Anti-Spoof Selfie Verification: How Klees Detects Photo-of-Photo Fraud
Selfie clock-in is only useful if it can't be fooled by a printed photo or a phone screen. Here's the anti-spoof model inside Klees PinShot.
TL;DR
- A selfie at clock-in is only useful if it can’t be fooled by a printed photo of a coworker or a phone screen showing a saved selfie.
- Klees PinShot runs an anti-spoof score on every capture using texture, depth, and motion signals.
- The system catches three real attack patterns: printed photos, phone-screen replay, and 3D mask attempts.
- Borderline scores route to supervisor review; the worker isn’t blocked at the gate.
- Anti-spoof is standard on Klees Pro at $48/mo + $9/user.
The first question every operator asks about selfie verification at clock-in is the right one: what stops a worker from holding up a printed photo of a colleague to the front camera and beating the system?
If the answer is “nothing,” then selfie verification is theater. The whole point of moving past a four-digit PIN is to close the identity gap. A clock-in flow that any 19-year-old with a printer can defeat is not closing anything.
This is the post we should have written a year ago. Here is exactly how the anti-spoof layer inside Klees PinShot works, what it catches, and what the false-flag rate looks like in real production.
The three attack patterns we actually see
Before we get to the model, the attack surface. After two years of PinShot in production across construction and cleaning customers, the buddy-punching attempts we see cluster into three patterns:
- Printed photo attack. A worker holds up a printed photo of a colleague to the front camera. Easy, cheap, surprisingly common in the first week of any selfie rollout.
- Phone-screen replay. A worker holds up a second phone screen displaying a saved selfie of the colleague — sometimes a screenshot from a group chat, sometimes a saved camera roll image.
- 3D mask attempts. Rare, but they exist. A printed photo glued to a piece of cardboard, cut around the face shape, held a few inches from the camera to give the depth illusion.
The first two account for roughly 95% of attempts in our data. The third is a curiosity that shows up once or twice per quarter across the customer base.
What the anti-spoof model checks
PinShot is not running a face-recognition match (which is a different problem with different regulatory baggage — see the Illinois BIPA statute for why this matters). It is running a liveness and spoof-detection check on the captured image.
The signals the model evaluates:
- Texture and micro-detail. Printed photos have a paper grain. Phone screens have a pixel grid and refresh-rate artifacts. Real faces have skin texture that neither of those reproduces under front-camera capture.
- Depth signal. On phones with a front-facing depth sensor (most iPhones, several Android flagships), the model uses the depth map to flag flat objects. On phones without depth, the model uses a software-only check against single-plane scenes.
- Motion micro-signals. A real person’s face has small involuntary motion between the moment the camera frames and the moment the shutter fires. Printed photos do not. The model evaluates a short burst of frames, not a single still.
- Reflection patterns. Phone screens producing a replay attack have a recognizable reflection signature off the second device’s display.
- Geometric consistency. The face geometry must be consistent with a human held at typical phone-arm distance.
Each signal produces a sub-score; the sub-scores combine into a single anti-spoof confidence value attached to the time entry.
What happens when the model flags an attempt
Anti-spoof is not a hard gate. A binary block at the time clock would create operational chaos — a real worker in unusual light, holding the phone awkwardly, or wearing a respirator would get blocked at the gate and stranded.
The flow we actually use:
- High-confidence real face: Clock-in proceeds normally. Worker sees a confirmation, moves on.
- Borderline score: Clock-in proceeds, but the entry is flagged for supervisor review in the dashboard. The supervisor sees the image and the score and can approve or void with one tap.
- High-confidence spoof attempt: Clock-in is held in pending state, the dispatcher gets a real-time push, the worker sees a “verification needed” screen. The dispatcher resolves in seconds via a Live Map prompt.
This three-tier flow is the difference between an anti-spoof system that protects payroll and an anti-spoof system that the foreman shuts off in week two because it blocked too many real workers.
False-flag rates in production
The honest numbers from our customer base, averaged across construction and cleaning crews:
| Attempt type | Volume / month / 100 workers | Anti-spoof catch rate |
|---|---|---|
| Real worker, clear conditions | ~3,800 | 99.7% pass |
| Real worker, dim or harsh light | ~280 | 96.1% pass |
| Real worker, with PPE / respirator | ~95 | 91.4% pass |
| Printed photo attack | ~6 | 100% caught |
| Phone-screen replay | ~4 | 98% caught |
| 3D mask | <1 | 100% caught (small sample) |
The borderline cases that get routed to supervisor review run roughly 1-2% of total captures. Supervisor resolution time is typically under 30 seconds per flag. That overhead is the cost of running the model in non-blocking mode rather than hard-gating real workers.
How this maps to a Department of Labor audit
The defensive value of PinShot anti-spoof is the audit trail. When the U.S. Department of Labor investigates wage and hour records, the employer carries the burden of producing accurate timekeeping. The records the investigator wants to see:
- Who clocked in
- When they clocked in
- Where they clocked in
- Proof the person on the payroll was the person who clocked in
A GPS coordinate answers the first three. A PinShot capture with anti-spoof score answers the fourth — and produces a record that survives the audit.
Our compliance angle on buddy punching and the cleaning ghost-shift article cover the broader compliance posture. This post is the technical deep-cut.
What anti-spoof does not solve
Worth being honest about the limits.
Anti-spoof verifies that the person in front of the camera is a real face, not a printed or screen-replayed one. It does not, by itself, verify that the face belongs to the worker named on the payroll record. That verification comes from the combination of:
- The phone is registered to that worker’s account
- The geofence places them at the expected job site
- The anti-spoof score confirms a real human capture
- Foreman or supervisor visual reference if needed
The fraud pattern we cannot fully eliminate with image analysis alone: a worker giving their phone to another worker who looks similar enough that the foreman doesn’t notice. The defense for that is operational — Crew Clock with the foreman confirming the full crew at the gate, and the audit log showing the device, the geofence, the face. We have not seen this pattern beat the combined defense at production scale.
Pricing — where anti-spoof lives in the Klees plan
| Plan | Monthly base | Per user | Anti-spoof |
|---|---|---|---|
| Standard | $32 | $7 | No |
| Pro | $48 | $9 | Included |
| Enterprise | $600 flat / 100 seats | — | Included + custom thresholds |
PinShot and the anti-spoof layer are bundled on Pro and Enterprise. Operators with sensitive compliance posture (post-construction GC contracts, multi-state janitorial, prevailing-wage public work) should be on Pro or above.
FAQ
Does PinShot work on older phones?
Yes. The model runs on any phone the Klees app supports (iOS 14+, Android 9+). Devices without a depth sensor fall back to the software-only spoof checks, which still catch the printed photo and phone-screen replay patterns at the rates in the table above.
Is anti-spoof a face-recognition match?
No. PinShot does not perform biometric face matching. It runs liveness and spoof detection on the captured image. That distinction matters for state biometric privacy statutes like Illinois BIPA — Klees operates outside their scope by default.
What if a worker’s selfie gets flagged unfairly?
Borderline flags route to supervisor review, not a hard block. The worker continues their shift. The supervisor resolves the flag in 30 seconds via the dashboard, usually with one tap of approve.
How long are the captured images stored?
Image retention is configurable. Standard retention is 90 days. Enterprise customers can shorten or extend retention per their compliance policy.
Can we turn anti-spoof off?
You can run PinShot in capture-only mode without anti-spoof scoring on Standard and Pro. We do not recommend it. The whole point of selfie verification is the anti-spoof layer; without it you have a photo log, not a verification system.
Want to see anti-spoof in action on your own crew? Book a Klees demo or start a trial and run PinShot on a single site for two weeks.
Leads field-ops migrations at Klees. 12 years rolling out time tracking and dispatch systems for construction and janitorial crews across the Americas.
Connect on LinkedIn →Related reads
The True Cost of Buddy Punching: A Calculator for GCs and Cleaning Owners
How to calculate the actual dollar cost of buddy punching for your crew, with formulas, illustrative scenarios, and what to do once you have the number.
How to Stop Buddy Punching in a Cleaning Crew (Without Killing Morale)
Buddy punching costs commercial cleaning operators thousands per month. Here is the verification stack that ends it without alienating honest cleaners.
Cleaning Crew Ghost Shifts: How PinShot Catches Them
Ghost shifts on overnight cleaning crews cost commercial operators thousands per month. Here is how PinShot selfie verification and geofencing shut the pattern down.