The Access Passback Problem

By Brian Rhodes, Published Aug 18, 2021, 09:33am EDT

'Passback', the practice of using someone else's credentials to gain entry, is a troubling access control vulnerability.


In this report, we look at the problem and how designers can minimize the vulnerability, covering:

  • Passback vs Tailgating
  • Why Passback is an access risk
  • Soft anti-Passback: time limit
  • Hard anti-Passback: reader pattern and flow
  • Biometrics & Turnstiles
  • Integrator feedback on solutions they use
  • Many just ignore the risk

Passback *********

'********' ***** '******* ***********'. From *** ******* *****, two ****** *** ******* through ** ******-********** **** by ******* *** **** badge:


'********' ****** **** '****** A' ***** ***** ********** to '****** *' ** that ****** *** **** access. **** ******** ** similar ** ******** * door *** ******* * mail **** ** ** outside ****** ** ******* your ******** **** ******* else.

Security *************

** ****, ******** ***** that *** ****** ** not *********** ****** ** the *** ** *** designed, *** ** *****, it ***** **** * potential ****** ***** *****.

Less ***** **** **********, ***** * *******

'**********' ***** **** **** a ********** *** ****** a ****, ** ** left **** ** **** more **** *** ********** is ******* ** **** through. ** ******** ** 'Passback', '**********' ******** *** requirement ** **** *** credentials, ***** '********' ******* them.

************ * *********** **** in ***** ** ******** threats, ***** ******** ** generally **** ******* *** potentially ** *********. ******** is ******* *** **** with ********* ****** ** a ********** ** ***** used, **** *** *** that ********* *** *** user.

** *******, ******** ** easier ** ****** **** Tailgating, **** **** ********* or ******** ************* ************ preventing *** *** **** of *** ****.

*** **** ** *** more *********** ********** ******, see****** **********: ******* ******** Vulnerability.

Anti-Passback *********

** ******* *** ****, Access ******* ******* ***** feature **** ******** '****-********' controls:

  • Time Limits (also called 'Soft Anti-Passback')
  • Reader Pattern & Flow (also called 'Hard Anti-Passback')

*******, ** ***** ********* are *** **** ** be ****, *********** ******** can ** **** **** with ***** ****:

  • Biometrics
  • Turnstiles

Soft Anti-Passback: Time Limits

*** ******** *** **** basic ******* ***** * credential ****** ** **** at *** **** ****** twice ****** * ******* amount ** ****. **** feature ** ***** ******** with ********** ****** ******* but ******** ************* ** use **** ******* *** installed.

****** ********* * **** from ******** ****** ** the **** ****** *** a ****** ** * to * ******* *********** the *********** ** ********** using * **********. ** some *****, *** ***** may *** **** ** fully ******** **** ***, but *** ***** ** flagged ** * ****** for ********** ** *********** further.

*******, **** **** ** control *** ** ************ if ***** ************ **** something ***** ******* * card, ****** ********** ** a ************, ** **** some ***** ********** ****** for ******* **-************* ******* an *******.

Hard Anti-Passback: Reader Pattern and Flow

*** **** ****** ** more **********, *** **** more ****** ** *********.

***** '****** ******* *** flow' ******* ******** ********** reads ** ****** * logical ******* ****** * system. *** *******, * credential **** ** **** at ** '***' ****** before ** *** ** used *** ** '**' function. ********, * ********** cannot ** **** ** enter '******** *' ** 'Building *' *** *** first **** ******.

**** ****-******** ****** ** the **** ********* ******* have *** *********** *** problem, *** ** ******** the **** **** ** 'OUT' ******* **** **** be ********* *** ****** an ******** ** ****** all ***** ********** ****** a ********, **** ***** that *** ************ ****.
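To make the two controls concrete, here is a small rule engine that replays a constructed badge log through both soft anti-passback (a time limit at the same reader) and hard anti-passback (a credential that is IN must badge OUT before it can be IN again). This is an added example written for this page, not IPVM's code or any access control vendor's implementation. The reader names, the 300-second window, the "alert only" variant (deny_on_violation=False) and the forgive() reset are assumptions chosen for the illustration; the badge log is constructed, not captured from a real system.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Mode(Enum):
    SOFT = "soft"  # time limit: same credential at the same reader inside a window
    HARD = "hard"  # reader pattern: a credential that is IN must badge OUT before the next IN


@dataclass(frozen=True)
class Reader:
    name: str
    direction: str  # "IN" or "OUT"


@dataclass(frozen=True)
class Decision:
    granted: bool
    violation: bool
    reason: str


class AntiPassback:
    """Anti-passback rule engine for one secured area (hypothetical design).

    The credential is assumed to be already authenticated; this class only
    answers whether the read also satisfies the anti-passback rule.
    deny_on_violation=False gives the 'alert only' variant, where the door
    still opens but the event is flagged for follow-up.
    """

    def __init__(self, mode: Mode, window_s: int = 300, deny_on_violation: bool = True):
        self.mode = mode
        self.window_s = window_s
        self.deny_on_violation = deny_on_violation
        self._last_grant: Dict[Tuple[str, str], int] = {}  # (credential, reader) -> time of last grant
        self._location: Dict[str, str] = {}  # credential -> "IN" / "OUT"

    def forgive(self, credential: Optional[str] = None) -> None:
        """Reset anti-passback state for one credential or for everyone.

        Hard anti-passback needs this after any exit that bypassed the OUT
        reader (fire exit, propped door); without it the cardholder is locked out.
        """
        if credential is None:
            self._last_grant.clear()
            self._location.clear()
            return
        self._location.pop(credential, None)
        for key in [k for k in self._last_grant if k[0] == credential]:
            del self._last_grant[key]

    def badge(self, credential: str, reader: Reader, t: int) -> Decision:
        violation, reason = self._check(credential, reader, t)
        granted = (not violation) or (not self.deny_on_violation)
        if granted:  # only successful passages change the tracked state
            self._last_grant[(credential, reader.name)] = t
            self._location[credential] = reader.direction
        return Decision(granted, violation, reason)

    def _check(self, credential: str, reader: Reader, t: int) -> Tuple[bool, str]:
        if self.mode is Mode.SOFT:
            last = self._last_grant.get((credential, reader.name))
            if last is not None and t - last < self.window_s:
                return True, f"{credential} re-used at {reader.name} after {t - last}s"
            return False, "ok"
        # HARD: unknown credentials count as OUT; exits are always allowed
        # (free egress) but still update the tracked location.
        if reader.direction == "IN" and self._location.get(credential, "OUT") == "IN":
            return True, f"{credential} is already IN; no OUT read since last entry"
        return False, "ok"


LOBBY_IN = Reader("lobby-in", "IN")
LOBBY_OUT = Reader("lobby-out", "OUT")

# Constructed badge log for the example: (seconds, credential, reader).
PASSBACK_LOG = [
    (0, "card-1001", LOBBY_IN),     # Alice enters
    (30, "card-1001", LOBBY_IN),    # card passed back through the door, Bob enters with it
    (400, "card-1001", LOBBY_IN),   # a third person waits out the window, then enters with it
    (600, "card-1001", LOBBY_OUT),  # Alice badges out
    (800, "card-1001", LOBBY_IN),   # Alice legitimately re-enters
]


def run(mode: Mode, **kwargs) -> List[Decision]:
    """Replay the constructed log through one engine and return its decisions."""
    apb = AntiPassback(mode, **kwargs)
    return [apb.badge(cred, reader, t) for t, cred, reader in PASSBACK_LOG]


if __name__ == "__main__":
    for mode in (Mode.SOFT, Mode.HARD):
        print(f"--- {mode.value} anti-passback, deny on violation ---")
        for (t, cred, reader), d in zip(PASSBACK_LOG, run(mode)):
            flag = "VIOLATION" if d.violation else "ok"
            print(f"t={t:4d} {reader.name:10s} granted={d.granted!s:5s} {flag:9s} {d.reason}")
```

Running the replay shows the difference the text describes: the soft rule stops the immediate pass-back at 30 seconds but lets the third entry at 400 seconds through because the window has expired, while the hard rule denies every IN read until the card has been used at the OUT reader. The same engine also shows the cost of the hard rule: a cardholder who leaves through a door with no OUT reader stays IN and needs forgive() before they can re-enter.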

Using ********** ********* ****

******** *** ** ********* by ************* ***** ***** on ********** (***** ***** body) ******* ** '*********' credentials.


*******, *** *** ********, users, ** ********** *** able ** *** **********, and **** ********* ******* may ** ******.

Turnstiles & ********* ***** **********

* ******, *** ********* costly, ****** ** ********** Passback ** ***** **********, revolving *****, ** ******** to ********** ******* **** than * ****** ****** entering ** *** ****.

***** ********** ** ***** should ** ******** ** a *** **** **** allows *** ***** ** a ****, *** ** gaps ** ******** ****** exist ** ****** ******* credentials *** ** ******.

*** ****, ********* ******* ********** *****.

Other *********

************ ********** ******** ********* involves **** **** **** software. *** *******, ** our********* ********* ** ************ and ****************, **** **** ** solution ***** **** *****,


**** **** **% ** those ********* ********* ***** more **** *** ******** method *********:

  • *******:******* ****** ******** ******** using ************ ******* ** record ****** ******.
  • *******:*** **** ****** '****' measure ** ******* *** risk *** *** *** of ***** ** ****** people **** ******** *** system ******* ****** ** undermines ******** ********.

Ignoring **** ******

*******, **** ****** ** ignore *** *****. ***** 15% ** ********* **** they ****** ** ******* because ********** ** ** too ******, ** ** is *** ****** ** a **** ** ******* countermeasures.

Dangerous ** ******

******** ** ****** *** threat ******* ********* ** gain ***** ** ***** they *** *** ** verified ** *****. **** Passback ******* ** ******** risk, ** ********** *** sizable ********** ** ****** control.

Comments (23)

* ***** **** ** say **** **** ** experience **** ****-******** ** when *** ****** ** violated, ***** ** ** alert ** *** ****** but ****** ** ***** granted. ***** ****-******** ** when *** *** *** pass * ***** ********** within * ******* **** frame. *** **** ** a *** ******* *** they *** *** ******** methods.



**** ********, ** * case ** * ****** door, *** ***** ****** passback ******* ** **** holding ** ******* *** door?

** *** **** ** a ****** ********* ***** there **

*) ** *** ** hold ** ****, ***

*) **** ** **** the **********

** ***** ***** ** me, *** * **** has ******* ** *****.


** **** *****, ***** may ** ********** ******, sensors, ** ********* **** would ****** *** * tailgating *****, *** *** necessarily ** ********. ** the ******* *** ******* but ********* ****** ** be ********/********* ***********.


** **** *********** ***** tailgating ***** ****** - I'd ***** ** ** pretty *************** ** **** hold *** **** ****, but **** ****** ******* (especially **** ********** *** high-security *****) **** ***** if * **** ** held **** *** ****.

******** ** * ****** way ****** ****!


**** ********, ** * case ** * ****** door, *** ***** ****** passback ******* ** **** holding ** ******* *** door?

** **** *** ***** person *** ***** ** a ***** ****.


**** ** * **** answer * *** *** considered!


******** ***’* *** ****** up ** *** **** anti-passback ****** ******* ** the *****.


*., **** ** *** think ** *** **** of ***** *** ** those ****** ***** (*-* ft) ******* ** *** exit, **** *** **** being **** *** ******** wouldn’t **** ** **** their **** *** *** waif *** *** *****, but ***** **** **** normally?

***** *** ******* **** too **** ** *** way ***?


** ***** ****** **** for ******* ********* ** once, *** ****** *** or *** *** credentials *** **** *** read ***** ***** ** quite *****, ****** ~*"/***** or ****.


******’* **** ** **** their ****

*****'* **** ******** ** any ******** ****** *** have ****** **** (**** a *******)


**** **** ** *** as ******* * ******* as ********** ** ** view. *** ****** * have **** ********** ***** a ***** **** ** used ** ** *******. Tail **** ********* ** door **** ****** *** great, *** ***** **** detect ***** *** ***** occurs. ** *** **** addresses **** ******* ***** the ***** **** ***. Send * *****? **** a **** **** *** let *** ******** ******* into * ****? **** the ******? *** *** have * *****, *** my ***** ** ***'** looking ** * ***** recording, * ***** *** already ********.

**** **, **********-***** ******* are ****** * *********** for ****; *** ** you ** ** *****, you *** ** **** to **** ** *** door ** ******. ***** are **** (**********, ********* doors, ***) **** *** indeed ***** * ***-****-***-****** entry ******, *** *** cost ** **** *******. Two ***** ** ******* turnstiles *** *******, *** set *** **** **** $100K. *** * **/* guard ** *** *** and ****** ******* $**** per ****. ****, **** not ****** **** ******* at ***** ********* ***** to *** ******** ** your ********* ** ******** cannot ** ****** ********.


**** * **** ** alarm ******. *** ** my ******** ******** *** hilariously ****”****-**** ****?? *** customer **** *** *** to *** ** **, three ***** ***** **** will **** *** ** take ** ***!” **** has **** ** **********.


*** **** **** *** to **** ** ***?


******** *** ** ** into *** ****** ** fix *** **** ** the ****** *** ******** rules. *********.


***. ****, ** ** in-out ****** *********, ***** forget ** ***** ***; or **** ** *** back ** ** **** time. **** ********* **** often ******** ******* ** intervene *** *** *** card... ******** ** *** point ** ***********. ** gets ****** ** ***** are *****, ******** *** procedures *** ************* *** violators * ****, ** helps ** *** **** is **** ** ***** activities **** ** **** and **********.


* ****** ******* ******* new ** ****** ******* that **** **** **** "buy-in" **** ***** *****, and **** ******** *** protocols **** **** ** change. ** *** ***'* do ****...****, *** *** what *** ***.


**** * **** ** alarm ******.

*** ** *****, *** went ******®


**

* **** ** ** actual *** ***** ******* school. ** *** ** Dad. ** *** ** son. * **** **** to **** ******* ** an ****** ******* ******* me ****. *** ********* in **** ********* ******* you ** *** ** make ***** ** ** internet ***** ***?


*** ********* ** **** statement ******* *** ** try ** **** ***** of ** ******** ***** guy?

* ***** ** *** probably ******* ** *** jovial **** **** “***********” funny ******** *** ** in, *** ********, ***** you **** ******** ******** end ***** *** ***** naïveté? **** ******** *** informative, ******!

** **** *** ** appalling **** ** *******; had * ********** **** for **** * ******, how ***** *** ****-**** a **** *********** *** concept ** ** “***** School” ***** ** ** you, * ***** **** never **** *****.

-*** * ***** ***



*** *** *** ***? Besides ** @**!


*** *** *** ***?

@ ***?


****** ******** ******** ***** be ********* ******* *** pop-up ** *** ********'* photo ** *** ****** control ****** *** ** a *** *********** ** a ******.
