REQ.231 Define biometric verification component
Systems with critical information must define a component for biometric verification during authentication process.
HIPAA Security Rules 164.312(d): Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
HIPAA Security Rules 164.310(a)(2)(iii): Access Control and Validation Procedures: Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
OWASP-ASVS v3.1-2.31 Verify that users can enrol and use TOTP verification, two-factor, biometric (Touch ID or similar), or equivalent multi-factor authentication mechanism that provides protection against single factor credential disclosure.