Threats and vulnerabilitiesBeginner26 min read

What Is Piggybacking? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

Piggybacking happens when someone sneaks into a secure area by following closely behind a person who has permission to be there. In IT and security, it often refers to someone using your logged-in computer session without your knowledge. It can also describe a person tailgating through a door or using your network access. The key is that the unauthorized person gains entry because the authorized person unknowingly lets them in.

Commonly Confused With

PiggybackingvsTailgating

Tailgating is often used interchangeably with piggybacking, but some sources distinguish them. Tailgating is when the attacker follows an authorized person without their knowledge or consent, like slipping through a door before it closes. Piggybacking usually implies the authorized person is aware of the follower and either consents or is tricked into letting them in, such as by holding the door.

If you swipe your badge and a stranger sneaks in right behind you without you noticing, that is tailgating. If you see the stranger and hold the door for them because they look official, that is piggybacking.

PiggybackingvsShoulder Surfing

Shoulder surfing involves directly observing someone entering a password, PIN, or other sensitive information. Piggybacking does not require seeing any credentials. It uses the authorized person's already-established access. Shoulder surfing is about stealing information; piggybacking is about stealing access.

Looking over your shoulder as you type your ATM PIN is shoulder surfing. Following you into the bank lobby after you swipe your card is piggybacking.

PiggybackingvsImpersonation

Impersonation involves the attacker pretending to be someone else, often using falsified credentials or identity theft. Piggybacking does not require the attacker to pretend to be anyone. They simply use the access granted to the authorized person. Impersonation can be used to gain access, but it is a different method.

Wearing a fake security badge and walking through a door while saying 'I work here' is impersonation. Walking behind a real employee without any badge at all is piggybacking.

PiggybackingvsSession Hijacking

Session hijacking is a technical attack where an attacker intercepts and takes over an authenticated session between a user and a server, often using packet sniffing or token theft. Piggybacking can involve physical access to an unattended workstation, which is simpler and does not require network-level interception. Both involve using an active session, but session hijacking is technical, while piggybacking is often physical or social.

An attacker using a tool to steal your session cookie and then access your webmail is session hijacking. An attacker sitting at your desk after you walked away from your logged-in computer is piggybacking.

Must Know for Exams

For certification exams like CompTIA Security+, CISSP, and Certified Ethical Hacker (CEH), piggybacking is a specific concept you must know because it appears in at least three domains: social engineering, access control, and physical security. In Security+, you will see piggybacking listed alongside phishing, tailgating, shoulder surfing, and dumpster diving as a social engineering attack. The exam often asks you to distinguish between tailgating and piggybacking.

In the CompTIA Security+ SY0-601 and SY0-701 objectives, tailgating and piggybacking fall under the social engineering techniques domain. The difference is subtle but tested: tailgating is when the attacker follows an authorized person without their knowledge or consent, while piggybacking implies the authorized person knowingly or unknowingly allows the attacker to follow. However, many sources use the terms interchangeably, so you need to know how your specific exam defines them.

In the CISSP exam, piggybacking appears in the Physical Security domain. You will need to understand countermeasures like mantrap portals, security guards, CCTV, and access control vestibules. The exam tests whether you know that piggybacking is best prevented by layering physical controls with training.

For example, a question might describe a scenario where an attacker slips into a secure server room behind an employee. You must choose the best control, such as implementing a mantrap. For the CEH exam, piggybacking is part of the social engineering phase of an attack.

The exam will test your ability to identify that piggybacking is a method to gain physical access before performing network reconnaissance. In Microsoft Security exams like SC-900 or AZ-500, piggybacking is less direct but appears in the context of physical security controls for datacenters. Questions may ask about Azure datacenter security measures, and you must recognize that mantraps are used to prevent piggybacking.

In all these exams, piggybacking is usually a multiple-choice question where you identify the attack type or select the best mitigation. It is not a deep question, but it is a reliable one to get right if you know the definition and the control. Trap questions might include a scenario where the authorized user knowingly helps an unauthorized person enter.

Some exams call that collusion, not piggybacking. Watch for that distinction. You should also know that piggybacking does not necessarily require physical proximity. In some exam scenarios, an attacker piggybacks on a network session by using an unattended workstation.

That is why you must understand session lock policies as a control. Overall, piggybacking is a high-probability topic for Security+ and CISSP, and a supporting topic for other certs. Mastering this term will help you in multiple exam domains.

Simple Meaning

Imagine you live in an apartment building that has a locked front door. You use your key card to open the door and walk inside. As you walk through, a stranger slips in right behind you before the door closes.

You did not invite them, but you did not stop them either. That is piggybacking, someone riding on your permission to get into a place they are not supposed to be. In the digital world, piggybacking works the same way.

For example, you log into your work computer at a coffee shop and then step away to get your drink. While you are gone, a stranger sits down and uses your open session to check emails or steal files. They did not hack your password.

They just used the fact that you were already logged in. This is not the same as a hacker breaking into a system with advanced tools. Piggybacking relies on human behavior, trust, distraction, or politeness.

In offices, it often happens at security doors where people hold the door for someone they assume belongs there. In networks, piggybacking can mean an attacker connects to your Wi-Fi or VPN after you have already authenticated, essentially riding your valid session into the protected network. Security teams worry about piggybacking because it bypasses many technical defenses.

If an attacker can piggyback their way in, they do not need to crack a password or exploit a software bug. They just need to be near the right person at the right time. That makes piggybacking a social engineering threat as much as a physical security one.

Training people to be aware of their surroundings and to never share or leave sessions open is the main defense against piggybacking.

Full Technical Definition

In information security, piggybacking is an attack vector where an unauthorized entity gains access to a restricted system, network, or physical area by taking advantage of an authorized user’s authenticated session, credentials, or physical passage. It is classified as a social engineering technique because it exploits human behavior rather than technical vulnerabilities. In physical security, piggybacking (often called tailgating) occurs when an unauthorized person follows an authorized person through a secured entry point, such as a door requiring a badge or biometric scan.

This bypasses access control systems like keycards, proximity readers, or PIN pads because the system only registers one entry event, but two people enter. In network security, piggybacking can involve an attacker connecting to a trusted network after an authorized user has already established a VPN tunnel or authenticated into a wireless network. For example, if a user logs into a corporate Wi-Fi network using WPA2-Enterprise with 802.

1X authentication, the user’s device is authenticated by a RADIUS server. If the user’s device is compromised or if the attacker captures the session tokens, the attacker can piggyback on that authenticated session without needing their own credentials. In operating systems, piggybacking can refer to session hijacking, where an attacker takes over an idle but authenticated session on a shared workstation.

For instance, in a Windows environment, if a user locks their workstation but does not log off, an attacker who gains physical access to the machine can sometimes bypass the lock screen or use tools to dump the session. More commonly, piggybacking describes the scenario where an authorized user authenticates to a system, then walks away, allowing an unauthorized user to interact with the system while the session is still active. This is why security policies enforce automatic session locks after a period of inactivity and require users to log off or lock their workstations before leaving them unattended.

From a compliance standpoint, standards such as PCI DSS, HIPAA, and ISO 27001 require organizations to implement controls against piggybacking, including visitor management systems, mantrap portals, and security awareness training. The attack is differentiated from impersonation or credential theft because the attacker does not need to know the victim’s password or biometric data. The victim’s own legitimate access is the vector.

In exam contexts, piggybacking is often contrasted with social engineering attacks like phishing or shoulder surfing, but it is unique in that it relies on physical or logical proximity to an active authorized session rather than deception or information gathering. Professionals must understand that piggybacking threats exist at multiple layers: physical perimeter, network perimeter, and session management. Mitigation includes using two-factor authentication, zero trust architectures, mantrap entry systems, and strict session timeout policies.

Piggybacking is a core concept in the Security+ and CISSP exam domains related to access control and social engineering.

Real-Life Example

Imagine you are at a busy airport and you need to go through a security checkpoint to get to your gate. You have your boarding pass and ID ready. You scan your boarding pass at the automated gate, the doors open, and you walk through.

But as the doors close, a person you do not know slips in right behind you. They do not have a boarding pass. They just used your access to get past security. That is piggybacking in the physical world.

Now map that to IT. Think of your office building with a badge-scanning door at the entrance. You scan your badge, the door unlocks, and you walk in. If you hold the door for the person behind you without confirming they have their own badge, you have just let a potential attacker into the building.

This person could be a thief, a corporate spy, or someone with bad intentions. In the digital version, imagine you are working on a sensitive document in a shared space like a hospital nursing station. You authenticate to the computer with your smart card and password.

Then a nurse asks you a question, and you step away from the computer for a moment without locking the screen. A person who is not authorized walks by and sees your open session. They quickly type commands to access patient records or email themselves a copy of the document.

They did not steal your password. They did not hack the system. They simply piggybacked on your already authenticated session. In both cases, the root cause is the same: someone with permission opened a door, and someone without permission followed through.

The technical controls, badges, passwords, encryption, are useless if the human element fails. That is why piggybacking is such a persistent threat in IT security. It does not require advanced hacking skills.

It only requires being in the right place at the right time and a moment of inattention from an authorized user.

Why This Term Matters

Piggybacking matters because it directly undermines the entire concept of access control. Access control systems are designed to ensure that only authorized individuals can enter a space or use a resource. When piggybacking occurs, the system works correctly but the human using it bypasses the security.

That means all the money spent on biometric readers, VPN gateways, smart cards, and authentication servers can be rendered useless by a single moment of carelessness. In practical IT terms, piggybacking is a leading cause of data breaches in physical environments like data centers, research labs, and government facilities. Attackers know that it is often easier to follow a legitimate employee through a door than to crack a firewall or find a software vulnerability.

For IT professionals, understanding piggybacking is crucial because it changes how you design security policies. You cannot just focus on technical controls. You must also train users to challenge strangers, hold doors properly, and lock their workstations.

Many organizations use mantraps, small rooms with two doors where only one person can pass at a time, to physically prevent piggybacking. In network design, zero trust architecture assumes that no user or device is inherently trustworthy, which means even if an attacker piggybacks into the network, they still face authentication challenges for every resource they try to access. From a compliance perspective, standards like PCI DSS require organizations to implement physical security controls to prevent piggybacking.

For example, PCI DSS Requirement 9.1.1 states that organizations must use video cameras and access control mechanisms to monitor entry points. If you are an IT auditor or security professional, you need to test for piggybacking vulnerabilities during assessments.

That includes walking around buildings to see if employees hold doors for strangers and checking if workstations lock automatically. Piggybacking also appears in incident response. If an unauthorized person is found inside a secure area, you must trace how they got in.

Often, the answer is that they piggybacked behind an employee. This leads to retraining and sometimes disciplinary action. Piggybacking matters because it is a low-tech threat that can defeat high-tech defenses.

Ignoring it leaves your organization vulnerable to intrusion, data theft, and compliance penalties.

How It Appears in Exam Questions

On certification exams, piggybacking appears mainly in scenario-based multiple-choice questions. The most common pattern is a description of a person following an employee through a secured door without swiping their own badge. The question will ask you to identify the type of attack or the best countermeasure.

For example, a Security+ question might read: An employee holds the door for a person who claims they forgot their badge. The person gains access to the restricted area. Which type of social engineering attack is this?

The correct answer is piggybacking (or tailgating, depending on the exam). Another pattern involves an unattended workstation. A question might describe a user logging into a computer and then leaving the desk without locking it.

An unauthorized person uses the computer to access sensitive files. The question asks what security principle was violated. The answer is piggybacking or session hijacking. In CISSP, you may see a question about which physical security control prevents piggybacking.

The options might include a mantrap, access control list, firewall, or encryption. The correct answer is mantrap because it requires one person to pass through before the next door opens. Another common question type is a comparison.

The question lists two terms and asks which scenario represents piggybacking versus shoulder surfing or impersonation. For example: Which of the following describes piggybacking? Option A: looking over someone’s shoulder to see their password.

Option B: using a valid user’s open session on an unattended computer. Option C: calling a help desk and pretending to be an employee. Option D: sending a fake email to trick someone into revealing credentials.

The correct answer is B. In CEH, you might see a question about the reconnaissance phase where an attacker gains physical access by piggybacking. The question asks which attack vector is being used.

You must select social engineering. Some questions integrate piggybacking into a larger incident response scenario. For instance, a data breach occurred and the investigation found that an unauthorized person accessed the server room.

The logs show only one badge swipe at the time. The question asks what most likely happened. The answer is that the attacker piggybacked behind an authorized employee. In performance-based questions (PBQs), especially in Security+, you might be asked to drag and drop the correct countermeasure for each attack type.

Piggybacking would be paired with a mantrap or security awareness training. Sometimes questions will ask you to identify the most effective control from a list. The trick is to remember that technical controls like video cameras help detect piggybacking but do not prevent it.

Prevention comes from physical barriers like mantraps or turnstiles. Always read the question carefully to see if it asks for detection, prevention, or mitigation. Finally, watch for multi-step questions.

A scenario might describe an attacker who piggybacks into a building, then accesses an unattended workstation, then uses a privilege escalation exploit. The question might ask for the initial attack vector, which is piggybacking.

Practise Piggybacking Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Sarah works for a medical research company that has strict security policies. The building has a badge reader at every entrance. One morning, Sarah is carrying a large box of equipment to her lab.

She swipes her badge and pushes the door open with her shoulder. A man in a delivery uniform walks up quickly and says, I need to get in too, my hands are full. Sarah, wanting to be helpful, holds the door with her foot and lets him enter.

She assumes he is a legitimate delivery person. The man thanks her and walks toward the elevator. Later that day, the security team discovers that a confidential research file was accessed from a computer in the lab that has no badge log entry for that man.

The security cameras show that he piggybacked into the building behind Sarah. He then walked into an empty lab where an employee had left their computer unlocked. He sat down, opened the file system, and copied the data to a USB drive before leaving.

No badge was swiped. No password was guessed. The only failure was that one employee held the door open for a stranger. In this scenario, the technical controls, badge readers, cameras, and encryption, did not stop the breach.

The human behavior of being polite overrode the security protocol. This is a classic piggybacking attack. Sarah was not malicious. She was just not trained to verify that the person behind her had their own badge and was authorized to be in the building.

The attacker exploited her willingness to help. If Sarah had been trained to never hold the door for anyone without verifying their credentials, or if the organization used a mantrap that only allows one person to enter at a time, the attack would have failed. This example shows why security awareness training is just as important as technology.

For the exam, remember that piggybacking exploits trust and politeness, not technical vulnerabilities.

Common Mistakes

Thinking piggybacking is the same as hacking or cracking passwords.

Piggybacking does not involve breaking any password, encryption, or technical security measure. It relies on using someone else's legitimate access, either physically or logically. Hacking involves exploiting technical vulnerabilities, while piggybacking exploits human behavior.

Understand that piggybacking is a social engineering attack, not a technical exploit. It happens when someone follows an authorized user without needing to bypass any digital security controls.

Confusing piggybacking with shoulder surfing.

Shoulder surfing involves looking over someone's shoulder to see their password or PIN. Piggybacking involves following someone into a restricted area or using their active session. They are both social engineering, but they work differently. Shoulder surfing steals credentials; piggybacking steals the access itself.

Remember that shoulder surfing captures information, while piggybacking uses the authorized person's existing access without needing their credentials.

Believing that holding the door for someone is always safe if you work in a friendly office.

Even in a familiar workplace, you cannot be sure the person behind you currently has authorization. They might be a visitor who checked in earlier but now is unescorted, or an ex-employee who still has a badge. Holding the door bypasses the access control system and can allow malicious actors into secure areas.

Always require everyone to use their own badge, even if you recognize them. If they forgot their badge, they should go to security. Never hold the door unless you are certain they are authorized for that specific area.

Assuming that piggybacking only happens in physical security contexts.

Piggybacking also applies to digital sessions and networks. For example, an attacker can piggyback on an authenticated VPN session or use an unlocked workstation. Many exam questions focus on the digital variant, where an attacker uses an active session left open by a legitimate user.

Study piggybacking in both physical and digital contexts. Know that an unattended logged-in computer is a prime target for digital piggybacking.

Comparing piggybacking to tailgating and thinking they are always identical.

Some exam sources differentiate tailgating (attacker follows without consent) from piggybacking (attacker follows with the authorized user's implied consent, like holding the door). Other sources use them interchangeably. Using them as identical without knowing your exam's definition can cause you to miss a question.

Check the glossary of your specific exam. For CompTIA Security+, be aware of the distinction: tailgating is without consent, piggybacking involves the authorized person knowingly or unknowingly allowing access.

Exam Trap — Don't Get Fooled

{"trap":"The authorized person holds the door for someone they know is not authorized. Many learners might call this piggybacking, but some exams classify this as collusion or unauthorized assistance, not piggybacking.","why_learners_choose_it":"Learners see a scenario where an unauthorized person enters a secure area behind an authorized person, which fits the common definition of piggybacking.

They do not notice the nuance that the authorized person knew the person was not allowed in and deliberately helped them.","how_to_avoid_it":"Read the scenario carefully. If the authorized person knowingly allows an unauthorized person to enter despite knowing they should not, this is often called collusion or malicious assistance.

Piggybacking typically implies either the authorized person is unaware they are being followed or they are tricked into allowing access. If the question uses the term 'knowingly allowed,' do not select piggybacking."

Step-by-Step Breakdown

1

Step 1: Identify Target

The attacker selects a secured location or system they want to access. This could be a server room, a building floor, a network, or a specific computer. The target must have an access control mechanism that requires authentication, and there must be a flow of authorized users entering or using the resource.

2

Step 2: Observe Authorized Users

The attacker positions themselves near the entry point or resource and watches for an authorized user. They look for someone who is about to authenticate, such as swiping a badge, typing a password, or unlocking a workstation. The attacker waits for the right moment when the authorized user is ready to gain access.

3

Step 3: Opportunistic Approach

When the authorized user authenticates and gains access, the attacker moves quickly to follow them. In physical scenarios, the attacker may walk close behind, pretend to be on a phone call, or carry items to appear harmless. In digital scenarios, the attacker positions themselves at the unattended workstation immediately after the user leaves.

4

Step 4: Gain Entry or Access

The attacker enters the restricted area or uses the authenticated session before the door closes, the session times out, or the workstation locks. They do not need to provide their own credentials because the authorized user’s authentication is still valid. The system sees the authorized user’s access and does not detect the extra person or session user.

5

Step 5: Exploit the Access

Once inside, the attacker performs their intended action. This could be stealing data, installing malware, planting a listening device, or conducting reconnaissance. Because they entered using legitimate access, their activities may blend in with normal traffic, making detection harder. The attacker then leaves, often during a busy time, to avoid suspicion.

6

Step 6: Cover Tracks (Optional)

If the attacker wants to avoid being identified, they may close programs, delete log entries if possible, or leave the workstation exactly as they found it. This step is not always necessary if the attacker simply leaves the area and relies on the fact that no badge or password was recorded for them.

Practical Mini-Lesson

Piggybacking is a security threat that every IT professional must understand because it directly targets the human element of security. In practice, piggybacking can happen in several ways, and each requires a different mitigation strategy. Let's start with physical piggybacking.

In any building with badge readers, the door control system logs every swipe. But if two people enter on one swipe, only one person is logged. Security cameras can catch the act, but they are a detective control, not a preventive one.

The best prevention is a mantrap: a small room with two doors. The first door opens only after authentication, and the second door will not open until the first door is closed and the person is alone. This forces single entry.

Other physical controls include turnstiles that block two people from passing, and security guards who challenge anyone not badging in. For digital piggybacking, the main control is automatic session timeout. Every operating system and application should be configured to lock the screen after a set period of inactivity, typically 5 to 15 minutes.

Group Policy in Windows or screensaver settings in macOS can enforce this. In environments with high security, users are required to lock their workstation manually before stepping away, using the Windows Key + L shortcut. Another digital piggybacking risk involves VPN and network access.

If a user leaves their VPN client active while stepping away, an attacker at the same location could use that VPN session. This is especially dangerous in public places like coffee shops or airports. The mitigation is to use VPN clients that require frequent re-authentication or that detect changes in network location.

In zero trust architectures, every request is re-authenticated regardless of the user's previous session, which eliminates the value of piggybacking on a session. What can go wrong? If users are not trained, they will hold doors for strangers.

If workstations are not configured to lock, attackers can walk up and use them. If mantraps are not installed, piggybacking at entry points is easy. In penetration testing, piggybacking is one of the first techniques testers try because it often works.

As a professional, you should include piggybacking testing in your security assessments. Walk through your building and note how many times you can enter a secure area without badging. Check if there are policies against holding doors and if they are enforced.

Also, review your organization's incident logs for any entries where physical access was granted without a badge swipe. That is a red flag for piggybacking. Finally, remember that piggybacking can also occur virtually, such as when an attacker uses a shared computer that a previous user did not log off.

In healthcare, this is a HIPAA violation. In finance, it can lead to regulatory fines. The lesson is clear: technical controls like encryption and firewalls are important, but they do not stop someone from holding the door for a stranger.

That is why security awareness training must emphasize not just policy, but practical habits like locking screens and challenging unknown people.

Memory Tip

Think of a toddler 'piggybacking' on a parent, the parent does all the work, the toddler just holds on. In security, the attacker holds on to your access without doing the authentication work themselves.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

Is piggybacking the same as tailgating?

Many sources use the terms interchangeably, but some certifications distinguish them. In general, tailgating is when an attacker follows an authorized person without their knowledge, while piggybacking implies the authorized person knowingly or unknowingly allows access, such as holding the door. Check your exam's specific definitions.

Can piggybacking happen over a network?

Yes. Digital piggybacking occurs when an attacker uses an authenticated session left open on an unattended computer or piggybacks on a VPN or network session after the authorized user has authenticated. The attacker does not need their own credentials.

What is the best way to prevent piggybacking?

There is no single control. The best approach combines physical controls like mantraps, technical controls like automatic screen locks and session timeouts, and human controls like security awareness training that teaches employees to never hold doors for strangers and to always lock their workstations.

Why is piggybacking considered a social engineering attack?

Because it exploits human psychology, trust, politeness, or distraction, rather than technical vulnerabilities. The attacker manipulates the authorized person into granting access, either by following closely without being challenged or by being helped through a door.

Does piggybacking require the attacker to be physically close?

In most cases, yes. Physical piggybacking requires being near the authorized person at the entry point. Digital piggybacking on an unattended workstation also requires physical proximity to the computer. However, network-level piggybacking might involve being on the same network segment as the victim.

Will multi-factor authentication stop piggybacking?

Multi-factor authentication (MFA) can help with digital piggybacking if the session requires re-authentication frequently, but it does not stop physical piggybacking through a door. MFA reduces the risk by making it harder for an attacker to use a session for extended periods without a second factor.

Is piggybacking a common topic on the Security+ exam?

Yes. Piggybacking and tailgating are listed in the social engineering techniques section of the Security+ objectives. You can expect at least one scenario question asking you to identify the attack or select the best countermeasure.

Summary

Piggybacking is a social engineering attack where an unauthorized person gains access to a restricted area, system, or network by following an authorized user or using their active session. It bypasses technical access controls because the attacker does not need to authenticate. Instead, they exploit human behavior, politeness, distraction, or carelessness.

In the physical world, this often happens when an employee holds a door for a stranger. In the digital world, it happens when a user leaves a workstation unlocked or an authenticated session open. The threat is significant because it can lead to data breaches, physical theft, and compliance violations.

For IT professionals, preventing piggybacking requires a combination of physical barriers like mantraps, technical controls like automatic screen locks, and continuous security awareness training. For certification exams, particularly CompTIA Security+, CISSP, and CEH, you need to understand the definition, recognize it in scenarios, and know the key countermeasures. Watch out for exam traps that distinguish piggybacking from tailgating and collusion.

Also remember that piggybacking is not a hacking technique, it is a human manipulation technique. By mastering this term, you demonstrate an understanding that security is not just about firewalls and encryption, but also about how people behave. The key takeaway for the exam and for your career is simple: never hold the door for someone you do not know, and always lock your screen.