The emergence of biometric technologies is fueling the notable innovation in the security and usability of the authentication solutions. Consumer-grade, reliable and easy to use biometrics is facilitating the organizations to comply with the security standards by fulfilling requirements of authentication.
There was a time when biometrics required specialized and expensive hardware to operate and were limited to high-security amenities only. But now, most of the smart devices come with fingerprint sensors and cameras that are replacing passwords with fingerprints and face recognition. These innovations are raising a serious concern, i.e. data privacy and security.
Biometric Authentication and Data Privacy Concerns
Looking at biometrics with regards to authentication, the implications of using biometrics are significant. Rather than requiring a user to enter a password or token, biometrics empowers the devices to recognize and verify an individual. The efficient implementation of the biometric technology results in passwordless authentication experiences that are more convenient and reliable.
In cloud applications, where users demand instant access to applications and data, biometric solutions offer simplified real-time authentication ensuring data privacy and security. However, not all biometric solutions are the same; some biometric configurations can pose a significant threat in terms of privacy and security, in addition to regulatory challenges. It’s essential to address these risks to deploy biometrics in a secure and responsible way to comply with PII standards and other regulatory concerns.
The ways in which biometrics are being implemented today decide whether they are enhancing data privacy and security or detracting from it. Biometric data security is high-priority than traditional data records. The reason is, unlike passwords and tokens, biometrics can’t be changed or revoked if they are stolen or compromised.
The use of biometrics has been under a serious debate for years. Critics point out that like other electronic records, biometric data is vulnerable to theft and fraud; hence, questioning the ability to protect user’s personally identifiable information (PII). Vulnerabilities such as spoofing are resulting in the theft of PII. For instance, in 2015 the office of Personnel Management was compromised that exposed PII - including fingerprints - of every employee of the U.S. government.
This highlights the lack of proper authentication and storage protocols. Organizations need to implement effective storage-based strategies to protect the biometric data collected as a result of authentication. But the question is, what is the best way? Data encryption is the answer.
Securing Biometric Data
The evolution of organizations towards the digital sphere and immense data to deal with every day has attracted the attention of regulatory authorities. Protecting users’ PII is no more ethical decision but a legal obligation for every business. Every organization dealing with consumers’ data is liable to meet the compliance requirements to safeguard information.
Existing biometric authentication systems are not fulfilling the data privacy standards, the increasing number of data breaches is the solid evidence of that. Many international data protection commissioners have argued against the creation of voluminous central databases for storing biometric data. Moreover, they encourage the development and implementation of privacy-enhancing technologies (PETs). These technologies enable individuals to manage their personal information and minimize privacy risks at earlier stages.
The general data protection regulation (GDPR) requires organizations and data processors to implement proper technical and organizational procedures to keep data secure. One such procedure includes one-way coding. This process keeps the biometric templates secure by ensuring that the templates are not being reconstructed or reverse engineered.
Some critics have even argued to limit the design and operation of biometric solutions to protect privacy; for instance, limiting 1:1 authentication rather than 1:n identification purpose.
The privacy in biometrics information systems can be achieved in a way that contributes positive-sum results for all stakeholders. Biometric encryption - a particular PTE - is an effective way of achieving both privacy and security in a positive-sum model. The biometric systems especially one-to-one authentication systems are vulnerable to potential attacks; the protection of personal data being a significant threat.
The conventional cryptography uses encryption keys that are a long 128-bits string or even more which are an essential part of a cryptosystem. Such long keys are difficult to memorize, therefore the key is generated from a password that can be memorized. This password management is the most vulnerable point of any cryptosystem since they can be stolen through brute force attacks.
But if we talk about biometrics, they always have unique characteristics and the templates are variable in nature, therefore, they can’t be used as the cryptographic keys. This means that each biometric sample is different and conventional cryptography can’t tolerate error. Therefore, the obvious role of biometrics in cryptography is password management. The biometric templates or results stored in a database can be encrypted using conventional cryptography to improve system security and data privacy.
Through cryptography, the attacker would need to know the encryption key first to access the information hence reducing breaches. However, the privacy issues affiliated with voluminous databases are going to stay. The reason is the keys and biometric data both are controlled by the custodian having encryption keys.
A single typical biometric image contains thousands of bits of information and generating such a long encryption key isn’t possible. But what if the thousand-bits biometric information is bound to a 128-bit key to consistently regenerate a key? That’s what biometric encryption does. It securely binds the cryptographic key to biometrics so that nothing can be retrieved from the stored template. Moreover, the key is only recreated only if the real-time biometric verification is done in addition to liveness detection.