Biometric Data: Increased Security and Risks
In recent years, the use of biometrics has exploded across the wide variety of situations in which biometric identification techniques are already possible. Usability is a very relevant factor. Another is privacy. There is a natural opposition to the possibility of creating an extensive centralized personal database. Companies need to be careful about how they implement their biometric authentication systems to prevent breaches of employee or customer privacy or the inappropriate exposure of confidential information. After all, while it is easy to issue a new password when the old one is compromised, it is impossible to give someone a new look.
Biometric authentication uses human physical or behavioral characteristics to digitally identify a person to grant access to systems, devices or data. Examples of such biometric identifiers are fingerprints, facial patterns, voice or typing cadence. Each of these identifiers is considered unique to the individual and can be combined with other means of authentication to ensure greater accuracy in identifying users. Because biometrics can provide a reasonable level of confidence in a person's authentication, it has the potential to dramatically improve security. Computers and devices can automatically unlock when they detect the fingerprints of an authorized user. The doors to the server room can open when they recognize the face of trusted system administrators. Help desk systems can automatically extract all relevant information when they recognize an employee's voice on the helpline.
Most companies classify biometric authentication as "effective" or "very effective" to protect identity data stored on-premise and claim it is effective in protecting data stored in a public cloud. Most companies are already using biometric authentication and the rest plan to implement it in the coming years.
Types of Biometrics
A biometric identifier is one that is related to intrinsic human characteristics. These identifiers fall into two categories: physical identifiers and behavioral identifiers. Physical identifiers are, for the most part, immutable and device-independent. Among them are:
- Fingerprints
Fingerprint scanners have become ubiquitous in recent years due to their widespread deployment on smartphones. Any device that can be touched, such as a phone screen, computer mouse or touchpad, or a door panel, has the potential to become an easy and convenient fingerprint scanner. According to Spiceworks, fingerprint scanning is the most common type of biometric authentication.
- Photo and Video
If a device is equipped with a camera, it can easily be used for authentication. Facial recognition and retinal scans are two common approaches.
- Physiological Recognition
Facial recognition is the third most common type of authentication. Other image-based authentication methods include hand geometry recognition, iris or retina reading, palm vein recognition and ear recognition.
- Voice
Voice-based digital assistants and phone-based service portals are already using speech recognition to identify users and authenticate customers.
- Signature
Digital signature scanners are already in general use at retail outlets and banks and are a good option for situations where users and customers already expect to sign their names.
- DNA
Today, DNA tests are used primarily in law enforcement to identify suspects. In practice, DNA sequencing has been too slow for widespread use. This is starting to change. There is already the possibility of doing a DNA match in a matter of minutes.
More Common Approaches
Behavioral identifiers are a more recent approach and, in general, are being used in conjunction with another method due to their low reliability. However, as the technology improves, these behavioral identifiers may have their use expanded. Unlike physical identifiers, which are limited to a certain fixed set of human characteristics, the only limits to behavioral identifiers are human imagination.
Today, this approach is often used to distinguish between a human and a robot. This can help a company filter out spam or detect brute-force attempts against logins and passwords. As the technology improves, systems are likely to get better at accurately identifying individuals, but remain less effective at distinguishing between humans and robots. Here are some common approaches:
- Typing Patterns
Everyone has a different typing style. The speed at which we type, the time it takes to go from one letter to another, the degree of impact on the keyboard, all these are considered.
- Physical Movements
The way someone walks is unique to an individual and can be used to authenticate employees in a building or as a secondary layer of authentication for particularly sensitive locations.
- Navigation Patterns
Mouse movements and finger movements on trackpads or touch screens are unique to individuals and relatively easy to detect with software, without the need for additional hardware.
- Patterns of Engagement
We all interact with technology in different ways. How we open and use apps, the locations and times of the day when we're most likely to use our devices, the way we browse websites, how we tilt our phones when we hold them, or even how often we check our social network accounts are all potentially unique behavioral characteristics. Today these patterns of behavior can be used to distinguish people from bots. And they can also be used in combination with other authentication methods or, if the technology improves enough, as independent security measures.
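The typing-pattern idea above, sketched as an added example that is not part of the original article: it derives dwell time (how long a key is held) and flight time (the gap before the next key) from key events and scores a new sample against an enrolled profile. The event format, the timings and the threshold are constructed assumptions.

```python
from statistics import mean, pstdev

def timings(events):
    """events: (key, press_ms, release_ms) tuples in typing order.
    Returns dwell times (key held) followed by flight times (gap to next key)."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_std=5.0):
    """Build a (mean, std) profile per feature from repeated typings of one phrase.
    The std floor stops a very consistent typist from rejecting themselves."""
    columns = zip(*(timings(s) for s in samples))
    return [(mean(c), max(pstdev(c), min_std)) for c in columns]

def score(profile, events):
    """Mean absolute z-score against the profile; lower means closer."""
    feats = timings(events)
    if len(feats) != len(profile):
        raise ValueError("sample length differs from the enrolled phrase")
    return mean(abs(f - m) / s for f, (m, s) in zip(feats, profile))

def matches(profile, events, threshold=2.0):
    """True when the sample's rhythm is close enough to the enrolled profile."""
    return score(profile, events) <= threshold

# Constructed timings (ms) for the phrase "abc"; not real measurements.
ENROLLMENT = [
    [("a", 0, 90), ("b", 150, 230), ("c", 300, 395)],
    [("a", 0, 95), ("b", 160, 245), ("c", 310, 400)],
    [("a", 0, 85), ("b", 140, 225), ("c", 295, 390)],
]
SAME_USER = [("a", 0, 92), ("b", 155, 238), ("c", 305, 398)]
SCRIPTED = [("a", 0, 30), ("b", 40, 70), ("c", 80, 110)]  # machine-regular input

if __name__ == "__main__":
    profile = enroll(ENROLLMENT)
    for name, sample in (("same user", SAME_USER), ("scripted", SCRIPTED)):
        print(name, round(score(profile, sample), 2), matches(profile, sample))
```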
How Reliable is Biometric Authentication?
Authentication credentials, such as fingerprint scans or voice recordings, can leak from devices, company servers, or software used to analyze them. There is also a high potential for false positives and false negatives. A facial recognition system may not recognize a user wearing makeup or glasses, or someone who is sick or tired. Voices also vary.
People look different when they wake up, or when they try to use the phone in a crowded public environment, or when they are angry or impatient. Recognition systems can be tricked with masks, photos, voice recordings and copies of fingerprints, or by family members or trusted colleagues while the legitimate user is sleeping.
Experts recommend that companies use multiple types of authentication simultaneously and escalate quickly if they see signs of a scam. For example, if the fingerprint matches, but the face does not, or the account is being accessed from an unusual location at an unusual time, it may be time to switch to a backup authentication method or a second communication channel. This is particularly critical for financial transactions or password changes.
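One way to express that escalation rule as a policy check (an added example, not part of the original article). The field names, the action labels and the choice to step up on a single context anomaly for sensitive actions are assumptions made for illustration.

```python
from dataclasses import dataclass

# The article singles out financial transactions and password changes.
SENSITIVE_ACTIONS = {"payment", "password_change"}

@dataclass
class Attempt:
    fingerprint_match: bool
    face_match: bool
    usual_location: bool
    usual_time: bool
    action: str = "login"

def evaluate(attempt):
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.
    'step_up' means: switch to a backup method or a second communication channel."""
    if not attempt.fingerprint_match and not attempt.face_match:
        return "deny", ["no biometric factor matched"]

    reasons = []
    if attempt.fingerprint_match != attempt.face_match:
        reasons.append("biometric factors disagree")

    context_ok = attempt.usual_location and attempt.usual_time
    if not attempt.usual_location and not attempt.usual_time:
        reasons.append("unusual location at an unusual time")
    elif attempt.action in SENSITIVE_ACTIONS and not context_ok:
        # Assumption: for sensitive actions one context anomaly is enough.
        reasons.append("unusual context for a sensitive action")

    return ("step_up" if reasons else "allow"), reasons

if __name__ == "__main__":
    # Constructed attempts, one per branch of the policy.
    samples = [
        Attempt(True, True, True, True),
        Attempt(True, False, True, True),
        Attempt(True, True, False, False),
        Attempt(True, True, False, True, action="payment"),
        Attempt(False, False, True, True),
    ]
    for a in samples:
        print(a.action, *evaluate(a))
```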
What are the Privacy Risks in Biometric Authentication?
Some users may not want companies to collect data about, say, the time of day and the places where they normally use their phones. If that information leaks, it could be used by stalkers or, in the case of celebrities, by tabloid journalists. Some users may not want their family members or spouses to know where they are at all times.
Information can also be abused by repressive government regimes or by criminal prosecutors pushing boundaries. Foreign powers can use the information in an attempt to influence public opinion. Unethical merchants and advertisers can do the same.
Any of these situations could lead to significant public embarrassment for the company that collected the data, regulatory fines or class action lawsuits. If DNA scans become widespread, they could give rise to a whole new area of privacy concerns, including exposure to medical conditions and family relationships.
How Secure is Biometric Authentication?
The security of biometric authentication data is of vital importance, even more than the security of passwords, as passwords can be easily changed if exposed. A fingerprint or retinal scan, however, is immutable. Disclosure of this or other biometric information can put users at permanent risk and create significant legal exposure for the company that loses the data. In the event of a breach, it creates an enormous challenge because physical attributes, such as fingerprints, cannot be replaced. Biometric data in the hands of a corrupt entity also has very frightening but real implications.
Ultimately, every company is responsible for its own security decisions. It is not possible to outsource compliance, but a company can reduce the cost of compliance and the possible repercussions of a leak by choosing the right supplier. In addition, companies that do not keep credentials on file have some legal protections. For example, many retailers can avoid substantial compliance costs by keeping their systems "out of scope." Payment information is encrypted directly at the payment terminal and passes directly to a payment processor. Raw payment card data never touches company servers, reducing compliance implications and possible security risks.
If a company needs to collect authentication information and keep it on its own servers, security best practices should be applied. This includes encryption for data at rest and data in transit. New technologies are available for runtime encryption, which keeps data encrypted even while in use. Encryption is not an absolute guarantee of security, of course, if the applications or users authorized to access the data are compromised. However, there are some ways in which companies can avoid keeping encrypted authentication data on their servers.
Local or Device-Based Authentication
The most common example of a local authentication mechanism is the hardware security module on a smartphone. User information, such as a fingerprint scan, facial image or voice print, is stored inside the module. When authentication is required, biometric information is collected by the fingerprint reader, camera or microphone and sent to the module, where it is compared with the original. The module tells the phone whether or not the new information corresponds to what it had already stored. With this system, the raw biometric information is never accessible to any software or system outside the module, including the phone's own operating system. Today, smartphone hardware security modules are used to provide security as well as to authenticate third-party applications.
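The module behaviour described above, as an added sketch that is not part of the original article: the template is compared inside the module, only a yes/no result leaves it, and a company server can rely on that result through a challenge-response without ever holding biometric data. The class names, feature vectors and threshold are constructed, the server-side challenge step goes beyond what the article describes, and an HMAC key stands in for the key pair a real module would use.

```python
import hashlib, hmac, math, secrets

class SecureModule:
    """Stand-in for the phone's hardware module. The template and key are meant
    to be unreadable from outside; Python cannot enforce that, hardware does."""
    def __init__(self, threshold=0.3):
        self._template = None
        self._key = secrets.token_bytes(32)
        self._threshold = threshold

    def enroll(self, features):
        self._template = tuple(features)

    def export_verification_key(self):
        # Simplification: a real module would export only a public key.
        return self._key

    def matches(self, sample):
        """Compare inside the module; only a yes/no answer leaves it."""
        return (self._template is not None
                and math.dist(self._template, sample) <= self._threshold)

    def respond(self, sample, challenge):
        """MAC the server's challenge only when the live sample matches."""
        if not self.matches(sample):
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class CompanyServer:
    """Holds one verification key per user and no biometric data."""
    def __init__(self):
        self.keys = {}

    def register(self, user, key):
        self.keys[user] = key

    def verify(self, user, challenge, response):
        key = self.keys.get(user)
        if key is None or response is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def login(module, server, user, live_sample):
    challenge = secrets.token_bytes(16)  # fresh per attempt, so replays fail
    return server.verify(user, challenge, module.respond(live_sample, challenge))

# Constructed feature vectors standing in for fingerprint templates.
ENROLLED = (0.61, 0.12, 0.88, 0.35)
SAME_FINGER = (0.63, 0.10, 0.86, 0.37)
OTHER_FINGER = (0.20, 0.75, 0.40, 0.90)
```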
Companies can also use smartphone-based biometric readers whenever their users or customers have access to smartphones, without ever having to collect and store biometric identification information on their own servers. Similar technology is available for other types of devices, such as smart cards, smart locks or fingerprint scanners for PCs. Phone-based fingerprint recognition is the most common biometric authentication mechanism today. Smartphone-based authentication offers significant usability benefits. First, users tend to find out immediately if they have lost their smartphone, taking immediate steps to locate or replace it. If, however, they lose a badge that they only use to access a building during their off hours, they may not realize for a while that it is no longer in their possession. Smartphone makers are also in the middle of a race to make their technology better and easier to use. No other industry or individual company can match the scale of mobile investment or the usability and security tests that phones receive.
Finally, phone-based authentication offers users maximum flexibility. They can opt for phones with facial identification, fingerprint scanners or voice recognition, or some other new technology that has not yet been invented, but that will dominate the market tomorrow. However, the use of a third-party mechanism, such as consumer smartphones, puts the authentication process beyond the company's control. Another downside of device-based authentication, in general, is that identity information is limited to that single device. If people use a fingerprint to unlock their smartphone, they cannot also use the same fingerprint to unlock the office door without separately authorizing the door lock, or to unlock the computer without separately authorizing the computer's fingerprint scanner.
Companies that need to authenticate users or clients on multiple devices in multiple locations need to either have some kind of centralized mechanism for storing authentication credentials or take advantage of a device that the user carries with them at all times. For example, companies can place the authentication mechanism inside a smart badge that employees use in the office. They can also use a smartphone to authenticate the employee and then communicate identity verification to other devices and systems via Bluetooth, NFC, Wi-Fi or the Internet.
Tokenization or Encryption
Another approach to allowing new devices to recognize authorized users is tokenization, one-way encryption or a hash function. Say, for example, that retina, voice or fingerprint identification is used to recognize and authenticate employees wherever they go within a company, but the company does not want to have the image or audio files stored on servers where hackers or malicious employees may misuse them.
Instead, the company would use a device that, say, scans a person's face or fingerprint, converts that image into a unique code, and then sends that code to the central server for authentication. Any device using the same conversion method can then recognize the employee and the raw identification data will never be available on any system.
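The flow described above, as an added example that is not part of the original article: each reader snaps a feature vector to a coarse grid and sends only a keyed hash of it, so the central server stores and compares codes and never sees the scan. The feature vectors, the key and the grid step are constructed, and the rounding is a simplification assumed here so that two slightly different captures of the same person can yield the same code.

```python
import hashlib
import hmac

def quantize(features, step=0.25):
    """Snap each feature to a grid cell so small capture noise is absorbed."""
    return bytes(round(f / step) % 256 for f in features)

def tokenize(features, conversion_key, step=0.25):
    """The shared 'conversion method': a keyed one-way hash of the quantized scan.
    Keying it means a leaked code cannot be recomputed or linked across systems
    without the key held by the readers."""
    return hmac.new(conversion_key, quantize(features, step), hashlib.sha256).hexdigest()

class CentralServer:
    """Stores one code per user; raw images or audio never reach it."""
    def __init__(self):
        self.tokens = {}

    def enroll(self, user, token):
        self.tokens[user] = token

    def authenticate(self, user, token):
        stored = self.tokens.get(user)
        return stored is not None and hmac.compare_digest(stored, token)

# Constructed values; a real template has far more features than four.
CONVERSION_KEY = b"constructed-demo-key"
ENROLLED = [0.52, 1.01, 1.49, 0.24]       # captured at the enrolment reader
DOOR_CAPTURE = [0.55, 0.98, 1.52, 0.27]   # same person, different reader
BOUNDARY_CAPTURE = [0.63, 1.01, 1.49, 0.24]  # same person, one value crosses a grid line
OTHER_PERSON = [1.30, 0.20, 0.75, 1.90]

if __name__ == "__main__":
    server = CentralServer()
    server.enroll("alice", tokenize(ENROLLED, CONVERSION_KEY))
    for name, scan in (("door", DOOR_CAPTURE), ("boundary", BOUNDARY_CAPTURE),
                       ("other person", OTHER_PERSON)):
        # The boundary capture is rejected: exact-match codes trade away
        # tolerance, which shows up as false negatives for legitimate users.
        print(name, server.authenticate("alice", tokenize(scan, CONVERSION_KEY)))
```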