The Passback Problem

Author: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgaiting
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signange
  • Ignoring it

***** ******** ****** *** *****, **** ****-**** ****. ***** ********** Access ******* ***** **** ********* ***** ****, ** ** *** without **********.

*** ** *** **** ********* *************** ** ****** '********' - the ******** ** ***** ******* ****'* *********** ** **** *****. In **** ****, ** **** * **** ** *** ******* and *** ********* *** ******** ***************, ******* **:

  • ******** ** ***********
  • ******** ********* ********* **** ***** *** ****** ******* *** ****
  • ***** ********* ********* **********, *******, ********** *** ********
  • ******** **

[***************]

The ******* *******

'********' ** *** ********** **** *** '******* ***********', ***** **** the ******* ** *** ****** ******* ******* ** ******-******* *********. Suppose '****** *' ***** ***** ***** *** ****** ******* ********, but '****** *' ** *** ******* ****** **** *** ****. 'Passback' ****** **** '****** *' ***** ***** ***** ** '****** B' ** **** ****** *** **** ******.

**** ******** ** ******* ********** ** ******** * **** *** through ** **** **** ** ** ******* ******, ** ******* your ******** **** ******* ****. ** ****, ** ***** **** the ****** ** *** *********** ****** ** *** *** ** was ********, *** ** ***** ** ***** **** *** ****** has ** ********* ** * ********* ******.

Less ***** **** **********, ***** * *******

** ***** ** ******** *******,************ * '******' ****, ***** ******** ** ********* **** *******. Many ******** ****** ***** **** ****** *** ** **** **** to ********* *** ****** ******* ******, ***** ********** ********* ****** ignores **. ** ** *******, ******** ** ****** ** ****** with '****' ******* ** **** ****** ********* ** ***** ** avoid ******* ***********.

****** *******, '**********' ***** **** **** * **** *** **** opened ** * **********, ** ** **** **** ** **** more **** *** ********** ** ******* ** ****-*******. ** ******** to '********', '**********' ****** ******** *** *********** ** **** ********** credentials. ******* '****-********' ********, ********** ***** ** *** '******* *** Flow' *******, *** ** **** ** ****** *** '**********' *******.

*** ****, *** ************* - ****** ******* ********.

Basic ******** *********

** ******* *** ****, ****** ******* ******* ***** ******* '****-********' controls, ***** ********* ********* * *** ** ******** ******* ** credential ***. *** *******:

**** *****:* **** ****** ** **** ** *** **** ****** ***** within * ******* ****** ** ****. ***** **** ********** * decidedly '***-****' ********, ** ** *** ******* ** *********. ****** limiting * **** ** ** **** ** *** **** ****** for * ****** ** * ** * ******* *********** *** convenience ** ********** '*******-****' * **********. *******, **** **** ** control *** ** ************ ** *****, ** *** ******** **** accidentally **** ********* ***** ******* * ****, ****** ********** ** a ************, ** **** **** ***** ********** ****** *** ******* re-credentialing ******* ** *******.

****** ******* *** ****: **** **** ** ******* ******** ********** ***** ****** * logical ******* ****** * ******. *** *******, * ********** **** be **** ** ** '***' ****** ****** ** *** ** used *** ** '**' ********. ******** * ********** ****** ** used ** ***** '******** *' ** '******** *' *** *** first **** ******. **** ****** ** ****-******** ** *** **** comprehensive ** *********** *** *******, *** ** ******** *** **** configuration *** ****** ** ******** ** ****** *** ***** ********** within * ********, **** ***** **** *** ************ ****.

**** ****** *** ****** ********** *** ******** ******** **** ****, but *** ***, ****** ******* ********** ******** ********. *** *****, more ****** *********, ********** ******** ********* ******* ********* ** ********.

Other *********

************ ******** ******** ********* ******** **** **** **** ********. *** example, ** ************ ********* ** ************ *** ****************, **** **** ** ******** ***** **** *****, *** **** **** **% ** ***** ********* ********* ***** **** **** one ******** ******:

*** **** ****** '***** *********' ******* ***** ******** *****:

  • **********:* **** *** ** ******* ******** ** ** ********** ***** on ********** ******* ** '*********' ***********. ***** ****** *********** ** unique ******** ******** ********* ***** **** *******.
  • *******:******* ****** ******** ******** ***** ************ ******* ** ****** *** verify ** ****** *** ********* ** ****** ******.
  • **********:*** **** ****** '******' ****** **** ***** **********, ********* *****, or ******** ** ********** ******* **** **** ** ****** ****** entry ** *** ****.
  • *******:*** **** ****** '****' ******* ** ***** **** ********** ** passively ******* *** **** *** *** *** ** ***** ** remind ****** **** ******** *** ****** ******* ****** ** ********** security ********.

Ignoring ************ **** ******

*******, ******* *** ***** ********** ** *** ******* *** ******** the *****. ***** **% ** ********* **** **** ****** ** nothing, ******* ********** ** ** *** ******, ** ** ** not ****** ** * **** ** ******* ***************.

******** ** ****** *** ****** *** **** ******* *** ****, but ***** ** ********** *** *********** ** ********* *** **** invalidate *** ***** ******** **** ******* ***** ********** ****** ******* versus *********** ********** **** *** *****.

Comments (7)

Undisclosed 1

| 09/14/16 04:08pm

**** *******. ** ***** *** ******* *** ****. ** ***** that *** *** ***** *** ***** ******** *** ********* ** synonyms *** **** *********** **** ** **********.

** ***** ****** ***, ********** *** ************ *** ******** *** passback ** ******** *********.

*** *** ********** ** **** ******** ** ** *** **** by *** ** **** ****** ************ ** ******* *** ****** while ********** (** ************) ** **** ******** ** *** ** convenience **** ** * ****** ******.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified / IPVM Admin | In reply to Undisclosed 1 | 09/14/16 04:41pm

* ***** **** *** ******** ******, ***** ** *** *** tailgating ****** (********** - ****** ******* ********) **** ******** *********.

*******, *** ******* ** ******* **** **** ****** *** ** similar (**: *******, **********, *******) ** **** ** ***** *** lines **** * ***. ********** ***** *** ******* ** *** APB ** *********** *********, '**********' ****** *** ************.

** **** ******* **** ********** *** ** ****** ** *** 'antipassback' ******** ***!

Undisclosed 2

In reply to Brian Rhodes | 09/14/16 06:03pm

** ** ************ "***** ******* ***********" ** ***?

Thumbnail pp 5

Brian Rhodes

IPVMU Certified / IPVM Admin | In reply to Undisclosed 2 | 09/14/16 05:13pm

************ ** *** **** ** ******* ***********.

Igor Falomkin

| 09/15/16 05:34am

***** *** *** **** *******. *** ******* *** ** ****** using **** ************. ***** ** ** ****** ******* ********** ******** checks **** **'* ******* **** ***** *** ******* *** ****. I'm **** ********* *** **** ******** ** ********** **** ** our ********. **'* **** **** ******** **** **** *********** ******, may ** **** ** **** ********* ****** ******* ****** **** and **** *** **** ******** ******* **** *********** *******.

Skip Cusack

In reply to Igor Falomkin | 09/19/16 02:20pm

****, *** *** ****** *** ***** **** ********* **************, ****** possession *** ********* **************, ***** ******** **** **** ******? ** so, * *****, *** *** **** ** ************** **** *** impact *** ********** ** ********** ** ************ ** *** ** I *** ******....

Skip Cusack

| 09/19/16 02:00pm

*****, **** *******, ** ******. ******** ** **** ********* **** Tailgating ** ************. ********** ** **** ******** ***** ** ****** an ********** **** ******* ***** ********* ** *******. ************ ** when *** ********** **** ** ********* ** ******** *** ************ user ******* *** ******.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Access Control

Access Control Course Fall 2016 on Sep 22, 2016
IPVM offers the most comprehensive access control course in the industry. Unlike manufacturer training that focuses only on a small part of the...
Door Fundamentals For Electronic Access Control on Sep 20, 2016
Assuming every door can be secured with either a maglock or an electric strike can be a painful assumption in the field. While those items can be...
S2 Founder Touts Mercury Board To Replace Software House on Sep 08, 2016
Access control is a stoic market typically devoid of glitzy, flashy product releases. But one new product is notable because of who is touting it...
Lenel Partners Angry, Lenel Does Not Care on Sep 01, 2016
Even more than Arecont, one manufacturer stands out for consistent complaints - Lenel. Over the past few years, no manufacturer has had more...
ZKAccess Company Profile and Higher Margin Guarantee Examined on Aug 30, 2016
A budget access manufacturer has entered the North American market, but it is not Hikvision or Dahua. This player, ZKAccess, has recently set up...
Genetec Access Control Security Center 5.5 Release on Aug 26, 2016
Inside, we examine Genetec's new Access Control features in Security Center 5.5. Enhanced Active Directory and 'Universal Groups' New, Single...
Tailgating - Access Control Tutorial on Aug 25, 2016
Despite costing thousands of dollars per door, electronic access control systems are vulnerable to an easy exploit called 'tailgating'. Unless this...
Service / Maintenance Contracts Guide And Downloadable Sample Agreement on Aug 18, 2016
This guide provides in-depth recommendations for service / maintenance and a sample service agreement that integrators can edit and customize for...
Hotel Access Control Explained on Aug 17, 2016
Hotel access control seems to work magically. Unlike electronic access control systems used in commercial security, doors in hotels are not...

Most Recent Industry Reports

Nest Cam Outdoor Tested on Sep 23, 2016
After years of claiming an outdoor model was "coming", addressing their biggest user demand, Nest has finally released their Outdoor Camera, an...
ACTi Refuses Race To The Bottom, Shifts To Solutions on Sep 23, 2016
The original low cost IP camera disruptor was ACTi. Back in the 2008 - 2010 time frame, Taiwanese manufacturer ACTi challenged the Western and...
You Get Robbed, Canary Will Pay You Up To $1,000 on Sep 22, 2016
Canary is trying to break the status quo in DIY security, first by raising over $40 million, and now a revamp of their monthly services package...
Milestone Ends Development of "Enterprise" VMS on Sep 22, 2016
Milestone 'Enterprise' was one of the first enterprise video management software offerings, selected by many early adopters of IP video. However,...
History of Video Surveillance on Sep 22, 2016
This is a concise history of video surveillance covering the past decade.  The goal is to help professionals newer to the industry understand...
Access Control Course Fall 2016 on Sep 22, 2016
IPVM offers the most comprehensive access control course in the industry. Unlike manufacturer training that focuses only on a small part of the...
Totally Wireless IP Camera (IPVideo Corp NomadHD) on Sep 21, 2016
Wireless battery powered cameras have been a surveillance pipe dream for years, limited by camera power consumption, battery technology, and...
Axis Launches IP Speakers on Sep 21, 2016
First, Axis introduced an IP horn, then it was video intercoms, and now it is Networked Speakers? While IP-based Public Address systems are not...
Tagged RFID Object Search Recorded Video on Sep 20, 2016
Video analytics has gotten fairly good at tagging people in video, but it does not solve the problem of finding items like specific merchandise or...
FLIR and Geovision Join the Hikvision Price Cut Race on Sep 20, 2016
Hikvision's price cuts are clearly a trend setter. After numerous and increasingly large cuts, the destructive cycle is accelerating. Last month,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact