Locking down a kiosk without locking out guests

A self check-in kiosk has to be tamper-resistant and genuinely easy at the same time. The craft is in securing it without making it hostile.

The CheckInHub team

An unattended kiosk asks you to trust a screen to do a job you would normally give a person. That trust cuts both ways. The device has to be locked down enough that a curious guest cannot wander into your settings, switch apps or empty the registration list, and at the same time it has to be open enough that a first-time visitor can walk up, understand it and check themselves in without help. Lean too far towards security and you build something nobody can use. Lean too far towards openness and you build something anybody can break.

Most kiosk problems come from getting that balance wrong in one direction. The good news is that the two goals are not really in tension once you separate them properly. Lock the device, not the experience.

What you are actually defending against

It is worth being precise about the threat, because the realistic risks are mundane and the dramatic ones are rare. You are not mainly defending against a determined attacker. You are defending against ordinary curiosity and ordinary accidents:

  • A guest who taps out of the check-in app and ends up on the home screen.
  • A child left at the kiosk who explores every button there is.
  • Someone who tries to use the device as a free web browser.
  • An accidental swipe that closes the app mid-queue and strands the next ten people.

These are not malicious, but each one takes a working kiosk out of service until a staff member resets it. The aim of locking down is mostly to make the device boring: there is one thing to do here, and no obvious way to do anything else.

Securing the device without souring the welcome

The cleanest mental model is two layers. The outer layer is the device itself — the tablet, its operating system, its settings. The inner layer is the check-in experience the guest sees. You want the outer layer sealed and the inner layer friendly.

For the outer layer, the standard tools do most of the work:

  1. Put the device into a single-app or kiosk mode so the check-in screen is the only thing it will run.
  2. Disable the gestures and buttons that would otherwise exit the app or reach system settings.
  3. Mount it physically so it cannot be picked up, pocketed or angled away.
  4. Require a staff PIN to leave the check-in screen, so a reset is possible but not accidental.

None of that touches the guest experience. A visitor never sees the lock; they see a screen that does one clear thing. That is the whole point — the security should be invisible to the people you want to welcome and immovable to the ones you do not.
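
Step 4 of the list above, as an added example (illustrative code, not CheckInHub's own): a staff-PIN exit gate that keeps only a salted hash of the PIN and throttles wrong guesses, so idle tapping cannot work through a short PIN. The class name, thresholds and return values are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

MAX_FREE_ATTEMPTS = 3   # assumed: wrong tries allowed before delays begin
BASE_DELAY_S = 30       # assumed: first lockout length, doubled on each further miss
MAX_DELAY_S = 900       # assumed: cap, so staff are never shut out for long


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a stored verifier so the PIN itself never sits on the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class StaffExitGate:
    """Decides whether an exit attempt may leave the check-in screen."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.verifier = hash_pin(pin, self.salt)
        self.failures = 0
        self.locked_until = 0.0

    def try_exit(self, entered: str, now: float) -> str:
        """Return 'exit', 'denied' or 'locked'; `now` is a monotonic time in seconds."""
        if now < self.locked_until:
            return "locked"  # input is ignored; the check-in screen stays up
        candidate = hash_pin(entered, self.salt)
        # Constant-time comparison avoids leaking how much of the hash matched.
        if hmac.compare_digest(candidate, self.verifier):
            self.failures = 0
            return "exit"
        self.failures += 1
        over = self.failures - MAX_FREE_ATTEMPTS
        if over >= 0:
            # Exponential backoff: 30 s, 60 s, 120 s ... up to the cap.
            delay = min(BASE_DELAY_S * (2 ** over), MAX_DELAY_S)
            self.locked_until = now + delay
        return "denied"


if __name__ == "__main__":
    gate = StaffExitGate("482913")  # constructed sample PIN
    for guess in ("0000", "1111", "2222", "482913"):
        print(guess, gate.try_exit(guess, time.monotonic()))
```

While the gate is locked even the correct PIN is refused, which is what keeps a guest-facing keypad from being guessable; the guest still sees only the check-in screen.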

A good kiosk feels open to a guest and sealed to everyone else.

The friendly side of the same problem

Locking the device is the easy half. The harder half is making sure the experience inside the lock is something a stranger can finish unaided, because there is no member of staff to rescue them. A secured kiosk that confuses people is not secure — it just fails quietly, with a queue forming and nobody checking in.

So the inner layer has its own rules: large touch targets, one decision per screen, plain instructions and an obvious way to start over if someone fumbles. The flow should be short enough that a guest who has never seen it can complete it on the first attempt. "Designing a kiosk flow people finish" goes deep on that, and it pairs naturally with everything here — a locked kiosk only earns its place if guests actually get through it.

There is a quiet exit rule too. If a guest does manage to get stuck — wrong name, no record, a genuine edge case — the screen should point them to a human rather than dead-ending. The PIN-protected route out is for staff; the guest-facing route out is "please see the desk," clearly worded and never a blank screen.

A short audit before you leave it alone

Because the kiosk runs unattended, the time to catch problems is before the first guest, not after the tenth. A two-minute check covers most of it:

  • The check-in app is locked as the only thing that runs.
  • A deliberate attempt to exit lands on a PIN, not the home screen.
  • The device is physically fixed and cannot be lifted.
  • A full check-in completes from a cold start, including the "see the desk" path.
  • The staff PIN is known to the people working nearby and nobody else.

Run that once per device at the start of the day and the unattended hours look after themselves. The failure mode you are preventing is not a breach; it is a kiosk that has silently dropped out of its app and is now a useless slab while people wait beside it.

Trust, earned in both directions

A kiosk works because two different kinds of trust hold at once. The organiser trusts the device to stay on task and keep the data intact. The guest trusts the screen to be straightforward and not waste their time. Locking down without locking out is simply the practice of honouring both at the same moment.

Seal the device so curiosity and accidents cannot derail it, keep the experience inside that seal genuinely easy, and give every guest a clear way to reach a human if they need one. Get that balance right and an unattended kiosk does exactly what a good greeter would: it lets the right people through quickly and quietly closes the door on everything else. CheckInHub runs its kiosks in a locked single-app mode for precisely this reason, but the discipline matters more than the tool. Lock the device, not the welcome.
