Practical Solutions To Piggybacking and Tailgating
By Brian Rhodes, Published Feb 12, 2015, 12:00am EST
Piggybacking and tailgating are two of access control's biggest threats. In this note, we share survey results from more than 100 integrators about the specific steps they have implemented to solve them.
We asked "How do you deal with the problems of users sharing credentials (ie: Piggybacking) or holding doors open for others (ie: Tailgating)?"
More than 100 integrators and end users responded. A breakdown of their answers into common groups is given below:
And then a full breakdown of all answers is shown below:
The Risks Defined
For those not familiar, the two problems we polled in this question are particularly difficult to address and resolve with traditional access control methods. These issues are commonly defined as:
- Tailgating: We addressed the risk of users holding open doors to allow more than one user to pass in our Access Control Killer: Tailgating note. Access control systems have a difficult time preventing the problem, as they only control locks on standard doors, not how long they are opened.
- Passback: A related problem is credential sharing (colloquially called 'passback'), where users hand their credentials to the person behind them through a crack in the door, gap in the turnstile, and so on. Access systems often include methods of exception reporting, alarms, or even active denial called 'anti-passback', and the use of biometric readers can also prevent the problem. We examined the subject in our Passback Problem note.
Responses mentioned more than ten different methods to control or mitigate the risk. More than 80% of the responses mentioned more than one method of control and more than 50% mentioned two or more.
With that said, the options below were the most commonly cited:
- Cameras: The most common approach involved using surveillance cameras to record and verify no misuse was happening at access points.
- Turnstiles: The most common 'strict' method was using turnstiles, revolving doors, or mantraps to physically prevent more than a single person from entering at any time.
- Signage: The most common 'soft' measure, among those that indirectly or passively address the risk, was the use of signs to remind people that misusing the system invites danger or undermines security controls.
- Nothing: About 15% of responses said they simply do nothing about the issue. Either addressing it is too costly, or it is not enough of a risk to warrant countermeasures.
In the sections below, we list the individual approaches respondents gave for controlling or addressing the tailgating and passback problem:
Video Integration: Clearly integrating cameras with access is a popular approach, with many responses mentioning it as the first option even when others were given:
- "Generally on all external access controlled doors\gates we piggy back with integrated security cameras"
- "We install CCTV cameras covering the doors and have a specific camera along with access control system that takes a snap every time a card or finger is swiped."
- "Add snapshot camera to the system for every access given or use a separate CCTV looking at the suspected gate/door if the access system does not allow the snapshot."
- "Integrating video as an administration aid and behavior deterrent."
- "We install cameras tied to the door so a time stamp is attached along with video of each read. It's then up to the owner to enforce their policy."
However, unless video is actively monitored or tailgating/passback events are addressed, it is not a magic solution for the problems. Even placing cameras where they are plainly visible or including public view monitors can become ineffective and be ignored over time if the issues are not actively addressed or paired with other methods.
These approaches take the hardest line, preventing or addressing the issue directly. Engineering controls like turnstiles or 'hard antipassback' are used to outright physically prevent issues.
In this group, users install openings that tightly control how many people enter on one scan. The tailgating risk is almost always eliminated, since a door cannot be propped or held open for anyone. Rather, in order to advance the turnstile, each user must present a credential.
- "If it is a high security application, we recommend the installation of a turnstile type solution."
- "The easiest way is to install card controlled turnstiles. These only let one person through at a time. It's not the cheapest though."
- "Man trap, if needed."
- "Revolving Door (Boon Edam Tourlock), spot checks using video cameras with Warning Letters going on their file."
- "Optical Turnstiles if managed by local security guard."
- "Turnstiles- I like Orion Entrance Controls and Smarter Security brands for high volume areas."
Hard APB (AntiPassback)
To a lesser degree, users mentioned hard antipassback controls to actively deny credentials from being used out of sequence. This typically means a card cannot be used at the same reader twice (especially in quick succession) without being used first at other readers. In most cases, users following the logical flow of an access-controlled facility are then unable to simply hand off or 'passback' an active credential, even through a turnstile, fence, or window.
- "If a card-holder passes into an area by swiping his card and tries to use the card at any other area without first exiting the original area, his card is disabled and a report sent to his supervisor by SMS/email."
- "We employ the feature that turns cards off if used out-of-turn. It works."
- "Our systems send immediate alarms when passback is tried. Tailgating is not possible because we use turnstiles."
- "We use antipassback that turns off a card if used with first scanning in or out of a previous area."
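Hard anti-passback as described above, tracked per area, as an added example that is not part of the original article or any vendor's implementation. The reader names, area names, card numbers and sample reads are constructed, and the `hard=False` switch (report only, no denial) is an assumption added to contrast active denial with exception reporting.

```python
from dataclasses import dataclass, field

OUTSIDE = "outside"
# Constructed reader map: reader id -> (area the holder must be in, area entered).
READERS = {
    "lobby-in": (OUTSIDE, "lobby"), "lobby-out": ("lobby", OUTSIDE),
    "lab-in": ("lobby", "lab"), "lab-out": ("lab", "lobby"),
}

@dataclass
class AntiPassback:
    readers: dict
    hard: bool = True                                # False = report only, still grant
    location: dict = field(default_factory=dict)     # card -> area it was last read into
    disabled: set = field(default_factory=set)       # cards turned off after a violation
    alerts: list = field(default_factory=list)       # exception report for supervisors

    def read(self, ts, card, reader):
        """Decide one card read; returns 'grant' or 'deny'."""
        required, destination = self.readers[reader]
        if card in self.disabled:
            self.alerts.append((ts, card, reader, "disabled card presented"))
            return "deny"
        current = self.location.get(card, OUTSIDE)
        if current != required:
            # Out of sequence: the card is not where this reader expects it to be.
            self.alerts.append((ts, card, reader, f"in {current}, expected {required}"))
            if self.hard:
                self.disabled.add(card)
                return "deny"
        self.location[card] = destination
        return "grant"

# Constructed sample reads (time, card, reader); not data from the survey.
EVENTS = [
    ("08:00:00", "1001", "lobby-in"),   # normal entry
    ("08:00:20", "1001", "lobby-in"),   # same card again with no exit: passed back
    ("08:05:00", "1002", "lobby-in"),
    ("08:06:00", "1002", "lab-in"),
    ("08:30:00", "1002", "lobby-out"),  # never read out of the lab: tailgated out
    ("08:31:00", "1001", "lobby-out"),  # card already turned off
]

def replay(events, hard=True):
    apb = AntiPassback(READERS, hard=hard)
    decisions = [apb.read(*e) for e in events]
    return decisions, apb

if __name__ == "__main__":
    decisions, apb = replay(EVENTS)
    for event, decision in zip(EVENTS, decisions):
        print(*event, decision)
    print(*apb.alerts, sep="\n")
```

The 08:30 denial shows why area tracking also surfaces tailgating: a holder who followed someone out of the lab without reading is out of sequence at the next reader.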
Other users reported stationing manpower at access points to manage the risk, with guards directly addressing problems with offenders when they happen:
- "Depute the Guards to cross verify whether the authorized credentials are allowed inside."
- "Camera operators report the tailgaters."
- "Our sites use guards to make sure this stuff does not happen."
- "I think security staff reminding people once or twice per quarter is the best approach."
- "If you are suspected of tailgating or passback, the guards come visit you to investigate."
These steps are less stringent, and potentially leave systems open to abuse risk, but are less expensive, less obtrusive, and overall represent the most popular ways of dealing with the issue.
Many responses suggest that hanging signs with strong language is effective. While doing nothing to actively mitigate the risk, signage is a compulsory reminder to users to not misuse or undermine the access system.
- "Large signs notifying entrants of video surveillance paired with multiple cameras facing entrants is a good deterrent."
- "We hang signs to remind people not to tailgate."
- "Basically plastic placards hung at each entrance and exit."
- "We actually put signs beside the reader and add cameras that integrate with the access."
- "In some factory environments, single width mantraps with tailgate sensors are effective."
Another common, if not absolute, method of controlling the risk is to leave enforcement and training to personnel managers. Through a mix of confrontation, procedures, and training, the security threats of tailgating and passback are managed.
- "Stern talking to by the Owner, including elevating it above the access control POC."
- "We advise against it. When we write security admin plans, we make explicit instructions to not do that."
- "Policy enforcement with strict disciplinary actions, including forfeiture of badge, unpaid suspension from work, etc."
- "(End Users) have beat it into their employees that this is the way it must be done, plus, they reconcile card reads to their time sheets, and challenge employees on it. If you have no discipline all the beepers, photo beams, reports will do no good."
- "Getting supervisors to address the issue is our main approach. This works most of the time."
A number of responses, about 15%, mentioned that they do not address the issue at all, or the response is weak. The security problem is simply not perceived to be great enough to warrant aggressive response or additional costs to address.
- "The only way we currently "deal" with this is with the "slap on the wrist" for people who do this."
- "It is basically an ignored problem."
- "To be honest, we don't really. Our customers aren't really too concerned about it."
- "Our customers do not see the risk, despite us trying to convince them."
- "Even if someone tailgates, no one bothers with addressing it. Just not a big issue really."
One aspect is clear: totally managing the problem is difficult and takes a number of solutions used in conjunction. Several answers addressed the difficulty in quashing the problem, and the multiple methods needed:
- "The one customer that has tight security does it through education. They have signs like the Apple example. They slap offending hands. But it ends there. They tried anti-passback and mustering for a few days and found out how prevalent the problem was. Their jaws hit the floor. By far the most offenders were in the executive building. There was no executive buy in. After spending thousands of dollars to create the traps / in-out readers, it was all turned off. Without having management authority with some teeth, it won't happen."
- "This is a tough issue. Several of our sites have implemented reports and use the access control as a "sign-in" system, so if a user doesn't scan then, the report shows it as though they are absent from work. Some of our sites have also combined this with anti-passback features. Many of the sites also have cameras at the doors and the sites review the camera footage and take action against the people sharing credentials and also the people allowing the piggybacking or tailgating."