Skip to content
Menu
menu

Illustration by iStock

How to Overcome Employee Resistance When Adopting Biometric Access Control

What would you do for a $5 coupon? Many consumers would happily hand over a variety of personally identifying information (PII), including their biometric data, if it saved them a couple of bucks on a purchase or got them into a reward-based loyalty program. But when their workplace requires their biometrics for access and identity management, many employees balk.

How can security leaders leverage people’s appetite for convenience or a bargain to increase biometric buy-in in the workplace?

“When it’s something that’s a benefit to me at the end of the day, most people are willing to opt in,” says Jon Polly, PSP, chief solutions officer at consultancy ProTecht Solutions Partners, LLC, and chair of the ASIS International Emerging Technologies Community. “That’s a lot easier than if they are at a company that says ‘hey, this is a requirement.’ I guess we’re all rebels at heart.”

This follows prior resistance around bring-your-own-device (BYOD) policies that allowed or required employees to use their personal smartphones for work applications while also giving employers the right to wipe that device when the employee left the organization. Although smartphone applications were quickly adopted and were in high demand, the perceived imposition of employer-required device use put employees off. In some cases, it even delayed adoption—even if the app would have made it easier for employees to do their jobs.

Similarly, consumers are quick to adopt biometric-based systems that save them money or time, such as fingerprint or facial recognition to unlock smartphones, or signing up for facial recognition-linked rewards programs at grocery stores. Many even embrace using biometrics in payment systems at retail shops. But something about using biometrics for security purposes or at work puts people on edge, says Mohammed Murad, vice president of global sales and business development at iris recognition technology company Iris ID.

“Biometrics is becoming a normal, common use technology,” he says. “It’s not as much sci-fi now, but it becomes a privacy question as we are getting inundated by these privacy issues all over the place. People are concerned about that, ‘Hey, is this going to open another door of people invading my privacy?’”

Resistance to Change

Resistance from employees in the face of change is hardly unique to biometric use. People notoriously resist change, especially when they feel the person or organization driving change is asking too much of them or not listening to their concerns.

“The literature suggests that more than two-thirds of change implementation efforts fail,” according to a 2021 study published in Frontiers in Psychology. “One of the most critical failures to change is employees’ attitudes toward change. Unaware of the potential benefits associated with the organizational change, employees often develop a sense of fear and perceive the introduction of change as an unfair act.”

Although employees’ resistance to change can slow down or derail projects, “most of the time, management does not consider employees’ perception about stress or uncertainty associated with the change process, which becomes a major cause of resistance and may lead the change implementation effort to failure,” the study said. “Hence, to make change process a success, the management must not see resistance as a mere obstacle but an opportunity to learn and subsequently reduce it.”

When it comes to biometric access control and security solutions, organizations need to do a lot of advance work before even selecting a system. This includes gauging employees’ perceptions around biometric use at work, nailing down the scope of the program, and developing a communications plan that will clearly lay out the benefits to the business and to individual employees.

Slow Down for Conversations

Expect that future users will have some misgivings and misconceptions about any new technology being put in place. Be ready to listen to their concerns and address them tactfully and honestly, Murad adds.

Don Zoufal, CPP, safety and security executive at CrowZ Nest Consulting, says one of the ways to address concerns is to focus on what it really means to opt-in to a biometrics solution.

The terms and conditions of how you’re going to utilize that biometric should be spelled out to the individual who’s granting you the right to use that biometric,” Zoufal says.

This means clarifying that the biometric would only be used to gain access through facility doors, not for other uses like timekeeping or surveillance. The organization would also need to clearly spell out what it will do with the biometric data when an employee leaves the company or when there’s no longer a need for the data.

“There are ways to demystify it and clarify it, but it goes to the issues of enrollment and making sure that people understand the deal they’re getting when they opt in, or the requirements associated with the use of the biometric at the company,” Zoufal explains.

Those requirements can include compliance with technology laws, such as the European Union’s Artificial Intelligence Act, and regulations in some U.S. states, like Illinois’s Biometric Information Protection Act (BIPA) and Texas’s Capture or Use of Biometric Identifier Act—both of which have been at the center of significant lawsuits in recent years. A major stumbling block under these regulations is consent; organizations must ensure that users permission for their PII to be used in a specific way and that the organization does not stray outside those parameters. Regulators strike back (often expensively) if PII is misused, but when it comes to buy-in, gaining consent requires employees to trust that their organization will abide by those rules and act in their best interest when protecting and using biometric data.

“Any way you shake it, you’ve got a data security issue,” Zoufal says. “I think the big problem with biometrics is it gets conflated with general surveillance, especially facial biometrics, that people are going to be watching me and monitoring my every move, and I didn’t really give consent to be enrolled in this program, and all those sorts of things. But with access control it’s a controlled use for a limited purpose, where you consented to providing this information.”

Murad adds that, “Education needs to be laid out very clearly and regularly that, ‘Look, biometrics is not an invasion of privacy. It’s providing an envelope of security for your privacy, it’s protecting it.’ I think that message is getting there, but it’s taking time.”

Once Bitten, Twice Shy

In some cases, Murad says, security leaders and consultants are also battling past experiences with early biometric solutions. In the late 1990s, biometrics solutions were being more readily introduced into the security market, but “people sold the technology promising more than the technology could deliver,” he says. “That’s what gave [biometrics providers] a real black eye… At the time, we all knew that it cannot deliver, but the normal customer did not know. They just went by what they had heard about the promise of the technology. That really hurt, overall, the adoption of the technology.”

Early adopters dealt with slow, glitchy systems and often just turned them off. Now, camera optical technology has vastly improved, enabling faster iris recognition and facial recognition at longer distances, but some organizations are still skeptical. Security teams should be prepared to thoroughly test systems and determine which one is best for user experience, as well as their security levels.

In addition, users are also wary of trusting biometric technology providers because of cases of misused or overapplied mass surveillance with biometric elements.

In this area, security leaders and change agents can help by differentiating between mass surveillance applications and strict authentication tools that have a much more limited scope. Murad recommends acknowledging past biometric misuses when an employee brings them up, and then tactfully walking users through how those cases differ from the application being deployed.

Communicators should also be ready for more skeptical or creative questions from stakeholders, many of whom have seen Hollywood movie methods of tricking biometric systems (Minority Report comes to mind, or Mission Impossible) or have concerns about whether physical changes to their appearance would affect their ability to access sites.

When it comes to spoofing, security teams can point out the biometric system’s presentation attack detection (PAD) functionality. Some systems use specialized cameras to detect the depth of field or thermal signatures to authenticate that a person isn’t wearing a mask or holding up a photo of a legitimate user.

But be prepared for the funny guy in your audience. “We keep preaching that iris recognition is just taking a picture of your eyes,” Murad says. “In many cases people ask jokingly, ‘What happens if somebody takes my eye?’ I think you’re going to have bigger problems if someone takes out your eyes than biometric access.”

Usability is another key query to prepare for.

Although most people will be able to use biometric access systems readily, there are always exceptions to the rule, Polly says. Some people with a rare genetic condition are born without fingerprints, making fingerprint-scanning biometrics impossible to use. In other cases, blunt force trauma or other sudden incidents could change facial structure or even iris patterns, complicating facial and iris recognition. Having backup systems for these unusual cases can provide both inclusive support for individuals who need it and reassurance for those who are leery of biometrics that other options still exist.

“The biggest issue is education, education, education,” Murad says.

Define the ‘Why’ as Well as the ‘How’

Organizations can also clearly communicate with employees about why biometrics are being adopted and where, especially when applied in layers of security.

In a data center, the front door might have a regular proximity or PIN-based access control system. But when venturing further into the building and accessing more sensitive areas, biometrics will be added to ensure a more secure layer of authentication, Polly says.

Organizations will need to balance defense-in-depth principles with employees’ experience when selecting where to add biometrics. For instance, a manufacturing facility that needs 5,000 workers to come onto a factory floor every eight hours could maintain a simple badge-based solution to ensure ease of entry. But biometric solutions often take a little more time to authenticate users, especially if employees need to respond to a prompt or remove glasses or hats for their identity to be verified. Applying this high-security solution at the front door would slow down throughput and impede the user experience, but it could be worthwhile at a high-risk facility.

“There is no panacea, there’s no one-stop-shop that does it all,” Polly says. The best technology in the world applied in the wrong use case is suddenly the wrong technology, he adds. Technology needs to be selected carefully based on the use case and then supported by effective policies that users comply with, he adds.

But no matter which solution is selected, security leaders should be ready to be transparent and frank with employees about what was installed, why, and who will be required to use it, as well as the benefits to the user.

Consider Apple’s biometric-based iOS password management and FaceID, which allows users to unlock their phone or authorize payments using facial recognition. Previous functions used fingerprint recognition for similar uses. Consumers rapidly adopted these functions because they could clearly see the benefits—faster, frictionless access to devices and services; a reduced need to carry alternative payment methods; and additional security at the device level, reducing others’ ability to unlock their phones and access their information.

“These companies have done a fantastic job laying out the vision that this is for your convenience rather than overall security,” Murad says. “Yes, there is an element of the conversation about security, but it’s mostly convenience.”

To earn even a fraction of this buy-in for a work-based application, security leaders must clearly articulate the micro-benefits of using biometrics.

At an airport, for instance, “the cost of running a badging operation is extraordinarily expensive,” Zoufal says. Not only does the organization have to buy and produce physical identity credentials (and replace them when they get lost), but individual employees must go through a time-consuming badging process. Even though biometric solutions are often more expensive for organizations to implement, their total cost of ownership can be lower because of time savings, simplified credentialling processes, and more secure access. In addition, employees can grasp returns on using the system in time saved going to HR or badge offices to get signed up and then fumbling for a badge at the door multiple times a day.

“There are advantages,” Zoufal says. “Again, a coupon is all about advantages—I get a coupon, I get something of benefit.”

Similarly, security teams can communicate that one-to-one tradeoff of biometric access control and time savings or convenience, clarifying the advantage for users and incentivizing participation.

 

Claire Meyer is editor-in-chief for Security Management. Connect with her on LinkedIn or via email at [email protected].

 

arrow_upward