Skip to main content

Preventing access abuse and credential sharing

How to use ClubRight to detect and prevent credential sharing, login abuse, and unauthorised access at your club.

Credential sharing, screenshot-sharing of QR codes, and other forms of access abuse can quietly cost a club significant revenue. This article sets out the ClubRight features and operational measures you can combine to reduce abuse, and explains the trade-offs of approaches we have chosen not to build.

ClubRight features to reduce access abuse

  1. Enable rotating QR codes (Settings → Club Info → Club Access). QR codes can expire after 90 seconds maximum, making screenshots useless except in that tiny window. Any screenshot sent to a friend will typically be expired before they can use it. Note: only Nortech-based access control systems (CRC400, DeltaQuest) support rotating QR codes.

  2. Set visit limits (Settings → Club Info → Club Access). Configure a maximum number of visits per period, for example 2 visits per 24 hours. Anyone exceeding this is automatically barred from their next entry attempt. This catches both QR sharing and credential sharing in one go. Different periods are supported, such as 7 visits weekly.

  3. Require profile photos (Settings → Club Info → Member Area). Turn on mandatory profile photo capture at sign-up. Combined with CCTV or walk-around checks, you can verify suspect entries against the registered photo.

  4. Run visit reports (Dashboard → Reporting → Retention Reports → Attendance). This report sorts members by visit count over the period you select, so shared accounts surface immediately at the top. Look for unusually high visit counts, then cross-check visit times against CCTV.

  5. Check "Who's In Right Now" (Dashboard). This live view shows current check-ins and duration. Use it during shifts to spot unfamiliar faces and cross-reference with member profile photos.

  6. Use the user blocklist (Settings → Club Info → Club Access). Prevent identified offenders from accessing ClubRight or your club using the blocklist feature.

Example visit report:

Additional measures to consider

1. Hearts and minds approach

Technology alone will not solve access abuse. Combining it with clear communication is powerful:

  • Update your Terms and Conditions to state that access abuse results in immediate membership termination, potential legal action for revenue recovery, and the right to charge for a second, third, or fourth membership for anyone sharing their credentials

  • Send a member communication acknowledging you are aware of access sharing, outline the consequences (lifetime ban, small claims court action, additional charges), and remind members that as a local business, sharing access is essentially theft

  • Staff training: ensure your team knows how to use the visit reports, can challenge members to verify date of birth, address, or phone number on file, and understands the process for blocking abusers

  • Member reward system: consider offering a free month or credit to anyone who reports access abuse, which turns your members into a first line of defence

  • Additional charges: charging a second membership fee by stored card or Direct Debit for anyone caught sharing access. Add this right to your Terms and Conditions before relying on it.

💡 Tip: Simply communicating awareness of the issue often stops a significant portion of abuse immediately.

2. Front desk entry management

A staffed desk with a desktop QR scanner and mandatory photo verification is extremely effective. The trade-off is cost, space, and losing true 24/7 unmanned access. Worth considering for peak hours at minimum.

3. Biometrics

Facial recognition is the most robust technology solution for preventing access abuse. ClubRight integrates with facial-biometric systems. There is upfront cost and an extra step in the join journey, but if access abuse is significant, the lost-revenue calculation can stack up.

The main drawbacks are upfront cost, an extra step in the join journey (which kills the instant "join and enter" flow), and occasional matching issues due to appearance changes or lighting. If you would like to explore this, contact us and we can introduce you to our biometric access control partners.

Why we don't use certain technologies

Anti-screenshot technology

Can be bypassed by simply photographing the screen with another phone, so we have focused on rotating QR codes instead, which actually reduces the problem more effectively.

Two-factor authentication for members

Creates significant user friction (waiting for SMS codes, expired codes, lost phones) and is easily bypassed ("just send me the code"). We do offer 2FA as a feature for staff logins where data security is paramount, but member feedback from operators who have tried it has been overwhelmingly negative.

Device management

Limiting logins to a fixed number of devices, like Netflix does, sounds good in theory. In practice, many members legitimately use multiple devices (personal phone, work phone, PC, laptop, tablet) to access ClubRight. Limiting to one device is unworkable and creates massive support volumes ("I sold that phone and now I can't de-register it", "I can't log in to add my new phone, it says I've exceeded my device count"). It is also easily bypassed by two people each registering their own phone on the same account.

Industry context and reality check

Access abuse affects virtually every unmanned entry operation across all sectors to some degree. Even large chains with significant technology investment still experience it. There is no perfect technological silver bullet that hits the right balance of user experience, reliability, and low cost. The combination of features and actions outlined above significantly reduces the problem, and facial recognition is the most robust available technology, though not without its own limitations.

National operators generally avoid more draconian measures because of the cost-versus-benefit calculation and the disruption to member experience.

In practice, perceived access abuse is often greater than the reality. Independent clubs typically fare significantly better than large corporate chains, since members usually have more loyalty to local businesses and are less likely to abuse them.

Suggested next steps

If you suspect credential sharing or access abuse is happening at your club:

  1. Run the visit report and identify the worst offenders, then investigate further using CCTV

  2. Check your ClubRight settings align with access abuse reduction, particularly access period limits

  3. Apply the hearts and minds approach with member communication and Terms and Conditions updates

  4. Contact us to discuss facial recognition if you want to explore that route

Did this answer your question?