Biometric authentication: the good, the bad and the ugly | Clark Hill PLC


TV and movies introduced biometric identification as a futuristic concept long ago. Security on Star Trek was state of the art, with voice identification ensuring the correct personnel were in command of the Enterprise. Facial recognition, retinal scans, and DNA identification have been widely used in fantasy movies like the Terminator series, Blade Runner and many more.

Fast forward to today: industry and high-security environments are turning to these credential technologies to provide increased security, speed and convenience. However, this advancement in security controls does not come without unique risks for users and businesses. When biometric authentication is used as part of a multi-factor authentication strategy, the risk of a malicious actor gaining access to systems and user information is reduced. The following highlights the benefits, precautions, and strategies for protecting data subjects and biometric data.

Benefits of Biometric Authentication

  • Increased Security – Enabling biometric authentication helps thwart the ability of malicious actors to gain unauthorized access; hackers are adept at breaking knowledge-based authentication, such as passwords and security questions.
  • User Experience – With advances in technology, efficiency and a high level of accuracy are expected. User experiences need to be sleek, fast, and painless so that a business isn’t held back by its own security practices. Biometric authentication can make the login experience instantaneous.
  • Non-transferable – People can share passwords and even have other personal identifying information that overlaps, but unique biometrics like fingerprints and iris scanning are harder to replicate with current technology.

Precautions when using biometric authentication

  • False negatives – Disruptions and unsafe conditions can occur when a biometric system fails to recognize a genuine person and blocks access. The false negative rate when trying to connect to a platform using biometric authentication can be high and depends on several factors. To preserve the security benefits, system administrators must carefully choose authentication sensors and calibrate the biometric reference points in the process to strike the right balance between security and accuracy.
  • Privacy and security risks – Organizations that collect biometric information for authentication must strike a balance between enabling fast and secure access to services and systems and intruding on the privacy of individuals. Take the COVID-19 pandemic for example; cities have sought to use geolocation data to aid in contact tracing and crowd density efforts for the safety of individuals and in the name of public safety. Focus groups tell us that people want to see a direct personal benefit and understand how their personal data will be used and protected before they feel comfortable with companies, including their employers, and government entities using their personal data. Legislative bodies recognize this and are increasingly providing individuals with protections, as demonstrated by the California Consumer Privacy Act/California Privacy Rights Act and Illinois’ Biometric Information Privacy Act. It is becoming the norm that individuals must be given the opportunity to opt out and that companies must obtain consent before their biometric data can be collected or used.
  • Misuse of data – Another risk with biometric authentication is the risk of misuse. While data and systems can be better protected with biometric identification, when biometric data is accessed and misused, the damage can be severe. Take for example a password. When a password is compromised, the user only has to change the password. When biometric data is compromised, there is no option to reset an immutable characteristic of an individual. A business system that stores biometric data of its employees can be a treasure trove for hackers in the event of a successful security breach.
    • Spoofing attacks are increasingly common. As technology develops, the use of high-resolution video and audio clips, and even deep fakes like 3D masks, needs to be mitigated. While hackers can try creative workarounds to defeat biometric authentication, technology in the form of “liveness detection” helps address this risk.
    • The information may be misused by repressive government regimes or corporations. Personal information of this sensitivity can lead to bias, unconscious or otherwise, when it gets into the wrong hands. Data protection impact assessments, policies and technical safeguards are required by various privacy regulations (such as the EU General Data Protection Regulation) to identify and mitigate the risk of abusive use.
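
The balance between security and accuracy described under "False negatives" can be made concrete with match scores. The Python sketch below is an added illustration, not part of the original article; the scores, function names and false-accept targets are constructed for the example. It shows that tightening the limit on false accepts raises the share of genuine users who are rejected.

```python
# Constructed similarity scores in [0, 1]; higher means a closer match.
# GENUINE: the enrolled user's own attempts. IMPOSTOR: other people's attempts.
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.84, 0.67, 0.93, 0.79, 0.58, 0.90]
IMPOSTOR = [0.12, 0.33, 0.41, 0.25, 0.61, 0.18, 0.47, 0.70, 0.29, 0.36]


def error_rates(threshold, genuine, impostor):
    """Return (FRR, FAR) when scores >= threshold are accepted."""
    # FRR: genuine attempts rejected (the false negatives in the text).
    frr = sum(s < threshold for s in genuine) / len(genuine)
    # FAR: impostor attempts accepted (the security failure).
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def calibrate(genuine, impostor, max_far):
    """Pick the lowest threshold whose FAR stays within max_far.

    FAR never rises as the threshold rises, so the first candidate that
    meets the target is the one with the fewest false negatives.
    Returns (threshold, FRR, FAR).
    """
    # Observed scores are the only points where the rates change;
    # 1.01 is a sentinel above every score so FAR = 0 is always reachable.
    candidates = sorted(set(genuine) | set(impostor) | {1.01})
    for t in candidates:
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr, far
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for target in (0.2, 0.1, 0.0):
        t, frr, far = calibrate(GENUINE, IMPOSTOR, target)
        print(f"max FAR {target:.1f}: threshold {t:.2f}, FRR {frr:.1f}, FAR {far:.1f}")
```

In practice the score sets come from the sensor vendor's evaluation data or the organization's own enrollment trials, and the acceptable false-accept rate is a policy decision.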

Strategies for the protection of data subjects and biometric data

The following strategies can help minimize the risks associated with the use of biometric data:

  • Require multi-factor authentication.
  • Use software that automatically encrypts stored data.
  • Consider solutions that perform authentication by using and storing identification points on the biometric fingerprint and not the actual biometric data.
  • Implement appropriate notification, consent, and security protocols when collecting and using biometric data to avoid private rights of action (expensive lawsuits).
  • For users who fear bias, data abuse, or misuse through fraud or spoofing attacks, only share data that you are comfortable making public. Read the terms and conditions and privacy policies of the organizations you share this data with and make sure their practices are secure before sharing your biometric information.
