The Passback Problem

By: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgating
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signage
  • Ignoring it

Comments (15)

Good article. At least you started out okay. It seems that you are using the terms passback and piggyback as synonyms and then juxtaposing them to tailgating.

In their common use, tailgating and piggybacking are synonyms but passback is entirely different.

The big difference is that passback is an act done by two or more people specifically to deceive the system while tailgating (or piggybacking) is more commonly an act of convenience done by a single person.

I agree they are distinct issues, which is why our tailgating report (Tailgating - Access Control Tutorial) gets separate treatment.

However, the methods of dealing with both issues can be similar (ie: cameras, biometrics, signage) so that is where the lines blur a bit. Especially given the results of how APB is practically addressed, 'tailgating' enters the conversation.

If only dealing with tailgating was as simple as the 'antipassback' settings are!

So is piggybacking "users sharing credentials" or not?

Piggybacking is one form of sharing credentials.

Thank you for this article. The problem may be solved using face verification. Using it, an access control management software checks that it is exactly the card owner who has applied the card. I'm from AxxonSoft and this scenario is frequently used by our partners. It's much more reliable than face recognition itself, may be used at the most important access control points only and does not need physical contact like fingerprint readers.

Igor, are you making the point that biometric authentication, unlike possession and knowledge authentication, makes passback much less likely? If so, I agree, but the type of authentication does not impact the likelihood of tailgating or piggybacking as far as I can figure....

I disagree with both of you, as biometrics is often its own credential or a second factor. Take a multi-turnstile example. Person A presents a credential (card and/or biometric) at a turnstile to let a friend in and then goes to a second turnstile and lets themselves in. This is still passback.

Brian, good article, as always. Passback is very different from Tailgating or Piggybacking. Tailgating is when somebody tucks in behind an authorized user without their knowledge or consent. Piggybacking is when the authorized user is complicit in allowing the unauthorized user through the portal.

I have a number of high-security sites I visit that the order we card in and out of areas matters.

I have to enter a secured area after my escort and leave before my escort (so I am not in while my escort is on the out).

I am curious how common this is

Not very common as it’s expensive to set up and operationally maintain. In my experience.

I have to enter a secured area after my escort and leave before my escort (so I am not in while my escort is on the out).

I am curious how common this is...

Pro-member Fischer’s thoughts on a similar topic can be found here.

For example, a credential must be used at an 'OUT' reader before it can be used for an 'IN' function. Likewise a credential cannot be used to enter 'Building B' if 'Building A' has not first been exited.

and if you are swiping on exit of Building A but never swiped on entry, the controller should call out “Piggybacker!” and hit you with a 15 second* delayed egress penalty.

*or whatever the maximum is by local ordinance

UD2, do you know of a platform that does this?

Appreciate the attempt to take on this subject; as others have stated in comments, the article started strong but quickly decayed by bringing in tailgating.

Text from the article: “Time Limits and Reader Patterning are software features that some, but not all, access control management software supports.”

Can you give some examples of access control management software that has good features and poor features? Here is an example of a software that has both but still falls short.

I am currently fighting a passback issue in a manufacturing facility that uses Prowatch. Given that Prowatch was originally designed for airports, you would think it would have a robust anti-passback feature set. However, it only has timed (soft) and pattern/flow (hard) out of the box. Timed only applies to one reader and does not allow for targeting the card with the rule. For example, there are two full-height turnstiles next to each other; I can create a rule to prevent the same card being used on the same turnstile for a time period, but cannot prevent that card from being used on the neighboring turnstile. In my manufacturing environment there are no outbound readers, so a hard anti-passback rule is out of the question. While I am working on some custom programming to help solve the issue, we are currently running audit/compliance reports and using management (HR) as an enforcer.

Would like to understand what you are seeing across multiple access control management software products to help combat this problem.

You could reset APB status very frequently, this will have the same effect as 'timed' but across multiple readers. Not sure how that is done in Prowatch, but should be possible. You have to be careful that the time between valid entries is accounted for though.

Just to note, hard/soft APB means enforcing/recording violations, not how you seem to be defining it.
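To make the distinctions in the comments above concrete (the 'OUT' before 'IN' and 'Building B' after 'Building A' flow rule quoted from the article, the complaint that timed APB on one reader misses the neighboring turnstile, the suggestion of resetting APB status on a schedule, and hard APB meaning enforce versus soft meaning record), here is a small anti-passback state machine in Python. It is an added example written for this page and is not code from IPVM, Prowatch or any other access control product; the reader names, area names, card numbers, timings and the 30-second window are all constructed for illustration.

```python
"""Anti-passback (APB) state machine (added illustration, not vendor code).
Models the variants discussed in the comments: pattern/flow APB across
areas, timed APB across a reader *group*, hard (deny) vs soft (record-only)
mode, and a scheduled state reset.  Readers, areas, cards and times are
constructed examples."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Reader:
    name: str
    from_area: str   # area the cardholder must currently be recorded in
    to_area: str     # area the reader admits into
    group: str       # readers that share one timed-APB window


@dataclass
class AntiPassback:
    readers: Dict[str, Reader]
    window_s: int = 30        # timed-APB window in seconds, per reader group
    enforce: bool = True      # True = hard APB (deny); False = soft APB (record only)
    location: Dict[str, str] = field(default_factory=dict)                 # credential -> area
    last_badge: Dict[Tuple[str, str], float] = field(default_factory=dict) # (credential, group) -> time
    violations: List[str] = field(default_factory=list)

    def reset(self) -> None:
        # Scheduled frequently, this approximates timed APB across every reader,
        # but it also forgives any flow violation still pending at that moment.
        self.location.clear()
        self.last_badge.clear()

    def badge(self, credential: str, reader_name: str, now: float) -> bool:
        """Return True if granted, False if denied; violations are logged in both modes."""
        reader = self.readers[reader_name]
        reason: Optional[str] = None

        # Timed APB keyed on the reader group, so the same card presented at the
        # neighboring turnstile a few seconds later is caught as well.
        last = self.last_badge.get((credential, reader.group))
        if last is not None and now - last < self.window_s:
            reason = f"re-used within {self.window_s}s in group {reader.group}"

        # Pattern/flow APB: the credential must be recorded in the area the reader
        # leads out of.  Catches re-entry without an OUT badge and an OUT with no entry.
        here = self.location.get(credential, "OUTSIDE")
        if reason is None and here != reader.from_area:
            reason = f"flow violation: recorded in {here}, reader expects {reader.from_area}"

        if reason is not None:
            self.violations.append(f"t={now:.0f} {credential} {reader_name}: {reason}")
            if self.enforce:
                return False      # hard APB: deny and leave state untouched

        # Granted (normally, or in soft mode): resynchronise state with reality.
        self.location[credential] = reader.to_area
        self.last_badge[(credential, reader.group)] = now
        return True


def build_site() -> AntiPassback:
    """Two neighboring entry turnstiles into PLANT, one exit reader, and a
    separate entry into BUILDING_B (constructed layout)."""
    readers = [
        Reader("TS1-IN", "OUTSIDE", "PLANT", "turnstiles"),
        Reader("TS2-IN", "OUTSIDE", "PLANT", "turnstiles"),
        Reader("PLANT-OUT", "PLANT", "OUTSIDE", "exit"),
        Reader("BLDG-B-IN", "OUTSIDE", "BUILDING_B", "bldg-b"),
    ]
    return AntiPassback({r.name: r for r in readers})


def demo_passback(enforce: bool = True) -> Tuple[List[bool], List[str]]:
    """Replay a constructed badge sequence; returns (decisions, violation log)."""
    apb = build_site()
    apb.enforce = enforce
    events = [
        ("C100", "TS1-IN", 0),       # legitimate entry
        ("C100", "TS2-IN", 5),       # card passed back, used at the next turnstile
        ("C100", "TS2-IN", 45),      # window expired, but flow APB still has C100 inside
        ("C100", "PLANT-OUT", 600),  # legitimate exit
        ("C100", "BLDG-B-IN", 660),  # allowed: PLANT was exited first
        ("C200", "PLANT-OUT", 700),  # exit with no entry on record
    ]
    decisions = [apb.badge(c, r, t) for c, r, t in events]
    return decisions, apb.violations


def demo_reset() -> List[bool]:
    """A scheduled reset clears a pending flow violation along with the timers."""
    apb = build_site()
    results = [apb.badge("C100", "TS1-IN", 0), apb.badge("C100", "TS1-IN", 100)]
    apb.reset()
    results.append(apb.badge("C100", "TS1-IN", 101))
    return results
```

Running `demo_passback(enforce=True)` denies the second and third turnstile badges and the unmatched exit while granting the rest; `demo_passback(enforce=False)` grants every badge but records the same three violations, which is the hard/soft distinction. `demo_reset()` shows the trade-off of the periodic-reset workaround: the re-entry at t=100 is denied, but after `reset()` the same card is admitted again at t=101 because the controller no longer knows it is inside.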
