Attendance trust · 5 min read

How to reduce buddy punching without making field work painful

A practical framework for combining selfie evidence, local biometric approval, approved devices, and manager review without slowing employees down.

By Onsight Editorial · Workforce intelligence team

Buddy punching is the oldest payroll leakage problem in field operations. One employee taps in for a colleague who is late, absent, or off-site, and the timesheet records both as present. The cost is rarely a single shift. It compounds across weeks, normalises into a culture, and slowly erodes the integrity of every report you pull.

The instinct is to layer in stricter rules: face scans, fingerprint readers, surprise audits. But field teams are not warehouse floors. Workers are mobile, networks are patchy, and the people you are trying to protect are also the people you are asking to comply. Make controls too painful and you trade fraud for refusal — employees stop checking in at all, and the data you wanted gets worse, not better.

The framework below is what we recommend to operations leaders who want to close the buddy-punching gap without breaking the field experience.

The four layers that actually work

Most fraud-resistant attendance systems combine four layers. None of them is sufficient alone. Together they make impersonation expensive enough that it stops being a habit.

1. Bind the check-in to a person, not a credential

Passwords and PINs are shareable. Selfies and on-device biometrics are not — at least not at the scale and speed buddy punching depends on.

A selfie captured at the moment of check-in serves three purposes:

  • It creates visual evidence that survives long after the shift ends.
  • It introduces social friction — most employees will not photograph themselves committing fraud for a colleague.
  • It produces a reviewable artefact for HR and compliance when an exception is flagged.

Pair the selfie with the device's local biometric (Face ID, fingerprint) as the approval gesture. This keeps the biometric template on the device — you never store a face vector on your servers — while still requiring the employee's actual presence to complete the action.

2. Bind the check-in to a place

A selfie taken in the wrong location is still evidence of fraud. Geofencing turns location into a precondition: the check-in button does not appear, or appears in a warning state, when the device is outside the approved boundary.

The important detail here is precision. A geofence drawn too wide accepts check-ins from the car park down the road. A geofence drawn too tight produces false rejections on rainy days when GPS drifts. The right default is a 50–80 metre radius for most worksites, with named adjustments for large facilities (hospitals, construction sites, distribution centres).

3. Bind the check-in to a device

A given employee should be checking in from a known device — usually their personal phone, registered on first use. When a check-in arrives from a different device, that is a signal worth surfacing.

You do not have to block it. A first-time device on a Monday morning is often just a replaced phone. But the system should:

  • Flag the check-in as a device exception.
  • Require manager review before the timesheet entry is finalised.
  • Prompt the employee to re-register the new device with an additional approval step.

This single control kills the most common buddy-punching pattern: one employee, two phones, two check-ins.

4. Make exceptions visible, not hidden

The fourth layer is organisational. If selfies, geofences, and device signals all live inside a system nobody reviews, they do nothing. The point is not to collect evidence. The point is to act on it.

A weekly attendance exception report — five minutes for a supervisor to scan — should surface:

  • Check-ins outside the geofence
  • Check-ins from a new or unapproved device
  • Selfies that failed verification
  • Manual overrides by managers

Make the review part of the operating rhythm. Make sign-off auditable. Buddy punching collapses quickly when employees understand that someone actually looks.
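How the place, device and visibility layers can feed one exception report, as an added example that is not Onsight's code. The field names, the 65 m radius (picked from inside the 50–80 metre default above) and the sample check-ins are assumptions; nothing is blocked, anomalies are only flagged for review.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

@dataclass
class Site:
    lat: float
    lon: float
    radius_m: float = 65.0  # assumption: inside the article's 50-80 m default

@dataclass
class CheckIn:
    employee: str
    lat: float
    lon: float
    device_id: str
    selfie_verified: bool
    manager_override: bool = False

def distance_m(lat1, lon1, lat2, lon2):  # haversine distance in metres
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def exceptions_for(c, site, registered):
    """Flags for one check-in. It is always recorded; flags only route it to review."""
    checks = {
        "outside_geofence": distance_m(c.lat, c.lon, site.lat, site.lon) > site.radius_m,
        "device_exception": c.device_id not in registered.get(c.employee, set()),
        "selfie_failed": not c.selfie_verified,
        "manager_override": c.manager_override,
    }
    return [name for name, hit in checks.items() if hit]

def weekly_report(checkins, site, registered):
    """Only the check-ins a supervisor needs to look at, with their reasons."""
    return [(c.employee, f) for c in checkins if (f := exceptions_for(c, site, registered))]

# Constructed sample data (names, coordinates and device ids are made up)
SITE = Site(51.5000, -0.1200)
DEVICES = {"amy": {"dev-a1"}, "ben": {"dev-b1"}}
CHECKINS = [
    CheckIn("amy", 51.5001, -0.1201, "dev-a1", True),   # on site, known device
    CheckIn("ben", 51.5001, -0.1201, "dev-x9", True),   # device not registered to ben
    CheckIn("amy", 51.5030, -0.1200, "dev-a1", False),  # ~330 m away, selfie failed
]
```

Calling weekly_report(CHECKINS, SITE, DEVICES) returns the two flagged check-ins with their reasons and leaves the clean one out.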

What to skip

Several controls sound good in slide decks but cause more friction than the fraud they prevent is worth.

Continuous tracking. Recording location every five minutes throughout a shift is rarely necessary, often illegal under local labour law, and almost always corrosive to trust. Capture location at check-in and check-out. That is enough for compliance.

Server-side face matching at scale. Sending every selfie to a face-recognition API is expensive, slow, and creates a new privacy surface. Use the selfie as evidence, not as the primary authentication. Reserve face matching for exception review, not the default path.

Hard biometric enforcement. Requiring fingerprint on every check-in produces failure rates that frustrate workers with worn or wet hands. Use local biometrics as the approval gesture for the check-in, not as the check-in itself.

Punitive defaults. A system that blocks attendance on any anomaly punishes employees for poor signal as much as for fraud. Default to capture and flag, not to block. Let humans resolve ambiguity.

The rollout sequence that holds

In our experience helping teams roll this out, the order matters as much as the controls.

  1. Week 1–2. Turn on geofencing and selfie capture as required fields. No enforcement yet. Watch the data.
  2. Week 3. Identify your three or four highest-anomaly sites and have supervisors review the exception report together with their teams. The point is education, not discipline.
  3. Week 4–6. Enable device binding. New devices generate exceptions; managers review and approve.
  4. Week 7+. Move from review-only to enforced policies on the categories you trust the data on. Keep the rest in review mode.

The teams that succeed treat this as an operations project, not an IT project. The technology is the easy part. The operating rhythm — who reviews, when, with what authority — is what makes the controls real.

What "good" looks like

A mature field attendance programme should be able to answer three questions on any given day:

  • For every shift recorded, who checked in, where were they, and on what device?
  • Of the exceptions raised, how many were resolved, by whom, and with what outcome?
  • Across sites and teams, where is the anomaly rate trending up — and what changed there?

If you can answer those three questions without exporting to a spreadsheet, you have moved past attendance tracking. You have an attendance integrity programme. That is the goal.
