Having made its way into mainstream identification and authentication applications, biometrics is no longer jargon. The word Biometrics is derived from Biometry, a branch of biology that studies biological phenomena and observations by means of mathematical and statistical analysis. Biometrics is a technology-assisted application in which biological (physiological and behavioral) patterns are mapped with the help of technology. These patterns are made identifiable by computer programs that contain specific algorithms to recognize specific patterns. Information Technology greatly assists with the mapping of these unique patterns, as they can be too complex to capture and map manually.
There are numerous applications that have been deployed using biometrics. In some institutions and business outfits, biometric applications play a vital role in daily operations as well as in security implementation. Facilities where security requirements are very high use biometrics to control physical and logical access to restricted areas and resources, for example Military Areas, Weapon Development Facilities, R&D Labs, Bio-security Labs, Data Centers, etc. The good thing about biometric identification is that it can be used in conjunction with traditional means of proving identity, such as identity cards or IDs / passwords, or a multi-modal approach can be taken, in which more than one biometric identifier of an individual is used to establish or verify identity. For example, using fingerprint recognition in conjunction with a login ID and password to log in to a data center server, or using voice authentication along with iris recognition to verify personnel seeking access to a high-security military area. Using multi-factor authentication or multi-modal implementation of biometric identification systems to elevate the level of security is very common nowadays. From unlocking doors to unlocking phones, biometric applications are marking their presence in everyday life.
- Physical and logical access control, e.g. unlocking doors, PCs, smartphones, weapon safety, logging into accounts, logging check-in and check-out times, etc.
- Identification and authentication in payment cards, POS, Kiosks, ATMs, etc.
- National ID, biometric passports, civil enrolment, identification, verification and background check.
- Surveillance and national security.
- Criminal enrolment and identification.
- Crime scene investigations and forensics.
- Establishing identity: Mapping one or more biometric traits and associating them with the identity data of an individual (also called Enrollment). In some national security or surveillance applications, the subject's consent may not be taken to establish identity.
- Verifying or authenticating identity: Verifying identity by re-scanning the biometrics of the individual at some point in the future (also called Verification or Authentication).
Wherever there is a need to verify identity, biometrics can help. Biometrics has already been implemented in a variety of applications, and new applications continue to emerge. The ever-increasing number of biometric applications has also introduced a great deal of technical jargon that often leads to confusion. Biometric Identity Management is one biometric application that is often mistaken for biometric screening, which is an entirely different process. What do these applications consist of and how do they differ?
A biometric screening is a clinical process that examines key indicators to determine current health risks. The CDC (Centers for Disease Control and Prevention) glossary gives the following definition of biometric screening:
“A biometric health screening is defined as the measurement of physical characteristics such as height, weight, body mass index, blood pressure, blood cholesterol, blood glucose, and aerobic fitness tests that can be taken at the work site and used as part of a workplace health assessment to benchmark and evaluate changes in employee health status over time.”
Biometric screening is an increasing trend among organizations seeking to improve their employee wellness programs. As per the Willis Health & Productivity Survey of 2014, biometric screening had been adopted by 74% of employers in the United States to improve employee wellness at the workplace and address the rising cost of health plans. When offered with incentives, employee participation in biometric screening was observed to increase. The survey found that only fifteen percent of employers do not provide any kind of incentive for biometric screening, while others provided a wide range of offerings such as premium contributions for the medical plan, cash/gift cards, raffles for larger prizes, etc.
Biometric screening is often considered better than an HRA (Health Risk Assessment), which is another type of employee wellness program. A health risk assessment (HRA) is a common component of many wellness programs. The organizational data generated on an aggregate basis can help organizations better understand the health risks of their population, plan targeted programs, and serve as evaluation tools. Results of biometric screening are measured in a lab, unlike an HRA, which is self-reported and leaves the results ripe for some degree of human error.
Biometric screening results come out of measurement of vitals, physical characteristics and laboratory testing of body fluids with standard methods, while a health risk assessment is a list of questions related to demographic characteristics, lifestyle, physiological data, family history and overall attitude towards wellness. An HRA has its own significance in an employee wellness program and does contribute to the objective; however, to make the most of a health risk assessment, employees should have gone through biometric screening and have their results handy. Employee wellness programs contribute to employee health. Healthy employees cost less, are more productive and have less absenteeism than employees who are unhealthy.
Biometric identity management
Identity Management is a computer security and business discipline that ensures resources are accessed only by the right people, at the right time and for the right reasons. Enterprise-level organizations' networks grow complex over time, and resources are accessed by several users and entities concurrently. Resources on an enterprise network can be critical for business continuity, so ensuring that they are safeguarded against unauthorized access and hacking attempts becomes crucial. An incident of data breach or malware attack can adversely affect business operations and bring them to a halt for several days; for example, a global malware attack in 2017 affected Nuance Communications' systems serving clients in the healthcare sector across the globe. The incident adversely affected medical transcription services on the company's eScription software and took more than 2 weeks to restore.
Data breaches and other incidents of unauthorized access to an IT infrastructure are accomplished by exploiting vulnerabilities and loopholes in a system. Sometimes, the absence of a proper policy for the usage of IT resources lets users introduce malware or other potentially harmful programs to the corporate network. For example, if users are allowed to access the corporate network and resources with their personal devices, they can open the door for malware and other harmful programs. Personal devices may not be safeguarded as per corporate IT standards; they may either be insecure or have insufficient security measures. When such devices are granted access to an enterprise network, they can introduce malware to the resources accessed by the device, which can spread across the network, infecting multiple devices and bringing down the resources.
Increasing threats to information security
A study conducted by Stratecast (a division of Frost & Sullivan) in 2013 found that more than 80 percent of employees admit to using non-approved Software as a Service (SaaS) applications in their jobs. This trend was more apparent among IT professionals than among employees of other industries. This risky employee behavior is known as shadow IT. Installation of personal favourite applications or pirated software is also a part of shadow IT. Shadow IT can open the door for Trojans and other malware that can spread on the network, making it hard to clean all the devices across the network.
Information security is probably going through its hardest time. Connectivity has become a double-edged sword, bestowing convenience along with consternation. Threats from all directions are just waiting for a vulnerability to exploit. According to a report by Javelin Strategy & Research, 13.1 million identity frauds took place in 2015, incurring losses of $15 billion. Data breaches have also grown exponentially in the last five years, from 419 incidents in 2011 to 1093 incidents in 2016.
Biometric identity driven security can be the firewall we need
Identity Management powered by biometric authentication can address most of the challenges of information security in the current scenario. Knowing the users and entities accessing resources over a network is the key to security. Password-based user/entity authentication only makes sure that the password is authentic, not the user. A stolen or shared password will also let an unauthorized user access resources and perform transactions. Biometrically authenticated identity makes sure that only the authorized user is accessing resources, and not merely the possessor of the password or token. Biometric identity management practices eliminate the possibility of spoofing user identity, as it is nearly impossible to do this on modern biometric equipment.
- User transparency throughout the network.
- Recognition and elimination of active accounts that have no valid owner.
- Reduced help desk costs.
- Elimination of unapproved account configuration.
- Improved information security, reduced threats, hence reduced cost.
- Administrators have better knowledge of user accounts, their behaviour and patterns.
- Improved accuracy and faster logins than password-based logins.
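As an added example that is not part of the original article, the following Python sketch models the Enrollment and Verification steps listed earlier and the point made above that a password only proves possession of the password: the biometric decision is a similarity score compared against a threshold (with the false-accept / false-reject trade-off that implies), and a multi-factor login requires both the password and the biometric factor. The feature vectors, the `similarity` measure, the threshold value and the `error_rates` helper are constructed assumptions standing in for a real matcher.

```python
import hashlib
import hmac
import secrets

# Constructed example, not code from the article: feature vectors with values
# in [0, 1] stand in for the output of a real biometric feature extractor.

def enroll(store, user_id, samples):
    """Enrollment: fuse several captures into one template bound to the identity."""
    n = len(samples[0])
    store[user_id] = [sum(s[i] for s in samples) / len(samples) for i in range(n)]

def similarity(template, probe):
    """Score in [0, 1]: 1 minus Euclidean distance, normalised by its maximum sqrt(n)."""
    dist = sum((a - b) ** 2 for a, b in zip(template, probe)) ** 0.5
    return max(0.0, 1.0 - dist / len(template) ** 0.5)

def verify_biometric(store, user_id, probe, threshold=0.9):
    """Verification: a fresh probe is accepted only if its score clears the threshold.
    Unlike a password check this is a similarity decision, never an exact match."""
    if user_id not in store:
        return False, 0.0
    score = similarity(store[user_id], probe)
    return score >= threshold, score

def set_password(pw_store, user_id, password):
    """Knowledge factor: store a salted PBKDF2 digest, never the password itself."""
    salt = secrets.token_bytes(16)
    pw_store[user_id] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def verify_password(pw_store, user_id, password):
    """A correct password proves only that the caller holds the password."""
    if user_id not in pw_store:
        return False
    salt, digest = pw_store[user_id]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def authenticate(store, pw_store, user_id, probe, password, threshold=0.9):
    """Multi-factor login as the article describes: password AND biometric must both pass."""
    return verify_password(pw_store, user_id, password) and verify_biometric(store, user_id, probe, threshold)[0]

def error_rates(genuine_scores, impostor_scores, threshold):
    """FAR: impostors wrongly accepted; FRR: genuine users wrongly rejected, at this threshold.
    Raising the threshold lowers FAR and raises FRR, so the value is a policy decision."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr
```

A stolen password alone fails `authenticate` because the probe still has to match the enrolled template; `error_rates` run over recorded genuine and impostor scores is how a deployment picks the threshold.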
Biometric screening may sound like another application that takes an individual through a biometric verification process; however, it is a quite different process that screens the health status of an individual by measuring his or her physical characteristics. Depending on which tests a biometric screening program includes, blood samples, vitals and body measurements are often taken from a person going through biometric screening. A biometric screening is typically run by an approved third-party health service provider, who runs tests on blood pressure, cholesterol levels, blood sugar levels, disease risk, body mass index (BMI), triglyceride levels (the amount of fatty acids in the blood) and other measurements that the employer chooses to have included in the test.
On the other hand, biometric identity management is a computer security and business discipline for securing resources from unauthorized access that has the ability to identify users by their physiological and behavioral characteristics. Traditionally, passwords have been used as a trusted tool for authentication, but with the changing information security scenario and increasing threats from all corners, they are rapidly losing their significance. Biometric identity management can avoid the pitfalls of password-based identity management. Making users and entities comply with identity management policies can make a difference in information security. Personal devices, for example, can be taken through corporate IT security screening or made to comply with a BYOD policy.
Despite being two different processes, Biometric Screening and Biometric Identity Management serve a common purpose: defending business interests.