Biometric Authentication, a Catch-22
By Aditi Bhat
Biometric authentication is now a universal security measure, with worldwide adoption and large-scale applications by the government and private entities alike. The enhanced security quotient of biometrics has enabled it to make inroads into government identification systems such as Aadhaar, immigration screenings at airports, authenticating medical records at hospitals, and identification in office buildings. While biometrics brings forth a host of reliable security solutions, there are some aspects which warrant a careful introspection.
Considering the ease with which traditional data security measures such as passwords and keys can be broken into, biometrics is a significant game-changer. It offers a scalable and reliable solution to the security industry by covering all key elements of security; authentication, access control, data confidentiality, integrity, and non-repudiation. The need for a user’s physical presence during authorization covers most of these elements. It also eliminates security loopholes such as forgotten password or keys, simple password, unaccountable access through password-sharing and so on.
The simplicity of biometric authentication also adds great value through convenience to commercial entities. You no longer need to remember your password or type it in front of others to access your smartphone; a simple finger touch is enough to unlock it. In addition, the increasing popularity of biometric security systems is making it affordable for businesses to implement it with the same ease, if not easier, as traditional systems.
Despite its obvious benefits, biometrics brings in an array of security and privacy concerns to both consumers and businesses. One of the biggest concerns lies in the storage and usage of biometric data that consumers willingly or unwillingly share. Data theft or its misuse forms the basis of ongoing debates related to risks of biometric usage for authentication.
For biometrics to be reliable and convenient, any entity using the data should store such data in a central database. And databases with sensitive information pose a juicy target to hackers and data-aggregators. For instance, in 2015, a US government agency, Office of Personnel Management experienced a massive data breach, which included the theft of 5.6 million fingerprints.
Closer home, the Unique Identification Authority of India (UIDAI) recently came under the scanner for its data breach controversy. The Tribune in its expose reported that it was able to get access to Aadhaar details of people by investing just Rs.500 and 10 minutes of their time. The incident created an uproar with the UIDAI denying any loss of data or any incidence of a data breach. Amidst all the speculations and allegations, what needs to be kept in mind is that data theft is a huge concern today and preventive steps need to be taken to keep data secure.
The risk associated with compromised biometric data is incomparable to that of traditional data theft. Unlike traditional passwords and keys, if your biometric data is compromised, it is compromised for the rest of your life. You cannot change or re-issue your fingerprint or facial traits. Your stolen data can then be misused for fraud, identity theft or drain out your bank account. This could prevent you from purchasing a mortgage, getting insurance, or creating a new bank account. It can take up to three years to fix the damage caused by an identity theft.
Another major concern with biometric data is its intentional misuse. Considering the current high value of big data sales, companies get financial incentives to gather as much data about their consumers as possible. Facebook’s photo-tagging feature, for example, uses facial recognition technology to link users to their pictures.
A person’s physiological and behavioral characteristics coupled with predictive analytics gives great insights into one’s future. With this, companies can accurately predict what kind of diseases you are likely to have or develop in the future, what your financial situation is, when you might go through a break-up or divorce, etc. This can then be used to assess your insurance prices, creditworthiness, and even expose you to targeted advertisements. You may have to pay higher health insurance, higher mortgage, or may not get that home loan you wanted for a long time because your future looks bleak as per data analytics.
Despite its risks and fears, biometrics is still in its infancy, and its risk surface will only increase going forward. Failure to implement good policies and cybersecurity practices now could lead to a disastrous future. There are few measures that security experts, consumers, and businesses could implement. There needs to be an international standard for building, implementing and securing biometric systems, including methods to protect sensitive data.
Cybersecurity experts need to be fully aware of all the data risks and the attack methods involved. They should implement stronger encryption of any personal data stored. They should also encode all biometric data with a unique hash, without which the biometric data becomes garbage and useless if it’s stolen.
Consumers should take a proactive approach to understanding the risks involved when sharing their biometric data, and only share them when necessary. They should also hold the business accountable, and advocate for stronger policies through their governments.
Businesses should avoid using biometric authentication to replace other methods, but rather use them in combination. They should make sure that proper data storage and access policy is in place, and the raw data access is limited to a few trusted employees.