4 key differences between consumer and enterprise biometrics (Part 2)

Biometrics used to feel like fiction – we’d see them in spy movies and think they were something only available in a cinematic universe. But now, nothing could be further from the truth. Biometrics are used everywhere, from logging into our phones with a face scan to activating personal assistants with our voice.

But just because biometrics are ubiquitous doesn’t mean all methods come with the same promise of security. Consumer biometrics have a poor track record when it comes to security, so it’s important for enterprises to rely on enterprise biometric solutions that come with a higher degree of security. This is especially true for healthcare, where biometrics play a key role in enabling and validating the digital identity of clinicians and patients, allowing for high-trust, secure, and convenient access to protected health information (PHI).

In our last post, we discussed two key differences between consumer and enterprise biometrics: accuracy and anti-spoof detection. In this post, we’ll talk about two more: security and assurance, and portability and enterprise management.

Security and assurance

Have you ever needed to prove that you were, well, you? At its core, that’s what biometrics aim to do: provide a high level of assurance that you are you. But consumer-based biometrics – like the ones on your phone – don’t provide that high level of assurance. Consumer biometrics:

  • Often have lower accuracy and anti-spoofing capabilities than enterprise biometrics (in fact, hackers have proven that to be true time and time again)
  • Don’t have a controlled biometric enrollment process, meaning anyone can enroll multiple people on their device

That’s not to say consumer biometrics don’t offer any security or assurance at all, but they certainly aren’t as secure as enterprise biometrics. For clinical applications, the usage of biometrics must align with stringent digital identity standards such as NIST 800-63-3 and the DEA’s rules for electronic prescriptions for controlled substances (EPCS).

Another example is NIST IAL2 (where IAL stands for “Identity Assurance Level”), a common identity assurance level that enterprises rely on. A credential that meets IAL2 requirements for enrollment and identity proofing provides “evidence [that] supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.”

Big picture: biometrics are only as trustworthy as the processes in place around them. You need a high level of assurance to be able to trust in the security of your biometrics. For enterprise, the level of assurance, and therefore trust, is much higher than for consumer.

Portability and enterprise management

Consumer biometrics have gotten us all used to near-instant access: when using your face to unlock your phone, for example, it happens in the blink of an eye. But when you use an enterprise-grade solution, the process is noticeably slower.

Why is that? For consumer-based biometrics, the processing all happens on the device, while enterprise-grade biometrics frequently leverage a mix of on- and off-device processing, often adding a one- to five-second delay. Cloud-based processing can introduce some complexity, but it also provides flexibility, something that’s especially useful in healthcare.

Complexity is added due to:

  • All of the different network layers and components involved in processing the biometric
  • The need for security: many measures must be taken to ensure the biometric is encrypted and transported securely for processing, which is key to preventing attacks and exposure of personally identifiable information (PII)

So, if it’s more complex, why do we do it? One key benefit is portability: the ability to use the same biometric in multiple environments or on different devices. In healthcare, users often use shared mobile devices. Without portability, every user would need to enroll their biometric on each device they used. If that doesn’t sound onerous enough, some devices only hold up to five different enrollment templates. With server-hosted biometrics and portability, a user can seamlessly move from device to device without the need to enroll every time. Access to shared mobile devices is possible thanks to this portability.

Another benefit of hosting biometrics off-device is that it becomes easier for enterprises to manage them and integrate them into multiple systems. Because enterprises manage the biometric, in many cases the biometric technology can be seamlessly upgraded to take advantage of the latest biometric matching, anti-spoofing, and usability improvements.

Enterprise biometrics enable digital identity management

The concepts of portability and enterprise management are key to balancing security and convenience. Many Imprivata solutions rely on biometrics for access and authentication, of both care providers and patients.

To learn more about digital identity, and where Imprivata sees assurance, access and authentication standards, and portability playing a role in its future, check out our whitepaper, “Envisioning the future of digital identity in healthcare.”