Does Your Biometric and Behavioral Biometric Data Meet Data Privacy Compliances?

With passwords so vulnerable to compromise, there is a never-ending search for the best authentication method. Biometrics gets discussed a lot as a secure and logical login option because, theoretically, no one should be able to reproduce your retina or fingerprint. But biometric methods have been found to be hackable.

So, now, attention is turning to behavioral biometrics. The idea behind behavioral biometrics is that not only are there no two identical fingerprints, but no two people will put their finger on the device in the same manner. No two people type alike, and so on. As the Veridium blog stated, “They are dynamic as opposed to static authentication — such as traditional biometrics, passwords, tokens. Using just the sensors in your phone, hundreds or even thousands of patterns can be used to continuously authenticate a person.”

If securing access to your network and data is your No. 1 priority, behavioral biometrics is a very good first or second authentication step. However, you need to make sure that you treat the data behind biometrics or behavioral biometrics as part of the rest of the big data you are protecting. As more focus is put on data privacy regulations that let citizens control the information companies store about them, remember that no data is more personal than biometrics.

Biometric data should be considered sensitive PII (personally identifiable information), said Rajiv Dholakia of Nok Nok Labs and co-founder of the FIDO Alliance. And a great deal of such data is being captured: commercial implementations of biometrics layer many protections around the biometric data collected through fingerprint readers, cameras and other sensors.

Understanding the Biometric Data Gathered

There are two basic kinds of biometric implementation. In client-side capture-and-match systems, the biometric never leaves the end user’s personal device and is secured below the operating system in a secure enclave. Dholakia said these client-side systems are endorsed and used by standards groups such as FIDO to do authentication online without the biometric leaving the device; the authentication is done based on asymmetric keys, which creates a decentralized, distributed authentication process that is difficult to attack in a scalable way.
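The client-side model described above, written out as a minimal challenge-response exchange. This is an added illustration, not code from Nok Nok Labs, the FIDO Alliance or the article: the `Server`, `Device`, `Enroll` and `Login` names are invented for it, the P-256 ECDSA keys stand in for whatever a real authenticator uses, the "biometric template" is a constructed byte string, and exact byte equality is a deliberate simplification of a real matcher. The point it shows is the one Dholakia makes: the server never receives the biometric, only a public key, so what it stores is neither PII nor usable to impersonate anyone, and each login signs a fresh single-use challenge.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server keeps only public keys and one-shot challenges: a breach of this state yields no biometric data.
type Server struct {
	creds      map[string]*ecdsa.PublicKey // credential ID -> public key
	challenges map[string][]byte           // credential ID -> unused nonce
}

func NewServer() *Server {
	return &Server{creds: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the device's public key; the biometric template is never sent.
func (s *Server) Register(credID string, pub *ecdsa.PublicKey) { s.creds[credID] = pub }

// Challenge issues a fresh 32-byte random nonce, valid for a single attempt.
func (s *Server) Challenge(credID string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.challenges[credID] = ch
	return ch, nil
}

// Verify checks the signature over the outstanding nonce and consumes it, so a captured signature cannot be replayed.
func (s *Server) Verify(credID string, sig []byte) error {
	pub, ok := s.creds[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	ch, ok := s.challenges[credID]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, credID) // single use whether or not the check passes
	digest := sha256.Sum256(ch)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Device stands in for the secure enclave: the private key and enrolled template never leave it.
type Device struct {
	credID   string
	priv     *ecdsa.PrivateKey
	template []byte
}

// Enroll generates a device-bound P-256 key pair and keeps the template locally.
func Enroll(credID string, template []byte) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{credID: credID, priv: priv, template: append([]byte(nil), template...)}, nil
}

// PublicKey is the only thing the device hands to the server at registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Authenticate runs the local match and, only on success, signs the challenge.
// Exact byte equality is a simplification standing in for a real matcher.
func (d *Device) Authenticate(sample, challenge []byte) ([]byte, error) {
	if !bytes.Equal(d.template, sample) {
		return nil, errors.New("local biometric match failed; key stays locked")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Login runs one challenge/sign/verify round between device and server.
func Login(s *Server, d *Device, sample []byte) error {
	ch, err := s.Challenge(d.credID)
	if err != nil {
		return err
	}
	sig, err := d.Authenticate(sample, ch)
	if err != nil {
		return err
	}
	return s.Verify(d.credID, sig)
}

func main() {
	enrolled := []byte("constructed-fingerprint-template") // constructed sample, not a real template
	dev, _ := Enroll("cred-1", enrolled)
	srv := NewServer()
	srv.Register("cred-1", dev.PublicKey())
	fmt.Println("genuine user:", Login(srv, dev, enrolled))
	fmt.Println("other finger:", Login(srv, dev, []byte("constructed-other-template")))
}
```

Note what the attacker gets from each side. Dumping `Server.creds` gives public keys, which cannot produce a signature; stealing a signature off the wire gives nothing reusable, because `Verify` deletes the nonce on first use. A server-side matching system, by contrast, would have to hold the templates themselves, which is exactly the central store the next paragraphs describe.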

The other kind of biometric implementation captures and transmits user biometric data to the server for processing, storage and matching. “These systems are frequently used by nation-states and governments,” said Dholakia. “Commercial applications of server biometrics are not as common because of concerns around the central storage of biometric data that could fall under PII regimes depending on the way the data is handled. Such central stores also represent an attractive target for attackers looking for a central repository that can be used to mount a scalable attack by stealing lots of secrets at one time.”

This type of biometric storage is more difficult to defend. “There are known large breaches of such systems that are considered catastrophic, such as the OPM breach that lost the fingerprint biometrics of millions of government employees who had gone through a background check,” said Dholakia.

Behavioral Biometrics Difference

“Behavioral systems should be considered different from biometrics such as fingerprint/retina etc.,” Dholakia stated. “The key difference is related to the user and consent. Fingerprint systems, for example, require an explicit gesture from the user. Behavioral systems, by contrast, perform their work silently without explicit participation from the end user.”

Where traditional mobile biometrics require the user to perform an explicit gesture, behavioral biometrics systems monitor the user passively, without any explicit gesture, and try to deduce implicitly whether it is still the same user. Behavioral biometrics picks up after authentication is complete and passively monitors the user’s interactions with the device, “implicitly authenticating” the user and allowing the session to be long-lived without asking the user to repeat the explicit gesture.

Most behavioral biometric data is collected into a central location, which can create a security risk. “Such centralized systems run risks of creating centralized stores of data, not permitting the user agency over their data and potentially being more subject to an attack on the central system or running afoul of some privacy regimes.”

Biometric Data in a GDPR World

GDPR, the California Consumer Privacy Act and other government data privacy legislation have put a new focus on data protection. Dholakia advised that the data generated by both traditional biometrics and behavioral biometrics can’t be overlooked. Consumers may not even be aware that the information is stored out of their control.

The consequences of poor implementation of biometric data storage could end up being costly—as costly as any other type of data breach.

“Customer notification and consent of the usage of biometrics should be a priority,” said Dholakia. “The usage of client-side biometrics in conjunction with privacy preserving protocols like FIDO have the best chance of meeting GDPR and similar regulations.”

Sue Poremba


Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.
