220-1102 | Chapter 64 of 131 | Objective 2.5

Tailgating and Piggybacking Prevention

This chapter covers tailgating and piggybacking, two physical security attacks that exploit human trust and access control weaknesses. For the CompTIA A+ 220-1102 exam, these topics fall under Domain 2.0 (Security) and specifically Objective 2.5, which requires you to explain common social engineering attacks and physical security controls. Approximately 5-10% of exam questions touch on social engineering or physical security, with tailgating and piggybacking being frequently tested as distinct attack types. Understanding the difference between them and knowing prevention methods like mantraps (access control vestibules) and security awareness training is critical.

25 min read
Intermediate
Updated May 31, 2026

The One-Badge Turnstile: Tailgating Explained

Imagine a secure office building with a single turnstile entrance. Each employee must swipe their badge to enter, and the turnstile rotates exactly once per swipe, allowing only one person through. This is the intended mechanism. However, consider a scenario: Employee A swipes their badge and enters. As the turnstile is still rotating or before it fully locks, Employee B, who has no badge or a stolen one, slips through right behind A before the turnstile resets. This is tailgating — B follows A without authorization. Piggybacking is a variation: Employee A swipes their badge and deliberately holds the door or turnstile for Employee B, who may have forgotten their badge, but B is not authorized. The turnstile mechanism is bypassed by exploiting the human element — either the momentum of the turnstile (tailgating) or the courtesy of A (piggybacking). In both cases, the physical access control system fails because it cannot distinguish between one authorized entry and two bodies passing through. The solution is a mantrap: two interlocking doors that require one authorization per door cycle, ensuring only one person per authentication. This mirrors network access control where one set of credentials should map to exactly one session.

How It Actually Works

What Are Tailgating and Piggybacking?

Tailgating and piggybacking are physical security attacks that bypass access control systems by exploiting authorized individuals. In tailgating, an unauthorized person follows an authorized person through a secured entrance without the authorized person's knowledge or consent. The attacker simply walks closely behind the legitimate user as they enter, often using a distraction or pretending to be in a hurry. In piggybacking, the unauthorized person gains entry with the explicit or implicit consent of the authorized person. For example, an employee might hold the door for someone who claims to have forgotten their badge, or a friendly employee might let someone in without verifying credentials. Both attacks target the weakest link in physical security: human nature.

Why They Exist and Why They Are Dangerous

Physical access control systems like keycard readers, biometric scanners, or PIN pads are designed to authenticate individuals. However, once a door is opened for one person, it remains open for a brief period (typically 2-5 seconds) before relocking. This window allows an attacker to slip through. Tailgating and piggybacking exploit this timing gap and the social convention of holding doors open. The danger is that an attacker gains access to restricted areas — server rooms, wiring closets, or executive offices — without any authentication. This can lead to data theft, equipment sabotage, or further social engineering attacks. For the 220-1102 exam, you must know that these are social engineering attacks, not technical hacking.

How They Work Internally: The Mechanism

Let's step through a typical tailgating scenario at a facility with an electronic card reader:

1. Authorized user approaches door — The user swipes their badge or enters a PIN. The access control system verifies the credential against its database (often an LDAP or Active Directory sync).

2. Door unlocks — The system sends an electric signal to the door strike, releasing it. The door is unlocked for a predetermined duration, typically 3-5 seconds. A green LED indicates the door is unlocked.

3. User enters — The user pushes or pulls the door open. The door may have a magnetic sensor that detects when it is opened.

4. Attacker follows — The attacker walks closely behind the authorized user, often within 1-2 feet. The door is still open or unlocked. The attacker passes through before the door relocks.

5. Door relocks — After the timeout or when the door closes, the strike re-engages. The system logs one entry event, but two people entered.

In piggybacking, the authorized user may hold the door open for the attacker, or the attacker may engage the user in conversation and walk through together. The access control system still logs only one credential use.

Key Components, Values, and Defaults

Door Strike Timeout: The duration the door remains unlocked after credential validation. Defaults vary: 3 seconds (common for card readers), 5 seconds (for PIN pads). Adjustable in access control software.

Access Control System (ACS): Software that manages credentials and door locks. Examples: Lenel, Honeywell, Brivo. Logs all access attempts.

Mantrap: A small room with two interlocking doors. The two doors cannot both be open at the same time. Requires one credential per person. Often used in high-security areas.

Security Awareness Training: The primary defense — teaching employees not to hold doors for strangers and to challenge anyone without a visible badge.

CCTV: Cameras positioned at entrances to record tailgating incidents. Often used for post-incident analysis.

Configuration and Verification

While CompTIA A+ does not require deep configuration of physical access systems, you should understand how software settings can mitigate tailgating:

Set door unlock timeout to minimum — Reduce the window from 5 seconds to 2 seconds where possible.

Enable anti-passback — A feature that prevents a credential from being used to enter twice without an exit. For example, if a badge is used to enter, it cannot be used to enter again until it is used to exit. This forces one-in-one-out. However, anti-passback does nothing against tailgating: the follower never presents a credential, so only the authorized user's badge is logged as having entered.

Use mantrap — Requires separate authentication for each door. The first door must close and lock before the second door can be opened.

Interaction with Related Technologies

Biometrics: Fingerprint or retina scanners reduce piggybacking because the authorized user must physically interact with the scanner, making it harder to hold a door. However, tailgating is still possible if the door is held open by the user after authentication.

Turnstiles: Full-height turnstiles physically prevent more than one person from passing per rotation. Optical turnstiles use sensors to detect multiple people and trigger an alarm.

Visitor Management Systems: Require visitors to sign in and be escorted. Escorts must remain with the visitor at all times.

Common Trap Patterns on the Exam

Confusing tailgating and piggybacking: The exam expects you to distinguish them. Tailgating is without consent; piggybacking is with consent.

Thinking a technical control like anti-passback prevents tailgating: Anti-passback prevents credential reuse, not physical following.

Believing that CCTV alone prevents tailgating: CCTV is a detective control, not a preventive one. It records incidents but does not stop them.

Assuming that a simple keycard system is sufficient: Keycards do not prevent tailgating; they only authenticate the first person.

Summary of Prevention Methods

Mantrap / Access Control Vestibule: Physical barrier that traps tailgaters.

Security Awareness Training: Teach employees to be vigilant and not hold doors.

Receptionist or Security Guard: Human verification at entry points.

Turnstiles: Physical barrier that allows one person per authentication.

CCTV: Deterrent and evidence collection.

Alarms: If a door is held open too long, an alarm sounds.

For the exam, remember that the most effective control is security awareness training because it addresses the human factor directly.

Walk-Through

1. Authorized user presents credential

The authorized user approaches a secured door and presents their credential — typically a proximity card, smart card, or PIN. The access control reader sends the credential data to the access control panel, which queries the database for authorization. If valid, the panel sends a signal to the door strike to unlock. This process takes 200-500 milliseconds. The user hears a click or sees a green LED indicating the door is unlocked. The door strike is a solenoid that retracts a metal bolt, allowing the door to be opened.

2. Door unlocks for a set duration

The door strike remains retracted for a configurable timeout, typically 3-5 seconds. During this window, the door can be opened without additional authentication. The access control system starts a timer. If the door is not opened within the timeout, the strike re-engages automatically. If the door is opened, a door position sensor (magnetic reed switch) detects the change in state and may extend the timeout or trigger an alarm if the door is held open too long (e.g., 30 seconds).

3. Authorized user opens and enters

The user pushes or pulls the door open. The door position sensor sends an 'open' signal to the access control panel. The panel logs the event: user ID, timestamp, door ID, and event type (entry). The door is now physically open. At this point, the access control system cannot distinguish between one person entering or multiple people. The door is open, and the strike is disengaged. Any person can walk through.

4. Unauthorized attacker follows closely

The attacker, who may be waiting nearby, walks through the open door immediately behind the authorized user. This is tailgating if the user is unaware; piggybacking if the user holds the door or invites the attacker. The attacker does not present any credential. The access control system logs only the authorized user's entry. The door may close behind both, or the attacker may hold it for others. The attack is successful because the system cannot count bodies, only credential uses.

5. Door closes and relocks

After the authorized user and attacker have passed, the door closes. The door position sensor detects the closed state and signals the panel. The panel commands the strike to re-engage, locking the door. The system logs a 'door closed' event. The access control log now shows one entry event for the authorized user, but two people are inside. This discrepancy may be detected later through CCTV review or by comparing badge counts with headcounts.
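The mechanism steps, the configuration settings (door strike timeout and anti-passback) and the walk-through above all describe the same control behaviour, so the following simulation is added here to show it in code. It is an illustration written for this chapter, not code from any real access control product (Lenel, Honeywell, Brivo or otherwise). The badge IDs, the timing values and the body-count sensor are constructed; a real panel has no body-count sensor unless one is fitted, which is exactly why its log shows one entry when two people walked through.

```python
# Simulated access control panel (added example; hypothetical class and badge IDs).
# Models the door strike timeout, anti-passback and the event log from the
# mechanism steps, plus a constructed body-count sensor for the detection idea
# of comparing badge counts with headcounts.
from dataclasses import dataclass, field


@dataclass
class AccessPanel:
    unlock_seconds: float = 3.0        # door strike timeout (page: typically 3-5 s)
    anti_passback: bool = True
    authorized: set = field(default_factory=lambda: {"A123", "B456"})  # constructed badges
    inside: set = field(default_factory=set)   # badges currently "in" for anti-passback
    unlocked_until: float = -1.0               # time at which the strike re-engages
    bodies_passed: int = 0                     # hypothetical body-count sensor
    log: list = field(default_factory=list)    # (time, event, badge, detail)

    def badge_in(self, badge: str, t: float) -> bool:
        """Steps 1-2: validate the credential and release the strike for the timeout."""
        if badge not in self.authorized:
            self.log.append((t, "DENIED", badge, "unknown credential"))
            return False
        if self.anti_passback and badge in self.inside:
            self.log.append((t, "DENIED", badge, "anti-passback: no exit logged"))
            return False
        self.inside.add(badge)
        self.unlocked_until = t + self.unlock_seconds
        self.log.append((t, "ENTRY", badge, "strike released"))
        return True

    def badge_out(self, badge: str, t: float) -> None:
        """Exit reader: clears the anti-passback state for this badge."""
        self.inside.discard(badge)
        self.log.append((t, "EXIT", badge, ""))

    def is_unlocked(self, t: float) -> bool:
        return t <= self.unlocked_until

    def body_passes(self, t: float) -> bool:
        """Steps 3-4: a body crosses the threshold. No credential is involved, so
        the panel logs nothing; only the hypothetical sensor counts it."""
        if not self.is_unlocked(t):
            return False
        self.bodies_passed += 1
        return True

    def headcount_discrepancy(self) -> int:
        """Detection idea from step 5: bodies counted minus ENTRY events logged."""
        entries = sum(1 for _, event, _, _ in self.log if event == "ENTRY")
        return self.bodies_passed - entries


def tailgating_scenario(unlock_seconds: float, follower_delay: float = 2.5) -> dict:
    """Authorized user badges in at t=0 and enters; a second body reaches the
    door follower_delay seconds later; state is then checked after the timeout."""
    panel = AccessPanel(unlock_seconds=unlock_seconds)
    panel.badge_in("A123", t=0.0)
    panel.body_passes(t=0.5)                        # step 3: authorized user enters
    followed = panel.body_passes(t=follower_delay)  # step 4: second body, no credential
    return {
        "follower_passed": followed,
        "relocked_after_timeout": not panel.is_unlocked(t=unlock_seconds + 0.5),  # step 5
        "entries_logged": sum(1 for _, e, _, _ in panel.log if e == "ENTRY"),
        "discrepancy": panel.headcount_discrepancy(),
    }


def anti_passback_scenario() -> tuple:
    """Anti-passback rejects the same badge re-entering before an exit: the
    credential-reuse case it is built for, which is not a second body."""
    panel = AccessPanel()
    first = panel.badge_in("A123", t=0.0)
    reuse = panel.badge_in("A123", t=10.0)   # denied: A123 has not badged out
    panel.badge_out("A123", t=20.0)
    again = panel.badge_in("A123", t=30.0)   # allowed again after the exit
    return first, reuse, again


if __name__ == "__main__":
    print("5 s timeout:", tailgating_scenario(5.0))    # follower passes; 1 entry, discrepancy 1
    print("2 s timeout:", tailgating_scenario(2.0))    # door already relocked at 2.5 s
    print("anti-passback:", anti_passback_scenario())  # (True, False, True)
```

With the 5-second timeout the follower gets through, the log holds a single ENTRY event, and only the constructed body-count sensor reveals the discrepancy. Shortening the timeout to 2 seconds closes the window for this particular delay, and anti-passback correctly refuses the reused badge while never seeing the follower at all. The model deliberately omits the door-position sensor extending the timeout while the door is physically held open, which in practice widens the window further.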

What This Looks Like on the Job

Enterprise Scenario 1: Data Center Access Control

A large financial institution operates a data center with multiple access zones. The outermost door uses a card reader with a 5-second timeout. Despite anti-passback enabled, tailgating incidents occurred frequently during shift changes. The solution was to install a mantrap (access control vestibule) with two interlocking doors. Each door requires a separate authentication. The first door opens, the user enters a small room (about 6x6 feet), the first door closes and locks, then the second door unlocks. This prevents tailgating because only one person can be in the vestibule at a time. The system uses optical sensors to detect if more than one person enters. If so, an alarm triggers and both doors lock, trapping the individuals until security arrives. The mantrap is configured with a 10-second timeout for the interior door; if not used, the system resets. Performance considerations: the mantrap creates a bottleneck during peak hours, so the organization added a second mantrap and used security guards during high-traffic periods. Misconfiguration: if the door sensors are misaligned, the system may falsely detect multiple people, causing false alarms and frustration.
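To make the interlock rules in this scenario concrete, the following controller is added as an example written for this chapter; it is not code from the institution or any vendor, and the class, method names and badge IDs are hypothetical. It models the rules the scenario states: the two doors are never open together, each door takes its own credential, the interior door is released only for the 10-second timeout after the outer door locks, and an occupancy count above one from the optical sensors raises the alarm and locks both doors. The occupancy count is supplied by the caller, standing in for the optical sensors.

```python
# Mantrap (access control vestibule) interlock controller, added example.
# Hypothetical class; badge IDs and sensor readings are constructed.
from dataclasses import dataclass, field


@dataclass
class Mantrap:
    authorized: frozenset = frozenset({"A123", "B456"})  # constructed badge IDs
    interior_timeout: float = 10.0     # page: 10-second timeout for the interior door
    outer_open: bool = False
    inner_open: bool = False
    occupants: int = 0                 # as reported by the optical sensors
    alarm: bool = False
    inner_unlocked_until: float = -1.0
    events: list = field(default_factory=list)

    def _log(self, t: float, msg: str) -> None:
        self.events.append((t, msg))

    def present_outer(self, badge: str, t: float) -> bool:
        """Outer door: refused while alarmed, while the inner door is open
        (interlock), or for an unknown badge."""
        if self.alarm or self.inner_open or badge not in self.authorized:
            self._log(t, f"outer DENIED {badge}")
            return False
        self.outer_open = True
        self._log(t, f"outer released {badge}")
        return True

    def sensor_bodies_entered(self, bodies: int, t: float) -> bool:
        """Optical sensors count bodies crossing into the vestibule."""
        if not self.outer_open:
            return False
        self.occupants += bodies
        self._log(t, f"{bodies} entered, occupancy {self.occupants}")
        return True

    def close_outer(self, t: float) -> bool:
        """Outer door closes and locks. More than one body inside: alarm and keep
        the inner door locked. Otherwise start the interior timeout."""
        self.outer_open = False
        if self.occupants > 1:
            self.alarm = True
            self.inner_unlocked_until = -1.0
            self._log(t, "ALARM multiple occupants, both doors locked")
            return False
        self.inner_unlocked_until = t + self.interior_timeout
        self._log(t, "outer locked, inner unlocked")
        return True

    def present_inner(self, badge: str, t: float) -> bool:
        """Inner door: valid badge, outer door closed, no alarm, timeout not expired."""
        if (self.alarm or self.outer_open or badge not in self.authorized
                or t > self.inner_unlocked_until):
            self._log(t, f"inner DENIED {badge}")
            return False
        self.inner_open = True
        self.occupants = 0
        self._log(t, f"inner released {badge}")
        return True

    def close_inner(self, t: float) -> None:
        self.inner_open = False
        self.inner_unlocked_until = -1.0
        self._log(t, "inner locked, vestibule reset")


def single_person_passage() -> bool:
    m = Mantrap()
    steps = [m.present_outer("A123", 0), m.sensor_bodies_entered(1, 1),
             m.close_outer(2), m.present_inner("A123", 3)]
    m.close_inner(4)
    return all(steps)


def tailgater_trapped() -> tuple:
    """Two bodies cross the outer door on one credential."""
    m = Mantrap()
    m.present_outer("A123", 0)
    m.sensor_bodies_entered(2, 1)
    trapped = not m.close_outer(2)                   # alarm raised, inner stays locked
    inner_refused = not m.present_inner("A123", 3)   # the valid badge no longer helps
    return trapped, inner_refused, m.alarm


def doors_never_both_open() -> bool:
    m = Mantrap()
    m.present_outer("A123", 0); m.sensor_bodies_entered(1, 1); m.close_outer(2)
    m.present_inner("A123", 3)                # inner door now open
    return not m.present_outer("B456", 4)     # outer must refuse even a valid badge


def interior_timeout_expires() -> bool:
    m = Mantrap()
    m.present_outer("A123", 0); m.sensor_bodies_entered(1, 1); m.close_outer(2)
    return not m.present_inner("A123", 13)    # 13 s > 2 s + 10 s timeout


if __name__ == "__main__":
    print(single_person_passage(), tailgater_trapped(),
          doors_never_both_open(), interior_timeout_expires())
```

The misconfiguration the scenario mentions maps directly onto `sensor_bodies_entered`: misaligned sensors that report two bodies for one person produce the same alarm-and-lock outcome as a real tailgater, which is the false-alarm frustration described above. The page also allows a variant in which the second door unlocks automatically once the first closes; this model requires a credential at both doors, the stricter of the two.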

Enterprise Scenario 2: Office Building Lobby

A technology company with open-plan offices uses optical turnstiles at the main lobby. Employees swipe their badges, and the turnstile allows one person to pass. The turnstile uses infrared beams to detect if multiple people attempt to pass. If a tailgater tries to slip through, the turnstile alarms and locks, and the security desk is notified. The system logs each entry attempt. However, the turnstile cannot prevent piggybacking if an employee holds the gate for someone. To mitigate, the company enforces a policy that all employees must badge in individually, and security guards monitor the turnstiles. The turnstile software is configured with a 2-second delay between rotations. Common issue: employees with large bags or backpacks may trigger the alarm, requiring manual override. The company also uses CCTV with analytics to detect tailgating patterns.

Enterprise Scenario 3: Hospital Restricted Areas

A hospital restricts access to medication storage rooms and operating theaters. The access control system uses biometric palm scanners with a 3-second door timeout. Tailgating is a concern because staff often enter together. The hospital implemented a policy that only one person may enter per scan, and any individual holding the door for another will be subject to disciplinary action. Additionally, the doors are equipped with alarms that sound if the door is held open for more than 10 seconds. The system logs all door events and is reviewed weekly. The hospital also uses security guards to patrol sensitive areas. Despite these measures, piggybacking occurs when a nurse asks a colleague to hold the door while carrying supplies. The hospital addresses this through ongoing security awareness training and by providing hands-free badge holders that allow staff to badge in without using their hands.

How 220-1102 Actually Tests This

What the 220-1102 Exam Tests

The CompTIA A+ Core 2 exam (220-1102) covers tailgating and piggybacking under Objective 2.5: 'Explain common social engineering attacks, threats, and vulnerabilities.' Specifically, you need to:

Differentiate between tailgating and piggybacking.

Identify prevention methods: mantrap, access control vestibule, security guards, CCTV, and security awareness training.

Recognize that these are physical security attacks that exploit human behavior.

Understand that tailgating is without consent, piggybacking is with consent.

Common Wrong Answers and Why Candidates Choose Them

1. 'Anti-passback prevents tailgating' — Candidates confuse anti-passback (which prevents credential reuse) with physical body counting. Anti-passback does not prevent a person from following; it only prevents the same badge from being used twice to enter. The correct answer is that anti-passback is a logical control, not a physical barrier.

2. 'Biometrics prevent piggybacking' — Biometrics authenticate the user, but if the user holds the door for someone else, the biometric does not stop the second person. Biometrics reduce piggybacking because the user must physically interact with the scanner, but they are not foolproof.

3. 'CCTV prevents tailgating' — CCTV is a detective control, not a preventive one. It records incidents but does not stop them. The exam expects you to know that CCTV is used for identification after the fact.

4. 'Tailgating and piggybacking are the same' — The exam explicitly tests the difference. Tailgating is without the authorized person's knowledge; piggybacking is with their consent (explicit or implicit).

Specific Numbers and Terms That Appear on the Exam

Mantrap: Also called an 'access control vestibule' or 'interlocking door system.'

Door strike timeout: Typically 3-5 seconds.

Security awareness training: The most effective prevention method for the human element.

Social engineering: Tailgating and piggybacking are categorized as social engineering attacks.

Edge Cases and Exceptions

Tailgating with a distraction: Attackers may carry boxes or appear to be in a hurry to gain sympathy. The exam may describe a scenario where an attacker asks the user to hold the door while carrying a heavy load. This is piggybacking if the user agrees.

Tailgating through a garage gate: Vehicles can tailgate through a gate that opens for one car. The same principles apply.

Tailgating via a service entrance: Service entrances are often less monitored, making them vulnerable.

How to Eliminate Wrong Answers

If the answer mentions a technical control that does not involve a physical barrier, it is likely wrong for prevention. Look for mantrap, turnstile, or security guard.

If the scenario describes the authorized person being unaware, it is tailgating. If the authorized person is aware and consents, it is piggybacking.

If the question asks for the 'best' prevention, choose security awareness training because it addresses the root cause: human behavior.

Remember that physical security controls like locks and fences do not prevent tailgating because they rely on the door being closed.

Key Takeaways

Tailgating is unauthorized entry without the authorized person's knowledge; piggybacking is with their consent.

The most effective prevention is security awareness training for employees.

A mantrap (access control vestibule) physically prevents tailgating with two interlocking doors.

Anti-passback does not prevent tailgating; it only prevents credential reuse.

CCTV is a detective control, not a preventive control, for tailgating.

Door strike timeouts are typically 3-5 seconds; reducing the timeout can mitigate tailgating.

Turnstiles with sensors can detect multiple people passing and trigger alarms.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Tailgating

Occurs without the authorized person's knowledge or consent.

Attacker follows closely behind as the door opens.

Often relies on the door's unlock timeout window.

The authorized user is not complicit.

Example: A person slips through a door after an employee badges in.

Piggybacking

Occurs with the authorized person's explicit or implicit consent.

Authorized person holds the door or invites the attacker in.

Exploits social norms like politeness or helpfulness.

The authorized user is complicit, even if unknowingly.

Example: An employee holds the door for someone claiming to have forgotten their badge.

Watch Out for These

Mistake

Anti-passback prevents tailgating because it stops the same badge from being used twice.

Correct

Anti-passback prevents the same credential from being used to enter twice without an exit. It does not prevent a different person from following an authorized user through an open door. Tailgating exploits the physical door being open, not the credential reuse.

Mistake

A simple keycard door lock is sufficient to prevent unauthorized entry.

Correct

Keycard locks authenticate the person who swipes the card, but they cannot detect if multiple people enter during the unlock period. Tailgating bypasses the lock entirely by using the authorized user's entry.

Mistake

Biometric scanners eliminate tailgating because they are more secure.

Correct

Biometrics authenticate the user, but once the door is unlocked, any number of people can walk through. Biometrics may reduce piggybacking because the user must physically interact, but tailgating is still possible if the user does not ensure the door closes behind them.

Mistake

Tailgating and piggybacking are the same attack with different names.

Correct

The key difference is consent. Tailgating occurs without the authorized person's knowledge. Piggybacking occurs with their consent, either explicit (holding the door) or implicit (not challenging the person). The CompTIA exam tests this distinction.

Mistake

CCTV cameras prevent tailgating because attackers will see them and be deterred.

Correct

CCTV is a deterrent and detective control, but it does not physically prevent tailgating. An attacker may still tailgate if they believe they can avoid detection or if they are desperate. The only preventive controls are physical barriers like mantraps or security guards.


Frequently Asked Questions

What is the difference between tailgating and piggybacking?

Tailgating is when an unauthorized person follows an authorized person through a secured entrance without the authorized person's knowledge or consent. Piggybacking is when the authorized person knowingly or unknowingly allows the unauthorized person to enter, often by holding the door. The key distinction is consent. On the exam, if the scenario says the authorized person was unaware, it's tailgating; if they held the door or allowed it, it's piggybacking.

How does a mantrap prevent tailgating?

A mantrap is a small room with two interlocking doors. Only one door can be open at a time. To enter, a person must authenticate at the first door, enter the room, then authenticate again (or the second door unlocks automatically after the first closes). This ensures only one person can pass per authentication. If a tailgater tries to enter with the authorized person, optical sensors detect multiple people and trigger an alarm, trapping them.

Can anti-passback prevent tailgating?

No. Anti-passback prevents the same credential from being used to enter twice without an exit. For example, if a user badges in, they cannot badge in again until they badge out. However, tailgating does not involve using the same credential twice; it involves a second person passing through the same door. Anti-passback is a logical control, not a physical barrier.

What is the best way to prevent piggybacking?

The best prevention is security awareness training that teaches employees to never hold doors for strangers, to challenge anyone without a visible badge, and to report suspicious behavior. Additionally, physical controls like turnstiles or mantraps can enforce one-person-per-authentication. However, because piggybacking relies on human behavior, training is the most direct countermeasure.

Is tailgating considered a social engineering attack?

Yes, tailgating is a social engineering attack because it exploits human behavior and social norms (e.g., not wanting to appear rude or suspicious). It is classified under physical security and social engineering in the CompTIA A+ objectives. Other social engineering attacks include phishing, vishing, and shoulder surfing.

What is the door unlock timeout and why is it important?

The door unlock timeout is the duration (typically 3-5 seconds) that a door remains unlocked after a valid credential is presented. A longer timeout increases the window for tailgating. Reducing the timeout to the minimum practical value (e.g., 2 seconds) can help mitigate tailgating. However, too short a timeout may frustrate users and cause them to hold the door, inadvertently enabling piggybacking.

How do turnstiles prevent tailgating?

Turnstiles physically allow only one person to pass per rotation. Optical turnstiles use infrared beams to detect if more than one person attempts to pass; if so, they trigger an alarm and lock the turnstile. Full-height turnstiles are like revolving doors that cannot be bypassed. They are effective because they enforce one-person-per-authentication mechanically.
