infoTECH Feature

January 12, 2016

Physical Biometrics: Privacy and Security Concerns to Consider

By Special Guest
Robert Capps, Vice President of business development, NuData Security

The scope, scale and frequency of online attacks against user accounts have demonstrated repeatedly that companies can no longer rely upon authentication methods based on static elements that can and will be stolen.

These cybersecurity trends have recently led organizations to consider the use of human biometric characteristics to supplement standard, but weak, single-factor authentication schemes that have historically relied on a password to validate rightful owners. However, the term “biometrics” has become an industry buzzword that encompasses a number of human second-factor solutions from “selfie”-based facial recognition to fingerprint and iris scans, behavioral patterns, voice – and even the human heartbeat.

As such technology is increasingly proposed and used in online and offline transactions, it is rapidly becoming an area of concern from a data privacy and security perspective.

While the use of physical biometric factors has been a boon for physical security, where the person to be authenticated is physically presenting themselves for enrollment and subsequent authentication, many factors quickly lose effectiveness in an online world.

There are several factors companies must consider before relying on physical biometric technology to authenticate users in an online environment. The first consideration is that using only one physical biometric data point to authenticate a user is essentially the same as adding a static second password – albeit one that can never be changed if compromised.

Perhaps the most significant issue with relying on physical biometrics for online authentication is that they can be captured and, in some cases, reused. Humans leave behind biometric traces with every glass they pick up, every piece of gum they discard and every camera that records their image.

Unlike passwords or credit card numbers, a person’s physical biometric attributes can never be changed, resulting in privacy and identity concerns if a high-quality reproduction of a biometric element were to be obtained by a malicious actor. Just this past September, 5.6 million fingerprints were stolen from the Office of Personnel Management.

From a security perspective, there are several possible use cases where compromised biometric data, like that stolen from OPM, can be used to access accounts without the user being present. The infamous gummy bear attack used against a newly released product with an embedded fingerprint scanner, for example, was a variation on a well-known physical hack against in-person fingerprint scanners dating back to 2002.

Alarmingly, as authentication of high-value transactions is increasingly moving to multi-factor authentication using some form of physical biometric, there is a real potential for criminals to shift their focus to obtaining the biometric identifier through violence. For this reason alone, many companies are steering well clear of using physical biometrics.

That said, not all biometric factors carry the same risk of impersonation or loss of effectiveness when used to authenticate online interactions.

A much less invasive and more consumer-friendly technique leverages signals generated by the way in which a human interacts with the world around them. When taken in aggregate, such behavioral signals are highly effective at identifying repeat good users, are self-enrolling and are tolerant of changes in the patterns presented as a user’s behavior naturally changes over their lifetime.

For an example of how behavioral data is useful in identifying a legitimate account holder, think about how you use your smartphone to interact with a website or application. Do you realize that you have a unique way of holding your mobile device that’s different from other people, if only slightly? Does your phone tilt a little to the left? Do you normally hold your phone in portrait or landscape mode? Do you use your index fingers or thumbs to type? How hard do you press on the screen when you hit each key?

This method, dubbed “behavioral biometrics,” aggregates hundreds of these human and interaction signals, creating a unique signature for each authentic user.

Using these subtle signals and unique signatures, organizations can easily identify when the account owner is not the one attempting to authenticate, even if the correct login and password are used in conjunction with the authentic account holder’s computer or mobile device.

Unlike physical biometrics, behavioral signals that make up a behavioral biometric profile cannot be stolen, duplicated or reused – so they have no value to criminals. In the event that a high-fidelity copy of an authentic user interaction were made, the mere attempt to replay the past interaction would, in itself, be an anomaly that is out of pattern for any human user.
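As an added illustration (not code from the article or from NuData), here is a simplified behavioral profile in Python: per-session signals such as key-press interval, touch pressure and device tilt (assumed signal names) are aggregated into a per-user baseline, a new session is scored by how far it sits from that baseline, and an exact copy of a past session is flagged as a replay rather than accepted as a match.

```python
from statistics import mean, pstdev

# Constructed enrolment data: three past sessions from one legitimate user.
# Signal names are assumptions for this example, not any product's schema:
#   press_interval_ms - time between consecutive key presses
#   pressure          - normalised touch pressure per key press
#   tilt_deg          - left/right tilt of the handset while typing
ENROLLED_SESSIONS = [
    {"press_interval_ms": [210, 195, 230, 205, 220],
     "pressure": [0.42, 0.45, 0.40], "tilt_deg": [-6.0, -5.5, -7.0]},
    {"press_interval_ms": [200, 215, 225, 190, 210],
     "pressure": [0.44, 0.41, 0.43], "tilt_deg": [-5.0, -6.5, -6.0]},
    {"press_interval_ms": [220, 205, 198, 212, 225],
     "pressure": [0.40, 0.46, 0.42], "tilt_deg": [-7.5, -6.0, -5.5]},
]
# Constructed test sessions: the same user again, and a different person
# typing faster, pressing harder and holding the phone tilted the other way.
LEGIT_SESSION = {"press_interval_ms": [205, 218, 200, 215, 208],
                 "pressure": [0.43, 0.44, 0.41], "tilt_deg": [-6.0, -6.5, -5.5]}
IMPOSTOR_SESSION = {"press_interval_ms": [95, 110, 100, 105, 90],
                    "pressure": [0.80, 0.85, 0.78], "tilt_deg": [8.0, 9.0, 7.5]}

def build_profile(sessions, min_sigma_frac=0.05):
    """Aggregate per-session means into a (mean, sigma) baseline per signal.
    sigma is floored at a fraction of |mean| so a very regular user does not
    yield a zero spread (division by zero) or an over-brittle profile."""
    profile = {}
    for signal in sessions[0]:
        per_session = [mean(s[signal]) for s in sessions]
        mu = mean(per_session)
        profile[signal] = (mu, max(pstdev(per_session), min_sigma_frac * abs(mu), 1e-9))
    return profile

def score(profile, session):
    """Mean absolute z-score across signals: ~0 is typical, larger is out of pattern."""
    return mean(abs(mean(session[sig]) - mu) / sigma for sig, (mu, sigma) in profile.items())

def assess(profile, history, session, threshold=2.5):
    """Classify a session. Raw samples identical to a past session are treated
    as a replay: no human reproduces timings and pressures sample for sample."""
    if any(session == past for past in history):
        return "replay"
    return "anomalous" if score(profile, session) > threshold else "consistent"

if __name__ == "__main__":
    profile = build_profile(ENROLLED_SESSIONS)
    for name, s in [("legit", LEGIT_SESSION), ("impostor", IMPOSTOR_SESSION),
                    ("replay", dict(ENROLLED_SESSIONS[1]))]:
        print(name, assess(profile, ENROLLED_SESSIONS, s), round(score(profile, s), 2))
```

A real deployment would use far more signals and a tolerance band rather than exact equality for replay detection, but the shape of the decision is the same: a session either sits inside the user's own pattern or it does not.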

Collecting behavioral biometric data is non-invasive to the consumer, as they do not have to enter, enroll in or provide any additional information to a website or application to benefit from its protection. They simply keep doing what they are used to doing: interacting with the sites and services as they always have.

As organizations consider layering additional authentication technology and methods to secure their users’ accounts, they must select methods that reduce friction for their good users, reduce risk to the organization or the consumer and are sensitive to the privacy concerns of their users – all the while making the reuse of compromised authentication and identity information nearly impossible.

About Robert

As NuData Security’s vice president of business development, Robert is responsible for developing and nurturing strategic alliances, partnerships and channels.

Robert is a recognized technologist, thought leader and advisor with over twenty years of experience in the design, management and protection of complex information systems – leveraging people, process and technology to counter cyber risks. In his previous role at RedSeal as a Senior Director, Robert was responsible for technical, security and customer operations. Prior to RedSeal, Robert was senior manager, global trust and safety at StubHub.

Edited by Kyle Piscioniere