How ABM Industries leveraged facial recognition to securely authenticate workers

Seasoned CISOs understand that supporting business objectives securely and effectively is a top priority — a close second is to do so without frustrating users. That was the case when Stephanie Franklin-Thomas was asked to enable a shifting host of more than 100,000 frontline cleaning, parking, and building maintenance workers to clock in at global client sites and access work resources.

As senior vice president and CISO for facilities services contractor ABM Industries, she decided to focus on three priorities for the gargantuan project: Make access secure, meet business requirements, and make it easy to use. The result was a simple system for frontline workers who scan QR codes on a shared Android device located at the client site, look at the camera, and turn their heads from side to side to complete facial biometric authentication. The QR codes, issued at employee orientation, are printed on badges and will not work without live facial recognition. It was an elegant solution to a potentially massive roadblock to efficiency that was central to the company’s becoming a CSO 50 2023 honoree.

Franklin-Thomas says that getting to this stage didn’t come without trial and error. Nor was it without help. Her senior director of information security, Danyel Anderson, led the day-to-day efforts of the transformation alongside her, planning, deploying, troubleshooting, and then “coming up with a new plan” when the first test pilot proved too cumbersome for frontline team members.

A big authentication plan to meet big business requirements

As part of ABM’s digital transformation, two teams — the strategy and transformation team and the technology team — came up with an idea they called Team Connect so that all employees, regardless of where they’re working, can access timecards and other digital resources. During planning, they brought the cybersecurity team to the table and asked about the requirements to support this access.

“Sometimes it amazes me when I hear security leaders are still saying no to innovation when they should be enabling it,” Franklin-Thomas says. “When ABM came up with the Team Connect concept, we said absolutely. Just have multifactor authentication. They thought they couldn’t do it under the constraints we have, but then we showed them how.”

Since workers would be most affected by their security solutions, Franklin-Thomas and Anderson began by gathering input from those on the front lines who would use the application in the field. “ABM is largely a service company — janitorial, parking and transportation, landscaping, facilities engineering,” Franklin-Thomas says. “The frontline team members at these sites are the center of what we do. They need secure access to their digital resources — time sheets, training, messaging, and more.”

The solution has been so successful that it generated wider recognition — Team Connect is currently being piloted at a large healthcare organization’s headquarters, two distribution facilities for a large e-commerce brand, a large airport facility, and the headquarters of a leading equipment company.

Use of company-owned devices for authentication

Franklin-Thomas and Anderson quickly realized that these workers did not want to use their own phones for this access. “These are hourly employees, and they’re not going to be able to use the app on their own personal devices,” Anderson says.

“Some don’t even have smartphones, they still had flip phones. And in some jurisdictions, such as California, if they use their own personal device for work access, we have to reimburse them for their phone service. Once we understood this, the Innovation Team decided to use ABM-owned devices that they could share at their worksites.”

A major issue uncovered during the first pilot was that employees couldn’t remember passwords, or mistyped usernames and passwords, causing delays for workers who need to just punch in and start doing their jobs.

These workers are paid by the hour and time is money. So, the security team returned to the drawing board, realizing they would need secure multifactor authentication that would do away with all that typing and streamline the process of clocking in and getting to work — all from a shared Android phone at their client sites. In case there’s no internet connection, workers need to be able to clock in and authenticate offline, which meant the application had to operate locally on the device when offline, then sync with the back end once service is restored.

Geofencing was also a critical requirement, Franklin-Thomas adds. “What if someone takes the shared ABM device offsite?  If you are offsite, it would not authenticate you because you are outside of the geofence.”

Funding a project by eliminating of wasted security spending

To fund the project, Franklin-Thomas did something she says has gained her some fame within the company: She eliminated technical bloat and waste and capitalized on the results. Savings from stopping license renewals for unused security technologies were enough to fund the pilots.

After the first pilot with usernames and passwords proved too cumbersome for users, it was decided to implement an authentication solution that wouldn’t require users to type anything — it had to work on a shared device, and it had to be multifactor. Ultimately, they found their vendor, Denver-based authID, at a Gartner conference where the company’s chief product officer, Jeremiah Mason, was presenting. After the conference, they reached out and they laid out their requirements.

Mason suggested using different types of identifiers to replace the username and after discussions with the ABM team chose QR codes. He notes that the QR code is one of many identifiers the authID application supports. The QR code is generated during employee onboarding. When the team member logs into their resources remotely, authID’s cloud-based system retrieves the worker’s biometric profile as the user looks into the phone camera for positive biometric verification. The next worker uses the same device, scans their own QR code, performs their biometric verification, and gets access to the application.

Facial biometrics offer a solution to a big identity and access challenge

“Facial biometrics makes it certain that you can’t share the QR code, because the minute you scan the code, it will look for the facial biometric that’s been bound to the user account associated to that code. If it doesn’t match, it won’t grant access,” says Thomas Szoke, authIDs founder and chief technology officer. “By turning on the camera, you can always ensure that the credentials being used to access an application have not been compromised and utilized by a bad actor.”

Anderson adds that the facial biometric solution also reduces labor losses for ABM because it prevents remote employees from “buddy punching,” in which they give their badges to fellow employees to clock in for them.

Using an ABM-owned device at client sites reduces the risk of violating employee privacy laws. But, Rob Smith, founder of Delaware-based Lionfish Tech Advisors, argues that organizations must be careful what data is on that QR code and how it is secured in the cloud. He also advises organizations to get signed consent for facial recognition.

Managing user data through QR codes can trigger privacy concerns

Smith recalls dining at a Michelin star restaurant in Amsterdam that used QR codes to confirm reservations and have the customer’s favorites on the ready when they arrived. The obvious risk is to the person’s privacy if that data were exposed. The other, bigger concern, he says, is consent to the use of human faces for monitoring and authentication. “I’m an American, but I am also British — and I live in the European Union. So, I am well aware of GDPR. To avoid violations, you must make sure you have direct, signed employee approval for doing tasks like these when using European employees,” he says. “Make sure you are not violating local privacy and labor laws. And be sure to vet such solutions with any unions, work councils, and other key stakeholders.”

If using the employee’s own devices for access to corporate resources, he also advises following national, state, and international laws for business use of employee devices — something ABM’s Anderson and Franklin-Thomas are aware of as they plot the future expansion of the Team Connect application. Access from employee-owned device access is on their wish list, but they are deploying in stages that are firmly based on end-user feedback.

“Instead of focusing entirely on risk, focus on what you can do to mitigate the risk. The business should be able to tell you what they want and the technical security team to show them how they can do it safely while providing a good user experience,” Franklin-Thomas says. “You will go through a few iterations before you find what works best. That’s all part of the process.”