The Biometrics Institute is stressing the need for a better understanding of biometrics, both to help build trust in the technology and to address common misconceptions.
There has been much discussion of biometrics replacing passwords and of the various advantages of this identification technology. Unlike passwords, a biometric itself cannot be stolen, because it is a physical feature of a person. Copies of biometric images (a photograph, a fingerprint) can be made, however, hence the need for effective anti-spoofing and liveness detection in biometric devices.
The Biometrics Institute developed a set of Privacy Guidelines to ensure that organizations using biometrics strike the right balance between security, convenience and privacy.
Biometric authentication has the potential to ease the burden of security given its simplicity and usability. All security technologies have flaws, including PINs and passwords, and when subject to a determined attack none will guarantee absolute security. Most biometrics are not “secret” and should be used with a secure second factor. Security does not rely on one factor but on combining them, such as a PIN together with a fingerprint.
Spoofing a biometric requires a number of steps that make an attack like the one on the Apple iPhone 5S difficult under typical usage scenarios.
When consumers give up a password, provide a biometric or hand over other sensitive personal data, it comes down to a question of trust and control. Some organizations are more trustworthy than others.
Governments are typically required to put very robust trust models in place to ensure security is provided, through for example government accredited networks, compliance processes for privacy and record keeping legislation, assurance mechanisms involving partnerships and processes around access to data.
Where other organizations are involved, that end-to-end security and assurance may simply not exist; what happens to your face or your fingerprints in such an environment is potentially riskier and requires far more than just a technology solution.
Another question is control and data retention. What happens to that biometric? Who looks after it, and at what point is it destroyed: after a person leaves school, or a particular job? What processes exist for managing any compromise of identity data, for re-establishing confidence in identity, and for redress?