Local device authentication
US-2017223005-A1 · Aug 3, 2017 · US
US10551870B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10551870-B2 |
| Application number | US-201715656678-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 21, 2017 |
| Priority date | Jul 21, 2017 |
| Publication date | Feb 4, 2020 |
| Grant date | Feb 4, 2020 |
Official abstract text for this publication.
A method according to one embodiment includes communicating a wireless advertisement that identifies a clock status of a real-time clock of the access control device, wherein the clock status includes a clock status value indicating that the real-time clock has not been set, establishing a wireless communication connection with a computing device in response to the wireless advertisement, transmitting a session random value to the computing device, receiving a clock update token from the computing device, wherein the clock update token is indicative of an authority of the computing device to update the real-time clock of the access control device, authenticating the clock update token based on at least the session random value, and updating the real-time clock based on a received update time in response to successful authentication of the clock update token.
Opening claim text (preview).
What is claimed is:
1. A method, comprising: communicating, by an access control device, a wireless advertisement that identifies a clock status of a real-time clock of the access control device, wherein the clock status includes a clock status value indicating that the real-time clock has not been set; establishing, by the access control device, a wireless communication connection with a computing device in response to the wireless advertisement; transmitting, by the access control device, a session random value to the computing device; receiving, by the access control device, a clock update token from the computing device, wherein the clock update token is indicative of an authority of the computing device to update the real-time clock of the access control device; authenticating, by the access control device, the clock update token based on at least the session random value; and updating, by the access control device, the real-time clock based on a received update time in response to successful authentication of the clock update token.
2. The method of claim 1, wherein the clock update token comprises a caveated cryptographic bearer token that includes a clock update caveat that limits access control permissions of the computing device over the access control device to updating the real-time clock of the access control device.
3. The method of claim 2, wherein the clock update token further includes a timestamp caveat that identifies an appropriate time basis for the real-time clock of the access control device.
4. The method of claim 2, wherein the clock status value is a non-zero random value; and wherein the clock update token further includes one or more caveats corresponding with a cryptographic hash generated based on the non-zero random value and the session random value.
5. The method of claim 4, wherein authenticating the clock update token comprises: generating a reference cryptographic hash based on the non-zero random value and the session random value; and comparing the reference cryptographic hash to the cryptographic hash corresponding with the one or more caveats of the clock update token.
6. The method of claim 1, wherein updating the real-time clock comprises updating the real-time clock based on a received update time command.
7. The method of claim 1, wherein updating the real-time clock comprises updating the real-time clock based on the received update time in response to successful authentication of the clock update token and a determination that the real-time clock has not been set.
8. The method of claim 1, wherein authenticating the clock update token comprises confirming one or more caveats of the clock update token are valid.
9. The method of claim 1, wherein authenticating the clock update token comprises determining whether the real-time clock has been set based on a clock status flag.
10. The method of claim 1, wherein communicating the wireless advertisement comprises communicating a Bluetooth Low Energy advertisement; wherein establishing the wireless communication connection comprises establishing a Bluetooth Low Energy session with the computing device; and wherein the session random value is associated with the Bluetooth Low Energy session.
11. The method of claim 1, further comprising receiving, by the access control device and from the computing device, a request to control the access control device in response to updating the real-time clock; and wherein the request includes a caveated cryptographic bearer token that includes a time-based caveat that defines a time limit for control of the access control device.
12. The method of claim 1, wherein the computing device is a guest mobile computing device and the access control device is a lock device.
13. The method of claim 1, further comprising: detecting, by the access control device, that the real-time clock of the access control device has been factory reset; and updating, by the access control device, a clock status indicator of the access control device in response to detecting the real-time clock of the access control device has been factory reset; wherein communicating the wireless advertisement that identifies the clock status of the real-time clock of the access control device comprises communicating the wireless advertisement that identifies the clock status of the real-time clock of the access control device in response to updating the clock status indicator of the access control device.
14. The method of claim 13, wherein the clock status indicator comprises at least one of a clock status flag or a clock status bit of the access control device.
15. A method, comprising: establishing, by a computing device, a wireless communication connection with an access control device in response to receipt of a wireless advertisement from the access control device identifying a clock status of a real-time clock of the access control device, wherein the clock status includes a non-zero random value indicating that the real-time clock has not been set; receiving, by the computing device, a session random value from the access control device; transmitting, by the computing device, a request for a clock update token to a server, wherein the request includes the non-zero random value and the session random value; receiving, by the computing device, the clock update token from the server, wherein the clock update token is based on a hash of the non-zero random value and the session random value and includes a clock update caveat that limits access control permissions of the computing device over the access control device to updating the real-time clock of the access control device; and transmitting, by the computing device, the clock update token to the access control device to update the real-time clock in response to confirmation of successful authentication of the clock update token by the access control device.
16. The method of claim 15, wherein the clock update token comprises a caveated cryptographic bearer token that includes the clock update caveat and one or more caveats corresponding with a cryptographic hash generated based on the non-zero random value and the session random value.
17. The method of claim 15, wherein the clock update token comprises a macaroon.
18. The method of claim 15, wherein establishing the wireless communication connection comprises establishing a Bluetooth Low Energy session with the access control device in response to receipt of a Bluetooth Low Energy advertisement from the access control device; and wherein the session random value is associated with the Bluetooth Low Energy session.
19. The method of claim 15, further comprising transmitting, from the computing device to the access control device, a request to control the access control device subsequent to transmittal of the clock update command; and wherein the request includes a caveated cryptographic bearer token that includes a time-based caveat that defines a time limit for control of the access control device.
20. The method of claim 15, wherein the computing device is a guest mobile computing device, the access control device is a lock device, and the server is a cloud-based server.
21. An access control system, comprising: at least one processor; and at least one memory comprising a plurality of instructions stored thereon that, in response to execution by the at least one processor, causes the access control device to: communicate a Bluetooth Low Energy advertisement
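The exchange described in the abstract and in claims 1, 2, 4, 5 and 15, as an added example that is not code from the patent or its assignee. It assumes an HMAC-SHA256 chained, macaroon-style token, a root key shared by the server and the lock, and SHA-256 over the concatenated random values; `mint_token`, `Lock`, `binding` and the caveat strings are hypothetical names.

```python
import hashlib
import hmac
import secrets

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def binding(status_random: bytes, session_random: bytes) -> str:
    # Assumed construction: SHA-256 over the two fixed-length values, concatenated.
    return hashlib.sha256(status_random + session_random).hexdigest()

def mint_token(root_key: bytes, status_random: bytes, session_random: bytes) -> dict:
    """Server side: token whose caveats limit it to one clock update in one session."""
    caveats = ["op = clock_update", "bind = " + binding(status_random, session_random)]
    sig = _mac(root_key, b"clock-token")
    for caveat in caveats:                 # macaroon-style HMAC chain over the caveats
        sig = _mac(sig, caveat.encode())
    return {"id": "clock-token", "caveats": caveats, "sig": sig}

class Lock:
    """Access control device side (hypothetical model, not the patent's firmware)."""

    def __init__(self, root_key: bytes):
        self.root_key = root_key
        self.rtc = None                    # None models "real-time clock not set"
        # Non-zero random clock status value carried in the advertisement.
        self.status_random = (secrets.randbelow(2**64 - 1) + 1).to_bytes(8, "big")
        self.session_random = None

    def open_session(self) -> bytes:
        self.session_random = secrets.token_bytes(16)   # fresh value per connection
        return self.session_random

    def update_clock(self, token: dict, update_time: int) -> bool:
        if self.rtc is not None or self.session_random is None:
            return False                   # clock already set, or no open session
        session, self.session_random = self.session_random, None  # single use
        sig = _mac(self.root_key, token["id"].encode())
        for caveat in token["caveats"]:
            sig = _mac(sig, caveat.encode())
        if not hmac.compare_digest(sig, token["sig"]):
            return False                   # caveats altered or wrong root key
        # Reference hash recomputed from the lock's own values, then compared.
        expected = {"op = clock_update", "bind = " + binding(self.status_random, session)}
        if set(token["caveats"]) != expected:
            return False                   # token bound to another session or status
        self.rtc = update_time
        return True
```

A token captured in one session is rejected in the next because the lock recomputes the reference hash from its own session random value, which is the replay protection the hash caveat provides.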
Wireless · CPC title
Entity profiles · CPC title
involving time stamps, e.g. generation of time stamps · CPC title
Revocation or update of secret information, e.g. encryption key update or rekeying · CPC title
Access control lists [ACL] · CPC title