In the age of information technology, more and more people—young and old alike–don’t have problems sharing their personal information online, sometimes, even private ones. And it seems like there’s no big deal when it comes to biometric identity, either.
Every day, people from all over the world use facial or fingerprint recognition to unlock phones and log in to apps and games. They also want to be tagged in friends’ photos, enabled by identification algorithms used by Facebook and Google.
From employee IDs to national IDs, to digital and airport security, biometric identification and authentication are proliferating. The biometric signatures of a person characterize their physiological or behavioral characteristics. Some of the most recognized biometric data include fingerprint, voice, retinas or irises, DNA sequences, and facial features.
Convenience and Huge Potential
Biometric technology offers very compelling identification and personal verification solutions. These modern authentication methods satisfy the consumers’ desire for both convenience and security, primarily when they transact online. Compared to the usual identification and verification methods that use personal identification numbers (PINs) or passwords, biometric technologies offer many advantages.
A biometric signature is no doubt convenient since it requires no IDs or codes to remember. In addition, biometric technologies are becoming more accurate and sophisticated. Apple, for example, has a facial recognition technology on its iPhone X that projects 30,000 infrared dots onto a user’s face to authenticate the user by pattern matching. Apple says the chance of mistaken identity is one in a million.
Biometric technology has also been responsible for speeding up lines in airports worldwide, as passengers simply have to walk into a booth and look into a camera where their eyes and irises are scanned and matched to their details and cross-checked with the database. CCTV cameras are being used for law enforcement purposes, as they help police fight crime through video surveillance.
For governments, businesses, banks, hospitals, and other institutions, biometric technologies are very useful in protecting sensitive documents and quickly confirming a user’s identity with confidence.
In marketing, discussions have focused on leveraging the potential of facial recognition not only to improve the customer experience but also to upgrade marketing campaigns. The technology can be used to study and influence consumer behavior effectively. Cameras scanning customers’ faces can determine age and gender, and the algorithm can consider time, date, and purchases.
Security Risks and Identity Theft
Increased exposure to biometric technology continues to shape the way people interact online. But while most laud the technology for its simplicity, convenience, and performance, stakeholders are raising valid issues about how it opens opportunities for privacy to be under attack in an unprecedented way.
Biometric data is easy to hack—and the consequences of its misuse could be incredibly dangerous. At the forefront is how private information is increasingly being collected, stored, and transmitted by IoT devices and services in the cloud, making them more vulnerable to identity theft.
Unlike codes and encryption keys, biometric technology capture a single unique identity that can never be changed. This static nature of biometric data makes it prone to identity-based threats. Compromised biometric data is an easy target for hackers. With access to biometric data, hackers can easily steal someone’s identity or even use and tamper the private information that could be detrimental to someone’s life.
The security issues regarding biometric data focus on how sensitive information is captured, stored, processed, transmitted, and accessed. There are many ways by which biometric data can be used and accessed, with little to no attention to its sensitivity and immutability. Today’s modern mobile phones, tablets, and cameras capture some biometric data and store it even if it is not used to authenticate or authorize.
Virtual assistants in several devices store your unique vocal patterns and process in the cloud. CCTV cameras being used to track individuals using facial recognition technology raises serious concerns about the blurring boundaries between security and surveillance.
The system uses a central storage database that becomes home to a broad and comprehensive set of information. The moving data must be encrypted on its way to store and secure. In both transit and storage, the data becomes vulnerable. Hackers target this database, breaching the system, and stealing data that is not secured adequately.
Spoofed sensors, sensor inaccuracy, host system misconfigurations, and other fraud capabilities can also compromise biometric indicators. One such incident happened in 2015 when the US Office of Personnel Management was hacked. Cybercriminals got away with the fingerprints of 5.6 million government employees, leaving them vulnerable to identity theft.
More recently, a report by security researches Noam Rotem and Ran Locar at Vpnmentor published in August 2019 reveal a major breach found in a biometrics system used by the UK Metropolitan Police, banks, and defense contractors. The report said facial recognition records, fingerprints, log data, and personal information of over a million people had been found on a publicly accessible database.
Protect Against Threats through Technology and Discipline
What we need to address is the lack of sufficient oversight and security to keep biometric data obtained from advanced authentication technology safe. Joseph Atick, one of the scientists who helped build the technology that innovated the ability of computers to recognize facial features, calls for special safeguards, and more societal sensitivity to privacy considerations to help prevent the abuse of biometric technologies.
He had also said that there are legitimate uses for the proper use of biometric technology, but there must also be checks and balances—a framework that shows that there are certain things that you just can’t do with this technology.
These automated technologies may be invading privacy, but ironically are the same tools that people can use to deter identity theft and combat fraud. The solution lies in the discipline to exert greater control over how personal data is accessed and used. Investments must be put into educating people and organizations about how their biometric data is processed and stored.
Businesses must also step up and apply IT security solutions that can make a user’s identity unintelligible during data collection, making the biometric system safer and more efficient. They can implement a strategy of using multiple authentication and security measures to prevent fraud and keep consumers’ data safe from threats.
ImageWare’s GoVerifyID, for example, is a Software-as-a-Service (SaaS) function that ensures each person’s biometrics are encrypted, anonymously stored in the cloud, and retrieved to use in real-time verification. The technology does not use traditional passwords. Those using GoVerifyID can access secured data through fast and convenient methods like taking a self-portrait or speaking a phrase on a mobile device.
Each business determines the situations and events that trigger requests for biometric verification. Such requests are sent to the user’s mobile device, and he or she can then capture the required biometrics that is compared to enrolled data in GoVerifyID. This way, businesses get instant, anonymous, and secure verification in real-time.
The Future of Biometric Technology
The question of whether biometric technologies can ever be full-proof remains unanswered. Nevertheless, it will continue to revolutionize the ways we do online transactions. These automated solutions will see widespread adoption primarily because of their speed and convenience.
The risks to security and privacy will increase as people continue to give away biometric information to multiple platforms and providers. The fact remains that biometric technologies still operate on a centralized database, and any hacker with malicious intent can find ways to steal data from a computer network. With hackers stepping up their game and changing tactics, we need better and more sophisticated security services.
To prevent identity theft and protect against fraudulent acts, heightened education, and awareness about how biometric data is processed and stored are needed. Globally, nations are moving to put regulations in place as more stakeholders recognize biometric technology’s immense potential.
These regulations note that for biometric security to work, people’s rights must be protected adequately and that their data in the hands of both private and public organizations are managed carefully and sensibly.
Some notable examples include the Commercial Facial Recognition Act of 2019 introduced by the United States Congress. The bill seeks to ensure that companies are obliged to get consent before tracking individuals using facial recognition technology and processing the data for surveillance or profiling.
In the European Union, several laws are giving citizens more control over their personal and biometric data. The EU data privacy law defines biometric data as “special categories of personal data” and prohibits its “processing.” It protects EU citizens and residents from having their information shared with third parties without their consent.
The General Data Protection Regulation (GDPR) for member states includes measures aimed at boosting enterprise security. It ensures that companies who experience a data breach must inform the authorities within 72 hours of discovery. Companies managing biometric information could also be hit with massive penalties if they do not make efforts to secure data. It is expected to reach 20 million euros or 4% of the annual worldwide turnover.
These global movements show that biometric technologies are advancing rapidly, and regulations need to keep up. The complex technical, people, process, and policy challenges must be addressed to secure digital data and ensure that biometric technology will effectively shape human identity authentication applications.