Data Privacy a Growing Consideration for Biometrics in IAM

Using biometrics for secure access management is becoming more common. Most of us now rely on a fingerprint or face scan to unlock our phones, but honestly, the role of biometrics in security is a mixed bag. It’s certainly a lot harder to steal a fingerprint than a passcode, but as more organizations turn to biometrics as a source of user authentication, the technology surfaces a host of issues, according to an RSA session presented by Mike Serra, product counsel with Cisco Systems, and Stephen Wu, shareholder with the Silicon Valley Law Group.

“One of the things I’ve been noticing is an increasing slant toward being concerned about human rights,” said Wu. GDPR and other data privacy laws are driving attention to the need to protect users. As these data privacy laws mature and more states and countries pass new regulations, protections surrounding biometrics are moving front and center. A new EU law that addresses artificial intelligence, for example, discusses biometrics, Wu pointed out. The law prohibits the use of real-time biometric identification systems in public spaces.

As biometrics becomes more intertwined with data privacy laws, organizations that rely on biometrics as part of their authentication systems must also be aware of how the data is used and stored.

The Benefits of Biometrics for Identity and Access Management

There are two different types of biometrics—morphological traits and behavioral traits—that are used for identity and access management (IAM), according to Gartner. Morphological traits are what we most associate with biometrics: the physical parts of our bodies that change very little over our lifetime and are difficult to alter. Behavioral traits are things like speech and vocal patterns, keystrokes or gestures, which do change with age or with an impairment such as an injury.

The primary benefit of any biometric authentication is the general lack of variance: your biometric traits are not going to change much over time. Even better, you don’t have to remember a password to gain access.

“However, the actual benefits of biometrics depend on the trait used as well as the configuration, performance and accuracy,” a Gartner blog explained. User experience will vary and some users may balk at the use of biometrics, Gartner added; those implementing IAM solutions will need to decide if that balance between user experience and security meets the organization’s risk tolerance.

Facial Recognition, Authentication and Risks

For a long time, fingerprints were the standard for biometrics, but facial recognition technology is on the rise. According to Serra and Wu, adding facial recognition to IAM is much stronger and more accurate than fingerprint scanners alone because of the increased amount of data collected. Facial geometry and the way features blend together make facial recognition stronger than other types of biometrics.

But other technologies, such as photographs and masks, can be used to defeat facial recognition authentication, and AI has made it easier to produce deepfakes that target facial recognition. If a facial recognition system is given false data, it will build biased, and therefore incorrect, algorithms. The result is a breakdown in biometric authentication.

Data Protection in Biometric Authentication

Biometrics falls under a special category of data, said Serra. There are more restrictions around it, and violating the security of biometric data results in more severe penalties. Some regulations, like HIPAA, address biometrics directly. The Illinois Biometric Information Privacy Act is the standard for biometric data privacy in the United States, requiring informed written consent before data collection, along with mandatory protection obligations and retention guidelines.

The reason the Illinois law is used as the legal benchmark is that it includes statutory damages: if biometrics are misused, the plaintiff doesn’t have to prove any actual damage, which has resulted in large class action lawsuits, Serra pointed out.

Biometrics can play a vital role in IAM because it is easy for users and offers high levels of security. But it doesn’t come without challenges. Deepfakes and weaponized AI can break through biometrics, and the rise of privacy laws that target biometric data will require security teams to focus more on protecting the information generated through these systems. As biometric authentication becomes more mainstream, data protection and integrated risk assessments around biometric data have to be a higher priority for security and IT teams.


Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
