The Passback Problem

By: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

Passback vs Tailgaiting
Software solutions including time limit and reader pattern and flow
Other solutions including biometrics, cameras, turnstiles and signange
Ignoring it

***** ******** ****** *** flaws, **** ****-**** ****. While ********** ****** ******* helps **** ********* ***** safe, ** ** *** without **********.

*** ** *** **** troubling *************** ** ****** 'Passback' - *** ******** of ***** ******* ****'* credentials ** **** *****. In **** ****, ** take * **** ** the ******* *** *** designers *** ******** ***************, looking **:

******** ** ***********
******** ********* ********* **** limit *** ****** ******* and ****
***** ********* ********* **********, cameras, ********** *** ********
******** **

[***************]

The ******* *******

'********' ** *** ********** term *** '******* ***********', taken **** *** ******* of *** ****** ******* through ** ******-******* *********. Suppose '****** *' ***** their ***** *** ****** through ********, *** '****** B' ** *** ******* access **** *** ****. 'Passback' ****** **** '****** A' ***** ***** ***** to '****** *' ** that ****** *** **** access.

**** ******** ** ******* equivalent ** ******** * door *** ******* ** mail **** ** ** outside ******, ** ******* your ******** **** ******* else. ** ****, ** means **** *** ****** is *** *********** ****** in *** *** ** was ********, *** ** worst ** ***** **** the ****** *** ** knowledge ** * ********* threat.

Less ***** **** **********, ***** * *******

** ***** ** ******** threats, ********** ** * '******' ****, while ******** ** ********* less *******. **** ******** events ***** **** ****** try ** **** **** to ********* *** ****** control ******, ***** ********** typically ****** ******* **. So ** *******, ******** is ****** ** ****** with '****' ******* ** with ****** ********* ** users ** ***** ******* credentials.

****** *******, '**********' ***** that **** * **** has **** ****** ** a **********, ** ** left **** ** **** more **** *** ********** is ******* ** ****-*******. ** contrast ** '********', '**********' simply ******** *** *********** to **** ********** ***********. However '****-********' ********, ********** those ** *** '******* and ****' *******, *** be able ** ****** *** 'tailgating' *******.

*** ****, *** ************* - ****** ******* Tutorial.

Basic ******** *********

** ******* *** ****, Access ******* ******* ***** feature '****-********' ********, ***** generally ********* * *** of ******** ******* ** credential ***. *** *******:

**** *****:* **** ****** ** used ** *** **** reader ***** ****** * certain ****** ** ****. While **** ********** * decidedly '***-****' ********, ** is *** ******* ** implement. ****** ******** * card ** ** **** on *** **** ****** for * ****** ** 3 ** * ******* discourages *** *********** ** improperly '*******-****' * **********. However, **** **** ** control *** ** ************ to *****, ** *** occasion **** ************ **** something ***** ******* * card, ****** ********** ** a ************, ** **** some ***** ********** ****** for ******* **-************* ******* an *******.

****** ******* *** ****: **** **** ** control ******** ********** ***** follow * ******* ******* within * ******. *** example, * ********** **** be **** ** ** 'OUT' ****** ****** ** can ** **** *** an '**' ********. ******** a ********** ****** ** used ** ***** '******** B' ** '******** *' has *** ***** **** exited. **** ****** ** anti-passback ** *** **** comprehensive ** *********** *** problem, *** ** ******** the **** ************* *** places ** ******** ** having *** ***** ********** within * ********, **** doors **** *** ************ used.

**** ****** *** ****** Patterning *** ******** ******** that ****, *** *** all, ****** ******* ********** software ********. *** *****, more ****** *********, ********** hardware ********* ******* ********* is ********.

Other *********

************ ******** ******** ********* involves **** **** **** software. *** *******, ** our ********* ********* ** ************ and ********** ******, **** **** ** solution ***** **** *****, and **** **** **% ** those ********* ********* ***** more **** *** ******** method:

*** **** ****** '***** solutions' ******* ***** ******** cited:

**********:* **** *** ** prevent ******** ** ** credential ***** ** ********** ******* of '*********' ***********. ***** ****** permissions ** ****** ******** features ********* ***** **** sharing.
*******: ******* ****** ******** ******** using ************ ******* ** record *** ****** ** misuse *** ********* ** access ******.
**********:*** **** ****** '******' method **** ***** **********, revolving *****, ** ******** to ********** ******* **** than ** ****** ****** entry ** *** ****.
*******:*** **** ****** '****' measure ** ***** **** indirectly ** ********* ******* the **** *** *** use ** ***** ** remind ****** **** ******** the ****** ******* ****** or ********** ******** ********.

Ignoring ************ **** ******

*******, ******* *** ***** identified ** *** ******* was ******** *** *****. About **% ** ********* said **** ****** ** nothing, ******* ********** ** ** too ******, ** ** is *** ****** ** a **** ** ******* countermeasures.

******** ** ****** *** threat *** **** ******* for ****, *** ***** so ********** *** *********** to ********* *** **** invalidate *** ***** ******** that ******* ***** ********** access ******* ****** *********** mechanical **** *** *****.

Comments (15)

Undisclosed #1

09/14/16 04:08pm

Good article. At least you started out okay. It seems that you are using the terms passback and piggyback as synonyms and then juxtaposing them to tailgating.

In their common use, tailgating and piggybacking are synonyms but passback is entirely different.

The big difference is that passback is an act done by two or more people specifically to deceive the system while tailgating (or piggybacking) is more commonly an act of convenience done by a single person.

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #1 | 09/14/16 04:41pm

I agree they are distinct issues, which is why our tailgating report (Tailgating - Access Control Tutorial) gets separate treatment.

However, the methods of dealing with both issues can be similar (ie: cameras, biometrics, signage) so that is where the lines blur a bit. Especially given the results of how APB is practically addressed, 'tailgating' enters the conversation.

If only dealing with tailgating was as simple as the 'antipassback' settings are!

Undisclosed #2

In reply to Brian Rhodes | 09/14/16 05:03pm

So is piggybacking "users sharing credentials" or not?

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #2 | 09/14/16 05:13pm

Piggybacking is one form of sharing credentials.

Igor Falomkin

AxxonSoft | 09/15/16 05:34am

Thank you for this article. The problem may be solved using face verification. Using it an access control management software checks that it's exactly card owner has applied the card. I'm from AxxonSoft and this scenario is frequently used by our partners. It's much more reliable than face recognition itself, may be used at must important access control points only and does not need physical contact like fingerprint readers.

Skip Cusack

In reply to Igor Falomkin | 09/19/16 02:20pm

Igor, are you making the point that biometric authentication, unlike possession and knowledge authentication, makes passback much less likely? If so, I agree, but the type of authentication does not impact the likelihood of tailgating or piggybacking as far as I can figure....

Undisclosed End User #3

In reply to Skip Cusack | 11/03/19 03:39am

I disagree with both of you as biometrics is often it’s own credential or a second factor. Take a multi turnstile example. Person A presents credential (card and/or biometric) a turnstile to let friend in and then goes to second turnstile and lets themselves in. This is still passback.

Skip Cusack

09/19/16 02:00pm

Brian, good article, as always. Passback is very different from Tailgating or Piggybacking. Tailgating is when somebody tucks in behind an authorized user without their knowledge or consent. Piggybacking is when the authorized user is complicit in allowing the unauthorized user through the portal.

Paul Govero

IPVMU Certified | 05/14/19 08:32pm

I have a number of high-security sites I visit that the order we card in and out of areas matters.

I have to enter a secured area after my escort and leave before my escort, ( so I am not in while my escort is on the out).

I am curious how common this is

Undisclosed End User #3

In reply to Paul Govero | 11/03/19 03:41am

Not very common as it’s expensive to set up and operationally maintain. In my experience.

Undisclosed #2

In reply to Paul Govero | 11/03/19 04:00am

I have to enter a secured area after my escort and leave before my escort, ( so I am not in while my escort is on the out).

I am curious how common this is...

Pro-member Fischer’s thoughts on a similar topic can be found here.

Undisclosed #2

11/02/19 10:49pm

For example, a credential must be used at an 'OUT' reader before it can be used for an 'IN' function. Likewise a credential cannot be used to enter 'Building B' if 'Building A' has not first been exited.

and if you are swiping on exit of Building A but never swiped on entry, the controller should call out “Piggybacker!” and hit you with a 15 second* delayed egress penalty.

*or whatever the maximum is by local ordinance

Undisclosed End User #3

In reply to Undisclosed #2 | 11/03/19 04:06am

UD2 do you know of a platform that does this?

Undisclosed End User #3

11/03/19 04:04am

Appreciate the attempt to take on this subject, as others have stated in comments the article started strong but quickly decayed by bringing in tailgating.

text from the article, “Time Limits and Reader Patterning are software features that some, but not all, access control management software supports.”.

May you give some examples of access control management software that has good features and poor features. Here is an example of a software that has both but still falls short.

I am currently fighting a pass back issue in a manufacturing facility that uses Prowatch, being that Prowatch was originally designed for airports you would think it would have a robust anti-passback feature set. However, it only has timed (soft) and pattern/flow (hard) out of the box. Timed only applies to one reader and does not allow for targeting the card with the rule. For example there are two full height turnstiles next to each other, I can create a rule to prevent the same card being used on the same turnstile for a time period, but can not prevent that card from being used on the neighboring turnstile. In my manufacturing environment there are no outbound readers so a hard anti-passback rule it out of the question. While I am working on some custom programming to help solve the issue, we are currently running audit/compliance reports and using management (HR) as an enforcer.

Would like to understand what you are seeing across multiple access control management software products to help combat this problem.

Undisclosed #4

11/04/19 04:41am

You could reset APB status very frequently, this will have the same effect as 'timed' but across multiple readers. Not sure how that is done in Prowatch, but should be possible. You have to be careful that the time between valid entries is accounted for though.

Just to note, hard/soft APB is means enforcing/recording violations, not how you seem to be defining it.

Read this IPVM report for free.

This article is part of IPVM's 6,366 reports, 855 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Related Reports

Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020

Access control users have included capabilities that are not commonly used that can help zero-in and discover potential Coronavirus hotspots in a...

Breaking Into A Facility Using Canned Air Tested on Jan 28, 2020

Access control is supposed to make doors more secure, but a $5 can of compressed air may defeat it. With no special training, intruders can...

Securing Access Control Installations Tutorial on Oct 17, 2019

The physical security of access control components is critical to ensuring that a facility is truly secure. Otherwise, the entire system can be...

Fail Safe vs. Fail Secure Tutorial on Oct 02, 2019

Few terms carry greater importance in access control than 'fail safe' and 'fail secure'. Access control professionals must know how these...

Contactless Access Credentials Guide on Oct 29, 2018

Contactless credentials are the most common component used in an access control system and while many look alike externally, important differences...

Cybersecurity for IP Video Surveillance Guide on May 18, 2018

Keeping surveillance networks secure can be a daunting task, but there are several methods that can greatly reduce risk, especially when used in...

Forced Entry / Duress Access Tutorial on May 17, 2018

Even though access control normally keeps people safe, tragedies have revealed a significant issue. If users are forced to unlock doors for...

TVT Backdoor Disclosed on Apr 09, 2018

Security researcher Bashis has disclosed a backdoor in TVT video surveillance products, with TVT issuing its own 'Notification of Critical...

Door Position Switches (DPS) For Access Control Tutorial on Mar 05, 2018

Door position switches do not get enough respect. They solve a major problem of access control systems yet are frequently ignored or...

Geovision Unprecedented Security Vulnerabilities And Backdoor on Feb 06, 2018

Cybersecurity vulnerabilities have plagued the video surveillance market. Now, Bashis, discover of the Dahua backdoor, has discovered 15...

Most Recent Industry Reports

Access Control Online Show - July 2020 - With 40+ Manufacturers - Register Now on Jul 01, 2020

IPVM is excited to announce our July 2020 Access Control Show. With 40+ companies presenting across 4 days, this is a unique opportunity to hear...

Hanwha Face Mask Detection Tested on Jul 01, 2020

Face mask detection or, more specifically lack-of-face-mask detection, is an expanding offering in the midst of coronavirus. Hanwha in partnership...

UK Government Says Fever Cameras "Unsuitable" on Jul 01, 2020

The UK government's medical device regulator, MHRA, told IPVM that fever-seeking thermal cameras are "unsuitable for this purpose" and recommends...

Camera Course Summer 2020 on Jun 30, 2020

This is the only independent surveillance camera course, based on in-depth product and technology testing. Lots of manufacturer training...

Worst Over But Integrators Still Dealing With Coronavirus Problems (June Statistics) on Jun 30, 2020

While numbers of integrators very impacted by Coronavirus continue to drop, most are still moderately dealing with the pandemic's problems, June...

FLIR Screen-EST Screening Software Tested on Jun 30, 2020

In our FLIR A Series Test, the cameras' biggest drawback was their lack of face detection, requiring manual adjustment when screening each...

Dahua Buenos Aires Bus Screening Violates IEC Standards and Dahua's Own Instructions on Jun 30, 2020

Dahua has promoted Buenos Aires bus deployments as "solutions that facilitate community safety". However, they violate IEC standards and,...

UK Firm Markets False Fever Screening, Hikvision Disavows on Jun 30, 2020

A UK security firm falsely claimed its Hikvision-based thermal solution could be used for "accurately detecting fever in any person", even claiming...