One pair of terms that never seems to get a consistent answer from one security analyst to the next within the community is piggybacking and tailgating, and what the difference between them is.
Let’s take a quick step back and make sure that we all know what we are talking about. If you are not a security analyst, you have undoubtedly seen one or both of these terms used in security awareness training. Most people, including some security experts, think that the two terms are synonymous: an unauthorized person following an authorized person into a secure space. That secure space could be an entire building or grounds, or just a room. As you may have guessed, by virtue of there being a post on the matter, the terms are not one and the same.
It is important to know that the terms apply to physical security scenarios and not to system or logical access. Someone who uses another person’s credentials to access a system is simply an unauthorized user.
In both tailgating and piggybacking cases we are speaking specifically of entry into a secured space. That means being polite and holding a publicly accessible door open for someone at the mall, church or even a business does not apply here. That changes if the entry point is designed to be secured with any mechanism: lock and key, a proximity badge, one-person pass devices like rotating doors or turnstiles, or even an unlocked door with a sign announcing that only employees or authorized parties are permitted entry.
In the process of tailgating or piggybacking, a person follows an authorized individual into the secure or restricted space. The authorized individual is always either presenting a security credential or can present some evidence of authorization. The second person cannot present a credential that authorizes their access to the space. This is where the difference between the two terms comes into play.
Tailgating is when an unauthorized person follows an authorized person into the secure or restricted area WITHOUT the consent of the authorized person.
Piggybacking is when an unauthorized person follows an authorized person into the secure or restricted area WITH the consent of the authorized person.
How do I remember this, as it is confusing? Simply this. When someone tailgates you while driving (or, if you like NASCAR, drafts you), it is without your consent. However, if you give someone, like a child, a piggyback ride, it is generally with your consent. Maybe that little trick will help you (it helps me) remember the difference between the two.