Time & Attendance Tutorial
By: Brian Rhodes, Published on Jul 18, 2013
Access Control is useful for more than unlocking doors. One of the best features is also rarely used: Time and Attendance logging. However, selecting the 'same old' door readers for this role can open several vulnerabilities to abuse. In this note, we look at Time & Attendance Readers for Access Control, describe what features they should have, and what problems arise if they are not properly implemented.
Time Logging is Central
One of the most powerful features of EAC is the time/date stamp associated with every event in a system. Not only do systems log when a door opens, they also record whose credential was used to open it, typically down to the second.
Time Logging makes it possible to 'track' a user's movement through a system, and provide a concrete record of where a person was at a given time. These logs have even been used to solve murders and otherwise establish presence at certain times with high precision.
Time Clock Function
With relatively minor adjustments, most EAC systems can use 'time logging' with time clocks.
Many workers are paid an hourly wage. Clearly establishing when they start their job and when they stop working is crucial, as 'time' is indeed 'money'. Capturing this time has traditionally been the function of precise clocks, where workers insert cards to have the time indelibly punched out on a given day. Indeed, "punching the timeclock" is a common saying.
However, the method is not problem free. First and foremost, abuse is a risk, where an employee punches more than just his or her own card. This type of fraud is at the forefront of many HR and Corporate issues. Many seek to eliminate this risk/temptation entirely. While time clocks are primarily intended to protect the employer, the employee also benefits from having a clear record of attendance to lean on when calculating paid vacation days, sick days, or overtime pay.
Using the EAC system for Time & Attendance often means setting aside separate readers for the sole purpose of recording 'In' and 'Out' entries in the system. Once a pay period closes, a report is created listing activity on these two readers, summing the 'In' periods and subtracting the 'Out' intervals, leaving an accurate record of attendance.
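The pay-period report described above can be sketched as follows. This is an added example, not code from any EAC product: the event format, names and sample punches are constructed, and it goes one step beyond the text by listing unpaired punches for manual review instead of silently guessing hours.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: (timestamp, credential holder, reader). Not real data.
EVENTS = [
    ("2013-07-15 08:00:05", "alice", "IN"),
    ("2013-07-15 12:01:10", "alice", "OUT"),
    ("2013-07-15 12:45:00", "alice", "IN"),
    ("2013-07-15 17:02:30", "alice", "OUT"),
    ("2013-07-15 08:03:00", "bob", "IN"),
    ("2013-07-15 08:03:40", "bob", "IN"),     # double punch
    ("2013-07-15 16:30:00", "bob", "OUT"),
    ("2013-07-15 17:00:00", "carol", "OUT"),  # no matching IN
    ("2013-07-15 22:00:00", "dave", "IN"),    # never clocked out
]

def attendance_report(events):
    """Return ({person: worked timedelta}, [exceptions needing manual review])."""
    fmt = "%Y-%m-%d %H:%M:%S"
    per_person = defaultdict(list)
    for ts, person, reader in events:
        per_person[person].append((datetime.strptime(ts, fmt), reader))

    totals, exceptions = {}, []
    for person, punches in per_person.items():
        open_in, worked = None, timedelta()
        for when, reader in sorted(punches):
            if reader == "IN":
                if open_in is not None:
                    # Keep the earliest IN and report the repeat.
                    exceptions.append((person, when, "IN while already clocked in"))
                else:
                    open_in = when
            elif open_in is None:
                exceptions.append((person, when, "OUT without matching IN"))
            else:
                worked += when - open_in
                open_in = None
        if open_in is not None:
            exceptions.append((person, open_in, "IN with no OUT in this export"))
        totals[person] = worked
    return totals, exceptions

if __name__ == "__main__":
    totals, exceptions = attendance_report(EVENTS)
    for person, worked in totals.items():
        print(person, worked)
    for item in exceptions:
        print("REVIEW:", *item)
```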
Multi Factor Makes Sense
In order to avoid the pitfall of 'buddy punching' (a risk EAC systems normally call 'passback'), Time and Attendance readers should feature multiple authentication factors, including fingerprint or palm readers. This 'extra authentication' ensures that no one can casually misrepresent themselves as another person.
Most modern EAC Time & Attendance readers feature biometrics, typically resembling the examples below:
This style of reader is sometimes sold as a 'standalone' timeclock system that requires no EAC system interface, but this increases cost when connecting them with access headends. EAC systems simply need an interface to collect this data. General biometric access readers can be used in this role successfully (e.g., see our note on 3M/Cogent's MiY Touch).
When EAC platforms market a 'time and attendance' function, this is frequently more than generating custom reports. Many EAC systems will format data so it can be manually exported into payroll systems like Kronos or Sage. However, this is typically a manual process, and accounting or payroll staff require instruction on the access platform to collect reports. The screenshot below shows Paxton's default export screen of Time and Attendance data:
In other cases, 'Time & Attendance' function may be based in the Access Platform, but an additional 'payroll module' is added to the platform for direct integration. This additional software becomes the default payroll platform, so adoption in large systems may need approval from 'non-security' stakeholders.
Common enterprise-grade platforms offer additional 'software module' solutions, including:
Readers: You could simply use a regular card reader, but if you want to avoid buddy punching, time and attendance biometric readers range between ~$300 and ~$2000 each, with high-accuracy optical fingerprint readers costing around $700 each. (See our report on fingerprint readers for more detail.) Multiple readers may be required for large sites, and expanding the EAC system often includes adding controllers or interfaces to support those readers.
Basic Software: General costs to add a Time and Attendance module range from 'free' upwards of ~$3000. Many platforms offer a 'no additional cost' timeclock functionality to their basic system, but the data must be manually incorporated into a payroll platform.
Advanced Software: 3rd Party software / integration modules provide a more automated interface, but typically cost between ~$500 and ~$3000, generally depending on the size of a company's employee roster and the number of sites where data is collected. For most enterprise access systems, these modules cost about ~$1,000 each.
What are the Risks?
While using EAC to host time clock function can be advantageous, it is not without risks:
- Clock Drift: In effect, the EAC system clock serves as the payroll clock. While a variety of solutions for synchronizing/standardizing time exist, such as NTP Servers and central data clocks, differences between EAC and other timepieces can create significant problems. When EAC is used for Time and Attendance, keeping system time in sync with the local standard time is vital.
- Single System Breakage: Or rather 'Putting all your Eggs in One Basket'. As a matter of redundancy, if your EAC system drops offline, so does your Time Clock. While hiccups in granting access through offline doors can often be solved by issuing mechanical keys, no simple solution exists for Time and Attendance failover. You might want to have an older manual timeclock as a backup, just in case, and for the time the system is offline, manually reconcile the timeclock entries.
- Passback Conflicts: For access systems using 'Anti-Passback' controls, logic discrepancies can cause low-level conflicts with Time Clock readers. If an employee 'scans In' to the timeclock, and then immediately 'scans In' to a normally secured door, the EAC system may generate an alarm or deny access unless the timeclock reader is isolated from passback rules. Given the large number of doors across multiple sites, or large populations of employees in a single system, these sorts of errors can be common and hard to troubleshoot.
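The passback conflict in the last item can be reproduced with a small model of the rule. This is an added example, not taken from any vendor's platform: the `AntiPassback` class, the reader names and the badge number are hypothetical, and real systems implement passback areas with more states than this.

```python
# Constructed model of an anti-passback rule; reader names are hypothetical.
class AntiPassback:
    """Tracks whether each credential is marked 'inside' the passback area."""

    def __init__(self, exempt_readers=()):
        self.exempt = set(exempt_readers)  # readers that log but skip passback
        self.inside = set()                # credentials currently marked 'in'
        self.log = []                      # every scan is still time-stamped

    def scan(self, credential, reader, direction):
        """direction is 'in' or 'out'; returns 'granted', 'logged' or 'violation'."""
        if reader in self.exempt:
            result = "logged"              # event recorded, passback state untouched
        elif direction == "in" and credential in self.inside:
            result = "violation"           # second 'in' without an 'out' in between
        elif direction == "out" and credential not in self.inside:
            result = "violation"           # 'out' from someone never marked 'in'
        else:
            if direction == "in":
                self.inside.add(credential)
            else:
                self.inside.discard(credential)
            result = "granted"
        self.log.append((credential, reader, direction, result))
        return result

def morning_arrival(system):
    """Employee punches the time clock, then badges through a secured door."""
    return [
        system.scan("badge-1001", "timeclock-in", "in"),
        system.scan("badge-1001", "lobby-door-in", "in"),
    ]

if __name__ == "__main__":
    # Time clock shares passback rules with the doors: the door scan is rejected.
    print(morning_arrival(AntiPassback()))
    # Time clock readers isolated from passback rules: both scans succeed.
    print(morning_arrival(AntiPassback({"timeclock-in", "timeclock-out"})))
```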
What are the Benefits?
However, it makes good business sense to use EAC to host 'Time and Attendance' function, for reasons including:
- Less to Buy, Maintain: While a single system can be a weakness, it can also be efficient. Many facilities prioritize the upkeep of facility access systems, and issuing a credential for access also means it can be used for payroll. The investment in one facility system can be leveraged by another.
- Expanded Security Controls: In normal use, if an employee has a security credential revoked in an EAC system, they immediately become invalid in the payroll system. In addition, tying the two systems together can prevent an unauthorized employee from gaining access to a 'Time In' reader before an allotted shift and help manage overtime payouts. Payroll hour allocations become enforceable by physical access controls.