
Implement a biometric verification component


Systems with critical information must implement a component for biometric verification during the authentication process.


Biometric authentication relies on the unique biological characteristics of an individual and serves as an additional security measure for identity assertion. Critical systems must have especially restrictive access controls, so they should include a biometric verification component to increase the security of the authentication process. This component, however, should not be the only identity assertion mechanism in place; it should be used only as a secondary factor.


  • CWE-308: Use of Single-factor Authentication: The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

  • GDPR. Recital 64: Identity verification: The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.

  • HIPAA Security Rules 164.310(a)(2)(iii): Access Control and Validation Procedures: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

  • HIPAA Security Rules 164.312(d): Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

  • NIST 800-63B 5.2.3 Use of Biometrics: Biometrics SHALL be used only as part of multi-factor authentication with a physical authenticator (something you have).

  • NIST 800-63B 5.2.3 Use of Biometrics: An authenticated protected channel between sensor (or an endpoint containing a sensor that resists sensor replacement) and verifier SHALL be established and the sensor or endpoint SHALL be authenticated prior to capturing the biometric sample from the claimant.

  • OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  • OWASP-ASVS v4.0.1 V2.8 Single or Multi Factor One Time Verifier Requirements (2.8.7): Verify that biometric authenticators are limited to use only as secondary factors in conjunction with either something you have and something you know.

  • PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
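
One way a verifier could enforce the description and the two NIST 800-63B 5.2.3 items above: the biometric is accepted only after another factor has been verified and only after the sensor has been authenticated. This is an added example, not part of the original page; the names `Step` and `evaluate` and the event tuples are hypothetical.

```python
from enum import Enum


class Step(Enum):
    """Verifier-side events for one login attempt (hypothetical names)."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    SENSOR_AUTH = "sensor or endpoint authentication"
    BIOMETRIC = "biometric match"


def evaluate(events, require_possession=True):
    """Walk the attempt in the order the verifier saw it; return (granted, reasons).

    events: ordered list of (Step, succeeded) tuples.
    require_possession: True pairs the biometric with a physical authenticator
    (NIST 800-63B 5.2.3); False accepts any verified non-biometric factor.
    """
    primary = {Step.POSSESSION} if require_possession else {Step.POSSESSION, Step.KNOWLEDGE}
    passed, reasons = set(), []
    for step, ok in events:
        if step is Step.BIOMETRIC:
            # The sensor must be authenticated before the sample is captured.
            if Step.SENSOR_AUTH not in passed:
                reasons.append("biometric captured before sensor was authenticated")
                continue
            # Biometrics are secondary: another factor must already be verified.
            if not (passed & primary):
                reasons.append("biometric presented without a verified primary factor")
                continue
        if ok:
            passed.add(step)
        else:
            reasons.append(f"{step.value} failed")
    if Step.BIOMETRIC not in passed and not reasons:
        reasons.append("critical system requires a biometric factor")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed attempts, not taken from any real system.
    ok = [(Step.POSSESSION, True), (Step.SENSOR_AUTH, True), (Step.BIOMETRIC, True)]
    bio_only = [(Step.SENSOR_AUTH, True), (Step.BIOMETRIC, True)]
    early = [(Step.POSSESSION, True), (Step.BIOMETRIC, True), (Step.SENSOR_AUTH, True)]
    for name, attempt in (("ok", ok), ("bio_only", bio_only), ("early", early)):
        print(name, evaluate(attempt))
```

Any failed or out-of-order step denies the whole attempt, so a biometric match alone never grants access.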