Biometric data has become the preferred standard for identity verification. Amazon recently made headlines by rolling out biometrics-based passkeys that let users access accounts and services by simply showing their face. This eliminates the need to remember cumbersome passwords.
Moreover, biometrics are nearly impossible to subvert, especially now that they are often accompanied by liveness detection capabilities that can distinguish between a picture and a real person’s face, thus helping to thwart imposters.
Biometrics promise to improve security and drastically improve the user experience. According to one of our recent surveys, more than half of consumers would rather sign up for a new product or service using biometrics and this easy verification makes them more likely to continue using the product or service.
Despite the benefits, organizations should consider some important factors for successful biometric implementation:
- Offer Opt-In/Opt-Out choices: Give users control over their biometric data usage and offer alternatives for those unwilling to provide biometrics. Various studies suggest that Americans are quite willing to use biometrics. However, their trust and comfort levels are heavily dependent on the context in which biometrics are implemented. While consumers are often more trusting of biometrics in financial services, they are less trusting of their use by big tech and social media companies. Ethically, we can make all users comfortable by offering clear OptIn/OptOut procedures, which gives users complete control over how their biometric data gets used. If a person does not wish to provide his or her biometric data, organizations should always offer an alternative means for verifying identity. In the vast majority of cases, the desire for convenience will win out and most people will choose the biometric method. An excellent case in point: airports around the country have noted that by using biometrics, they can board flights in a fraction of the time it takes using standard identification documents.
- Avoid bias: Choose algorithms trained on diverse global datasets to minimize bias. In recent weeks, there’s been a lot of news about bias in biometrics. When looking at all the biometric options available in the market, there’s often a big discrepancy in terms of various algorithms’ ability to achieve demographic neutrality and equity, thus treating all individuals equitably. Therefore, to eliminate bias based on age, gender or race, make sure the algorithm selected has been trained on extremely diverse data sets from around the world.
- Make sensible investments: SaaS products allow affordable implementation for businesses of all sizes. Leverage existing infrastructure when possible: From a technical perspective, only large, established companies could afford to implement biometrics in the past because of the heavy up-front investment of time and work required. Today, smaller organizations have the opportunity to implement SaaS-based biometric offerings ideal for businesses of any size and immediately functional. Additionally, in physical access control applications (ensuring authorized individuals can access a facility), there’s great news in that in many cases, organizations don’t have to add new infrastructure (like cameras or readers) or replace existing infrastructure. They can leverage the equipment they already have along with the bring-your-own-device (BYOD) trend. Biometrics combined with BYOD automatically offers the superior security levels associated with multi-factor authentication (MFA). In short, when evaluating biometric offerings, it’s important to always consider how much money, time and resources the company has available to get an application up and running. Avoid “ripping and replacing” as much as possible, as this generates waste.
- Practice transparency: Clearly explain biometric data collection, transfer, retention and deletion protocols. Use encryption and anonymization techniques. Never store biometrics with PII. Also, when implementing biometrics, organizations must stay fully transparent in terms of how the data gets collected, transferred for processing and retained; and how and when it’s discarded. Specifically, organizations will want to highlight the added protections put in place; and the extent (if any) to which biometric data is shared with third-parties.
How should teams collect and retain all the biometric data?
Regarding collection, there are techniques security teams can use to ensure biometric data (a fingerprint serving as a passkey) never leaves the device that captures it. Regarding transfer, use traditional encryption for data-in-transit and organizations handling the data should always follow best practices, like using a VPN.
On the data retention front, organizations are adopting a variety of innovative approaches, including the “cancellable biometric” where a distorted biometric image derived from the original is used for authentication. For example, instead of enrolling with a true finger (or other biometric), the fingerprint gets intentionally distorted in a repeatable manner and a new print is used. If, for some reason, the old fingerprint is "stolen," it’s possible to issue a "new" fingerprint by simply changing the parameters of the distortion process.
Additionally, there’s a new technique that breaks biometric templates down into anonymized bits. This approach makes it virtually impossible for a hacker to access complete biometric templates, in the rare event that a hacker can access the network. Other protections for biometric data in storage include data erasure at regular intervals; and never storing biometric data alongside personally identifiable information (PII), so in the unlikely event biometric data gets accessed by a hacker, it has no value.
While the advantages and benefits of biometrics are vast, there are important ethical and technical matters to consider before implementation. Clear, concise consent procedures, avoidance of bias, sensible investment, and thorough articulation of data safety and security protocols are all vital to the success of any biometrics initiative.
Dr. Mohamed Lazzouni, chief technology officer, Aware