As biometric solutions become more mainstream, so do worries about privacy and security. On his blog, analyst Alan Goode of Goode Intelligence in London looks at the growing concerns surrounding the expansion of biometrics into consumer digital services.
Data breaches are becoming commonplace, like today’s announcement that up to 80 million customers of health insurance company Anthem had their account information compromised. While the breach doesn’t involve biometric information, that type of data – the most personal of data – lives on mobile devices and in cloud-based databases. Concerns about how well that information is protected will only grow as more breaches are reported.
“There is much debate about the relative merits of these two trust models,” Goode writes. “Is the device-centric approach that Apple and FIDO employed too restrictive a model? And can I trust the security of a database (cloud-based) biometric solution?”
Goode says the answers are elusive because there is little control over how biometric data used for authentication is captured and stored. There are efforts in some regions, like the European Union, to pass data protection and privacy legislation. “In other regions including Australia, Canada and the USA, there is federal and state data protection legislation that could be applied to biometric data but nothing specific,” Goode writes.
He says an EU directive that may be approved this year “recommends the use of ‘strong user authentication’ which is defined by the European Central Bank (ECB)… as ‘a procedure based on the use of two or more of the following elements – categorized as knowledge, ownership and inherence: (i) something only the user knows, e.g. static password, code, personal identification number; (ii) something only the user possesses, e.g. token, smart card, mobile phone; (iii) something the user is, e.g. biometric characteristic, such as a fingerprint’.”
Goode says the fingerprint biometric is among the fastest-growing authentication technologies because of its convenience. He also likes behavioral biometrics, which he describes as “how individuals uniquely interact with a device – be it a smartphone or a laptop accessing a website. Behavioral traits include keystrokes and interactions with a touchscreen.”
Goode Intelligence has published a white paper about the impact of privacy and data protection legislation on biometric authentication. A free download is available here.