Biometric Authentication: The Good, the Bad, and the Ugly

January 26, 2022

TV and movies introduced biometric identification as a futuristic concept ages ago. Security on Star Trek was cutting edge, with voice ID making sure the right personnel were in command of the Enterprise. Facial recognition, retinal scans, and DNA identification were used prominently in fantastical movies like the Terminator series, Blade Runner, and many others.

Fast forward to the present day, and industry and high-security settings are turning to these identification technologies to provide increased security, speed, and convenience. However, this advance in security controls does not come without unique risks to users and companies. When biometric authentication is used as one factor in a multi-factor authentication strategy, the risk of a bad actor gaining access to user systems and information decreases. The following highlights benefits, precautions, and strategies for protecting data subjects and biometric data.

Benefits of biometric authentication

  • Higher security – Enabling biometric authentication helps thwart bad actors’ ability to gain unauthorized access; hackers are adept at breaking knowledge-based authentication such as passwords and security questions.
  • User experience – With advances in technology, efficiency and a high level of accuracy are expected. User experiences need to be sleek, quick, and painless so that a company is not held back by its own security practices. Biometric authentication can make the sign-in experience instantaneous.
  • Non-transferable – People can share passwords and may even have overlapping personal identifying information, but unique biometrics like fingerprints and iris scans are more challenging to replicate with current technology.

Precautions when using biometric authentication

  • False negatives – Disruption and unsafe conditions may result when a biometric system fails to recognize an authentic individual and blocks access. The rate of false negatives when logging into a platform using biometric authentication can be high and depends on several factors. To preserve the security benefits, system administrators should take care in selecting authentication sensors and in calibrating the biometric points of reference used in the matching process, so as to strike the right balance between security and accuracy.
  • Privacy and security risks – Organizations collecting biometric information for authentication need to balance between enabling quick and secure access to services and systems and intruding on individuals’ privacy. Take the COVID-19 pandemic for example; cities sought to use geolocation data to aid contact tracing and crowd density efforts for the safety of individuals and in the name of public safety. Focus groups tell us that people want to see a direct personal benefit and understand how their personal data will be used and protected before feeling comfortable with companies—including their employers—and government entities using their personal data. Legislative bodies recognize this and are increasingly providing individuals with protections as seen with the California Consumer Privacy Act/California Privacy Rights Act and Illinois with the Biometric Information Privacy Act. It is becoming the norm that individuals must be provided with the opportunity to opt out and that companies secure consent before their biometric data may be collected or used.
  • Misuse of data – Another risk with biometric authentication is the risk of misuse. While data and systems may be better protected with biometric identification, when biometric data is accessed and misused, the damage may be severe. Take a password, for example. When a password is compromised, the user merely needs to change it. When biometric data is compromised, there is no option to reset an immutable characteristic of an individual. A company system that stores the biometric data of its employees may be a treasure trove for hackers in the case of a successful security breach.
    • Spoof attacks are becoming more common. As technology develops, attacks using high-resolution video and audio clips, deep-fakes, and even 3D masks must be mitigated. While hackers can try creative workarounds to clear biometric authentication, technology in the form of “liveness detection” helps address this risk.
    • Information can be abused by repressive government regimes and companies alike. Personal information of this sensitivity can lead to biases, unconscious or not, when put into the wrong hands. Data Protection Impact Assessments, policy, and technical safeguards are required by a variety of privacy regulations (like the EU General Data Protection Regulation) to identify and mitigate the risk of misuse.

Strategies to protect data subjects and biometric data

The following strategies can help to minimize the risks associated with the use of biometric data:

  • Require multi-factor authentication.
  • Utilize software that automatically encrypts the stored data.
  • Consider solutions that perform authentication by extracting and storing identification points (a template) derived from the biometric print, rather than the actual biometric data.
  • Implement appropriate notice, consent, and security protocols when collecting and using biometric data to avoid private rights of action (expensive lawsuits).
  • For users who fear biases, abuse of data, or misuse via fraud or spoof attacks, only share data that you are comfortable being made public. Read the terms and conditions and privacy policies of the organizations that you share this data with, and ensure that their practices are secure before sharing your biometric information.
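To make the “calibration” and “store identification points, not the biometric itself” strategies above concrete, the following is an added example that is not part of the original article. It models a biometric sample as a small vector of constructed feature measurements (stand-ins for minutiae angles or landmark distances), keeps only a lossy, quantized template per user, and shows how an operator measures the false-reject rate (genuine users blocked) and false-accept rate at each match threshold before choosing one. The sample format, the template precision, and the simulated sensor noise are all assumptions; encryption of the stored templates at rest, which the article also recommends, is left to a real crypto library and is not shown.

```python
"""Template-based biometric matching with threshold calibration (added example).

Constructed scenario: each "sample" is an 8-dimensional vector of feature
measurements. Only a derived template is stored per user, never the raw sample,
and the match threshold is chosen against measured error rates. The sample
format and noise model are hypothetical, not from any real sensor.
"""
import math
import random

DIMENSIONS = 8
TEMPLATE_PRECISION = 2  # decimals kept per feature; the template is lossy


def extract_template(sample):
    """Reduce a raw sample to a quantized feature tuple.

    Quantization discards detail, so the raw sample cannot be recovered from
    the stored template (the 'identification points' approach).
    """
    if len(sample) != DIMENSIONS:
        raise ValueError("unexpected sample size")
    return tuple(round(x, TEMPLATE_PRECISION) for x in sample)


def match_score(template_a, template_b):
    """Similarity in [0, 1]; 1.0 is an exact template match."""
    dist = math.dist(template_a, template_b)
    return max(0.0, 1.0 - dist / math.sqrt(DIMENSIONS))


def enroll(store, user_id, sample):
    """Persist only the template; the sample is discarded after extraction."""
    store[user_id] = {"template": extract_template(sample)}


def verify(store, user_id, probe_sample, threshold):
    """Accept the probe if its template is close enough to the enrolled one."""
    record = store.get(user_id)
    if record is None:
        return False
    return match_score(record["template"], extract_template(probe_sample)) >= threshold


def error_rates(threshold, genuine_scores, impostor_scores):
    """Return (false reject rate, false accept rate) at a threshold."""
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    return frr, far


def calibrate(genuine_scores, impostor_scores, max_far=0.001):
    """Lowest threshold whose measured FAR stays within max_far.

    Lower thresholds mean fewer false rejects, so this picks the most
    user-friendly setting that still meets the security target.
    """
    candidates = [round(0.50 + 0.01 * i, 2) for i in range(50)]  # 0.50 .. 0.99
    for t in candidates:
        _, far = error_rates(t, genuine_scores, impostor_scores)
        if far <= max_far:
            return t
    return 0.99


def simulate_scores(seed=7, users=200, noise=0.03):
    """Constructed data: genuine probes are noisy re-captures of the enrolled
    sample; impostor probes are unrelated random vectors."""
    rng = random.Random(seed)
    genuine, impostor = [], []
    for _ in range(users):
        enrolled = [rng.random() for _ in range(DIMENSIONS)]
        store = {}
        enroll(store, "u", enrolled)
        recapture = [x + rng.gauss(0, noise) for x in enrolled]
        stranger = [rng.random() for _ in range(DIMENSIONS)]
        template = store["u"]["template"]
        genuine.append(match_score(template, extract_template(recapture)))
        impostor.append(match_score(template, extract_template(stranger)))
    return genuine, impostor


if __name__ == "__main__":
    g, i = simulate_scores()
    for t in (0.80, 0.90, 0.99):
        print(f"threshold {t:.2f}: FRR, FAR = {error_rates(t, g, i)}")
    print("calibrated threshold:", calibrate(g, i))
```

Running the script prints the error-rate pair for three thresholds and the calibrated choice. The pattern the article describes shows up directly: a very strict threshold (0.99) blocks almost every genuine re-capture, while the calibrated threshold keeps false accepts within the target without locking real users out. In a deployment, the scores would come from the chosen sensor on the actual user population, which is why the calibration belongs to the operator rather than to the vendor default.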

The views and opinions expressed in this article represent the view of the author and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is intended to be a substitute for professional legal advice.
