The evolved principles of anti-pass-back

July 2012 Access Control & Identity Management

The term anti-pass-back is well known in the time & attendance and access control industry. For different people, this term has come to have different meanings. In its broadest sense, the concept of anti-pass-back can be viewed from three different angles:

1. Pass-back: Using token-based identification systems (cards, dongles, etc.), an employee is able to clock in through an access control system, and then pass his/her card back to one another person to use the same access token to gain entrance to a restricted area. This makes the employer vulnerable to having unauthorised personnel on his/her premises.

2. Pass-on: Conversely, having an employee sending his identification token to work with one of his colleagues, allows for the erroneous recording of working hours without having to physically show up for work. Needless to state that this kind of pass-on behaviour has a direct impact on a company’s wage bill, as productivity figures and presenteeism statistics are almost impossible to rely on with 100% certainty.

3. Tailgating: Tailgating refers to an employee following another employee through a door, boom gate, or any other access controlled mechanism without presenting his credentials. This can – to a large extent – be mitigated by the use of turnstiles. But even this is not foolproof (ask the skinny guys). If the necessity of providing credentials – be it token based or biometric – cannot be enforced, no system can prevent tailgating from occurring. In this instance, the system as a whole fails, and it is therefore a point that should be mentioned, but excluded from further discussions in this writing.

Dr Liam Terblanche
Dr Liam Terblanche

The anti-anti-pass-back

To combat these kinds of fraudulent behaviour, various solutions have been developed around the following principles: traditional-, regional-, timed- and nested anti-pass-back control.

Traditional anti-pass-back is a mechanism that simply relies on the alternative recording of In vs. Out movement. A person entering a parking lot must drive through the IN gate before being allowed to leave through the OUT gate.

Regional anti-pass-back takes this one step further in that the rules build on one another to provide better logic and control through various regions. A typical example of regional anti-pass-back is where a system disallows the entrance into a building if it was not preceded by an entrance onto the premises.

Timed anti-pass-back is a cost-saving solution where the system simply ‘forgets’ the status of a person after a given amount of time. An example would be entrance into a work area where a person can re-enter the same door without having to clock OUT through another door, if, say 20 minutes, have elapsed since the previous clocking.

The last iteration of the anti-pass-back principle is that of nested anti-pass-back where a designated sequence of entering/exiting certain doors is being enforced. This is typically implemented in high-security areas where the actual predetermined sequence forms part of the security of the system as a whole.

So how is anti-pass-back enforced?

‘Hard’ anti-pass-back simply denies access when the predetermined anti-pass-back rules are not met. ‘Soft’ anti-pass-back has a more forgiving approach in that it allows access through the controlled area, but follows that with a notification to the administrator that the anti-pass-back rules have been violated. It has been found that the soft approach has the added benefit of not creating bottlenecks at high-usage areas like turnstiles whilst hundreds of fellow employees try to enter the premises at the same time. Consultative and even disciplinary processes typically forms part of the soft anti-pass-back implementation.

Does biometrics spell the end of anti-pass-back requirements?

If one precludes the principle of tailgating, pass-back and pass-on behaviour, anti-pass-back in its traditional sense become irrelevant. It is physically impossible to clock through a device and then pass on ones fingerprint to another person to move through that same controlled point. But like every absolute, there is a way around it.

What has been found is that an employee may stand to the side of a turnstile, clock with his finger, and then stand back so that his friend steps through the now unlocked turnstile. He would then proceed to produce his biometric credentials again, to gain access to the premises for himself.

Although timed-anti-pass-back can mitigate this risk by introducing a delay before the same person can clock again, most modern-day biometric solutions are configured to act in isolation, meaning that the person can simply walk over to the next turnstile and clock in again within seconds after his first clocking.

The solution

Traditional token-based access control solutions required dedicated cabling so that real-time control could be established and hard anti-pass-back rules enforced. With modern-day biometric devices where access rules, time masks, public holidays and shift requirements can be loaded onto the device itself, the cost of installing these solutions has been hugely reduced as a simple network access point is typically all that is needed.

As soon as hard anti-pass-back control is required, however, additional dedicated communication between these devices re-introduces the cost of more cabling, Wiegand interfacing, additional controllers, and backup systems. The author is of the opinion that soft anti-pass-back in conjunction with biometric access control solutions is by far the simplest, most affordable, and almost equally secure solution available.

Proper configuration of the warning system of the soft solution is imperative. If a person misbehaves as in the example mentioned above, a warning – either via e-mail or SMS – to his superior could result in immediate intervention without breaching any security constraints.

In the end, it is a risk/cost trade-off. Having a real-time hard anti-pass-back system in conjunction with biometrics is by far the most secure solution one can have, and one would imagine various instances where this requirement would be a non-negotiable. Gaols and nuclear reactors are just two of those that spring to mind.

But for a large number of traditionally hard anti-pass-back scenarios, the replacement of token-based identification systems with that of biometrics eliminates the concepts of pass-back and pass-on behaviours to a large degree. Using timed anti-pass-back on the devices and soft enforcement of the anti-pass-back rules, a biometric access control solution can give you very similar levels of security at a fraction of the cost.

For more information contact Accsys, +27 (0)11 719 8000, [email protected],

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Gallagher Security launches Augmented Reality Training in Australia
Gallagher Training & Education Access Control & Identity Management
Gallagher Security has announced the latest addition to its innovative suite of training solutions, Augmented Reality Training, demonstrating its continued commitment to innovation and improving access to security training opportunities.

Fluss launches the next wave of IoT solutions
IoT & Automation Access Control & Identity Management News & Events
Fluss has announced its newest IoT product; Fluss+ continues to allow users to manage access from anywhere globally and brings with it all the advantages of Wi-Fi connectivity.

The future of digital identity in South Africa
Editor's Choice Access Control & Identity Management
When it comes to accessing essential services, such as national medical care, grants and the ability to vote in elections to shape national policy, a valid identity document is critical.

Defending against SIM swap fraud
Access Control & Identity Management
Mobile networks must not be complacent about SIM swap fraud, and they need to prioritise the protection of customers, according to Gur Geva, Founder and CEO of iiDENTIFii.

Access Selection Guide 2024
Access Control & Identity Management
The Access Selection Guide 2024 includes a range of devices geared specifically for the access control and identity management market.

Biometrics Selection Guide 2024
Access Control & Identity Management
The Biometrics Selection Guide 2024 incorporates a number of hardware and software biometric identification systems aimed at the access and identity management market of today.

Smart intercoms for Sky House Projects
Nology Access Control & Identity Management Residential Estate (Industry)
DNAKE’s easy and smart intercom solution has everything in place for modern residential buildings. Hence, the developer selected DNAKE video intercoms to round out upmarket apartment complexes, supported by the mobile app.

Authentic identity
HID Global Access Control & Identity Management
As the world has become global and digital, traditional means for confirming authentic identity, and understanding what is real and what is fake have become impractical.

Research labs secured with STid Mobile ID
Access Control & Identity Management
When NTT opened its research centre in Silicon Valley, it was looking for a high-security expert capable of protecting the company’s sensitive data. STid readers and mobile ID solutions formed part of the solution.

Is voice biometrics in banking secure enough?
Access Control & Identity Management AI & Data Analytics
As incidents of banking fraud grow exponentially and become increasingly sophisticated, it is time to question whether voice banking is a safe option for consumers.