The Passback Problem

Author: Brian Rhodes, Published on Sep 14, 2016

Every security system has flaws, even high-tech ones. While Electronic Access Control helps keep sensitive areas safe, it is not without weaknesses.

One of the most troubling vulnerabilities is called 'Passback' - the practice of using someone else's credentials to gain entry. In this note, we take a look at the problem and how designers can minimize vulnerabilities, looking at:

  • Passback vs Tailgaiting
  • Software solutions including time limit and reader pattern and flow
  • Other solutions including biometrics, cameras, turnstiles and signange
  • Ignoring it

***** ******** ****** *** *****, **** ****-**** ****. ***** ********** Access ******* ***** **** ********* ***** ****, ** ** *** without **********.

*** ** *** **** ********* *************** ** ****** '********' - the ******** ** ***** ******* ****'* *********** ** **** *****. In **** ****, ** **** * **** ** *** ******* and *** ********* *** ******** ***************, ******* **:

  • ******** ** ***********
  • ******** ********* ********* **** ***** *** ****** ******* *** ****
  • ***** ********* ********* **********, *******, ********** *** ********
  • ******** **

[***************]

The ******* *******

'********' ** *** ********** **** *** '******* ***********', ***** **** the ******* ** *** ****** ******* ******* ** ******-******* *********. Suppose '****** *' ***** ***** ***** *** ****** ******* ********, but '****** *' ** *** ******* ****** **** *** ****. 'Passback' ****** **** '****** *' ***** ***** ***** ** '****** B' ** **** ****** *** **** ******.

**** ******** ** ******* ********** ** ******** * **** *** through ** **** **** ** ** ******* ******, ** ******* your ******** **** ******* ****. ** ****, ** ***** **** the ****** ** *** *********** ****** ** *** *** ** was ********, *** ** ***** ** ***** **** *** ****** has ** ********* ** * ********* ******.

Less ***** **** **********, ***** * *******

** ***** ** ******** *******, ********** ** * '******' ****, ***** ******** ** ********* **** *******.  Many ******** ****** ***** **** ****** *** ** **** **** to ********* *** ****** ******* ******, ***** ********** ********* ****** ignores **. ** ** *******, ******** ** ****** ** ****** with '****' ******* ** **** ****** ********* ** ***** ** avoid ******* ***********.

****** *******, '**********' ***** **** **** * **** *** **** opened ** * **********, ** ** **** **** ** **** more **** *** ********** ** ******* ** ****-*******. ** ******** ** 'passback', '**********' ****** ******** *** *********** ** **** ********** ***********. However '****-********' ********, ********** ***** ** *** '******* *** ****' variety, *** ** **** ** ****** *** '**********' *******. 

*** ****, *** ************* - ****** ******* ********.

Basic ******** *********

** ******* *** ****, ****** ******* ******* ***** ******* '****-********' controls, ***** ********* ********* * *** ** ******** ******* ** credential ***. *** *******:

**** *****:* **** ****** ** **** ** *** **** ****** ***** within * ******* ****** ** ****. ***** **** ********** * decidedly '***-****' ********, ** ** *** ******* ** *********. ****** limiting * **** ** ** **** ** *** **** ****** for * ****** ** * ** * ******* *********** *** convenience ** ********** '*******-****' * **********. *******, **** **** ** control *** ** ************ ** *****, ** *** ******** **** accidentally **** ********* ***** ******* * ****, ****** ********** ** a ************, ** **** **** ***** ********** ****** *** ******* re-credentialing ******* ** *******.

****** ******* *** ****: **** **** ** ******* ******** ********** ***** ****** * logical ******* ****** * ******. *** *******, * ********** **** be **** ** ** '***' ****** ****** ** *** ** used *** ** '**' ********. ******** * ********** ****** ** used ** ***** '******** *' ** '******** *' *** *** first **** ******. **** ****** ** ****-******** ** *** **** comprehensive ** *********** *** *******, *** ** ******** *** **** configuration *** ****** ** ******** ** ****** *** ***** ********** within * ********, **** ***** **** *** ************ ****.

**** ****** *** ****** ********** *** ******** ******** **** ****, but *** ***, ****** ******* ********** ******** ********. *** *****, more ****** *********, ********** ******** ********* ******* ********* ** ********.

Other *********

************ ******** ******** ********* ******** **** **** **** ********.  *** example, ** *** ********* ********* ** ************ *** ********** ******, **** **** ** ******** ***** **** *****, *** **** **** **% ** ***** ********* ********* ***** **** **** one ******** ******:

*** **** ****** '***** *********' ******* ***** ******** *****:

  • **********:* **** *** ** ******* ******** ** ** ********** ***** on ********** ******* ** '*********' ***********. ***** ****** *********** ** ****** ******** features ********* ***** **** *******.
  • *******: ******* ****** ******** ******** ***** ************ ******* ** ****** *** verify ** ****** *** ********* ** ****** ******.
  • **********:*** **** ****** '******' ****** **** ***** **********, ********* *****, or ******** ** ********** ******* **** **** ** ****** ****** entry ** *** ****.
  • *******:*** **** ****** '****' ******* ** ***** **** ********** ** passively ******* *** **** *** *** *** ** ***** ** remind ****** **** ******** *** ****** ******* ****** ** ********** security ********.

Ignoring ************ **** ******

*******, ******* *** ***** ********** ** *** ******* *** ******** the *****. ***** **% ** ********* **** **** ****** ** nothing, ******* ********** ** ** *** ******, ** ** ** *** enough ** * **** ** ******* ***************.

******** ** ****** *** ****** *** **** ******* *** ****, but ***** ** ********** *** *********** ** ********* *** **** invalidate *** ***** ******** **** ******* ***** ********** ****** ******* versus *********** ********** **** *** *****.

 

Comments (7)

Undisclosed #1

09/14/16 04:08pm

Good article. At least you started out okay. It seems that you are using the terms passback and piggyback as synonyms and then juxtaposing them to tailgating.

In their common use, tailgating and piggybacking are synonyms but passback is entirely different.

The big difference is that passback is an act done by two or more people specifically to deceive the system while tailgating (or piggybacking) is more commonly an act of convenience done by a single person.

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #1 | 09/14/16 04:41pm

I agree they are distinct issues, which is why our tailgating report (Tailgating - Access Control Tutorial) gets separate treatment.

However, the methods of dealing with both issues can be similar (ie: cameras, biometrics, signage) so that is where the lines blur a bit. Especially given the results of how APB is practically addressed, 'tailgating' enters the conversation.

If only dealing with tailgating was as simple as the 'antipassback' settings are!

Undisclosed #2

In reply to Brian Rhodes | 09/14/16 05:03pm

So is piggybacking "users sharing credentials" or not?

Thumbnail pp 5

Brian Rhodes

IPVMU Certified | In reply to Undisclosed #2 | 09/14/16 05:13pm

Piggybacking is one form of sharing credentials.

Igor Falomkin

AxxonSoft | 09/15/16 05:34am

Thank you for this article. The problem may be solved using face verification. Using it an access control management software checks that it's exactly card owner has applied the card. I'm from AxxonSoft and this scenario is frequently used by our partners. It's much more reliable than face recognition itself, may be used at must important access control points only and does not need physical contact like fingerprint readers.

Thumbnail skip headshot

Skip Cusack

In reply to Igor Falomkin | 09/19/16 02:20pm

Igor, are you making the point that biometric authentication, unlike possession and knowledge authentication, makes passback much less likely? If so, I agree, but the type of authentication does not impact the likelihood of tailgating or piggybacking as far as I can figure....

Thumbnail skip headshot

Skip Cusack

09/19/16 02:00pm

Brian, good article, as always. Passback is very different from Tailgating or Piggybacking. Tailgating is when somebody tucks in behind an authorized user without their knowledge or consent. Piggybacking is when the authorized user is complicit in allowing the unauthorized user through the portal.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Access Control

UTC, Owner of Lenel, Acquires S2 on Sep 20, 2018
UTC now owns two of the biggest access control providers, one of integrator's most hated access control platforms, Lenel, and one of their...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
Door Fundamentals For Access Control Guide on Sep 12, 2018
Assuming every door can be secured with either a maglock or an electric strike can be a painful assumption in the field. While those items can be...
Access Control Course Fall 2018 on Sep 06, 2018
Registration IS CLOSED ends this Thursday. Register now. If you are looking to strengthen your ability to design and deploy access systems or...
Drain Wire For Access Control Reader Tutorial on Sep 04, 2018
An easy-to-miss cabling specification plays a key role in access control, yet it is commonly ignored. The drain wire offers protection for readers...
Directory Of 110+ Video Management Software (VMS) Suppliers on Aug 30, 2018
This directory provides a list of Video Management Software providers to help you see and research what options are available. Listing...
Exit Devices For Access Control Tutorial on Aug 28, 2018
Exit Devices, also called 'Panic Bars' or 'Crash Bars' are required by safety codes the world over, and become integral parts of electronic access...
Assa Aperio Wireless Access Reader R100 Tested on Aug 23, 2018
Wireless access control is frequently promoted by manufacturers as a way to cut installation costs. Perhaps the biggest proponent of this is mega...
Synology Surveillance Station VMS Tested on Aug 22, 2018
With so many low-cost NVRs and enterprise VMSes, is there any place in the market for NAS-based VMSes? Recently, IPVM bought a Synology NAS for...
Backup Power For Maglocks Guide on Aug 20, 2018
When the main power fails, many believe maglocks must leave doors unlocked. However, battery backed up maglocks are allowed according to IBC /...

Most Recent Industry Reports

Alexa Guard Expands Amazon's Security Offerings, Boosts ADT's Stock on Sep 21, 2018
Amazon is expanding their security offerings yet again, this time with Alexa Guard that delivers security audio analytics and a virtual "Fake...
UTC, Owner of Lenel, Acquires S2 on Sep 20, 2018
UTC now owns two of the biggest access control providers, one of integrator's most hated access control platforms, Lenel, and one of their...
BluePoint Aims To Bring Life-Safety Mind-Set To Police Pull Stations on Sep 20, 2018
Fire alarm pull stations are commonplace but police ones are not. A self-funded startup, BluePoint Alert Solutions is aiming to make police pull...
SIA Plays Dumb On OEMs And Hikua Ban on Sep 20, 2018
OEMs widely pretend to be 'manufacturers', deceiving their customers and putting them at risk for cybersecurity attacks and, soon, violation of US...
Axis Vs. Hikvision IR PTZ Shootout on Sep 20, 2018
Hikvision has their high-end dual-sensor DarkfighterX. Axis has their high-end concealed IR Q6125-LE. Which is better? We bought both and tested...
Avigilon Announces AI-Powered H5 Camera Development on Sep 19, 2018
Avigilon will be showcasing "next-generation AI" at next week's ASIS GSX. In an atypical move, the company is not actually releasing these...
Favorite Request-to-Exit (RTE) Manufacturers 2018 on Sep 19, 2018
Request To Exit devices like motion sensors and lock releasing push-buttons are a part of almost every access install, but who makes the equipment...
25% China Tariffs Finalized For 2019, 10% Start Now, Includes Select Video Surveillance on Sep 18, 2018
A surprise move: In July, when the most recent tariff round was first announced, the tariffs were only scheduled for 10%. However, now, the US...
Central Stations Face Off Against NFPA On Fire Monitoring on Sep 18, 2018
Central stations are facing off against the NFPA over what they call anti-competitive language in NFPA 72, the standard that covers fire alarms....
Hikvision USA Starts Layoffs on Sep 18, 2018
Hikvision USA has started layoffs, just weeks after the US government ban was passed into law. Inside this note, we examine: The important...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact