Defence methods against tailgating

Question

This is a follow-up question to this one: Roles to play when tailgaiting into a residential building

How do you protect yourself or your company against tailgaters? What is the best answer when you are asked by, let's say the delivery guy, to let you in?

Is there data about where/when tailgating is most likely? For example, I've seen places where dozens of people go out for smoke breaks at the same time, and return at the same time, and this smoking area is outside a standard entrance. It seems to me that this would be an ideal time/location for a tailgater to get in. — Andy Lester, Nov 18 '18 at 20:51
@AndyLester "most likey"? No, I have not seen data. But there is a lot of data about how physical pen testers have been successful, and the "smoke break" route is the common vector. — schroeder, Nov 19 '18 at 10:38
A [simple set of doors](https://i.stack.imgur.com/1jypR.gif) with someone to ask how they came to be on private property without permission, and cameras to catch the *doorman* whom lets the randoms in. When it comes down to "We can't catch the *other* person, but **you** let them in." no one will trade reprimand and their job to let a stranger in. — Rob, Nov 21 '18 at 02:44

score 138 · Accepted Answer · answered Nov 16 '18 at 15:24

138

This is not a problem that has a social solution. No amount of corporate policy will save you. Humans are social animals. In the end, if people can let other people in, they will. Even if you may be very security aware and not let anyone in, 95% of your collegues will act differently.

You have to work with human nature, not against it.

So if you want to stop tailgating, you'll need one of these, perferably placed in a reception with human supervision:

answered Nov 16 '18 at 15:24

Anders

64,406
24
178
215

64

there are nicer-looking gates :) – schroeder Nov 16 '18 at 15:34
4

@schroeder Indeed. I've seen Metro/subway turnstiles/gates at occasional office buildings, though its not quite as secure. – mbrig Nov 16 '18 at 16:25
Exactly whats in my office, although it's made of glass and the human supervisor requires to see my pass. – deltzy Nov 16 '18 at 18:54
2

Also stops people from say, propping open key-carded doors the way they tend to do in my building. – Jared Smith Nov 16 '18 at 19:01
1

Does this actually work? All of these gates that I've seen in real life have surely enough space for 2 people. And you cannot really fix this without banning fat people from working for you. – Bakuriu Nov 16 '18 at 20:15
65

@Bakuriu Most of the turnstiles I've seen like this have enough room for me and someone I know pretty well, but not enough room for me and a total stranger. It'd be pretty awkward to tailgate through one of these. – Nuclear Hoagie Nov 16 '18 at 20:22
3

@Bakuriu, I certainly do remember one at a back entrance where two normal adults would not fit. At the front entrance there was a normal, more comfortable, turnstile, but there was also security guard there. – Jan Hudec Nov 16 '18 at 20:48
An additional measure to the gate would also be to have security guards that watch for tailgaters or unauthorized people in general patrol the office occasionally as everybody is required to wear their badge in a visible manner. – RandomUs1r Nov 16 '18 at 23:40
7

@Bakuriu there are better doors that physically don't allow anyone to fit in. Somewhat extreme example in this answer https://worldbuilding.stackexchange.com/a/126499/39218 to a question in Worldbuilding SE. – Gnudiff Nov 17 '18 at 07:39
2

I was at a company that made us clock out via these in order to get a water or bathroom break. – aaaaaa Nov 17 '18 at 15:46
1

This is what amazon uses at their fulfillment centers in order for employees to take the floor. Under somewhat heavy scrutiny, too. I believe 2-3 security personnel are always observing – Mark Nov 18 '18 at 12:59
2

An upgrade to this is what I've heard referred to as a "man trap". Essentially there is a keyed door that leads to a corridor which leads to another keyed door. If more than one person is in the corridor, both doors lock. This is typically only used in high-security situations but I can imagine things like this becoming more mainstream, perhaps with an exit for safety reasons. – JimmyJames Nov 19 '18 at 21:17
@NuclearWang: On the other hand, it can be hard to pass with a cake for a colleague's birthday, or worse a stroller, ... – Matthieu M. Nov 20 '18 at 15:34
@JimmyJames How does a man trap detect multiple people? – Nosajimiki Nov 20 '18 at 15:34
2

@MatthieuM. Part of why I'm not fond of this answer is that many turnstiles I've seen have normal doors right next to them to avoid discrimination lawsuits from people who are overweight or in a wheelchair. Human nature becomes a problem because many normal employees will choose to use the regular door. I once worked at a Microsoft building where nearly half the people there choose the normal door, and most people did not even know they were not supposed to. – Nosajimiki Nov 20 '18 at 15:40
@Nosajimiki I'm not sure of the details of actual implementations. I can think of a few possible solutions using motion detectors, cameras, etc. Given that autonomous cars can identify pedestrians, it has to be a lot easier to do in a controlled situation like an empty corridor. – JimmyJames Nov 20 '18 at 15:41
I know a guy who once made it his project to _always_ tailgate his way into the YoYoDyne Industries main building where he worked, and had a keycard for.The motivation was, as I understand it, a combination of "let's see what happens" and "how long can I keep this streak going of never having to swipe my keycard". It's hard to even discern motivation (evil or otherwise) of actors (bad or otherwise) who tailgate. – Nov 20 '18 at 18:31
1

@mbrig The transit-style gates are more secure than mechanical turnstiles. They use light beams to measure the width of the person passing through and sound an alarm and close when two people are detected. They also are accessible for the disabled. Transit gates have the problem of people avoiding fare payment, so similar technology is useful for both. – user71659 Nov 20 '18 at 22:23
@user71659 anything somebody can hop over is clearly less secure than the rather ugly cage system in the photo in the answer, – mbrig Nov 20 '18 at 22:26
@mbrig They have gates that use swinging pieces of glass that are shoulder height, avoiding this problem. I believe that tall gates like pictured aren't used anymore in transit applications due to the threat of stampede, you need to keep an open passage to prevent people from feeling trapped in, and have the ability to break down the barrier if there is a stampede. Life safety over fare collection. – user71659 Nov 20 '18 at 22:33
@jdv - I used a temporary visitor card for about a year. Not because I wasn't entitled to a real badge but more out of a sense of curiosity. No-one (*officially*) told me to get a badge and no-one ever stopped me on my way through the gate. – Richard Nov 21 '18 at 08:00
@Richard I guess it's no surprise that curious technical people are always going to find ways to have unofficial fun with your security infrastructure! (He says as he goes back to _working on a Smartcard security solution_.) – Nov 21 '18 at 14:51
1

Transit gates don't need to be high security. While fare jumpers are annoying, they're hardly the end of the world. The main design goal of transit gates is high traffic and they generally are only mainly acting as a reminder for honest people to tap their transit card, and only to raise the bar high enough to make it awkward/embarassing for the dishonest ones as they'd attract attention. – Lie Ryan Nov 21 '18 at 15:34
For high protection there are mantraps. It's like an electronic turnstile. You get in. Once there's weight/video the chamber rotates in order to lock you in. You auth inside and then the rotation chamber rotates again in inwards facing direction. They have a maximum load of one person. This is guaranteed by space and video surveillance. If multiple people are detected or auth doesn't check out usually the guards will need to show up and help you out (+ shame factor). I have seen this in datacenters and in banking. Keep in mind that these are slow and expensive and ill-fit for "usual" sec level – BlueWizard Nov 25 '18 at 09:09

score 63 · Answer 2 · answered Nov 16 '18 at 15:28

63

You protect yourself by politely challenging people who are trying to get in without using the controls. You simply ask to see their pass or offer to escort them to reception/security. I use the simple phrase, "I'm sorry, I do not know who you are so I cannot just let you in. May I escort you to reception?" If they resist, I monitor them and quietly inform security. For me, it doesn't matter if they are the CEO or a delivery person.

The company protects itself by

installing physical gates that only allow one person in at a time
controls that prevent the same passcard being used on the same side of the gate
human monitors to detect tailgating
training people to politely challenge those trying to get in without using the proper methods

answered Nov 16 '18 at 15:28

schroeder

123,438
55
284
319

24

"I'm sorry, I do not know who you are" - this risks offending people who expect you to know who they are, which can have nasty consequences, especially if you're below-average at remembering people's appearances. Even if the official security policy says it doesn't matter who they are, it matters in practice. – user2357112 Nov 16 '18 at 21:11
35

@user2357112 do you have an alternate phrase to use? Because in no way should you let someone in just to avoid social awkwardness. And yes, I have said that to CEOs. The security policy should matter more than egos. It NEEDS to matter more than egos. – schroeder Nov 16 '18 at 21:20
2

This seems to be open to cases when you do know who they are, but they are still not authorised to get in. I.e. recently dismissed colleague. – trailmax Nov 16 '18 at 22:00
2

"The security policy should matter more than egos. It NEEDS to matter more than egos." - but unless it matters that much to everyone around you, you risk becoming the workplace pariah, or, say, getting fired for racism after several incidents where the people you don't recognize happen to be of the same race. Also, in case it wasn't clear, "offending people who expect you to know who they are" includes cases where you do know who they are, in which case saying you don't is extremely offensive. – user2357112 Nov 16 '18 at 22:17
36

There are two kinds of CEOs: ones that will be pissed, and ones that will applaud you. Either way, you get to find out whether your CEO has your back or not, so it's a win for you. – Jörg W Mittag Nov 16 '18 at 22:17
6

@user2357112 If you work in a country where people of a different race can do what they like (including getting you fired) simply because they are a different race, that isn't an Information Security issue, it's a Human Rights issue. – alephzero Nov 16 '18 at 22:41
6

@alephzero No, it is an information security issue because it changes your threat model. – forest Nov 16 '18 at 23:15
42

Our company is teaching this every three months for years, and makes everyone sign that they got it. Effect: zero. 95% of people hold the door for anyone that doesn't look like a bum. – Aganju Nov 17 '18 at 03:54
1

Doing this is definitely a job for a security guard, not regular employees. Such duties are not in my job description, and I don't have the visible signs of authority (uniform, badge) that justify confronting and potentially offending people. – dbkk Nov 19 '18 at 07:51
6

@dbkk "Tailgating" means that you *choose* to allow someone into a secured door through which you have permission and an access key. It *is* in your job description to protect the assests that you have been entrusted with. You need no uniform or badge, you need only the access key. If it was a public door, then yes, you would be correct that a guard would be required. – schroeder Nov 19 '18 at 08:48
20

If you're after an alternative phrase that doesn't risk offending people, I tend to use "Sorry, have you got your badge?". Suggesting that it might be in their pocket or tucked into their coat is far more polite than suggesting they're a criminal. If they actually can't produce it, then procedure is for employees to go to reception or security and ask for a temp pass anyway - "Oh, you forgot it? Been there before. You know reception can sort you out? Shall I take you?" - I'm trying to be helpful and sympathetic but pretty clearly enforcing that they can't come in without a pass. – ymbirtt Nov 19 '18 at 10:28
2

@Aganju So your company needs random physical pentesting at least once every three months. Bonus points if you can get the CEO, or the head of security, to try to sneak in without their badge... – user Nov 19 '18 at 18:45
@aCVn , I agree, but that is far above my pay grade. We have over 6000 sites worldwide, and I haven't met anyone three levels below the CEO in 30+ years... – Aganju Nov 19 '18 at 20:38
@aCVn, hopefully your employees will know the CEO by sight at least from photos. (Although I've heard stories where the senior executive was asked to show his badge while "tailgating," by someone completely green, in their first week—and happily and politely did so, not even bother telling to tell the person who he was.) – Wildcard Nov 19 '18 at 20:39
1

I have a problem with the quote "I'm sorry, I do not know who you are so I cannot just let you in" from the *other* direction - the assumption that you'd let them in if you *did* know them. That's still bad - it doesn't stop the disgruntled employee who was fired the week before from getting into the building. You should be walking *all* employees without a bad to the receptionist, not just the ones you don't know. – Kevin Nov 19 '18 at 20:53
1

@Kevin implication does not matter because it is not true. But it makes the situation about me and not them. – schroeder Nov 19 '18 at 20:58
Another way of getting their attention and addressing the issue could be, "Hi, may I help you?" (as they're preparing to tailgate). Once you catch their attention, you then could venture into mentioning something such as, "It's our policy to ensure every person entering uses their own badge/card/key, etc." – waxwing Nov 23 '18 at 08:44

score 39 · Answer 3 · answered Nov 16 '18 at 18:21

39

The cheap solution is to put up scary “no tailgating - everyone must badge in at this door - no exceptions - don’t risk your job - report all tailgate requests to Joe at 123-456-7890” signs at each unattended controlled portal. Make sure there are obvious cameras in the vicinity.

If you want people to challenge someone, it’s much easier for them to do so when they have something to back up their assertions. That way they can point to the sign and blame it, instead of coming up with their own reason.

answered Nov 16 '18 at 18:21

John Deters

33,650
3
57
110

3

"Make sure there are obvious cameras in the vicinity" -- and if you want to be paranoid, non-obvious, hidden ones that catch things from different angles. – Nic Nov 19 '18 at 20:57
9

The point is less to investigate the tailgaters than to give the employees a policy sign to blame. Tailgating is a social problem, and you want your employees to have to deal with it as little as possible. – John Deters Nov 19 '18 at 21:01
I'm aware. That's why the extra cameras would be an additional security measure ("if you want to be paranoid"). – Nic Nov 19 '18 at 21:04

Petr · Answer 4 · 2018-11-16T19:06:03.310

28

(Just a passer-by opinion)

Obviously, a physical gate would work the best.

In case you don't want to install these, you may try to request all employees to challenge tailgaters, as schroeder suggests. However, I want to underline one distinction that I find important.

One my employer had the policy "do not allow strangers in, but allow people that you know, even if they do not scan their bage etc.". I have always found this to be somewhat embarassing. I have a bad memory on faces, so I can easily not recognise one of my peers, and if I ask them who they are, this will be an embarassing situation. I believe this is the main reason why such policies do not work good.

At the same time, another my employer had a different policy: "everybody must scan their badge, even if they come in as a group". And it was followed; even if we a group of peers were going to a canteen together, everybody in the group would scan their badge at a controlled door. This makes much easier for employees to control tailgating. In normal situation everybody will scan their badge with a distinct beep. If someone follows me and I do not hear a beep, then I am absolutely not that embarrassed to challenge them. Just because in case he is in fact my peer, he has already done something (a bit) wrong, and thus it's ok for me to challenge him.

edited Nov 16 '18 at 19:06

answered Nov 16 '18 at 17:23

Petr

381
2
5

14

The problem with letting in people that you recognise is the case when the employee was recently let go. – schroeder Nov 16 '18 at 19:17
18

Our company policy is the "everybody must scan" sort. If the CEO of the company forgot his badge and wanted to tailgate through on my swipe, I'd have to tell him "Sorry, sir. I'll be happy to sign the log with the front-desk guard to get you into the building as my guest, since I recognize you, (and they are going to ask you to show your government-issued photo ID for the log, just in case you're a look-alike who fooled me, _and_ make you hang a Visitor badge around your neck) but I won't subvert security policy by letting you enter without going through that documented-exception process." – Monty Harder Nov 16 '18 at 21:25
What do you mean by "a physical gate would work the best"? Tailgating is when someone with access lets someone in _through a gate_, literally. What is a gate if not physical? – pipe Nov 19 '18 at 15:45
6

@pipe there are "single person" gates and doors that make it to where only one person can reasonably fit through at a time. A normal door you can swing open and easily let in a dozen people before someone lets it close. Access control gates make it almost impossible for two people to pass, or at least make it uncomfortable enough that people would rather not do it. – JPhi1618 Nov 19 '18 at 18:51

score 14 · Answer 5 · answered Nov 17 '18 at 02:55

14

As a receptionist, I am trained to vet everyone who comes into the building. If I do not recognize that person, I immediately ask if they need help with anything, and who they have come to see. If they attempt to act with a sense of urgency or authority, then I notify them that they must sign in before entering the building because of food safety protocols, and continue to ask them about the details about why they are here, and then let the person responsible for meeting with them or checking up on them know that they are here.

Our office is relatively relaxed so we let a variety of people in, but typically having several procedures to "slow a person down" like having to sign in, talk to and be vetted by at least one person, and be directed to where they need to go can be very beneficial.

answered Nov 17 '18 at 02:55

William Michael

141
2

6

Unauthorized tailgaters rarely use the front door. The main concern for this subject is going to be those back-doors that make it easy to convince someone on their smoke break to let you into an unsupervised entrance. There are many social engineering tricks to beating receptionists, but that is a different question. – Nosajimiki Nov 17 '18 at 07:22
2

If a building has multiple entrances with a main reception desk, it would seem like the only logical thing to do in that situation would be to either have the receptionist have access to camera systems for other entrances, someone in IT, or a full/part time security guard. Edit : Posted before I finished my comment. As you stated in your response, people will find workarounds when it comes to social encounters, so the only way to ensure this doesn't happen would be to put procedures in place to have people dissociated enough to actually pay attention to these kinds of things. – William Michael Nov 18 '18 at 06:23

PyRulez · Answer 6 · 2018-11-17T16:16:12.953

11

One solution is to have "secret drills".

Ask someone to let you in without a badge. Try and convince them as best you can to let you in. If they let you in without a badge, fire them. Otherwise, reward them.

Okay, it does not need to be that severe, but the point is that the secret drills should be frequent, and there is a clear incentive not to let you in much greater than the social consequences. You might want to start with a more reward focused approach, but as the employees become aware of the secret drills, you should move more towards punishment, since they should "no better".

Of course, don't always use yourself. Use the CEO. Use their immediate boss. Use other employees (although be careful with this, since the employees might let others know they are part of the secret drill. Fake employees might be better). Use someone on a phone just walking in. Use a smoking clown with with a fire axe on his back and a police cap on the head holding 6 packages with a clipboard lying on top demanding to enter the building to check on his elderly mother because he is worried that there is a gas leak.

edited Nov 17 '18 at 16:16

answered Nov 17 '18 at 15:56

PyRulez

2,937
4
15
29

10

`One solution is to have "secret drills".` so...a rather standard pentest? `If they let you in without a badge, fire them.` which would be *terrible* for morale. It's also pretty hard to enforce this the more people work in a building. Especially in a shared office building. What are you going to do if somebody from another company lets you in? Or maybe one of their guests for the day? – VLAZ Nov 17 '18 at 18:08
@vlaz well, kind of. The purpose would be training though, not testing. Also, I did say that was a bit of an exaggeration. Also, you could report it to the person's employers, who wouldn't be happy. – PyRulez Nov 17 '18 at 18:10
5

there's no company in the world that has enough money to pay me to work for them and have such a policy. If the company can't solve their security issues without getting into my business at the company, it's their own damn fault, and there's no reason I have to pay for it. – Andrei Nov 18 '18 at 13:22
3

@Andrei I don't quite understand what you mean by that. This is a threat vector that pretty much only exists due to individual employee behaviors. The issue is the employees letting unauthorized people in, so the only way to solve the security issue would involve "getting into your business at the company" by making sure you follow security protocol (or full-time security at entrance points and a high-tech system, which is costly). I don't see how this would be any different than breaking other security policies. Every user of the system has some role in security. – JMac Nov 19 '18 at 14:45
@JMac The issue is not employees letting unauthorized people in, but unauthorized people getting in by tailgating. As an employee with a non-security job, it is not my job to police the door. The threat is actually caused by improper enforcement of a security policy, and the idea above is the worst ever. In the building I am working, at the backdoor, they replaced the old door with a revolving one in which only 1 person can comfortably fit. Tailgating is now impossible, unless the tailgater gets in the personal space of the employee, which would obviously cause the employee to react. – Andrei Nov 19 '18 at 15:02
@JMac In the same building, at the front door, you first get in through a large revolving door in a guest waiting area, and then you pass some gates with a card, that immediately close after you pass, because they sensed that you passed (not time based). Those gates can be easily jumped over, but that's a sure way to draw the attention of the security people. Again, technically, a tail could stay literally stick to an employee and the system would recognize it as a large person, but I doubt any employee is fine with a stranger hugging them while they pass the gates. – Andrei Nov 19 '18 at 15:08
7

@Andrei Security practices should never only be the responsibility of the employees with security jobs. They would come up with the policies, and attempt to enforce them; but that doesn't mean regular employees can ignore security entirely. Your employees should be trained to not allow tailgaters at all. Sometimes installing turnstiles and the measures you talk about (such as security guards) is prohibitively expensive. That doesn't mean you can't have security practices in place with your employees, and enforce those practices. Low-overhead companies may need security too. – JMac Nov 19 '18 at 15:14
@Andrei While I agree that a revolving door can help, you are missing that humans are prone to WANT to help others. If that tailgater is for example holding a large box of stuff, and asks you to swipe your card for him, most people will do it to be nice if they are not properly trained. Human behavior is literally the easiest target in any secure system. – Nosajimiki Nov 19 '18 at 15:15
1

@PyRulez That said, there is also risk in drills using your own employees. If you know Chad in the IT department might write you up if you let him in, then you can become wary of the people you know, but still complacent with strangers with a clipboard which is the opposite of what you want. The best drills are done by outsourcing a CEH or similar professional who knows the common conns to earn trust, to see if your employees will obey policy when it really matters. – Nosajimiki Nov 19 '18 at 15:21
@Nosajimiki I agree, but what you describe is not tailgating, but social hacking, different problem, with different solutions. The problem at stake was tailgating, i.e. an employee swipes, enters, and by the time the door is closed, the attacker gets past the door. For social hacking the solution is training, as the problem is with the human. For tailgating, the problem is the technology, so that's where the solution should be as well. – Andrei Nov 19 '18 at 15:21
You can't really separate the two. If a bad agent is tailgating, it is unlikely that that is all they have in mind. As for the scope of the question: "How do you protect yourself or your company against tailgaters? What is the best answer when you are asked by, let's say the delivery guy, to let you in?" The OP clearly wants to know how to address "reputable strangers". And that is a social engineering problem. And that requires employee training. (or Facial recognition cameras as I proposed in my answer) – Nosajimiki Nov 19 '18 at 15:27
@Andrei well, they don't need to physically stop tailgaters. They would just need to report them if they refuse to scan their badge. – PyRulez Nov 19 '18 at 15:29
@PyRulez That still requires me to look back and pay attention on what other people are doing, plus the actual reporting. If I'm not hired as a security personnel, I just don't want to do that. Telling on people (known or unknown) is terrible corporate culture. The action of reporting something that doesn't directly affect you takes a great toll on the mind. You'll never have happy people in that environment, if they need to be ready to tell on people, who have not wronged them, twice a day at least. – Andrei Nov 19 '18 at 15:40
1

"Telling on people (known or unknown) is terrible corporate culture." Well, you have to remember that 99% of the time its going to be a drill, so your not really getting someone in trouble except for 1% of the time. Basically it would just be telling your supervisor "One of those dumb secret drill guys just walked through the door without listening to me. Give me a gold star." – PyRulez Nov 19 '18 at 23:12

score 7 · Answer 7 · answered Nov 16 '18 at 20:09

There's a lot of value to a sign, at least relative to its literal and sociological costs, but I would assume that the text matters.

Any variation of You/Everyone must swipe in at this door will set up a rule which an intruder might choose to break. It doesn't set up an expectation of rule-compliant people to enforce the rule on their peers or strangers. Even more precisely, it doesn't reassure rule-compliant people that their peers won't perceive them as uptight for enforcing the rule.

I would suggest something like
Make sure everyone entering with you swipes in. Listen for the beep indicating that their badge is valid/up-to-date.
If I'm entering the building with someone, then I know that they've seen the sign that says that I have to ask them to swipe in.

Joel Coehoorn · Answer 8 · 2018-11-20T16:41:03.183

If the situation really matters that much, you station a security person at every entrance whose entire job is to challenge people who enter without swiping — even people known to them, since access can be revoked suddenly. Then you back this up with security camera spot checks, where the job of the cameras is allowing a supervisor to verify the guards are doing what they are supposed to, in addition to keeping records of entrances/exits.

Eventually, I expect computer vision technology to evolve to the point where a camera can be smart enough to do most of the job of the guard. It doesn't have to identify people or do facial recognition... the camera only needs to detect the number of total people vs the number of distinct swipes, and you can use infrared in addition to visible light to make it difficult to fool the camera.

Another option is the door fob only rings an alert in the security office, where it's up to a security officer there to unlock the door based on how the camera feed correlates to the fob logs. That can be much cheaper than stationing a guard at every door, while still providing most of the same security against tailgating.

They have been that smart for a few years now, and are already used in this capacity, although you only really see them in really high profile buildings like major data centers, expect this technology to become a lot more common place in the next few years. — Nosajimiki, Nov 17 '18 at 07:30

score 5 · Answer 9 · answered Nov 18 '18 at 10:31

Once I got a tour by the CEO of ADB through one of their factories. Before we could enter there were 2 control posts. To enter the parking lot you had to go through an ID verification. If you walked to the building you came by this post also.

The second verification you had to go through was at the entrance. All employees, visitors,... must enter through this entrance. After the door closed you were locked in a grey zone. After you passed another ID verification you received your badge to enter the building. There is no other way in or out. If you left you had to go through the same verification.

Another example of this technique is used by a company that I used to work for. They buy/sell gold in large quantities. If you wanted to enter the building, you had to push a button, then state your business and name while looking into a camera. If the door opens and you enter the building you are locked in a small room where ID verification happened. And your bags are checked everytime you enter or leave. Even people that worked there 5+ years had to go through all those security steps. I never saw anyone with bad intents get further than the first door. If the situation is fishy the person stays locked in that room, the security takes away this person for further investigation. Never I have seen this system fail.

score 4 · Answer 10 · answered Nov 17 '18 at 05:08

This is hard and you need to think about the tradeoff it implies. Most tailgaters should be allowed into the building-they really do have a beneficial purpose there. My company had multiple buildings with doors that only permitted one person through, but I could swipe my badge and let anybody in, then swipe again and go in myself. (I used to joke I should get double pay because there were two of me at work.) Visitors were supposed to check in with reception, but that was in another building and they still needed me to swipe them in-they were not given badges that would swipe.

You have a choice between a serious effort to prevent tailgating and viewing your access controls as the first step of a defense in depth. If you really want to prevent tailgating, you need to accept that beside the personnel cost for monitoring you will slow everything down. Copy machines will not get repaired as promptly, so meetings will not be as efficient. Some meetings with outsiders will not happen because it is just too much trouble. Maybe one of those held the secret to the ultimate success of your company.

How bad is it if an unauthorized person gets in? Will they be challenged if they are just wandering around unescorted? Is it worth the cost to really prevent, as opposed to just making it a bit difficult? I started with "this is hard".

Clearly this is not an answer to the question as asked, but it seems there is an underlying assumption that we need to prevent tailgating. That is true in some situations, but not all.

You appear to use the 1 unique building that you experienced as a general state & that is not at all correct or useful as an example. "Copy machines will not get repaired as promptly, so meetings will not be as efficient."? The logic here escapes me. Neither the copy machine/meeting diad nor the "you must allow tailgating for repair people" conclusion. "Some meetings with outsiders will not happen because it is just too much trouble."? I have never, in all my career, felt or experienced others expressing that a meeting could/should not happen because visitors needed to go to reception. — schroeder, Nov 27 '18 at 21:04
@schroeder: the general idea is that if you make it harder for people that you want in the building to get in, including preventing tailgating, some of them will not come in and whatever good they were going to do will not get done. I don't think that is specific to any one situation. "It's just too much trouble" carries a lot of weight. — Ross Millikan, Nov 27 '18 at 21:46
Going to reception is normal, standard, and expected from all possible parties. It is also a requirement in many situations for basic physical security of the premises, information, and the people. — schroeder, Nov 27 '18 at 21:49

score 3 · Answer 11 · answered Nov 20 '18 at 04:31

A lot of good answers already, I'd add just one bit:

People counter. These range from really dumb (single photointerruptor) to pretty neat (oveahead multisegment infrared -- cheap and effective, sometime prone to hats) to AI that tracks people in the video stream. Perhaps couple that with an access card and block access / sound alarm / turn on floodlights if number of presented access tokens is less than number of people detected.

The point is that "good" actor will not be allowed to enter if "bad" actor is present. This helps solve the social problem: "Please let me in, I'm xxx of yyy." is met with the response of "I'd love to but I physically cannot, and now because of you, I can't get in either".

If that were to be deployed, then there has to be a secondary manned entry point, because one day an employee/resident shows up with a kid, a disabled person, accompanied by a camera crew, police, firefighters, etc. Thus, in effect, the automated system takes the load off the manual system.

https://en.wikipedia.org/wiki/People_counter

score 3 · Answer 12 · answered Nov 20 '18 at 13:33

When dealing with someone who is tailgating me, I use the 'U-turn and wait' method. So for example, if I'm about to approach a locked door and I think someone is following me to get past, I will simply U-turn (not even opening the door) and then move towards a bench, seat or spot where I can pretend busy myself.

If the person is legitimate, they'll haul out their own credentials and go inside. If they're not legitimate they're faced with the awkward prospect of standing there looking like a dope at the door or also doing a U-turn (which is a big giveaway they were indeed tailgating).

I make sure I'm busy looking enough to make asking me difficult, and if they do ask if I'll let them in, I'd simply say 'Sorry, I'm not allowed, company policy'. Then I either wait for them to go away, or an opportunity to slip inside where I can go in and close the door before they can react.

Of note, this same behavior is common of tailgaters too. Often a tailgater will appear busy outside of a secure door, and then just follow the first careless person in. This is an effective strategy because people are less likely to "interrupt" you with questions if you tailgate while looking busy on your phone. — Nosajimiki, Nov 21 '18 at 18:19

score 2 · Answer 13 · answered Nov 21 '18 at 15:01

I used to work in a high security office that had very strict controls on who went where within the building. They had standard rules like everyone had to have their pass on display on a lanyard around their neck. There was secuirty patrolling that would stop anyone without a lanyard and you could lose your job if stopped.

To stop any tailgating, the entire office operated airlock style doors. You swipe your pass to unlock the first door, enter the 'airlock' which was only big enough for one person and close the door. Once the first door is closed you can swipe your pass inside the airlock to open the other door and be let through. That door then needs to close before anyone else can use the system. They had cameras inside all of the 'airlocks' and you would ofcourse be fired for trying to get 2 people inside one, not to mention that it would be very awkward and intimate to do so. These doors were on every enterance and exit to any room, and to the building as a whole. This means that even if someone were to get in, they would not be able to move around or leave the building again.

While there were sometimes queues to get through certain doors, and all conversations had to be paused while you went through these doors, they never really caused any issues and I never heard of anyone managing to sneak through the system so I would say it was pretty good.

score 1 · Answer 14 · answered Nov 20 '18 at 23:52

1

The security process at Apple makes this simple: if there is a badge reader, you are required to badge in for access. No exceptions. At very busy doors, like the ones headed into (and out of) the cafeteria, there is a security guard who verifies that you've badged in -- no unlock noise, no entry. Otherwise, every single person is required to badge in, one at a time, to enter any secured area, which is pretty much every interior space.

All employees and contractors know the rules; there was never any "I don't recognize you" awkwardness because we knew we all had to have our badge and had to always use it, and we all knew that proper process was to wait until everyone had their badge before starting in.

Breaking the rules was a firing offense, so you didn't break them. And before you ask, I don't know if Steve Jobs had to badge in or not.

answered Nov 20 '18 at 23:52

Joe McMahon

491
3
4

What happened if someone lost the badge or it was damaged, and the place where it could be replaced was only reachable through locked doors? Where there security personnel who were allowed to escort people without badges? – vsz Nov 23 '18 at 07:26
Managers had spare badges available, signed out to them, so you called your manager to have them come down and let you in. You could exit without a badge, but you couldn't get in without one, so you called your manager (and waited outside if they were in a meeting) and they came out with the temp badge, and left it with them at the end of the day. Badge replacement was available during working hours at a specific location, but you only did that if you'd really lost your badge, – Joe McMahon Nov 24 '18 at 02:39

score 0 · Answer 15 · answered Nov 20 '18 at 13:35

0

My bank has an "airlock". A (presumably very toughened) glass corridor with automatic sliding doors at both ends. It is impossible for both to be open at the same time. I presume that in the event of a bank robbery a button gets pressed while the robbers are exiting, and they are then trapped between the two doors until the police arrive.

I have never seen this arrangement with the security desk on the other side of the wall of the glass corridor, but that ought to offer maximum deterrence. Your tailgater will see that there is a very real risk of being held until the police or security heavies arrive, and go somewhere else?

I did once visit a very security-minded establishment where after security, you were channelled into a visitors-only lift (elevator) with its destination floor chosen by the security desk (no buttons in that lift except "Emergency"). "OK, I'll send him up ...". I had brief visions of a dungeon in the fifth basement, or in the first circle of hell.

answered Nov 20 '18 at 13:35

nigel222

219
1
4

You described the same thing as the accepted answer just with different material. – schroeder Nov 20 '18 at 13:56
@schroeder Not exactly. It's possible to tailgate through a turnstile unless it is operated strictly one-at-a-time, which is perceived as unfriendly. Whereas an "airlock", with or without a security desk in the middle, allows multiple visitors to present themselves at the same time, while exerting maximum psychological deterrence on a tailgater. Yes, it's defeated by a sufficiently confident and brazen tailgater, but most(?) will see the arrangement, and try their luck elsewhere. Depends on the threat, I guess. – nigel222 Nov 20 '18 at 14:07
Turnstiles are meant to be one at a time, else what's the point? You cannot tailgate through them at all (unless you are tiny and can fit in the segment with someone else. Your description does not include the fact that multiple people can enter at once. I would add that part. In your deadman's trap, the tailgater would have to be trapped along with someone else, which limits the deterrent because the attacker knows there is only so much that can be done if an innocent is trapped, too. – schroeder Nov 20 '18 at 14:29
You can tailgate a turnstile by tagging behind someone authorized and hoping that the turnstile operator assumes you are together. If it's token or card operated past the security desk you can try to blag a visitor card by tailgating a large group of visitors. The "airlock" operates before the security desk or as part of it. As for creating a hostage scenario ... as I said, it depends on the threat profile. Is violent escalation likely? As always, security and usability/friendliness are at odds. – nigel222 Nov 20 '18 at 15:10
What is "blag"? And I never said hostage scenario, I'm saying that whatever happens in your big glass cage has to be reasonable for everyone in it, including the innocent, which lowers its threat. – schroeder Nov 20 '18 at 15:16
"blag" is UK slang, more or less equivalent to "con" or "trick". – nigel222 Nov 20 '18 at 17:11

score 0 · Answer 16 · edited Nov 21 '18 at 09:51

Where I work, there is an outer door and inner door, and a turnstile in between. Behind the sluice we are two separate companies, so in theory there can be people inside the turnstile who are not supposed to get through the inner door. We have signs posted that say "It is not impolite to ask: 'Can I see your card' ", so we are actively encouraged to ask to see others' cards. If I am being followed, I sometimes walk slower, so that my tailgater will have to open the door, or if I opened the outer one, wait for him/her to open the inner door. Other than that, people must wear badges visibly, so it's often easy to see if people belong. (ofc you can fake a badge, but I gather that this is not a part of the question here).

score 0 · Answer 17 · answered Nov 22 '18 at 05:07

I worked somewhere that had high security aria and had a few of the solutions already suggested, primarily an air lock and turnstile (it let anyone in or out). It also had it so that to be let out you have to have tapped in, because of if someone tried to tailgate everyone seeing and hearing it would know that they were up to no good.

So having it so they would have to tailgate both in and out would change how people behave with tailgaters. If the company feared a backlash they could frame it for fire safety.

The biggest downfall of it is that you end up getting lines to tap in and out especially if you also have to put a pin in.

score -1 · Answer 18 · answered Nov 17 '18 at 03:58

-1

Face recognition technology is about ready for that, and can easily handle large masses of people simultaneously, without the need for badges or turn styles.

For example, the Orlando airport is being converted to use face recognition instead of passport controls (supposedly still to go live in 2018). You will just walk by, and be automatically identified.

answered Nov 17 '18 at 03:58

Aganju

351
2
7

4

How easy is this to fool by wearing a mask or something? You can't really do that at an airport - too many people around and it would be suspicious, but what about an office building at a quiet hour or even few minutes - you put the mask on, get in, take it off when nobody is around to question you? How easy is it to get a false negative, either - if somebody grew a beard or maybe had a face injury, would they be denied access? That's lower risk than a false positive but still something to keep in mind. – VLAZ Nov 17 '18 at 08:44
I have my doubts too... but they seriously do that in the airport, and they should know what they do. – Aganju Nov 17 '18 at 12:56
2

@Aganju Especially in the USA, airport security is a big theater with very little purpose. They do not know what they are doing. – Luc Nov 20 '18 at 12:07
1

@vlaz. Those are common misunderstandings about the AI behind facial recognition. A face mask can prevent you from being IDed in a public place like an airport, but in a secure place, you are looking for negatives not positives. Facial ID software also places emphasis on what it less changing; so, if you shave your beard, or put your hair up in a ponytail, the AI does not care, because it can still id you based on eye shape, cheekbones, etc. AI is actually better at discriminating these variances better than most people are. – Nosajimiki Nov 21 '18 at 18:08
Thanks @Nosajimiki - I was genuinely curious and the answer had no real detail to go on. – VLAZ Nov 22 '18 at 03:48

score -2 · Answer 19 · answered Nov 16 '18 at 20:48

-2

If you have the budget for it, use high resolution cameras with facial recognition. Security will be alerted even if some well meaning do-gooder holds the door open for them when they enter an unauthorized area.

answered Nov 16 '18 at 20:48

Nosajimiki

1,799
6
13

1

Unless they duck, or face the other way... Technology is not a panacea. – wizzwizz4 Nov 17 '18 at 18:08
This comes down to what level of security you are trying to enforce. Many can be configured to alert you to an unrecognized person; so, obscured faces can create false positives, but false negatives are nearly impossible. Even if you have a bag over your head, it will still mark you as an unknown person alerting security to your presence. Also, the facial recognition software that comes with them typically use machine learning; so, they learn your whole facial profile over time such that false positives become pretty rare after it's seen you a few times. – Nosajimiki Nov 19 '18 at 15:03
This many not be a good course of action for a building where you have a lot of "unknown" people coming and going, but in general, if you are worried about tailgating as a serious security concern, you are probably talking about somewhere that unknown people should not be to begin with. – Nosajimiki Nov 19 '18 at 15:06
I've experience with fooling _automatic doors_; even that's not hard. So fooling a much more complex system? A commando-roll could well be enough. And remember; if the system's too sensitive, it won't be long before positives are ignored. – wizzwizz4 Nov 19 '18 at 17:43
1

High sensitivity is only needed with very large population pools. If your "building" has 500,000 people in it, then this is a problem, but low sensitivity on 50-200 people will create very few false negatives and a tailgater would still have to be a pretty good look-alike to an actual employee to slip by. Even at low sensitivities, modern AI has a similar facial recognition ability to a human being who actually knows every single person who's supposed to be there. Most of the stories you hear about with false positives come from using giant facial databases. – Nosajimiki Nov 19 '18 at 18:19
Fair... It's a good auxiliary measure, but shouldn't be your primary mechanism. – wizzwizz4 Nov 19 '18 at 18:27
1

Neither should a turngate, or card reader, or training, or any other method here listed. Security is always best when layered, but in most cases, I believe this method to be best if you had to only choose one because it minimizes the human altruism factor. – Nosajimiki Nov 19 '18 at 18:34
2

This should at least be combined with a physical defence, like a turnstile. – wizzwizz4 Nov 19 '18 at 18:36

Defence methods against tailgating

19 Answers19