It's possible to collect facial scan data and perform gait analysis without an enrollment process. You would use cameras to observe subjects from a distance and collect data passively.

You need a formal enrollment process for fingerprints, retinas, irises, and palm vein methods.

Retina and iris scans need to be very close to the eye and very obvious.

Palm vein methods require users to place their palm on a scanner.

While it's possible to collect fingerprints passively, you still need an enrollment process.

This is using one-factor authentication = something your know. The application uses the username for identification and the password for authentication. Note that even though the application is logging the location using GPS, there isn't any indication that it is using this information for authentication.

Dual-factor authentication requires another factor of authentication such as something you are or something you have.

Something you are authentication factor refers to biometric authentication methods.

The something you have authentication factor refers to something you can hold, such as a smart card.

A Time-based One-Time Password (TOTP) meets the requirements of two-factor authentication (2FA). A user logs on with regular credentials (such as a username and password), and then must enter an additional one-time password.

Some smartphones apps use HOTP and display a new password every 30 seconds.

An HMAC-based One-Time Password (HOTP) creates passwords that do not expire until they are used. Short message service (SMS) is sometimes used to send users a one-time use password via email or a messaging app, but these passwords typically don't expire until at least 15 minutes later.

Kerberos uses tickets instead of passwords.

A lower crossover error rate (CER) indicates a more accurate biometric system. The false acceptance rate (FAR) and the false rejection rate (FRR) vary based on the sensitivity of the biometric system and don't indicate accuracy by themselves.

A higher CER indicates a less accurate biometric system.

A vein scan implemented with a palm scanner would be the best solution of the available choices. The patient would place their palm on the scanner for biometric identification, or if the patient is unconscious, medical personnel can place the patient's pal on the scanner.

None of the other biometric methods can be easily performed on an unconscious patient.

Gait analysis attempt to identify someone based on the way they walk.

A retina scan scans the retina of an eye, but this will be difficult if someone is unconscious.

Voice recognition identifies a person using speech recognition.

Push notifications are user-friendly and non-disruptive. Users receive a notification on a smartphone and can often acknowledge it by simply pressing a button. An authentication application isn't as user-friendly as a push notification. It requires users to log on the smartphone, find the app, and enter the code. A Trusted Platform Module (TPM) provides full drive encryption and would protect the data if someone accessed the laptop, but it doesn't prevent access.

A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers. Neither a TPM nor a HSM is relevant in this question.

Time-of-day restrictions should be implemented to ensure that temporary workers can only access network resources during work hours. The other answers represent good practices, but don't address the need stated in the question that "personnel need access to network resources, but only during working hours"

Account expiration should be implemented if the organization knows the last workday of these workers.

Account lockout will lock out an account if the wrong password is entered too many times.

Password recovery allows users to recover a forgotten password or change their passwords.

Password history remembers previously used password and helps prevent users from using the same password.