorts by the highest visit counts, over the period you select. This will immediately flag accounts that may be being shared at the top– you'll likely see suspicious patterns straight away. Look for accounts with an unusually high visits count and check it out, match their visit times on their profile and check CCTV.
Example below:
5. Check "Who's In Right Now" (Dashboard)
This live view shows current check-ins and duration. Use it during your shifts to spot unfamiliar faces and cross-reference with the member profile photos.
6. User Blocklist (Settings > Club Info > Club Access)
Prevent offenders from accessing Clubright and/or your club using the blocklist feature
Additional Measures to Consider:
1 - Hearts and Minds Approach
Technology alone won't solve everything – combining it with clear communication is powerful:
Update your Terms & Conditions to explicitly state that access abuse results in immediate membership termination, potential legal action for revenue recovery, and the right to charge for a second/third/fourth membership on anyone who shares their own membership credentials
Send a member communication explaining you're aware of access sharing, outline the consequences (lifetime ban, small claims court action, additional charges), and remind them that as a local business that you've worked really hard to build up, this is essentially theft
Staff training: Ensure your team knows how to use the visit reports, can challenge members to verify DOB/address/phone number on file, and understand the process for blocking abusers
Member reward system: Consider offering a month free or credit to anyone who reports access abuse – turns your members into allies
Charging additional sums (e.g. a 2nd membership fee): by stored card or DD, for anyone that is caught sharing access, add to your T&C's to provide this right to do so
Communicating awareness of the issue often stops a significant portion of abuse immediately
2 - Front Desk Entry Management
A staffed desk with desktop QR scanner and mandatory photo verification is extremely effective. The trade-off is cost, space, and losing true 24/7 unmanned access. Worth considering for peak hours at minimum.
3- Biometrics (Long-term Solution)
Facial recognition is the only truly bulletproof technology solution for preventing access abuse. The good news here is that Clubright integrates with facial-biometric systems. Investment is needed (both financially, and in user experience terms), but this may be balanced by preventing lost revenue through credential sharing, the ROI calculation might stack up.
The main drawbacks: upfront cost, extra step in the join journey (kills instant "join and enter" flow), and occasional matching issues due to appearance changes or lighting. If you'd like to explore this, we can connect you with our biometric access control partners to discuss costs and implementation.
Industry Context:
Access abuse can affect virtually every unmanned entry operation across all sectors to a larger or smaller degree. Even large chains with significant technology investment still experience access abuse. There is perfect technological silver bullet, that hits that sweet spot of a great user experience, total reliability, and a relatively low-cost. But the combination of the features and actions outlined above significantly reduces the problem, and facial recognition is the most robust technology out there at this time to totally prevent access abuse, even though it's not perfect itself.
There are reasons that most national operators have not implemented more draconian measures than they have now, and these are typically cost vs benefit, and disruption to the user experience, which leads on to:
Why we don't use certain technologies:
1 - Anti-screenshot technology: Can be bypassed by simply photographing the screen with another phone, so we've focused on rotating QR codes instead, which actually is more effective in reducing the problem.
2 - Two-factor authentication for members: Creates massive user friction (waiting for SMS codes, expired codes, lost phones) and is easily bypassed ("just send me the code"). We do offer this as a feature for staff logins where data security is paramount, but member feedback from operators who've tried it, has been overwhelmingly negative.
3 - Device management: Limiting logins to X number of devices (like Netflix for example) sounds good in theory, but many members legitimately use multiple devices (personal phone, work phone, PC, laptop, tablet, etc.) to access Clubright. Limiting to one device is practically unworkable and as per 2FA, leads to massive user friction, even allowing for 2 devices still creates large support volumes and a poor member experience ("I sold that phone, and now I can't de-register it" "I can't login to add my new phone, as it says I've exceeded my maximum device count") and is easily bypassed by two separate people registering their own phones on one account. We've not implemented this, as it creates more problems than it solves.
Reality Check:
Typically the perception of significant access abuse is greater than the reality. Independents gyms usually fare significantly better than large corporate chains – people generally have more loyalty to local businesses and are less likely to abuse them.
If you are suffering from credential sharing or access abuse, then Suggested Next Steps:
Run the visit report and identify the potential worst offenders, and investigate further using CCTV
Check the Clubright features are set to align with access abuse reduction, particularly access period limits
Implement the hearts and minds approach with member communication and your T&C's
Contact us to discuss Facial Recognition if this is a route you'd like to explore further