Biometric Data: Increased Security and Risks

By Lenildo Morais
May 6, 2020

In recent years, we have seen an explosion in the use of biometrics, in a wide variety of situations in which the use of biometric identification techniques is already possible. Usability is a very relevant factor. Another is privacy. There is a natural opposition to the possibility of creating an extensive centralized personal database. Companies need to be careful about how they implement their biometric authentication systems to prevent breaches of employee or customer privacy or the inappropriate exposure of confidential information. After all, while it is easy to issue a new password when the old one is compromised, it is impossible to give someone a new look.

Biometric authentication uses human physical or behavioral characteristics to digitally identify a person to grant access to systems, devices or data. Examples of such biometric identifiers are fingerprints, facial patterns, voice or typing cadence. Each of these identifiers is considered unique to the individual and can be combined with other means of authentication to ensure greater accuracy in identifying users. Because biometrics can provide a reasonable level of confidence in a person's authentication, it has the potential to dramatically improve security. Computers and devices can automatically unlock when they detect the fingerprints of an authorized user. The doors to the server room can open when they recognize the face of trusted system administrators. Help desk systems can automatically extract all relevant information when they recognize an employee's voice on the helpline.

Most companies classify biometric authentication as "effective" or "very effective" for protecting identity data stored on-premises and claim it is effective for protecting data stored in a public cloud. Most companies are already using biometric authentication, and the rest plan to implement it in the coming years.


Types of Biometrics

A biometric identifier is one that is related to intrinsic human characteristics. Identifiers fall into two categories: physical identifiers and behavioral identifiers. Physical identifiers are, for the most part, immutable and device-independent. Among them are:


  1. Fingerprints

Fingerprint scanners have become ubiquitous in recent years due to their widespread deployment on smartphones. Any device that can be touched, such as a phone screen, computer mouse or touchpad, or a door panel, has the potential to become an easy and convenient fingerprint scanner. According to Spiceworks, fingerprint scanning is the most common type of biometric authentication.

  2. Photo and Video

If a device is equipped with a camera, it can easily be used for authentication. Facial recognition and retinal scans are two common approaches.

  3. Physiological Recognition

Facial recognition is the third most common type of authentication. Other image-based authentication methods include hand geometry recognition, iris or retina reading, palm vein recognition and ear recognition.

  4. Voice

Voice-based digital assistants and phone-based service portals are already using speech recognition to identify users and authenticate customers.

  5. Signature

Digital signature scanners are already in general use at retail outlets and banks and are a good option for situations where users and customers already expect to sign their names.

  6. DNA

Today, DNA tests are used primarily in law enforcement to identify suspects. In practice, DNA sequencing has been too slow for widespread use. This is starting to change. There is already the possibility of doing a DNA match in a matter of minutes.


More Common Approaches

Behavioral identifiers are a more recent approach and, in general, are used in conjunction with another method because of their lower reliability. However, as the technology improves, these behavioral identifiers may see expanded use. Unlike physical identifiers, which are limited to a certain fixed set of human characteristics, the only limit to behavioral identifiers is human imagination.

Today, this approach is often used to distinguish between a human and a robot. This can help a company filter out spam or detect brute-force attempts against logins and passwords. As the technology improves, systems are likely to become better at accurately identifying individuals, but remain less effective at that than at distinguishing between humans and robots. Here are some common approaches:


  1. Typing Patterns

Everyone has a different typing style. The speed at which we type, the time it takes to go from one letter to another and how hard we strike the keys are all taken into account.

  2. Physical Movements

The way someone walks is unique to an individual and can be used to authenticate employees in a building or as a secondary layer of authentication for particularly sensitive locations.

  3. Navigation Patterns

Mouse movements and finger movements on trackpads or touch screens are unique to individuals and relatively easy to detect with software, without the need for additional hardware.

  4. Patterns of Engagement

We all interact with technology in different ways. How we open and use apps, the locations and times of the day when we're most likely to use our devices, the way we browse websites, how we tilt our phones when we hold them, or even how often we check our social network accounts are all potentially unique behavioral characteristics. Today these patterns of behavior can be used to distinguish people from bots. And they can also be used in combination with other authentication methods or, if the technology improves enough, as independent security measures.


How Reliable is Biometric Authentication?

Authentication credentials, such as fingerprint scans or voice recordings, can leak from devices, company servers, or software used to analyze them. There is also a high potential for false positives and false negatives. A facial recognition system may not recognize a user wearing makeup or glasses, or someone who is sick or tired. Voices also vary.

People look different when they wake up, or when they try to use the phone in a crowded public environment, or when they are angry or impatient. Recognition systems can be tricked with masks, photos and voice recordings, with copies of fingerprints or tricked by family members or trusted colleagues when the legitimate user is sleeping.

Experts recommend that companies use multiple types of authentication simultaneously and escalate quickly if they see signs of fraud. For example, if the fingerprint matches but the face does not, or the account is being accessed from an unusual location at an unusual time, it may be time to switch to a backup authentication method or a second communication channel. This is particularly critical for financial transactions or password changes.
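The escalation rule described above, written out as a small risk-based policy. This is an added example, not code from the article or any vendor; the action names, the per-user baseline built from past logins and the "two signals" threshold are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed example: combine per-factor match results with login context
# and return a decision. All names and thresholds are assumptions.

SENSITIVE_ACTIONS = {"transfer_funds", "change_password"}  # assumed action names
MIN_SEEN = 2  # a country/hour counts as "usual" after this many successful logins


@dataclass(frozen=True)
class Profile:
    usual_countries: Set[str]
    usual_hours: Set[int]  # hours of day (0-23) the user normally signs in


@dataclass(frozen=True)
class Attempt:
    fingerprint_ok: bool
    face_ok: bool
    country: str
    hour: int
    action: str


def build_profile(history: Iterable[Tuple[str, int]]) -> Profile:
    """Derive a baseline from past successful logins given as (country, hour) pairs."""
    countries, hours = Counter(), Counter()
    for country, hour in history:
        countries[country] += 1
        hours[hour] += 1
    return Profile(
        {c for c, n in countries.items() if n >= MIN_SEEN},
        {h for h, n in hours.items() if n >= MIN_SEEN},
    )


def evaluate(profile: Profile, attempt: Attempt) -> str:
    """Return 'allow', 'step_up' (backup method or second channel) or 'deny'."""
    if not (attempt.fingerprint_ok or attempt.face_ok):
        return "deny"  # no factor matched at all
    if attempt.fingerprint_ok != attempt.face_ok:
        return "step_up"  # factors disagree, e.g. fingerprint matched but face did not
    unusual_place = attempt.country not in profile.usual_countries
    unusual_time = attempt.hour not in profile.usual_hours
    if unusual_place and unusual_time:
        return "step_up"  # unusual location at an unusual time
    if attempt.action in SENSITIVE_ACTIONS and (unusual_place or unusual_time):
        return "step_up"  # money movement and password changes get a lower bar
    return "allow"


# Constructed login history: the user normally signs in from BR during office hours.
HISTORY: List[Tuple[str, int]] = [("BR", 9), ("BR", 10), ("BR", 9), ("BR", 14), ("BR", 14)]
```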


What are the Privacy Risks in Biometric Authentication?

Some users may not want companies to collect data about, say, the time of day and the places where they normally use their phones. If that information leaks, it could be used by stalkers or, in the case of celebrities, by tabloid journalists. Some users may not want their family members or spouses to know where they are at all times.

Information can also be abused by repressive government regimes or by criminal prosecutors pushing boundaries. Foreign powers can use the information in an attempt to influence public opinion. Unethical merchants and advertisers can do the same.

Any of these situations could lead to significant public embarrassment for the company that collected the data, regulatory fines or class action lawsuits. If DNA scans become widespread, they could give rise to a whole new area of privacy concerns, including exposure of medical conditions and family relationships.


How Secure is Biometric Authentication?

The security of biometric authentication data is of vital importance, even more than the security of passwords, as passwords can easily be changed if exposed. A fingerprint or retinal scan, however, is immutable. Disclosure of this or other biometric information can put users at permanent risk and create significant legal exposure for the company that loses the data. A breach creates an enormous challenge because physical attributes, such as fingerprints, cannot be replaced. Biometric data in the hands of a corrupt entity also has very frightening but real implications.

Ultimately, every company is responsible for its own security decisions. It is not possible to outsource compliance, but a company can reduce the cost of compliance and the possible repercussions of a leak by choosing the right supplier. In addition, companies that do not store credentials have some legal protections. For example, many retailers can avoid substantial compliance costs by keeping their systems "out of scope." Payment information is encrypted directly at the payment terminal and passes directly to a payment processor. Raw payment card data never touches company servers, reducing compliance implications and possible security risks.

If a company needs to collect authentication information and keep it on its own servers, security best practices should be applied. This includes encryption for data at rest and data in transit. New technologies are available for runtime encryption, which keeps data encrypted even while in use. Encryption is not an absolute guarantee of security, of course, if the applications or users authorized to access the data are compromised. However, there are some ways in which companies can avoid keeping encrypted authentication data on their servers.


Local or Device-Based Authentication

The most common example of a local authentication mechanism is the hardware security module on a smartphone. User information, such as a fingerprint scan, facial image or voiceprint, is stored inside the module. When authentication is required, biometric information is collected by the fingerprint reader, camera or microphone and sent to the module, where it is compared with the original. The module tells the phone whether or not the new information matches what it had already stored. With this system, the raw biometric information is never accessible to any software or system outside the module, including the phone's own operating system. Today, smartphone hardware security modules are used both to secure the device and to authenticate third-party applications.

Companies can also use smartphone-based biometric readers whenever their users or customers have access to smartphones, without ever having to collect and store biometric identification information on their own servers. Similar technology is available for other types of devices, such as smart cards, smart locks or fingerprint scanners for PCs. Phone-based fingerprint recognition is the most common biometric authentication mechanism today. Smartphone-based authentication offers significant usability benefits. First, users tend to find out immediately if they have lost their smartphone, taking immediate steps to locate or replace it. If, however, they lose a badge that they only use to access a building during their off hours, they may not realize for a while that it is no longer in their possession. Smartphone makers are also in the middle of a race to make their technology better and easier to use. No other industry or individual company can match the scale of mobile investment or the usability and security tests that phones receive.

Finally, phone-based authentication offers users maximum flexibility. They can opt for phones with facial identification, fingerprint scanners or voice recognition, or some other new technology that has not yet been invented but will dominate the market tomorrow. However, the use of a third-party mechanism, such as consumer smartphones, puts the authentication process beyond the company's control. Another downside of device-based authentication, in general, is that identity information is limited to that single device. If people use a fingerprint to unlock their smartphone, they cannot use the same fingerprint to unlock the office door without separately enrolling on the door lock, or to unlock the computer without separately enrolling on the computer's fingerprint scanner.

Companies that need to authenticate users or clients on multiple devices in multiple locations need either some kind of centralized mechanism for storing authentication credentials or a way to take advantage of a device that the user carries at all times. For example, companies can place the authentication mechanism inside a smart badge that employees use in the office. They can also use a smartphone to authenticate the employee and then communicate the identity verification to other devices and systems via Bluetooth, NFC, Wi-Fi or the Internet.


Tokenization or Encryption

Another approach that allows new devices to recognize authorized users is tokenization, one-way encryption or hashing. Say, for example, that retina, voice or fingerprint identification is used to recognize and authenticate employees wherever they go within a company, but the company does not want the image or audio files stored on servers where hackers or malicious employees may misuse them.

Instead, the company would use a device that, say, scans a person's face or fingerprint, converts that image into a unique code, and then sends that code to the central server for authentication. Any device using the same conversion method can then recognize the employee and the raw identification data will never be available on any system.
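The conversion-and-send scheme described above, as an added example that is not the article's or any vendor's code. It assumes that every reader derives a fixed-length feature vector from a scan, quantizes it so small capture noise maps to the same bytes, and keys the one-way code with a reader key held in the readers' hardware security module; the feature layout, bucket width and names are assumptions.

```python
import hashlib
import hmac
from typing import Dict, Sequence

# Constructed example: the capture device sends only a keyed one-way code to
# the server, so neither the image nor the raw features are ever stored centrally.

BUCKET = 0.25  # assumption: features lie in [0, 1); same bucket -> same code


def quantize(features: Sequence[float]) -> bytes:
    """Coarsen each feature so capture-to-capture jitter maps to the same bytes.
    Caveat: a value near a bucket edge can still flip between captures; production
    schemes use error-correcting constructions (fuzzy extractors), not plain buckets."""
    return bytes(min(int(f / BUCKET), 255) for f in features)


def device_code(user_id: str, features: Sequence[float], device_key: bytes) -> str:
    """Runs on the scanner. device_key is shared by all enterprise readers and
    should live in their hardware security module; the server never needs it."""
    code = quantize(features)
    msg = user_id.encode() + b"\x00" + code  # bind the code to the claimed identity
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class TokenServer:
    """Stores only the one-way codes; it cannot reconstruct a face or fingerprint."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}

    def enroll(self, user_id: str, code: str) -> None:
        self._codes[user_id] = code

    def verify(self, user_id: str, code: str) -> bool:
        # compare_digest avoids a timing side channel; the dummy value keeps the
        # comparison cost the same for unknown users.
        stored = self._codes.get(user_id, "0" * 64)
        return hmac.compare_digest(stored, code) and user_id in self._codes


# Constructed data: a shared reader key and one employee's scans.
READER_KEY = b"demo-reader-key-kept-in-hsm"
ENROLL_SCAN = [0.10, 0.60, 0.30, 0.85]
REPEAT_SCAN = [0.12, 0.58, 0.33, 0.88]  # same person, slight sensor noise
OTHER_SCAN = [0.80, 0.10, 0.70, 0.20]   # a different person


def demo() -> Dict[str, bool]:
    """Enroll one user, then check a noisy repeat, an impostor and an unknown user."""
    server = TokenServer()
    server.enroll("alice", device_code("alice", ENROLL_SCAN, READER_KEY))
    return {
        "same_person": server.verify("alice", device_code("alice", REPEAT_SCAN, READER_KEY)),
        "other_person": server.verify("alice", device_code("alice", OTHER_SCAN, READER_KEY)),
        "unknown_user": server.verify("bob", device_code("bob", ENROLL_SCAN, READER_KEY)),
    }
```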

Keywords: biometrics, consumer protection, cyber security, data privacy

Lenildo Morais has a Masters in Computer Science from the Center for Informatics at the Federal University of Pernambuco, Brazil. He is a Researcher at ASSERT - Advanced System and Software Engineering Research Technologies and Project Manager at Porto Digital de Pernambuco, Brazil. Find him on LinkedIn at https://www.linkedin.com/in/lenildo-morais-b36350108/