Jim Courtwood
Author of the Time & Attendance Consultant's Guide Series

Biometric Time Clocks - Are they secure?

From time to time, there are concerns in the media regarding the security or lack thereof of a biometric system. Here are some of the potential security risks of biometrics but also how they don't apply to time and attendance.

Stolen biometric data: Like any other personal data, biometric data can be stolen or compromised. If biometric data is hacked or leaked, it could lead to identity theft or fraudulent activities. However, Employee biometric templates whether they are fingerprints of facial recognition, are generally stored on the timeclock and in a proprietary format that is of no use to any other system.

False positives and false negatives: Biometric systems may fail to correctly identify a person, resulting in either a false positive or false negative. This could potentially allow unauthorized access or deny access to authorized users.

A false negative just means that an employee can't clock in and will need to get their supervisor to register them again, taking more care when doing so. A better registration template will improve recognition in the future.

A false positive is exceptionally unlikely (about 1 in 10,000). Even In an access control system where entry to secure areas was concerned, this would be so unlikely it is barely worth considering.

Spoofing attacks: Attackers could create fake biometric data to fool the system into granting access to an unauthorized person. For example, facial recognition systems can be fooled using a high-quality printed photograph of a face.

This is possible in lower quality biometric time clocks, and again, if access control was involved, then it is possible a thief would invest in that strategy. In time and attendance, it would be unlikely that a coworker would risk dismissal by attempting to clock a coworker in using a picture of their friend.

Physical coercion: An attacker could physically force someone to provide biometric data, such as a fingerprint or facial recognition scan, to gain access to a secure system.  Again, this is an issue that relates to access control and not time and attendance.

Centralized databases: If biometric data is stored in a centralized database, it could be vulnerable to hacking or other cyber attacks. A breach of this database could lead to widespread identity theft.

As mentioned above, biometric data is usually stored on the clock, and those biometric templates are of no use to any other system.

Privacy concerns: Biometric data is considered highly sensitive personal information. The collection and storage of such data could lead to privacy concerns, particularly if it is not properly secured or handled. 

The biometric information stored on employee time clocks is a mathematical representation of the employee's fingerprint or face. That representation bears no resemblance to the actual face or finger of the employee and cannot be used by other applications and a method of identification.

 In summary, the security concerns associated with biometric data do not apply to time and attendance. However, many of these issues do apply to access control applications.

Jim Courtwood

Time & Attendance Consultant