With the iPhone 5S, biometrics are coming to the consumer masses for the first time. While the European Association of Biometrics welcomes the widespread use of automated authentication, it wants to reiterate that privacy and security remain primary objectives in these consumer-facing applications.
As the primary biometrics association for the European continent, the group acts in the best interests of all biometrics stakeholders and has published a position paper detailing the latest developments of biometrics in the consumer space. In drafting this statement, the group hopes to offer mobile device suppliers, service operators and the mainstream user a better perspective on how to assess biometrics technology, particularly as it relates to security and usability.
Until now, a vast majority of biometrics applications have been employed in law enforcement, border control and public security. However, Apple’s inclusion of a fingerprint sensor on the recently released iPhone 5S has officially announced the arrival of biometrics in the consumer space.
With this consumer implementation, the public is seeing biometrics in a new light, and is beginning to understand that this technology can offer an improved user experience as well as boost convenience.
As the association sees it, the iPhone 5S is bringing storage of sensitive data back to the device, offsetting a trend that has more recently seen information storage shift to the cloud. Initial reports from Apple indicate that fingerprint biometric data is securely stored in a chip that is not accessible by third-party applications. Accompanying the safeguarding of a user’s unique biometric identifier is the claim that their data is also encrypted to ensure that the fingerprint image cannot be retroactively constructed.
According to the group, one possible reason for the delayed adoption of biometrics in the consumer sector is privacy. In fact, some EU countries are resisting outright the expanded use of biometrics, citing the protection of personal data and privacy.
For this reason, the association states that consumer-facing companies like Apple need to address the public's concerns and reassure them that use of biometrics technology will not make them the subject of surveillance, and that larger corporations and government agencies will not misuse the data gathered by biometric implementations.
From a nuts-and-bolts perspective, the association sees merit in Apple’s Touch ID technology as a contact pattern matching system, where “contact” means that a physical connection between a finger and a sensor is required. Once this contact is established, the system essentially performs a pattern matching process: at enrollment, the biometric software creates reference data from the finger image, and at every subsequent contact it compares the newly captured pattern against that reference data to recognize the user.
From the public’s point of view, however, the EAB asks whether users would want to be informed of how much similarity between the enrolled fingerprint image and the subsequently presented pattern is required for a match. It’s a delicate balance to strike, especially given the fractious nature of the mainstream public.
On one hand, when the accuracy of matches increases, so too does overall security. On the other hand, however, the usability improves if a wider tolerance of variation is allowed, for example the positioning of a finger or the acceptance of poorer quality images when fingers are too dry.
Herein lies the challenge for companies, like Apple, who are seeking to bring biometrics to the mainstream consumer. Where does the line for security end and the line for usability begin?
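The security-versus-usability line the EAB describes is, in matcher terms, a decision threshold on a similarity score: raise it and impostors are rejected more reliably, lower it and badly placed or dry fingers are accepted more often. The toy model below is an added example (not code from the EAB, Apple or Touch ID) that uses constructed similarity scores for a hypothetical matcher and shows how false accept rate (FAR, the security cost) and false reject rate (FRR, the usability cost) move in opposite directions as the tolerance changes, and how a threshold can be chosen from a FAR budget rather than by feel.

```python
"""Toy matching-threshold trade-off: tolerance vs. false accepts."""
from typing import List, Tuple

# Constructed similarity scores in [0, 1] from a hypothetical matcher.
# Genuine attempts vary with finger placement and skin condition;
# impostor attempts are other people's fingers. Not real Touch ID data.
GENUINE = [0.95, 0.91, 0.88, 0.82, 0.79, 0.74, 0.68, 0.61]
IMPOSTOR = [0.12, 0.21, 0.33, 0.41, 0.48, 0.55, 0.63, 0.70]


def error_rates(threshold: float,
                genuine: List[float] = GENUINE,
                impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """Return (FAR, FRR) when a match is accepted at score >= threshold.

    FAR: fraction of impostor attempts wrongly accepted (security cost).
    FRR: fraction of genuine attempts wrongly rejected (usability cost).
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine: List[float] = GENUINE,
          impostor: List[float] = IMPOSTOR) -> List[Tuple[float, float, float]]:
    """Tabulate (threshold, FAR, FRR) at every observed score, ascending."""
    rows = []
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        rows.append((t, far, frr))
    return rows


def choose_threshold(max_far: float,
                     genuine: List[float] = GENUINE,
                     impostor: List[float] = IMPOSTOR) -> Tuple[float, float, float]:
    """Most tolerant threshold whose FAR stays within a security budget.

    Policy: fix the acceptable false-accept rate first, then take the
    lowest threshold that honours it; FAR only falls as the threshold
    rises, so the first hit in an ascending sweep minimises FRR.
    """
    for t, far, frr in sweep(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR budget")


if __name__ == "__main__":
    print(f"{'thr':>5} {'FAR':>6} {'FRR':>6}")
    for t, far, frr in sweep():
        print(f"{t:5.2f} {far:6.3f} {frr:6.3f}")
    print("FAR budget 0 ->", choose_threshold(0.0))
```

With these constructed scores, a zero-FAR policy forces a threshold of 0.74 and rejects a quarter of genuine attempts, while allowing one false accept in eight halves that rejection cost; the sweep makes that trade visible before any product decision is taken.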
Trust in the components of an application, as well as in the business or government organization running the biometrics service, is paramount. For the EAB, assessing whether a biometrics solution is “fit for purpose” means weighing costs against benefits – not just financial costs and benefits, but also usability against security – together with the trustworthiness of the software, the hardware and the operator.
The EAB considers, amongst others, the following concerns:
- How easy is it for other organizations to harvest users’ biometric data by exploiting weaknesses in the design of the device or the service?
- How much data could be gathered that does not necessarily recreate the original image of a fingerprint but still allows matching to fingerprints obtained by other means?
- How could an insecure implementation by one vendor impact the perception of the security of biometric recognition by other, more conscientious, suppliers?
Ultimately, the EAB prescribes an open and transparent approach when dealing with the consumer sector. It will be vital to stress that information made available to the biometrics community will not compromise the security of consumer devices, but rather will ensure that consumers will be able to rely on privacy-compliant, secure and user-friendly smartphones and laptops.