printer friendly version

The evolved principles of anti-pass-back

The term anti-pass-back is well known in the time & attendance and access control industry. For different people, this term has come to have different meanings. In its broadest sense, the concept of anti-pass-back can be viewed from three different angles:

1. Pass-back: Using token-based identification systems (cards, dongles, etc.), an employee is able to clock in through an access control system, and then pass his/her card back to one another person to use the same access token to gain entrance to a restricted area. This makes the employer vulnerable to having unauthorised personnel on his/her premises.

2. Pass-on: Conversely, having an employee sending his identification token to work with one of his colleagues, allows for the erroneous recording of working hours without having to physically show up for work. Needless to state that this kind of pass-on behaviour has a direct impact on a company’s wage bill, as productivity figures and presenteeism statistics are almost impossible to rely on with 100% certainty.

3. Tailgating: Tailgating refers to an employee following another employee through a door, boom gate, or any other access controlled mechanism without presenting his credentials. This can – to a large extent – be mitigated by the use of turnstiles. But even this is not foolproof (ask the skinny guys). If the necessity of providing credentials – be it token based or biometric – cannot be enforced, no system can prevent tailgating from occurring. In this instance, the system as a whole fails, and it is therefore a point that should be mentioned, but excluded from further discussions in this writing.

Dr Liam Terblanche

The anti-anti-pass-back

To combat these kinds of fraudulent behaviour, various solutions have been developed around the following principles: traditional-, regional-, timed- and nested anti-pass-back control.

Traditional anti-pass-back is a mechanism that simply relies on the alternative recording of In vs. Out movement. A person entering a parking lot must drive through the IN gate before being allowed to leave through the OUT gate.

Regional anti-pass-back takes this one step further in that the rules build on one another to provide better logic and control through various regions. A typical example of regional anti-pass-back is where a system disallows the entrance into a building if it was not preceded by an entrance onto the premises.

Timed anti-pass-back is a cost-saving solution where the system simply ‘forgets’ the status of a person after a given amount of time. An example would be entrance into a work area where a person can re-enter the same door without having to clock OUT through another door, if, say 20 minutes, have elapsed since the previous clocking.

The last iteration of the anti-pass-back principle is that of nested anti-pass-back where a designated sequence of entering/exiting certain doors is being enforced. This is typically implemented in high-security areas where the actual predetermined sequence forms part of the security of the system as a whole.

So how is anti-pass-back enforced?

‘Hard’ anti-pass-back simply denies access when the predetermined anti-pass-back rules are not met. ‘Soft’ anti-pass-back has a more forgiving approach in that it allows access through the controlled area, but follows that with a notification to the administrator that the anti-pass-back rules have been violated. It has been found that the soft approach has the added benefit of not creating bottlenecks at high-usage areas like turnstiles whilst hundreds of fellow employees try to enter the premises at the same time. Consultative and even disciplinary processes typically forms part of the soft anti-pass-back implementation.

Does biometrics spell the end of anti-pass-back requirements?

If one precludes the principle of tailgating, pass-back and pass-on behaviour, anti-pass-back in its traditional sense become irrelevant. It is physically impossible to clock through a device and then pass on ones fingerprint to another person to move through that same controlled point. But like every absolute, there is a way around it.

What has been found is that an employee may stand to the side of a turnstile, clock with his finger, and then stand back so that his friend steps through the now unlocked turnstile. He would then proceed to produce his biometric credentials again, to gain access to the premises for himself.

Although timed-anti-pass-back can mitigate this risk by introducing a delay before the same person can clock again, most modern-day biometric solutions are configured to act in isolation, meaning that the person can simply walk over to the next turnstile and clock in again within seconds after his first clocking.

The solution

Traditional token-based access control solutions required dedicated cabling so that real-time control could be established and hard anti-pass-back rules enforced. With modern-day biometric devices where access rules, time masks, public holidays and shift requirements can be loaded onto the device itself, the cost of installing these solutions has been hugely reduced as a simple network access point is typically all that is needed.

As soon as hard anti-pass-back control is required, however, additional dedicated communication between these devices re-introduces the cost of more cabling, Wiegand interfacing, additional controllers, and backup systems. The author is of the opinion that soft anti-pass-back in conjunction with biometric access control solutions is by far the simplest, most affordable, and almost equally secure solution available.

Proper configuration of the warning system of the soft solution is imperative. If a person misbehaves as in the example mentioned above, a warning – either via e-mail or SMS – to his superior could result in immediate intervention without breaching any security constraints.

In the end, it is a risk/cost trade-off. Having a real-time hard anti-pass-back system in conjunction with biometrics is by far the most secure solution one can have, and one would imagine various instances where this requirement would be a non-negotiable. Gaols and nuclear reactors are just two of those that spring to mind.

But for a large number of traditionally hard anti-pass-back scenarios, the replacement of token-based identification systems with that of biometrics eliminates the concepts of pass-back and pass-on behaviours to a large degree. Using timed anti-pass-back on the devices and soft enforcement of the anti-pass-back rules, a biometric access control solution can give you very similar levels of security at a fraction of the cost.

Share this article:

Further reading: