QuickBooks Time (formerly TSheets) recently estimated that buddy punching--when one employee clocks in for a coworker who is late for work--costs U.S. companies more than $373 million annually. Put another way, buddy punching on average costs $298 per employee per year. The study also found that 16 percent of employees surveyed admitted to clocking in for a colleague.
Back in 2009, Nucleus Research, a global IT services firm, reported that three out of four companies experience loss from buddy punching.
The Nucleus study found that biometric time clock software--systems that use our physical characteristics such as a fingerprint, eye, face or voice to authenticate identify--reduces buddy punching and payroll error.
The major benefits of biometric time clocks are convenience and accuracy--it's hard to fake a person's unique characteristic. "Biometrics do away with the need to remember passwords, and you don't have to worry about losing or forgetting badges," says Elizabeth Counts, COO of LightWork Software, an HR software developer. "Most important, its accuracy in identifying the person using the device eliminates buddy punching."
Biometrics aren't for every business. Read on for information on cost, security, implementation, user resistance, and what to look forward to.
Biometric identification systems can be costly depending on the type of device, Counts says. Besides software, you need to consider hardware costs. Ian Paterson, CEO of Plurilock, agrees. "Fingerprints require fingerprint readers, facial recognition requires special infrared cameras to work well, and retinal scans are even more cumbersome," he told SecurityWeek.
But the underlying technology has steadily fallen in price. A 2015 study by Carnegie Research estimates that the cost of a single fingerprint sensor for use in a smartphone will fall from $5.50 in 2014 to $2 by 2020.
Some time clock systems, like TSheets or Buddy Punch, reduce cost further by using your existing webcam or smartphone camera for flat image facial recognition. But are certainly less accurate than using infrared cameras.
While biometrics can have significant upfront costs, savings add up over time. Although seemingly simple, alphanumeric passwords are surprisingly costly to maintain. A 2015 study by Forrester research estimated that password reset requests cost organizations $168 per employee per year. And that figure may not fully capture the cost of lost productivity.
Biometrics naturally offer savings over access cards as well. A 2016 Samsung analysis finds that the annual cost of maintaining a smart card id system ranges from $55 to $95, whereas the comparable range for a biometric system is $2 to $3. "There will be significant savings in the long run," Counts says.
Everybody hates passwords. They're a pain to remember, and security best practices are virtually impractical without a password manager. Although repeatedly warned, most people reuse passwords or use common passwords, such as "123456" or "password". This puts business and personal information at risk.
Side rant: Even when well-aware of the risks, I've found most people--despite my best efforts to convince otherwise--won't even try a password manager.
Like any other sensitive data, you should be aware of how biometric readings are stored. Biometric data is susceptible to the same breach risks as any other data type--passwords, credit cards, social security numbers. We can change our credit card numbers after a breach, but changing our faces or fingerprints is another story.
In July 2017, for example, Avanti Markets, which offers fingerprint scanning for self-checkout in company break rooms across America, was compromised by malware designed to extract credit card information from point-of-sale devices. The company admitted that biometric data might also have been compromised.
It's impossible and unrealistic to expect any system to be 100% secure from any threat. Any security ID method can be spoofed or hacked with varying degrees of difficulty.
Data owners just need to find an acceptable level of risk, cost, and convenience trade off for the information they're protecting. If security is the utmost concern, most experts agree layering or multi-factor is best--using combinations of passwords, facial recognition, fingerprints, etc.
Single-factor biometric time clocks provide enough security for most businesses. And they're safer (for the most part) and more convenient than passwords or security cards.
Biometric devices may entail specific setup and usage challenges. It's important to consider how biometric hardware will integrate with existing payroll or HRMS software.
"It's easy enough to get hold of biometric hardware but that's where the real challenges begin," says Aniruddh Nagodra, CEO of factoHR, a human resource and payroll software provider. "There are numerous factors responsible for an unambiguous, easy and accurate payroll processing solution. It begins with the selection of a robust, versatile and innovative biometric time-attendance system and ends with technologically progressive HR and payroll software."
For industrial applications, companies should consider the environment where biometric technologies will be implemented. "In manufacturing plants where there is a lot of dust and dirt, it can be difficult for the reader to get the proper image to authenticate the user," LightWork's Counts says. But workarounds don't have to be complicated or expensive. "A plastic case for the time clock helps avoid this as a potential issue," she says.
In complex environments such as airports and restricted-access facilities, the logistics of biometric scanning become an important concern. Dubai International Airport, for example, has presented a concept for a "virtual aquarium tunnel," fitted with 80 hidden cameras, that recognizes passengers who have pre-registered by visiting one of the airport's 3D face scanning kiosks. However, to be effective, all airlines must commit to using it at all gates. At Dubai, the busiest airport in the world, biometric data would need to be collected at 230 different places.
Companies should develop plans to address employee and customer security and privacy concerns.
"In some organizations, there is a resistance to providing a handprint or fingerprint, as some employees find this invasive and feel this is intruding on their rights," Counts says. Complicating this issue is a misunderstanding of what data is being collected. "Biometric clocks do not take actual fingerprints or handprints," she says, "they only capture certain points on the employee's hand or finger."
Gradual exposure might be the key. Previous biometric id users often approve of its use. In 2017, passengers on flights from Gatwick to Dubai were surveyed after using biometric id trial systems. Eighty-two percent said they were comfortable with having biometric information captured, and 68 percent said using biometrics in an airport setting wasn't intrusive.
In a 2016 survey, 52 percent of consumers said they would like biometrics to replace passwords. Eighty percent believed biometrics would be more secure than passwords.
Education also helps to overcome employee resistance. Companies should point out the benefits, such as improved location tracking and faster response in the event of an emergency. Workplace concerns, such as whether their fingerprints will be turned over to law enforcement, should be addressed.
Expect scanner costs and availability to come down. I'd also expect more time clock software providers to use built-in biometric features on consumer mobile devices.
According to the tech-industry consultancy Juniper Research, more than 600 million mobile devices will be equipped with biometric recognition technology by 2021, including finger, face and voice scanning.
However, most biometric readers on smartphones and tablets are designed for single person per device use. Meaning your iPhone can't use Face ID for multiple people.
Several apps like TSheets, or Buddy Punch get around user limitations by implementing their own flat image facial recognition software. This allows them to offer on-site tablet kiosks for multiple employee punch-in. However, it's less accurate and secure than if they leveraged Apple's Touch ID, Face ID, or Samsung's Pass system.
I'd expect more time clock systems to offer support for Face ID and Samsung Pass. Fingercheck was the only time clock app we found that uses built-in biometrics.
Tsheets study found that 'buddy punching' costs averaged $5.74 per employee, per weekly timesheet. $5.74 × 52 weeks = $298.48.