While data breaches or hacks are extremely rare, no system is ever completely immune to risk, most commonly from:

Phishing attacks – fraudulent emails or websites designed to capture users' login details.
Credential reuse – passwords compromised from other platforms and tested across multiple services.
Malware – keylogging software on infected devices.
Social engineering – manipulation tactics to obtain user login information.

At Access, we take data protection and system security extremely seriously. Our Guestline Property Management System includes a range of advanced security features designed to prevent unauthorised access and ensure guest and business data remains secure. We strongly recommend that all users take full advantage of these measures to maintain the highest level of protection, including:

Watch our security best practices webinar

To help you and your team get the most out of these security features, we've created a comprehensive webinar covering practical steps to protect your property and guest data. Whether you're new to the platform or looking to strengthen your security posture, this session provides actionable guidance you can implement immediately.

Watch the webinar on demand – simply enter your details to access the full recording.

Use strong, unique passwords

When accessing the Guestline Property Management System, your username and password are the front line of data security at the very minimum, users should:

Set passwords to a strong, unique password they haven't used before.
Use a combination of uppercase, lowercase, numbers, and special characters.
Make it at least 12 characters long.
Don't reuse passwords from other accounts.
Never share their account with another user or have "communal" accounts.
Change the password regularly.
Consider using a password manager to generate and store strong passwords.

How to reset a password depends on your account type:

Email-based accounts can reset passwords themselves at any time. For more information, visit our support article on Resetting your own platform user password.
Username-based accounts require an Admin to reset passwords. For more information, visit our support article on Reset another platform users' password.

Check the URL before entering credentials

To protect yourself from phishing attacks, always verify the website address before entering your username and password credentials. Cybercriminals often create fake login pages that look real but have small differences in the URL.

If the URL looks wrong, do not enter your credentials. This simple step can prevent your user account from being compromised. What to watch out for:

Spelling mistakes in the address.
Extra words or characters.
Unusual or suspicious domain names.
Very subtle differences such as letters replaced with similar looking characters, for example 'o' replaced with '0'.
Legitimate-looking subdomains that aren't official.

Important security practices:

Never use search engines to find the Guestline login page – fraudulent sites often appear in search results and paid advertisements.
Bookmark the official URL below, share them with your team, and always use a bookmark to log in.
Never click login links in emails – even if an email appears to be from Guestline or Access, navigate directly to the site using your bookmarked URL rather than clicking any links.
When in doubt, contact support before entering your credentials.

Official Guestline login URLs to bookmark or share with your team:

UK & Europe - use either:

APAC region - use either:

Enhanced login protection

We've implemented advanced bot detection technology to protect your account from automated attacks. When suspicious activity is detected, our system will present a CAPTCHA challenge to verify you're human. Most users won't notice any change during normal logins, as this security layer works in the background, though you may see it if using VPNs or logging in via a new device. This protection helps stop attackers from automatically testing large lists of stolen passwords against your account.

Manage user access carefully

Use Single Sign-On (SSO) to centrally manage who can access your Guestline systems.

We recommend you:

Assign roles and permissions to ensure users only access the data and functions they need.
Permissions to edit other users’ permissions can only be assigned to users with MFA enabled.
Promptly remove access when staff leave, block accounts for extended absences, and adjust permissions when staff change roles.
Regularly audit your user list to prevent accidental or unauthorised access to sensitive information.

For more information, read our support article on editing user permissions and blocking users.

Inactive user blocking

Automatic Inactive User Blocking enhances platform security by automatically blocking user accounts that have been inactive for more than 90 days. When an account is blocked due to inactivity, the user will be unable to log in until an administrator unblocks the account and resets their password.

Enable Multi-Factor Authentication (MFA) with one-time password

We strongly recommend making Multi-Factor Authentication mandatory across your organisation to provide an additional layer of security beyond passwords and permissions.

MFA requires users to verify their identity using a second factor, such as a code sent to their phone or an authentication app. This significantly reduces the risk of unauthorised access — even if a password becomes compromised.

For more information, read our support article on Multi-factor Authentication (MFA) overview.

Enable Multi-Factor Authentication (MFA) with passkeys

Passkeys provide a phishing-resistant MFA option for enhanced security when accessing your Guestline account. They use either a physical security key (such as a YubiKey or Google Titan) or your mobile device’s biometric sensor, fingerprint, or PIN. This creates a unique cryptographic link between your account and the official Guestline sign-in page, ensuring attackers cannot intercept or copy your credentials.

For more information, read our support article on passkeys for Multi-Factor Authentication (MFA).

Enable Trusted Browsers

Use Trusted Browsers to ensure that only approved and recognised devices can access your Guestline PMS system. This feature helps prevent logins from unknown or suspicious devices. Allows you to monitor devices accessing your system and block them.

For more information, read our support article on Trusted Browsers - manage browsers. This is a new feature currently being rolled out. If you don't have access, contact support to be added to the next deployment.

Log out

We recommend you log out of Guestline PMS when you move away from your workspace or finish your shift.

To keep your account secure, you'll be automatically logged out after:

2 days of continuous use.
Or 24 hours of inactivity.

This helps protect your account from unauthorised access while minimising interruptions to your work.

Be cautious with emails

Phishing emails are a leading attack method designed to steal credentials or install malicious software.

Train staff to:

Verify senders carefully.
Avoid clicking on suspicious links.
Remember Access will never request passwords via email or ask you to log in via a link in an email or message.

Keep your systems secure

Ensure all users maintain up-to-date antivirus software and browsers, never save passwords in browsers, log out after each session, especially on shared devices, and position screens away from public view to prevent shoulder surfing.

A sophisticated phishing attack is targeting Microsoft 365 users through fake verification pages. If you use Microsoft services, be extremely cautious: never copy and paste URLs from emails or verification pages, as attackers are exploiting this to bypass security and gain access to accounts without needing passwords or MFA codes.