Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why can strong authentication still be a poor…
Governance, Ownership & Risk

Why can strong authentication still be a poor attendance-control design?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

Because authentication and attendance solve different problems. A FIDO2 key can prove that a person authenticated, but it does not automatically prove time worked, shift eligibility, or compliance with labour rules. If those distinctions are not documented, organisations risk turning a secure login event into an over-claimed source of truth.

Why This Matters for Security Teams

Strong authentication is valuable, but it only answers one question: who signed in. Attendance-control systems need a different set of facts, including shift assignment, physical presence, approved time windows, break rules, and exceptions. When teams let a login event stand in for attendance, they collapse identity proof, timekeeping, and policy enforcement into a single signal. That creates audit risk, payroll disputes, and weak evidentiary records. NIST’s control structure in NIST SP 800-53 Rev 5 Security and Privacy Controls treats identification, access, and accountability as separate concerns for a reason. The same separation shows up in NHIMG guidance on identity governance in the Ultimate Guide to NHIs — Standards, where lifecycle control and verification are distinct operational problems. The practical mistake is assuming that a secure authentication event is automatically authoritative for attendance. It is not. A person can authenticate early, late, remotely, or outside an authorised shift and still produce a valid login. If that login is then reused as attendance proof, the organisation may create a false record with real legal and financial consequences. In practice, many security teams encounter this only after a payroll exception, labour complaint, or timecard audit has already exposed the gap.

How It Works in Practice

A better design treats authentication as one input into a broader attendance workflow, not the record itself. The system should combine identity proof with context that attendance genuinely requires. That usually means policy checks against scheduled shift data, device or badge correlation, location or clock-in constraints where legally permitted, and explicit exception handling for leave, overtime, and remote work. Operationally, teams should separate three layers:
  • Authentication: confirm the person or account is genuine.
  • Authorisation: confirm the person is allowed to clock in for that shift.
  • Attendance record: confirm the event satisfies the organisation’s timekeeping rules.
This is where ISO/IEC 27001:2022 Information Security Management is useful as a management reference: it pushes organisations to define control objectives, ownership, and evidence handling instead of assuming that one control covers the whole business process. For identity-heavy environments, NHIMG’s Ultimate Guide to NHIs — Standards reinforces the same principle: strong identity signals still need lifecycle and policy context to be trustworthy. For attendance control, that means:
  • Define what counts as a valid clock-in before deployment.
  • Log the policy decision, not just the authentication result.
  • Keep tamper-evident audit trails for exceptions and overrides.
  • Reconcile time records against schedules and approvals on a routine basis.
NHIMG’s research also shows why overtrust is dangerous in identity systems generally: 97% of NHIs carry excessive privileges, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. The lesson transfers cleanly here. A strong proof of identity does not automatically prove the legitimacy of the action attached to it. These controls tend to break down in hybrid workplaces with flexible scheduling and shared kiosks because context becomes harder to verify consistently.

Common Variations and Edge Cases

Tighter attendance controls often increase employee friction and administrative overhead, so organisations must balance assurance against usability and privacy. That tradeoff becomes sharper in environments with union rules, cross-site staffing, night shifts, or remote workers, where a rigid “authentication equals attendance” rule can create false rejects and labour relations problems. Current guidance suggests the strongest designs use different evidence standards for different attendance scenarios. For example, on-site roles may rely on badge plus biometric or device-bound authentication where lawful, while remote roles may need VPN context, manager approval, or task-based validation. There is no universal standard for this yet, so policy clarity matters more than any single technology choice. Edge cases are especially important:
  • Shared devices can produce accurate authentication but misleading attendance attribution.
  • Delegated logins and shared credentials undermine the integrity of time records.
  • Offline or fail-open modes may preserve operations but weaken evidence quality.
  • Geofencing can help, but it is not definitive and may be inappropriate in some jurisdictions.
The key distinction is evidentiary purpose. Authentication proves a subject is allowed into a system; attendance proves a work event occurred under the organisation’s rules. NHIMG’s broader identity guidance in the Twitter Source Code Breach illustrates how quickly access signals can be misread when control boundaries are unclear. For attendance, the control boundary must be explicit, documented, and reviewable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Authentication must be separated from attendance authorization and evidence.
NIST SP 800-63IAL2Strong authentication does not by itself establish the business truth of attendance.
OWASP Non-Human Identity Top 10NHI-01Identity proof and action proof are different control problems.
CSA MAESTROM1Policy-driven authorization should evaluate context at the time of the event.
NIST AI RMFGOVERNClear accountability is needed when authentication is repurposed into operational records.

Treat authentication logs as evidence of access, not as authoritative evidence of work performed.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org