Smart lock with RFID and biometric access tested

WeLock sent me the Touch41 smart door lock for a test. I installed it in our front door and can now tell you about it first-hand.

Security

Where do I start? With the Germans and their probably globally unique claim to security, which seems downright absurd in view of the crime statistics in Germany. This is not primarily about facts, but about feelings. The German soul is free to do so. It should feel safe.

I am not a security expert, so I had to read deeply into this topic. Much more than fits into this article.

Typisches deutsches Einfamilienhaus mit üblichen Sicherheitsvorkehrungen
Typical German detached house with the usual security precautions

Does the insurance pay?

For example, I phoned various insurance companies, the German Insurance Association and the police. I wanted to know whether it’s true that the insurance company won’t pay if you don’t use a VdS-certified locking cylinder, or whether this myth is just a myth after all.

And yes, unless you have an ancient contract that specifies the number of prongs *sigh* of a key bit, in this day and age insurance companies have no specifications regarding the lock cylinder. Even an antique coloured bar lock is sufficient as long as you have also locked the door. Pulling it shut is not enough! The insurance will pay if there are signs of burglary.

More secure?

There is a huge difference between quietly „picking“ a modern profile cylinder in one minute without leaving any traces and loudly breaking off a smart lock in two minutes, drilling it open and then hammering in a large screwdriver to turn the lock. The smart lock seems insecure to the layman, as it could be broken off, but we have two points here that burglars don’t like:

  • It makes noise
  • It costs time

The positive thing for us is that in the event of forced entry, signs of break-in are visible, so the insurance pays out. If a locking cylinder is only opened by lockpicking, it is not even possible to determine whether the front door is only closed.

Burglars are usually only equipped with a large screwdriver and look for the easiest way into the house. This is usually not the front door, but a tilted window, patio door or side door. Incidentally, most burglaries are committed during the day by opportunists.

Typischer, unauffälliger Einbrecher
Typical, inconspicuous burglar

What do the police say?

When I asked the police advice centre for the state of Hesse, they gave me an estimate of less than 10 percent for the „front door“ burglary route. Common burglary routes are patio and balcony doors and windows accessible at ground level. Unbarred basement windows are also a popular way into a building.

Burglars are mainly interested in cash and jewellery. However, it is also interesting to note the thoughtful statement that they sometimes have the impression that burglars only break in for the sake of it because nothing has been searched.

Cash and jewellery? We are immediately ruled out as a primary target group. If I have 20 euros in my pocket, that’s a lot. 🙂 I hardly ever need cash. And we don’t wear jewellery anyway. We’re lucky. 🙂

Polizeiliche Beratung
Police counselling

When asked directly about a smart lock, the officer’s biggest concern was that you wouldn’t be able to get in with dirty fingers if you didn’t have your phone or RFID token with you. With a smart lock, however, at least three opening methods don’t have to work; with a normal lock, forgetting the key is enough. 🙂

The police see the advantage that if a key (transponder key) is lost, the authorisation for the missing key can be withdrawn so that it can no longer be used. This also eliminates the need to replace the locking cylinder.

If you have the Mona Lisa hanging in your living room, you don’t need to worry about a locking cylinder – you have a complete security concept. For us mere mortals, a standard lock is usually sufficient. As before: The front door is the least common way to break into a house.

I received a few links on the subject in an e-mail:

Smart front doors?

Yes, I have already reported on my concept of a smart door several times. We already had the motorised lock from Abus on the door, but have never used it because I’m still looking for a good access control system. However, as you can see from the diagram, that’s not enough. The bottom line is that this solution is cheaper than buying a complete Smartdoor for a five-figure sum, but it’s not really cheap either. In addition, you definitely need to know what you are doing and put in the time and effort.

Our requirements

Our aforementioned lock from ABUS eats batteries like a couch potato binging a series, but the lock also needs to repeatedly turn the key with a motor and be connected to the base via Z-Wave. Without a remote control, we had no advantages with this lock because we still had to open the door with the key. It locked at night and unlocked in the morning, that’s it.

But in our house it’s like a dovecote. We’re constantly leaving or entering the house and going out into the garden or to the play centre. My wife’s son regularly forgets his house key and when his mother-in-law comes, we have to go to the door and open it. We also regularly have to give the cat sitter a key.

However, our aim is to open the front door primarily using biometrics. If necessary, we can also use an RFID tag or a smartphone. However, neither of the latter options offers any advantage over handling a key.

WeLock Touch 41

Like many other providers, WeLock has a lock on offer that already has this access control integrated. They wrote to me and asked if I would like to test the lock. Yes, I found that really exciting because I had previously been rather sceptical about such solutions.

As a smarthome nerd and cloud fan, am I sceptical? Yes, of course. It’s easy to be generally against anything new, but it’s difficult to find arguments for and against a technology. In principle, I always approach new topics from the perspective of a technophobe, which means I overlook fewer weak points.

My prejudices

I was prejudiced, because you’re always told that you can only have a secure home with the „right“ locksmiths.

Security

The first thing I thought was: this is unsafe. I’ve already written all about this above. The lock is no less secure than our ABUS profile cylinder, on the contrary. What’s more, you can’t open it without leaving a trace.

Energy consumption

The second thought: Oh, how primitive, I have to turn the lock by hand. But that saves me batteries. WeLock promises that the batteries will last eight to ten months if you open the lock ten times a day. Ten openings a day is a lot, even by our standards.

As you have to wake up the lock with a button on the knob before opening it, which is basically instantaneous, it saves even more energy.

It is no longer possible to unlock the door if you ignore the battery status warnings until they are empty. In that case, you have to go into town and buy new batteries. The other solution would have been to connect the phone to the lock with a USB-C cable, supply it with power and open it with the app.

The annoying cloud

The third thought was: it’s one thing whether a lamp is connected to the cloud, but quite another whether the front door is. However, the WeLock Touch41 does not need a cloud, it works completely autonomously. For energy-saving reasons, it also only supports Bluetooth. Outstanding!

The only purpose of creating an account is so that you don’t have to restart the pairing procedure when you change smartphones, but simply install the app and log in with your access data.

If you want, you can even use the lock completely without an app. However, it is then not possible to memorise RFID tags, as these are identified via the printed QR code. It is also not possible to open the lock with a USB-C cable in an emergency.

The convenient cloud

My fourth thought was: I want to integrate the door into my smart home and be able to open it with voice commands! Why is that? Because stop! But what would I get out of it? Giving the Google Assistant the command to open the front door and then telling a visitor to turn the lock through the intercom? In the meantime, I would have walked to the door myself or activated the door buzzer.

WeLock offers a Bluetooth bridge for fans of cloud solutions. I was also offered this for a test. I declined as it currently only works with Amazon’s Alexa, but we use Google Assistant. I want to carry out realistic tests and not just pick up hardware for free. I simply owe it to my readers and the environment.

As already mentioned, the lock cannot open a door automatically, i.e. it cannot pull back the deadbolt and latch bolt using motorised force. This reassures me more than it bothers me. Imagine accidentally giving the opening command while on holiday. The lock opens the door and the wind pushes it open. In this case, you would have to call a neighbour and ask them to close the door again. This cannot happen with the WeLock Touch41.

On the other hand, it would have been very practical for us and might even have saved the life of a raccoon if we had been able to open the door remotely using a voice command when the fire brigade was at the door in our absence and threatened to force it open. All we would have had to do was install the Amazon Alexa app.

What if we forget to turn off the water for the garden on our next holiday or something happens again and third parties need to be let into the house? In any case, remote opening from holiday saves time and money.

Come to think of it, it might be interesting to test the Bluetooth bridge after all. I will ask WeLock for a test position after all.

Key data

An overview of the WeLock Touch41 and its technical data.

Installation dimensions

The lock fits easily into most German front doors into which a normal profile cylinder also fits.

Dimensions of the product’s door knobs Diameter: outside 46 mm / inside 38 mm; length: outside 56 mm / inside 57 mm
Adjustable locking cylinder length outside 40 mm – 55 mm / inside 30 mm – 60 mm
Suitable for door thicknesses 50 – 100 mm
Compatibility Simple 1:1 replacement of the existing Euro locking cylinder of the house or flat door.

Opening methods

The Touch41 can be opened in various ways: by fingerprint, with an RFID card or via the app.

Fingerprints Storage space for up to 100 fingerprints (including 3 with admin function).
RFID cards Up to 20 cards can be memorised.
App Apps available for iOS and Android.

Resilience

The locking cylinder complies with protection class IP65. This means that the product is dust-tight and protected against water jets from all directions.

However, the manufacturer WeLock points out that the lock must be protected from direct weather influences. In Germany, however, front doors with a protective roof or protected installation are common, depending on the region.

According to the manufacturer, the Touch41 is not suitable for external gates that are not covered. If the lock is to be used outdoors, care must be taken to ensure that it is protected from the weather. For example, there is a risk that the lock will completely freeze over in frost due to rain and snow. Weather protection must therefore be fitted.

Electrostatic protection Up to 30,000 volts
Water resistance IP65 certification
Suitable doors Doors with canopy, not suitable for free-standing external gates
Fire protection Can be opened from the inside at any time
Service life Up to 10 million closing operations
Operating temperature -30 °C to 60 °C

Energy consumption

The batteries cannot be charged via the USB port, even if rechargeable batteries are used. The USB port is only used to enable emergency opening using a power bank or smartphone.

Display OLED display for battery status, settings and warnings
Power supply 3 x AAA 1.5 V batteries (AA)
Battery life With 10 unlocking operations per day, the battery charge lasts 8-10 months
Emergency power supply USB backup for unlocking when the battery is empty
USB connection Only suitable for unlocking, not for charging!

Scope of delivery

In principle, you should be able to remove the old lock and install the new one using the tools supplied.

1x „WELOCK Fingerprint Smart Lock“
3x RFID cards
1x Allen key
1x Phillips screwdriver
1x spare rubber plug
1x handful of replacement screws
4x instruction manual
1x instruction leaflet

Configuration

In principle, the configuration can also be carried out on the removed lock. This is recommended, for example, when installing the Touch41 in winter. 🙂

App or no app?

It is not necessary to use the app, the lock can also be used completely independently. However, the app offers advantages if you want to create and manage users. The access logs are also only accessible via the app.

The three cards supplied can be set up for guests or tradesmen and assigned a validity period.

Your own RFID cards can only be programmed directly on the lock – and these cannot be configured with a validity period either.

Hand on heart: I don’t start with four people who should have access to the house, create users and assign fingerprints and cards to them. This may be useful if you use the lock commercially and want to know when someone has entered the building or when the door was locked in the evening.

Yes, well, after a separation from your partner, you could also delete your fingerprints and cards individually – or carry out a factory reset and re-enrol your own fingerprints and cards, which works quickly and easily.

Believe me, I deleted everything several times during my tests and the family members had to re-enter their fingerprints. 🙂 That’s the way it is when you experiment a lot to be able to write a well-rounded article.

As you can see, you can only assign five fingerprints to each user, even though we usually have ten fingers. This is not a problem, the remaining five fingerprints can be saved, but not assigned. This is only interesting for the unlocking log and deleting individual prints. We only enter all ten prints because we can.

Three Bluetooth remote controls can be assigned to each user. The lock can recognise up to eight remote controls in total.

ID number

Before we do anything with the Touch41, we make a note of the ID number on the lock and the packaging. We need this to connect to the app.

Inserting the batteries

I don’t know about you, but I like to do the configuration work at my desk.

We put the batteries in the lock. To do this, we remove the cover of the outer knob. This is secured with a grub screw, which we loosen with the enclosed Allen key.

Now remove the rubber cover and undo the Phillips screw.

Insert the batteries and screw the flap back on, replace the rubber cover and put the cover back on the knob and secure it with the grub screw.

The QR codes only contain the link to the article page at WeLock. I have removed it on the outside. Microsoft does it the same way: Security through obscurity. 🙂

I also didn’t like having a barcode on the door. Simply for aesthetic reasons, the look is too „technical“ for me. I should have left it as you can now see non-removable adhesive residue on the rubber cover. Unfortunately, the sticker is so thick that it is now dog-eared and it was applied so precisely that I couldn’t get it perfectly positioned. 🙁

Deposit admin fingerprints

The yellow notice says that you must first set up the fingerprints of one or more administrators so that the lock cannot be opened with just any fingerprint or RFID tag. This is not a mistake, but an important security aspect so that you do not accidentally lock yourself out when installing the locking cylinder.

  1. Press the button for longer than 5
  2. The display now expects admin fingerprints „Add Admin FP
  3. Place the first finger several times until „New User FP Admin : 1, 2 or 3“ appears
  4. You can then continue directly with the next fingerprint until all three admin fingerprints have been read in

Now we can only open the lock with these three fingerprints.

Alternatively, you can add one or two more admins instead of your own fingerprints. Only admins can add additional users (fingerprints). Adding Finder fingerprints via the app does not work.

Side note: The device can only be switched to German on the device itself.

Adding user fingerprints

While we’re at it, we can also scan in our remaining seven fingers (as normal users). When you come back from the garden or working on the car, your hands are usually dirty and it can happen that one or two fingers can no longer be recognised. It’s better to scan all the prints straight away. The Touch41 stores up to 100 different fingerprints.

The procedure is the same again:

  1. Press the button for longer than 5
  2. The display now awaits authorisation by an admin: „Please Auth
  3. Now press the button once briefly until the display shows „Add User FP“ and then „Accepting FP„.
  4. Place the first finger several times until „New User Finger ID : 1, 2, 3 … 100“ appears on the display.
  5. You can then continue directly with the next fingerprint until all fingerprints have been read in

Add your own RFID card

20 cards can be stored.

  1. Press the button for longer than 5
  2. Press the button until „Add Card“ appears on the display
  3. Insert the card, „New User Card User:01, 02 … 20“ appears when the card has been successfully read
  4. You can then proceed directly to the next card

Add guest

You can add a guest via the app and only with the original RFID token:

  1. tap„Add card“
  2. select„Start time and end time“ or „Unlimited
  3. Scan the QR code on the token

Installation

During installation, the distance from the centre of the locking cylinder to the outer edge of the door frame must be at least 33 mm so that the knob does not touch the door frame. If rosettes are used, this distance is reduced accordingly.

In our case, the distance is 35 mm. When using a 14 mm thick rose with cylinder protection, the knob just barely touched the door frame when closing the door. We replaced it with a stainless steel rosette 2.5 mm thick. The door now closes with a comfortable gap.

I can’t use the Touch41 on our burglar-resistant patio door on the KBZ because the distance between the door frame and the centre of the lock is only 19 mm.

Remove the old lock

Every front door is a little different. Ours is now almost sixty years old, but the basic principle is still the same.

  • First you have to remove the fittings on the inside and outside.
  • Undo the fixing screw of the locking cylinder on the side of the door leaf.
  • Use the spanner to turn the bolt of the old locking cylinder until you can pull the cylinder out of the door.

Install Touch41

The new locking cylinder is installed in the same way as the old one was removed. In most cases, it is shorter than the old one. This is intentional and better than if it is too long.

Schliesszylinder im Vergleich
Locking cylinder in comparison

We can see that the fixing hole for the screw and the turning bolt are in the same place. Both knobs on the Touch41 can be moved along the pivot axis so that the lock adapts to the door.

We have an old door that is poorly insulated and therefore relatively thin at 67 mm thick. We don’t want another one either, because the old one fits the house well and is sufficiently secure with lots of bolts. Modern doors with a total thickness of up to 100 mm can also be fitted with the Touch41.

  1. Loosen both knobs with the Allen key and remove the inner one
  2. The rotary bolt must be aligned with the locking cylinder, i.e. pointing downwards
  3. The Touch41 is now pushed in from the outside
  4. Fasten again with the screw on the side of the door leaf
  5. Push the outer knob in until it rests on the outer rose but does not rub – now screw it tight again
  6. Do the same with the inner knob

That’s it! That’s it already! It’s no more difficult than replacing a normal locking cylinder!

Here you can see very clearly how easy it was to adapt the lock from the old, 14 mm thick rosette to the new, much thinner rosette of just 2.5 mm.

Emergency opening?

You can see a battery indicator on the display with every interaction and the app warns you when the battery is low – but as you know, this is ignored until it’s too late. „Yes, tomorrow, tomorrow I’ll definitely do it.“

If the batteries are really flat, you can still power the Touch41 via a power bank or your smartphone. I’ll put this little screwdriver from the accessories, a set of batteries (AAA) and a USB-C to USB-C cable in the glove compartment to be on the safe side.

A test with the batteries removed went without a hitch. I connected my phone to the lock and was able to open the door with my fingerprint or the app.

RFID?

And what about RFID? You can add the original RFID tags from WeLock via the app and define a validity period if you are within Bluetooth range of the lock. The app scans the QR code with the smartphone camera, transmits it to the lock via Bluetooth together with the time period and you can use the tag immediately to open the door.

Yes, we have scanned and tested the tags, but we don’t use them. They are too cumbersome for us. You might as well pull a key out of your pocket.

Nevertheless, it’s always good to have an alternative for opening the door. You have to give WeLock credit for the fact that you can also use RFID tags (13.56 MHz) from other manufacturers. Existing access tokens, e.g. from work or a sports club, can easily be added directly to the lock via the menu.

Each of us has an RFID tag that I have taught to the lock.

Smartphone as an RFID tag?

Using your own smartphone as an RFID token for the Smart Lock may be impossible as some phones, such as the Google Pixel, send a rotating ID.

Many modern smartphones have a rotating NFC ID that prevents tracking and replay attacks by regularly generating new temporary UIDs.

This measure protects privacy and increases security by preventing the ID from being associated with a specific user or device, making it pointless to copy the ID. Rotation is automatic and therefore cannot be used for applications that require a static ID, such as access control systems.

These systems use maintenance-free, passive RFID tags that do not require batteries and therefore always work.

Security

Is the RFID implementation used also secure?

The really good thing is that WeLock uses 13.56 MHz RFID and not the outdated 125 kHz RFID chips that are used in many cheap access control systems, such as those found in well-known online shops – which I would really advise against. This is much more secure and reliable. I wrote something about RFID access control here.

More specifically, Mifare Classic 1k RFID tags with HF band (13.56 MHz) are used. How could it be otherwise, these have some known weaknesses. Nothing wild that would make us as homeowners lose sleep at night, but I just don’t want to leave it unmentioned.

  • The chip uses a proprietary encryption algorithm called Crypto-1, which is not considered sufficiently secure.
  • Researchers discovered weaknesses in Crypto-1 back in 2008 that make it possible to decrypt the data on the chip with relatively little effort.
  • There are various successful attacks against Mifare Classic 1K chips, such as sector-based attacks, replay attacks or dark-side attacks.

An attacker could copy the RFID tag with a special reader and software tools if he gets his hands on it. Once they have done this, they can also make an imprint of all other traditional front door keys. However, reading the encrypted RFID tag takes considerably longer than copying a normal key.

I immediately tried to copy the RFID tag with my smartphone, but was unable to do so. The app can read the tag data, but not completely. I also tested hash algorithms to deduce the ID of the RFID tag from the QR code and vice versa. ChatGPT was also unable to establish any correlations.

I suspect that the app may generate the RFID ID from the QR code using the ID number of the lock. So the QR code seems to be a kind of public key. But I’m no expert and can only speculate here. Well, even if you take a photo of the QR code, you can’t deduce the ID from it and you can’t use it to create a „duplicate key“.

All these „security gaps“ do not mean that the WeLock Touch41 is vulnerable per se. It is by no means vulnerable, as it only accepts the stored RFID tokens. However, the tokens can be copied with a little effort and expertise.

Contrary to popular belief, passive RFID tags cannot be copied remotely as their transmission power is far too low for this. It is a maximum of a few centimetres. If you wear the token on your key ring, the metal interferes massively with reading anyway.

Yes, we Germans always believe that we have to protect our front door from James Bond or Ethan Hunt – and then we leave the kitchen window ajar.

Test?

If the lock recognises a fingerprint, it beeps and locks the knob with the locking cylinder. Now you can unlock the door. A few seconds later, the connection is unlocked again and you can turn the outer knob freely around its axis. The inner knob is always firmly connected so that the door can be locked manually from the inside.

Hardware

We put the lock through its paces for a fortnight. It didn’t fail for any of us. We felt the fingerprint recognition was better than on our smartphones. Even with dirty, wet or greasy fingers, we had no problems getting into the house.

Only after mowing the lawn, when I had to get the clippings out of the basket with my hands and had doodle-green fingers, the recognition only worked on the ring finder of my right hand. That’s why I’m a fan of scanning all fingerprints.

I checked the correct recognition in the app log and everything is great. No incorrect assignments.

Software

Fingerprint scanning cannot be started via the app. In general, the lock and the app complement each other, and only the two together offer full functionality. The app is only required for more sophisticated user management. Naturally, the menu in the lock cannot do this and it would not be practical. However, if you don’t want to use the app, there are no real functional disadvantages in everyday life.

The translation of the app is perfectly fine. It may not be elegant, but it is absolutely understandable and functional. I am satisfied.

Smarthome

I have not yet been able to find any modules for ioBroker. This also clearly raises the question of what the point is. You could view the locking protocols. Or switch on the light when a user wants to enter the house. However, I suspect that someone with a smart home control centre has also installed a door contact at the front door to do this.

I don’t see any disadvantage for me if I can’t read the lock in ioBroker. You need a Bluetooth bridge near the lock anyway, because it doesn’t have WLAN. That’s a good thing, otherwise the batteries would soon be flat.

Conclusion

So what is my opinion of the lock? It is „only“ a locking cylinder that replaces the classic key with a variety of modern authentication methods. It is not a motorised lock that can completely unlock the door on its own. In principle, I would only use such a motorised lock with a door closer.

However, there is nothing to stop you combining the WeLock Touch41 with a motorised lock. The clear advantage: nobody can open the lock from the outside by lockpicking without destroying it. However, the motorised lock must then also have an adapter for a standard square drive, as the motorised locks turn the (partially sawn-off) key. I suspect that I could print such a drive for our Abus motorised lock.

But let’s just keep such a motorised lock drive in mind – for pros and cons.

Contra

Now I really have to do some soul-searching and find the fly in the ointment. There is no perfect product, that’s for sure. But what are the weaknesses that I can accuse this product of, come hell or high water?

  • cannot unlock the door independently
  • Fingerprint assignment cannot be started in the app
  • Cloud only possible via Bluetooth bridge
  • no connection to a smart home centre such as ioBroker possible
  • no WLAN
  • the lock must be drilled out in the event of a defect

Wow, so many negative points? But are they really negative? No, not really, because these points were rightly not in the Touch41 specifications. The product does exactly what it was designed to do.

And in the event of a defect? If a normal locking cylinder were defective or sabotaged with adhesive, it would also have to be drilled out. WeLock specifies a service life of up to 10 million (10,000,000) locking operations.

To put this into perspective: If every member of a family of four opened the Touch41 from the outside three times a day, the lock would last over 2,200 years. If the owner of our house had installed this lock sixty years ago, it would only have had 262,000 locking operations.

Surely we all agree that modern technology doesn’t last that long, right? You want to buy something new as a nerd, don’t you? 🙂 At some point, the manufacturer will have another cool lock up their sleeve that we really want to have. 🙂

Pro

The advantages of the Touch41 clearly outweigh its (irrelevant) disadvantages.

  • Significantly faster unlocking than a motorised lock
  • Simple installation
  • Easy configuration
  • Wide range of authentication methods
  • Authorisation can be deleted in the event of key loss
  • Backup opening options
  • High quality appearance
  • Very high WAF
  • no cloud compulsion
  • no app compulsion
  • long battery life
  • Cloud access can be retrofitted with bridge
  • Amazon Alexa compatible (with Bridge)
  • Google Assistant connection in progress (with Bridge)

Recommendation?

I was really sceptical at first. But I’m happy with the lock and I’m going to keep it in our front door. Personally, I feel just as secure with it as with the conventional ABUS locking cylinder. The only difference is that I have much greater convenience and the certainty that the (unlikely) break-in through the front door will leave a trace and the insurance will pay.

Last but not least, I can no longer remove the Touch41. That has become impossible because the other family members would stop me.

Buying?

You can buy the lock directly from the manufacturer or via Amazon.

WeLock directly

Buy WeLock Touch41

50 Euro voucher FD57
Final price: 132 EUR

Shipped from a German warehouse.

Amazon

Buy WeLock Touch41

7 euro voucher: secbn018
Valid until: 09 June 2024, 23:59

Final price: 132 EUR

Schreibe einen Kommentar

Ich bin mit der Datenschutzerklärung und der Speicherung meiner eingegebenen Daten einverstanden.