Tailgating: Access Control Tutorial

By Brian Rhodes, Published Oct 31, 2019, 10:54am EDT

Nearly all access control systems are vulnerable to an easy exploit called 'tailgating'. Indeed, a friendly gesture in holding doors for others often compromises access security.

** **** ****, ** **** * look ** '**********', *** **** ****** causes, *** ******** * ******* ** address/minimize **********:

  • '**** ****' ******
  • **********/********* *****
  • ********/********
  • ************ *********/*********
  • ******* & *********

The *******

'**********', **** ****** '************', ********* *** situation **** * ************ ****** **** opens * **** ******** *** ** more *********** ** *********** **** ******* while *** **** ** ****.

*** ********* *** ******** ***** **** holding * **** **** *** *******. It **** ******* ************, ********* **** someone ** ******* ** ********* ****** it ******* ** **** ****.

****, *** **** ***** ** ***, is **** ******* ******* * ********* act ** ********* ******** ****** * valid ********** ** **** *** ******** system. **********'* ****** *** ****** ** entire ******** ********.

Common ******** *** ******* *****

** **** ********, ******* *** **** open *** ****** ** * ****, kind **********. ********, ********** ******** *** door **** ****** *** ** ********* as ****, *** *** ****** *** will ******* ********* ** **-*******.

*******, **** ****** ** *** ******** how **** *** *********** ** ****** control ****** **** ***** *** '**** manners'.

******, **** ******** ********** ** *** holding * **** ***** *********. ********* articles ******** *** ******* ** ******** are *******, ****:

*******, *** ****** ***** ******** **** to ********* ** ***** *** **** secure *** ********** **** ****** *** locked.

Security ********* ** ***

**** ****** ** *** ************ **** to ********* *** ******** ******** ** a **** ** ********, *** **** fail ** ********* *** ***** ***** behavior *** **.

*** **** ****** ** ******* '**********' with '********' ** ********** ********* ** why, ** **, * **** ** a ******** *****. *** *** ******** doors, *** **** ***** ********** ****, are *********** **** ** *** ******** access ********** *********. *** ** * door ** **** ****** *** ******, or ** ** ** ******** **** access ******* **** ******* ** *******, it ****** ***** ** **** **** and ******** **** ****** ***** ********** entry.

*** ***** ********, **** ******** *** door ******* ** ********* ** ********* security **********. ******** ****** *** ******* signage ** '*** ****', *** ***** effective *** ** ******* **** **** risk.

Other ************ *******

***** *** * ******* ** ***** tailgating **** ******. ************* *** '***' of **** **** ********** ***** ** determine *** **** ******* ******* **:

  • Bad *******: Especially in rainy and cold climates, holding the door open offers a welcome shortcut to those seeking the warm and dry environment of a facility. In these cases, sheltered entries, **********, ** ******* **** ******** *** tendency ** **** **** ***** *** of ************* *********.
  • Misaligned/Worn *****: Over the course of thousands of open/close cycles, even commercial grade doors, hinges, frames, and closers sag or become worn over time. If left unchecked, doors may not fully close when opened or may take a long time to close, therefore allowing many people entrance from a single card read. A regular and disciplined door maintenance schedule for access-controlled openings is critical to prevent the issue.
  • *************/********:***** *** * ******* ** ****** ways ** **** * **** **** latching ***** ** *** **** ******. Doorstops, *****, *******-** ****, *** ******** tampering *** *** ******** ******** ** eliminate *** **** ** ********** * credential *** ******, ***** **** ** onerous ** *********. *** **** ******, consider ************ '******* ****' ***** ** delivery ********* **** ******* *** ******** systems ** ******** ********* *** ******* other ************** ***** *** ******* ******.
  • Malicious ******: Preventing untrusted or dangerous people from entering an area is often the primary goal of access control. Often, readers and locks alone are not enough to mitigate this risk despite the occurrence being minor. To properly prevent undetected entry, often additional engineering controls like sensors, analytics, or even turnstiles are needed.

Tailgating *********

*** **** ** ********** ** ********** and ****** ***** ****** ********** ******** is **********. ***********, * **** ** engineering ******** *** ********* ** ****** the *******. ** *** ******* ***** we **** * **** ** *** major *****:

  • '**** ****' ******
  • **********/********* *****
  • ********/********
  • ************ *********/*********
  • ******* & *********

'Hold ****' ******

**** ****** ******* ******* **** *** ability ** *********** ******** ********- ****** ******** **** ***** ******* a **** ** ****** ** *** - *** *** ** *** ** alarm ** * **** ** **** open *** *** ****.

******** ****** ** ***** **** ****** than * *** *******, ******* ********** that ******** ****** *** **** ** pass ******* * '**** ****' ****. However, ***** **** ** * ***-**** or **** ******* *** ********** **********, it **** ** *** ******* ****** of ******** ******** **** ***********. ****** a ******** ******** ******** *** ****** control ******, **** ******** ** ****** to ** (********) ********* ** ********** and ***********.

********** ****** ****** ******* **** ******* $200 - $*** ******* **** ****** control ******* *** ** ********** ** sound * ***** ***** *** ****** beeper *** **** ******** ******** ** a '****' ************* *******.

Turnstiles/Revolving *****

** ****** *****, ********** **** ***** from *******, ***** ********** ******* ** sleeker, *****, *************** ****** ****** ******* points. **** **** ** ********* ********* entry ** * ****** ****** ** a **** *** ********** *** ******* to **** * **** **** *** unauthorized ******.

*** *********** ***** ***** ******** ** example ** ** '****** *********' ******** to ******** ****** **** ** ******** space, *** ******** '**********' *********:

** ******* **** ********** **** ** our**** **** ********* (*****)****.

*** **** ** ********** *** ********* doors *** ***** **** $*,*** ** $25,000+ *** *** ********** **** ****** features, *** *********** *************. *** ****, see ************* *****.

Mantraps/ ********

***** ************* *** ********* **** ******* two **** ** ********** *****. ******* sized **** ***** ****** *** *** occupant, *** ***** *** ********** ** open *** *** ** * ****.

**** ***** *** ******** *** ****** be ****** ***** *** ******** *** has **** ****** *** ** ******. Because *** ******** ***** ****** * mantrap ** *****, **** *** ****** per **** **** ** ********* ******* the *****.

***** ************* **** * ******* ** operation **** ****** ********; ** **** cases, *** ******** ** ******** ** segregate '***** ****' ************ **** ******* contamination, ** **** *** **** ** inspection *********** *** **********. ***** ************* are *********, ***** ******* $**,*** ** more, *** ******* **** *** ******** sets ** ***** *** **** ***** physical **********, **** *** ***** *** most ****** ****-********** ********.

*** ****, *** ********* ******* ******** *****.

Piggybacking *********/*********

**** ******, ******* ***** ** ******* hung ** *** ***** ** * door, ** * ***** ***, ** nearby ********-****** ************ *******, *** ********** to ****** ********** ******** ******* ** opening. *** ******** ******* ** * single ********** ** ******** ******* *** actual ******** ******** ** ** *********** into ** *******.

** ******* *** *****-***** ****** ******-********** *******: ************ ******* ******** ***** ** **** entering * ****:

*** ******* ** *** ****-***** ********* detector **** ** *** ***** ***** below:

** **** ****** * ***** ****** app ******** **** ******* ****** **** overhead ** ******* ******** ********* ****.

*** **** ** ***** ********* **** but ********* ***** **** ~$*** *** a ****** ******** (**** ******), ** $3,000+ *** * ****** **** ********* mat ** '***** *******' ******.

Anti-Tailgating ********* ******

***** ********* ******, *** '****' ****** is * ***** ****** ** ******.

**** ******** ******** ***** **** ********** simply **** ** ******** ************ *** signage ** ****** ********** ******* ***** the *****. ******* *** ******* ** organizational **** ** ********* *** *****, the ************* (*** ********** *****) ** tailgating ******.

** **** *****, ****** **** **** signs *** ********* *** ********* ** deal **** *** *****, *** **** can ** **** ** **** ******:

** ***** ***** ***** ********** **** be *********, *** *** ** ********** and ******* ** ******. *******, *** to *** **** ** ***** *********, many *** ***** **** **** *** expensive *** ******* *** *** **** costly (*** ****-*********) ******* **** ********* Detection ** ***** *********.

Comments (16)

Anti-passback is the only effective means.


I disagree because anti-passback would only prevent credentials from being shared, not multiple people stepping through an opened door.

Agree: 8

The best way to prevent tailgating in an access controlled environment, for the employees only, is to use areas within the system. If the employee doesn't read into the perimeter door entry point, say the perimeter area, then the system can be set up to not allow entry into the next area, say interior area, which forces the employee to follow protocol better. Not 100% effective though and requires good design and thought up front as areas can get convoluted quickly in a large system. This, however, doesn't help with letting people in who do not have the credentials or access to the site but does help with making sure employees read into the building so access can be tracked for reporting purposes.

I have seen this help with the issue of keeping unauthorized persons from entering the building by tailgating as often in a larger company because you don't always know who is an employee and who is not and thus you are less likely to hold the door open for someone else.

Again not fool proof but does help.

Agree: 2
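
The area logic described in the comment above, as an added example (not part of the original article or comments): a replay of badge reads that denies or flags an interior read from a holder the system still places outside. The door names, area names, `AreaTracker` class and sample events are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical reader map: each reader moves a holder from one area to another.
DOORS = {
    "lobby-in":  ("outside", "perimeter"),
    "lobby-out": ("perimeter", "outside"),
    "lab-in":    ("perimeter", "interior"),
    "lab-out":   ("interior", "perimeter"),
}

# Constructed sample badge reads: (time, cardholder, reader)
EVENTS = [
    ("08:00:05", "alice", "lobby-in"),
    ("08:00:40", "alice", "lab-in"),
    ("08:01:10", "bob",   "lab-in"),     # bob never read in at the lobby
    ("08:05:00", "alice", "lab-out"),
    ("08:05:30", "alice", "lobby-out"),
    ("08:30:00", "bob",   "lobby-in"),
    ("08:30:20", "bob",   "lab-in"),
]

@dataclass
class AreaTracker:
    enforce: bool = True                            # True: deny; False: grant but log
    location: dict = field(default_factory=dict)    # holder -> recorded area
    violations: list = field(default_factory=list)

    def read(self, ts, holder, door):
        src, dst = DOORS[door]
        current = self.location.get(holder, "outside")
        if current != src:
            # Holder is not recorded in the area this reader leads out of,
            # so an earlier door was passed without a read.
            self.violations.append((ts, holder, door, current))
            if self.enforce:
                return False                        # recorded area is unchanged
        self.location[holder] = dst
        return True

def replay(events, enforce=True):
    """Return (grant/deny decision per read, list of area violations)."""
    tracker = AreaTracker(enforce=enforce)
    decisions = [tracker.read(*event) for event in events]
    return decisions, tracker.violations

if __name__ == "__main__":
    for mode in (True, False):
        print("enforce =", mode, replay(EVENTS, enforce=mode))
```

With `enforce=False` the same missed read produces a second violation when bob later badges in at the lobby, which is one way area state gets convoluted; a person with no credential produces no reads at all and never appears in this data.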

The best way to prevent tailgating in an access controlled environment, for the employees only, is to use areas within the system. If the employee doesn't read into the perimeter door entry point, say the perimeter area, then the system can be set up to not allow entry into the next area, say interior area, which forces the employee to follow protocol better. Not 100% effective though and requires good design and thought up front as areas can get convoluted quickly in a large system.

Great to see someone else identify this approach. Unfortunately in practice: interior spaces frequently have more tailgating occurrences. This is often due to employees leaving their badges on their desks, or entering with their coworkers regularly where only one team member uses their credential. While you may have a staffed and monitored main entrance, you definitely do not have staff near the interior doors.

Agree: 1

Anecdotally, I have worked with a corporate security team that attempted to resolve tailgating through culture, and a high level of responsiveness. This was driven through multiple approaches by the security team: Monitoring main entrances physically, holding employees accountable if they let someone else in, and security confronting people in the building who did not use a card.

The hours invested within the program were not high, as this was using technology in place, staffing in place, and used the extra downtime most security teams have.

The culture of accountability took about 2 years until we saw employees stopping coworkers, asking them to swipe their cards. A hard-fought battle, where Security was now sending out emails thanking employees for their diligence. Was it worth it?

We stopped doing it for anything other than critical infrastructure spaces within the next year.

The best way to address this is through that mixture of culture, and technology. The best analytics in the world are useless if you don't have process and engagement. Even then, you MUST continuously evaluate if that investment is worthwhile.

Agree: 4

Undisclosed #1, can I talk with you for 10 minutes?

I'd really appreciate learning more about the lifecycle of that project. I'm carter@camio.com and will propose a quick video chat on your calendar if OK with you?


Do like Amazon did, put in Boon Edam Tourlock Security Portals at all perimeter entry points and secure areas. One person at a time with decent throughput, yes a bit expensive but it solves the problem.


The first video from dFlow wasn't perfect, and you notice the people walking through an already open speed gate turnstile. Not the best example I feel, could it be wobbly gates didn't work well for the marketing purposes!

Most modern units now have multiple sensors top and bottom and contain some software intelligence where they can detect a break in the signal and so offer an alarm event. You will find one reason why this kind of turnstile is quite deep just so the sensors can have a respectable distance apart.

That being said, countless times I've seen people hopping through turnstiles with one ticket, close to their buddy with zero issues. Or at least nobody to catch them.


'Tailgating', also called 'piggybacking'...

piggybacking is the pre-meditated, consensual form of tailgating, imho.

Agree: 4
Informative: 1
Funny: 1

Another issue we get at our facility, besides tailgating, is the damn wind! Due to the layout of our infrastructure, an offshore breeze of 15 mph or greater, and suddenly 25% of our doors will get stuck open, with the auto-closers unable to overcome the air pressure differences.

We have to post signage on all of these doors telling our employees to pull the doors closed behind them! Can you imagine being told, after badging in, that you must then turn around, grab that door and pull it closed behind you? You can imagine how well that works out.

An onshore breeze luckily doesn't hold any of our doors open, however, they slam closed with such ferocity, you expect the entire building to start folding into itself like the house at the end of the Poltergeist movie.


I service a "secure" facility in Houston. They employ both Turnstiles and Man-Traps in different locations. They are considered a nuisance by the employees who do everything possible to circumvent them, especially when they have forgotten their credential and left it home. I have even seen two people cramped into one "area" of a turnstile with both people "shuffling" through. It can be a real hazard if someone is inadvertently caught by a loose strap or other hanging object.

Management chooses to ignore the issue. You can only install the security the customer wants. It is then their responsibility to ensure it is used properly!


Sometimes for classroom or seminar room, it would be easier to keep the door open rather than the irritating sound of alarm.


Good to have it at entrance of public transport.


Something that comes to mind when reading this article is doors with handicap operators. I see a lot of people who will use them but don't actually need to use them. They will badge in and after the door opens, they walk through and the door is left open for 10 seconds behind them.


Great point and well said.


Tailgating/piggybacking, though mitigated through some use of technology, is, and always will be, a personnel issue. Having the technology is great and very helpful for companies trying to prevent tailgating. However, it is important to understand that all parties need to be brought into the conversation. Including a section on general safety and security practices in a new hire orientation is key to employee buy in and will ultimately help in securing the facility or site. Additional reinforcement is also key to success whether it is added through safety training or company meetings. I've found that the best tech to prevent tailgating, though expensive and it takes up quite a bit of real estate is the turnstile. Man traps work well, however, they are more susceptible to piggy backing due to varying size of openings. In my previous experience with anti-tailgating sensors, they are passive devices and often get ignored after time by employees because there is no physical barrier. They are also sometimes hard to calibrate and may provide false flags or not at all.
