The Passback Problem

By: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgating
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signage
  • Ignoring it

The ******* *******

'********' ** *** ********** term *** '******* ***********', taken **** *** ******* of *** ****** ******* through ** ******-******* *********. Suppose '****** *' ***** their ***** *** ****** through ********, *** '****** B' ** *** ******* access **** *** ****. 'Passback' ****** **** '****** A' ***** ***** ***** to '****** *' ** that ****** *** **** access.

**** ******** ** ******* equivalent ** ******** * door *** ******* ** mail **** ** ** outside ******, ** ******* your ******** **** ******* else. ** ****, ** means **** *** ****** is *** *********** ****** in *** *** ** was ********, *** ** worst ** ***** **** the ****** *** ** knowledge ** * ********* threat.

Less ***** **** **********, ***** * *******

** ***** ** ******** threats, ********** ** * '******' ****, while ******** ** ********* less *******.  **** ******** events ***** **** ****** try ** **** **** to ********* *** ****** control ******, ***** ********** typically ****** ******* **. So ** *******, ******** is ****** ** ****** with '****' ******* ** with ****** ********* ** users ** ***** ******* credentials.

****** *******, '**********' ***** that **** * **** has **** ****** ** a **********, ** ** left **** ** **** more **** *** ********** is ******* ** ****-*******. ** contrast ** '********', '**********' simply ******** *** *********** to **** ********** ***********. However '****-********' ********, ********** those ** *** '******* and ****' *******, *** be able ** ****** *** 'tailgating' *******. 

*** ****, *** ************* - ****** ******* Tutorial.

Basic ******** *********

** ******* *** ****, Access ******* ******* ***** feature '****-********' ********, ***** generally ********* * *** of ******** ******* ** credential ***. *** *******:

**** *****:* **** ****** ** used ** *** **** reader ***** ****** * certain ****** ** ****. While **** ********** * decidedly '***-****' ********, ** is *** ******* ** implement. ****** ******** * card ** ** **** on *** **** ****** for * ****** ** 3 ** * ******* discourages *** *********** ** improperly '*******-****' * **********. However, **** **** ** control *** ** ************ to *****, ** *** occasion **** ************ **** something ***** ******* * card, ****** ********** ** a ************, ** **** some ***** ********** ****** for ******* **-************* ******* an *******.

****** ******* *** ****: **** **** ** control ******** ********** ***** follow * ******* ******* within * ******. For example, a credential must be used at an 'OUT' reader before it can be used for an 'IN' function. Likewise a credential cannot be used to enter 'Building B' if 'Building A' has not first been exited. **** ****** ** anti-passback ** *** **** comprehensive ** *********** *** problem, *** ** ******** the **** ************* *** places ** ******** ** having *** ***** ********** within * ********, **** doors **** *** ************ used.

Time Limits and Reader Patterning are software features that some, but not all, access control management software supports. *** *****, more ****** *********, ********** hardware ********* ******* ********* is ********.

Other *********

************ ******** ******** ********* involves **** **** **** software.  *** *******, ** our ********* ********* ** ************ and ********** ******, **** **** ** solution ***** **** *****, and **** **** **% ** those ********* ********* ***** more **** *** ******** method:

*** **** ****** '***** solutions' ******* ***** ******** cited:

  • **********:* **** *** ** prevent ******** ** ** credential ***** ** ********** ******* of '*********' ***********. ***** ****** permissions ** ****** ******** features ********* ***** **** sharing.
  • *******: ******* ****** ******** ******** using ************ ******* ** record *** ****** ** misuse *** ********* ** access ******.
  • **********:*** **** ****** '******' method **** ***** **********, revolving *****, ** ******** to ********** ******* **** than ** ****** ****** entry ** *** ****.
  • *******:*** **** ****** '****' measure ** ***** **** indirectly ** ********* ******* the **** *** *** use ** ***** ** remind ****** **** ******** the ****** ******* ****** or ********** ******** ********.

Ignoring ************ **** ******

*******, ******* *** ***** identified ** *** ******* was ******** *** *****. About **% ** ********* said **** ****** ** nothing, ******* ********** ** ** too ******, ** ** is *** ****** ** a **** ** ******* countermeasures.

******** ** ****** *** threat *** **** ******* for ****, *** ***** so ********** *** *********** to ********* *** **** invalidate *** ***** ******** that ******* ***** ********** access ******* ****** *********** mechanical **** *** *****.

Comments (15)

Good article. At least you started out okay. It seems that you are using the terms passback and piggyback as synonyms and then juxtaposing them to tailgating.

In their common use, tailgating and piggybacking are synonyms but passback is entirely different.

The big difference is that passback is an act done by two or more people specifically to deceive the system while tailgating (or piggybacking) is more commonly an act of convenience done by a single person.

I agree they are distinct issues, which is why our tailgating report (Tailgating - Access Control Tutorial) gets separate treatment.

However, the methods of dealing with both issues can be similar (ie: cameras, biometrics, signage) so that is where the lines blur a bit. Especially given the results of how APB is practically addressed, 'tailgating' enters the conversation.

If only dealing with tailgating was as simple as the 'antipassback' settings are!

So is piggybacking "users sharing credentials" or not?

Piggybacking is one form of sharing credentials.

Thank you for this article. The problem may be solved using face verification. Using it, an access control management software checks that it's exactly the card owner who has applied the card. I'm from AxxonSoft and this scenario is frequently used by our partners. It's much more reliable than face recognition itself, may be used at the most important access control points only and does not need physical contact like fingerprint readers.

Igor, are you making the point that biometric authentication, unlike possession and knowledge authentication, makes passback much less likely? If so, I agree, but the type of authentication does not impact the likelihood of tailgating or piggybacking as far as I can figure....

I disagree with both of you as biometrics is often its own credential or a second factor. Take a multi-turnstile example. Person A presents a credential (card and/or biometric) at a turnstile to let a friend in and then goes to a second turnstile and lets themselves in. This is still passback.

Brian, good article, as always. Passback is very different from Tailgating or Piggybacking. Tailgating is when somebody tucks in behind an authorized user without their knowledge or consent. Piggybacking is when the authorized user is complicit in allowing the unauthorized user through the portal.

I have a number of high-security sites I visit that the order we card in and out of areas matters.

I have to enter a secured area after my escort and leave before my escort, ( so I am not in while my escort is on the out).

I am curious how common this is.

Not very common as it’s expensive to set up and operationally maintain. In my experience.

I have to enter a secured area after my escort and leave before my escort, ( so I am not in while my escort is on the out).

I am curious how common this is...

Pro-member Fischer’s thoughts on a similar topic can be found here.

For example, a credential must be used at an 'OUT' reader before it can be used for an 'IN' function. Likewise a credential cannot be used to enter 'Building B' if 'Building A' has not first been exited.

and if you are swiping on exit of Building A but never swiped on entry, the controller should call out “Piggybacker!” and hit you with a 15 second* delayed egress penalty.

*or whatever the maximum is by local ordinance

UD2 do you know of a platform that does this?

Appreciate the attempt to take on this subject, as others have stated in comments the article started strong but quickly decayed by bringing in tailgating.

text from the article, “Time Limits and Reader Patterning are software features that some, but not all, access control management software supports.”.

May you give some examples of access control management software that has good features and poor features. Here is an example of a software that has both but still falls short.

I am currently fighting a passback issue in a manufacturing facility that uses Prowatch. Being that Prowatch was originally designed for airports, you would think it would have a robust anti-passback feature set. However, it only has timed (soft) and pattern/flow (hard) out of the box. Timed only applies to one reader and does not allow for targeting the card with the rule. For example, there are two full-height turnstiles next to each other; I can create a rule to prevent the same card being used on the same turnstile for a time period, but cannot prevent that card from being used on the neighboring turnstile. In my manufacturing environment there are no outbound readers, so a hard anti-passback rule is out of the question. While I am working on some custom programming to help solve the issue, we are currently running audit/compliance reports and using management (HR) as an enforcer.

Would like to understand what you are seeing across multiple access control management software products to help combat this problem.

You could reset APB status very frequently, this will have the same effect as 'timed' but across multiple readers. Not sure how that is done in Prowatch, but should be possible. You have to be careful that the time between valid entries is accounted for though.

Just to note, hard/soft APB means enforcing/recording violations, not how you seem to be defining it.
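The time-limit and reader pattern/flow rules described in the article, together with the neighboring-turnstile and periodic-reset scenarios discussed in the comments above, modelled as an added example (not the article's or any vendor's code; reader names, area names, card numbers and the 180-second window are constructed):

```python
from dataclasses import dataclass, field

# Added example, not any vendor's code: a minimal anti-passback (APB) controller model
# that keeps state per credential and area rather than per reader, so the timed rule
# also covers a second turnstile standing beside the first.

@dataclass
class ApbController:
    window: int                                     # timed APB window in seconds
    areas: dict                                     # reader -> area name
    flow: dict = field(default_factory=dict)        # reader -> "IN"/"OUT"; absent = undirected
    last_entry: dict = field(default_factory=dict)  # (card, area) -> time of last granted entry
    inside: dict = field(default_factory=dict)      # (card, area) -> True while the card is "in"

    def present(self, card, reader, t):
        """Evaluate one read at time t; return 'GRANT' or a denial code."""
        area, direction = self.areas[reader], self.flow.get(reader)
        key = (card, area)
        # Timed ("soft") APB: a second entry by this card into this area within
        # the window is refused at every reader of the area, not just the one used.
        last = self.last_entry.get(key)
        if direction != "OUT" and last is not None and t - last < self.window:
            return "DENY_APB_TIMED"
        # Pattern/flow ("hard") APB: a card must leave before it can enter again
        # and cannot leave an area it never entered.
        if direction == "IN" and self.inside.get(key, False):
            return "DENY_APB_ALREADY_IN"
        if direction == "OUT" and not self.inside.get(key, False):
            return "DENY_APB_NOT_IN"
        if direction == "OUT":
            self.inside[key] = False
        else:
            self.last_entry[key] = t
            if direction == "IN":
                self.inside[key] = True
        return "GRANT"

    def forgive(self, card=None):
        """Clear APB state for one card or all cards: the periodic reset the comments suggest."""
        for key in list(self.inside) + list(self.last_entry):
            if card is None or key[0] == card:
                self.inside.pop(key, None)
                self.last_entry.pop(key, None)

def demo():
    # Constructed scenario: adjacent entry-only turnstiles T1/T2 (no OUT readers, so only
    # the timed rule can apply) plus an area A with a matched IN and OUT reader.
    c = ApbController(window=180, areas={"T1": "plant", "T2": "plant", "IN_A": "A", "OUT_A": "A"},
                      flow={"IN_A": "IN", "OUT_A": "OUT"})
    return [c.present("1001", "T1", 0), c.present("1001", "T2", 30), c.present("1001", "T2", 200),
            c.present("2002", "IN_A", 0), c.present("2002", "IN_A", 400), c.present("3003", "OUT_A", 5),
            c.present("2002", "OUT_A", 500), c.present("2002", "IN_A", 520)]
```

The second read of card 1001 is refused at T2 even though its first read was at T1, and card 3003 is refused at the OUT reader because it never entered, which is the audit case one commenter describes.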
