
How Can Organisations Safely Implement Biometrics As Part Of Their Digital Security Framework?

By Andrew Peel, identity and access management expert at PA Consulting, the global innovation and transformation consultancy

Biometrics technology can only be an effective part of any organisation’s digital security approach if implemented as part of a wider and coherent framework. Such a framework would consist of three key elements: consistent identity management (knowing who has access and what they are entitled to do), a risk-based approach to authenticate the identity of the person attempting to access a system and thirdly, effective authorisation to provide appropriate access to the resources to which that person is entitled.

The rapid adoption of biometric technology in our daily lives through platforms such as mobile phones has created a widespread familiarity, acceptance and comfort with using fingerprints or faces for everything from accessing an app to approving a financial transaction.

The existence of robust and trusted biometric authentication mechanisms – based on open standards and carried around in our pockets – provides opportunities for organisations to move away from insecure passwords or clumsy hardware fobs when authenticating users accessing their services.


Although biometric authentication can reduce risk, improve user experience and provide an organisation with greater assurance as to the identity of the person attempting to access its resources – that’s as far as it goes.

Biometric verification on its own doesn’t determine, for example, if the account being used is still valid, nor does it provide the ability to control what the user can and cannot do once they’ve been authenticated, or even monitor and audit such access.  An organisation consequently continues to be exposed to the increased risk of a security breach and data loss.

Whilst biometrics should be a key tool in any organisation’s digital security approach, they can only be truly effective if implemented as part of a wider coherent identity and access management framework composed of, and enforced by, policies, technology, procedures and processes.

Such a framework consists of three elements that together enforce an organisation’s information and security policies: identity management, authentication and authorisation.

Establish a consistent approach to managing identities – knowing who has access and what they are entitled to do

Although the power of biometric authentication is its ability to verify that the person using an account is indeed who they say they are, its effectiveness is determined by the accuracy of the underlying identity information of the associated account.

The accuracy of the identity information determines both the authentication decision (i.e. whether the account is still valid) and what happens once that decision has been made – determining who the user is, what access and services they are entitled to, when and how they should be provided, and then removed in a timely manner when no longer required.

The framework needs to employ an approach for maintaining accurate identity information through a combination of effective processes and procedures enforced by enabling technology, including standardised Joiners, Movers and Leavers (“JML”) and recertification and approval processes automatically fed by accurate and trusted sources of data (such as HR systems).  This ensures approved stakeholders are provided with timely and appropriate access to systems and resources, and that their access is updated or removed when they change roles, no longer require access or leave. It also ensures provision of a single accurate and traceable view of who has access to which resources.
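To make the JML idea concrete, here is an added example (not code from the article or from PA Consulting) that treats an HR feed as the trusted source, compares it with the current access register, and derives the grant and revoke actions for joiners, movers, leavers and orphaned accounts. The role model, entitlement names and sample records are constructed assumptions.

```python
"""Added example (not from the article): reconciling a trusted HR feed against
the access register to drive Joiner/Mover/Leaver (JML) actions and produce a
single view of who holds which entitlements. Roles, entitlements and the
sample records below are constructed for illustration."""
from dataclasses import dataclass

# Assumed role-to-entitlement mapping; a real deployment would source this
# from its role model rather than a hard-coded dict.
ROLE_ENTITLEMENTS = {
    "teller": {"core-banking:read", "core-banking:transact"},
    "analyst": {"core-banking:read", "reporting:read"},
    "admin": {"core-banking:read", "core-banking:admin", "reporting:read"},
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    active: bool   # False once HR has processed the leaver


def reconcile(hr_feed, access_register):
    """Compare the HR feed (source of truth) with the access register.

    Returns (actions, desired): actions is an ordered list of
    (user_id, 'grant' | 'revoke', entitlement) tuples; desired is the
    reconciled register, the single view of who should have what.
    Inactive users and accounts with no HR record end up with no access.
    """
    desired = {}
    for rec in hr_feed:
        if rec.active:
            desired[rec.user_id] = set(ROLE_ENTITLEMENTS.get(rec.role, set()))
    actions = []
    for user_id in sorted(set(desired) | set(access_register)):
        have = access_register.get(user_id, set())
        want = desired.get(user_id, set())
        for ent in sorted(want - have):
            actions.append((user_id, "grant", ent))
        for ent in sorted(have - want):
            actions.append((user_id, "revoke", ent))
    return actions, desired


def classify(hr_feed, access_register):
    """Tag each account as joiner, mover, leaver, orphan or unchanged.

    A 'mover' is an active user whose current entitlements no longer match
    the role HR reports; an 'orphan' is an account HR knows nothing about.
    """
    by_id = {r.user_id: r for r in hr_feed}
    result = {}
    for user_id in sorted(set(by_id) | set(access_register)):
        rec = by_id.get(user_id)
        have = access_register.get(user_id, set())
        if rec is None:
            result[user_id] = "orphan"
        elif not rec.active:
            result[user_id] = "leaver" if have else "unchanged"
        elif not have:
            result[user_id] = "joiner"
        elif have != ROLE_ENTITLEMENTS.get(rec.role, set()):
            result[user_id] = "mover"
        else:
            result[user_id] = "unchanged"
    return result


# Constructed sample data: one unchanged user, one mover, one leaver,
# one joiner and one orphaned account that HR has never heard of.
SAMPLE_HR_FEED = [
    HrRecord("alice", "teller", True),
    HrRecord("bob", "analyst", True),    # moved from teller to analyst
    HrRecord("carol", "teller", False),  # left the organisation
    HrRecord("dave", "analyst", True),   # joined, no access yet
]
SAMPLE_REGISTER = {
    "alice": {"core-banking:read", "core-banking:transact"},
    "bob": {"core-banking:read", "core-banking:transact"},
    "carol": {"core-banking:read", "core-banking:transact"},
    "ghost": {"reporting:read"},
}

if __name__ == "__main__":
    for user, kind in classify(SAMPLE_HR_FEED, SAMPLE_REGISTER).items():
        print(f"{user}: {kind}")
    actions, view = reconcile(SAMPLE_HR_FEED, SAMPLE_REGISTER)
    for action in actions:
        print(action)
    print("reconciled view:", view)
```

The orphan case is the one worth watching in practice: an account that no HR record explains is exactly what a biometric check cannot catch, because the fingerprint on file is still a valid fingerprint; only the identity data reveals that the account itself should not exist.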

Establish a risk-based approach to authenticate the identity of the person attempting to access a system

The use of biometrics to verify the identity of somebody attempting to access an organisation’s resources will be determined by the authentication approach defined within the framework.

Even here, the use of biometrics should only be one of a toolkit of adaptive authentication mechanisms used to verify an identity – determined by the perceived risk of the connection based on factors such as the location, time, device, and the sensitivity of resources the user is attempting to access.

An adaptive authentication approach will utilise this perceived risk to determine which authentication mechanisms should be employed, with a higher risk potentially requiring a multi-factor approach composed of multiple mechanisms, including biometrics.
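The following added example (not code from the article or from PA Consulting) shows one way such a risk-based policy can be expressed: signals from the connection context are scored, the score selects the factors to demand, and the account-validity check from the identity layer runs before any factor is considered. The weights, thresholds and sample account are constructed assumptions rather than a published standard.

```python
"""Added example (not from the article): an adaptive authentication policy
that scores a login attempt from its context and decides which factors to
demand. Weights, thresholds and the sample account are constructed
assumptions, not a published standard."""
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    active: bool                 # supplied by identity management, not by the sensor
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)


@dataclass
class Attempt:
    user_id: str
    country: str
    device_id: str
    hour: int              # local hour of day, 0-23
    sensitivity: str       # 'low' | 'medium' | 'high' for the target resource


# Constructed weights: each signal adds to a risk score.
SENSITIVITY_WEIGHT = {"low": 0, "medium": 2, "high": 4}
UNFAMILIAR_LOCATION = 3
UNREGISTERED_DEVICE = 3
OUTSIDE_HOURS = 1
WORKING_HOURS = range(7, 20)   # 07:00-19:59 counts as usual

# Constructed thresholds mapping the score to required factors.
STEP_UP_THRESHOLD = 2   # add a biometric factor
STRONG_THRESHOLD = 5    # add a hardware-bound factor as well
DENY_THRESHOLD = 8      # too risky to serve remotely at all


def risk_score(account, attempt):
    """Return (score, reasons) for the attempt given what is known about the account."""
    score, reasons = 0, []
    if attempt.country not in account.usual_countries:
        score += UNFAMILIAR_LOCATION
        reasons.append("unfamiliar location")
    if attempt.device_id not in account.known_devices:
        score += UNREGISTERED_DEVICE
        reasons.append("unregistered device")
    if attempt.hour not in WORKING_HOURS:
        score += OUTSIDE_HOURS
        reasons.append("outside usual hours")
    score += SENSITIVITY_WEIGHT[attempt.sensitivity]
    if attempt.sensitivity != "low":
        reasons.append(f"{attempt.sensitivity}-sensitivity resource")
    return score, reasons


def decide(account, attempt):
    """Return a dict with the decision, the factors to demand and the reasons.

    The account-validity check comes first: a fingerprint can match a
    perfectly good template on an account that should already have been
    closed, so that question is answered by identity data, not the sensor.
    """
    if not account.active:
        return {"decision": "deny", "factors": [], "score": None,
                "reasons": ["account is no longer valid"]}
    score, reasons = risk_score(account, attempt)
    if score >= DENY_THRESHOLD:
        return {"decision": "deny", "factors": [], "score": score, "reasons": reasons}
    factors = ["password"]
    if score >= STEP_UP_THRESHOLD:
        factors.append("biometric")
    if score >= STRONG_THRESHOLD:
        factors.append("hardware_token")
    return {"decision": "challenge", "factors": factors, "score": score, "reasons": reasons}


# Constructed sample account.
ALICE = Account("alice", True, known_devices={"phone-1"}, usual_countries={"GB"})

if __name__ == "__main__":
    samples = [
        Attempt("alice", "GB", "phone-1", 10, "low"),
        Attempt("alice", "GB", "phone-1", 10, "high"),
        Attempt("alice", "FR", "phone-1", 10, "medium"),
        Attempt("alice", "FR", "laptop-9", 23, "high"),
    ]
    for a in samples:
        print(decide(ALICE, a))
```

Keeping the reasons alongside the decision matters for the monitoring and audit point made earlier: an operations team can see why a particular login was stepped up or refused, and tune the weights from evidence rather than guesswork.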

Ensure effective authorisation to provide appropriate access to the resources to which users are entitled

Finally, biometric authentication provides greater confidence in the identity of the person attempting to access resources.  The authorisation element of the framework then ensures these verified users are only provided with appropriate access to the resources and services they are attempting to use.

Although the authorisation decision itself may be taken by the local resource, it is reliant upon the accuracy of the identity information provided – such as who the individual is, what they’re allowed to do, where, and when – with access potentially determined by a user’s role, their individual attributes, or even the context of their access, e.g. location or device.
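As an added example (not code from the article or from PA Consulting), the check below combines the three inputs the paragraph names: the user's role, their individual attributes (here, clearance and department) and the context of the request (location, device state and which factors the authentication step actually verified). Every rule must pass and each failure is recorded, so a denial explains itself. The resource catalogue, policy rules and sample users are constructed.

```python
"""Added example (not from the article): an authorisation check that combines
the user's role, their individual attributes and the context of the request.
The resource catalogue, policy rules and sample users are constructed."""
from dataclasses import dataclass, field


@dataclass
class Subject:
    user_id: str
    active: bool         # identity management decides this, not the resource
    roles: set
    clearance: int       # attribute: 1 (low) to 3 (high)
    department: str


@dataclass
class Resource:
    name: str
    department: str      # owning department
    classification: int  # 1 (low) to 3 (high)
    allowed_roles: dict = field(default_factory=dict)  # action -> set of roles


@dataclass
class Context:
    location: str        # 'office' | 'remote'
    managed_device: bool
    factors_used: set    # factors the authentication step actually verified


def authorise(subject, action, resource, ctx):
    """Deny-overrides evaluation: every rule must pass; reasons list each failure."""
    reasons = []
    if not subject.active:
        reasons.append("account inactive")
    permitted = resource.allowed_roles.get(action, set())
    if not subject.roles & permitted:
        reasons.append(f"no role permits '{action}'")
    if subject.clearance < resource.classification:
        reasons.append("clearance below resource classification")
    if action == "write" and subject.department != resource.department:
        reasons.append("write restricted to owning department")
    if resource.classification >= 2 and "biometric" not in ctx.factors_used:
        reasons.append("biometric factor required for this classification")
    if ctx.location == "remote" and not ctx.managed_device and resource.classification >= 2:
        reasons.append("remote access to this classification needs a managed device")
    return ("allow" if not reasons else "deny"), reasons


# Constructed catalogue, users and request contexts.
RISK_REPORT = Resource("risk-report", "risk", 2,
                       {"read": {"analyst", "admin"}, "write": {"admin"}})
KEY_LEDGER = Resource("key-ledger", "security", 3,
                      {"read": {"admin"}, "write": {"admin"}})
ANALYST = Subject("bob", True, {"analyst"}, 2, "risk")
ADMIN = Subject("zoe", True, {"admin"}, 3, "security")
OFFICE = Context("office", True, {"password", "biometric"})
CAFE = Context("remote", False, {"password"})

if __name__ == "__main__":
    for subj, act, res, ctx in [
        (ANALYST, "read", RISK_REPORT, OFFICE),
        (ANALYST, "write", RISK_REPORT, OFFICE),
        (ANALYST, "read", KEY_LEDGER, OFFICE),
        (ANALYST, "read", RISK_REPORT, CAFE),
        (ADMIN, "write", KEY_LEDGER, OFFICE),
    ]:
        print(subj.user_id, act, res.name, ctx.location, "->", authorise(subj, act, res, ctx))
```

The `factors_used` field is the link back to the authentication layer: the resource does not run the biometric check itself, it only learns from the framework which factors were verified, and can insist that a strong factor was among them before releasing sensitive data.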

Ultimately, maintaining an effective authorisation mechanism combines technology and robust controls. With a coherent identity and access management framework in place, organisations can harness the benefits of biometric authentication to reduce risk and improve user experience.