In biometrics, security concerns span technical, legal and ethical
Biometrics are increasingly being used for enterprise security, but they are not without technical, legal and ethical concerns, which teams must address before deployment.
Snap a selfie, and you've paid. Speak your name, and your account appears.
Now more than ever, biometrics are emerging as part of a broader trend to improve security and thwart cyberattacks through more resilient authentication mechanisms. Not only is the world facing ever more cyberthreats across devices and systems, the global coronavirus pandemic is also shifting how consumers and businesses think about digital and physical risk exposure.
Biometrics have clear advantages from a security perspective, particularly when combined with multiple other factors, such as PINs or security questions. Biometrics are difficult to hack, are challenging for bad actors to replicate, are literally always on us and offer far less friction for end users. From automotive and e-learning to logistics and telehealth, companies across various sectors are increasingly considering biometric interfaces to improve security, safety and experience.
Yet, despite the benefits of biometrics, there are several privacy and security challenges and concerns that enterprises must evaluate in their due diligence.
Technical challenges of biometrics
If compromised or stolen, biometrics are irrevocable for life. Given the unique variations of an individual's biometrics -- indeed the most personally identifiable factor-- they are extremely difficult to hack, requiring unique data to replicate, significant computation and esoteric tools. But the dark side to this coin is that, if these data points are compromised, the damage is double: First, stolen identity credentials can be used for all manner of theft, falsification and incrimination; and second, a person's biometrics are impossible to replace.
Biometrics can be expensive to implement at scale. Implementing biometrics at scale that are capable of supporting multiple locations, devices or people is costly. The hardware, software, interoperability and cloud services required for AI-powered biometric authentication, such as facial or voice authentication, are not insignificant investments -- not to mention the costs of the training, communications and security resources to support it.
Security tradeoffs. While biometric authentication has certain security advantages, it also begets additional security implications elsewhere in the security landscape. Scanners are but one node; data, server and network penetrations represent another set of vectors, as do ever-evolving fraud and spoofing techniques -- not to mention nefarious use of AI capabilities to simulate, compromise or socially engineer. Further, given its lucrative sale on the dark web, biometric data represents one of several proverbial cat-and-mouse games between cybersecurity hackers and defenders.
Inaccuracy, bias and false positives. As with any technology, the risks of inaccuracy are another consideration. Biometric recognition has its own set of machine mistakes, including bias in the training data, denial of entry due to erroneous scanning, compromise of the biometric -- a cut finger, for instance -- backup fail-safe standards, false positives and negatives, and more.
Legal concerns around biometrics
Unclear, fragmented employer liabilities. In the U.S., laws around use of biometric data are highly fragmented -- different laws exist in Illinois, Texas, Washington, Michigan, New Hampshire, Alaska and Montana. Meanwhile, the EU's GDPR has clear delineations for sensitive data categorizations, including biometric data. Variable coverage -- for consumers vs. employees, for example -- by sector, variable recourse and precedents all make for a labyrinthine compliance exercise wherein several legal uncertainties persist.
Unproven technologies and unintended consequences. In addition to the regulatory gray area around biometric data and interfaces, emerging technologies always have unintended consequences when intermingling with the real world. Unexplored legal territories will emerge as biometrics transcend the domain of human health. One security hacker demonstrated as much when he used a high-resolution photo of a German politician's thumb and reconstructed it using commercial software to show the relative ease of identity theft via fingerprint. More recently, Cisco Talos research found some fingerprint scanning technology can be compromised via 3D printing.
Interface. The digital interface -- once constrained to screens -- is expanding across the physical world to our bodies via biometrics. Some biometrics, such as a fingerprint scanner, require active touch. Others, such as facial, ear, voice or gait recognition, can be used in a passive way that doesn't require the participation of the individual. Still others, including scanners embedded in robots, cars and homes, introduce additional technical, legal and ethical biometric security concerns. Interfaces carry diverse implications for consumers and organizations alike.
Ethical issues involving biometrics
Risk of misuse, commercial gain. How could biometric data be used for purposes beyond access controls? In the age of data brokerage and a vast ecosystem of commercial actors buying and selling consumer data -- for advertising, insurance, political gain, hiring and beyond -- biometric data collection represents a novel asset class. Biometric data collection does not inherently equate to sharing and monetization or even storage of that data, but it demands clear articulation and limitations around how consumers' and employees' biometric data may be processed.
Societal questions of identity, citizenship and surveillance. Biometrics used for identification surface deeper questions around citizenship, surveillance and human rights. For example, multiple databases might be combined for dragnets and used to control, incentivize or disincentivize particular behaviors or used to discriminate against particular vulnerabilities or political agendas. These risks are compounded by the lack of standards, policy protections, ecosystem collaboration and awareness of the general population.
Corporations' role in the big questions. As human identity, rights and freedoms become the purview of corporations, questions once outside the domain of technologists come to the forefront: What surrender of business or user security is proportionate to the benefits? Does the introduction of technology perpetuate rather than solve such challenges?
Actionable steps for enterprise biometric readiness
There are many benefits to biometrics, but these technical, legal and ethical concerns cannot be ignored. Security professionals must factor this broader calculus into their evaluation of biometrics.
The following steps are recommended, regardless of where a company is in its biometric assessment:
- Conduct thorough and ongoing due diligence. This is important in both in the context of the organization and across its ecosystem. Biometrics in healthcare may have a different set of benefits, threats, and technical and legal challenges than those in the automotive space. Full assessment also involves a multidisciplinary approach, incorporating expertise across multiple domains.
- Prioritize multifactor authentication. Biometrics are one of many different potential authentication factors. Others include PINs, passwords and questions. While using multiple factors of authentication is always more secure, opting for other factors besides biometrics may preserve security without sacrificing convenience, depending on the use case.
- Translate principles into partnership criteria. The biometric industry is full of companies developing innovative systems and safeguards, along with several participating in broader consortia and standards bodies. Incorporate both technical specs and principles into vendor evaluations.
- Develop backups and fail-safes. Given the diversity of risks, implementations should always include backup methods and modalities for the use case. In addition, compensate for biometric scanning vulnerabilities -- for example, requiring additional factors when using recognition algorithms.
- Engage across ecosystem stakeholders. Given the extreme fragmentation not only in technologies, standards and laws, but also in governance and societal values, it is essential companies engage with broader stakeholders, consortia, discourse and citizenry. When it comes to biometrics, the security concerns far exceed the walls of any single organization.