COMMENT
Although it wasn’t called biometrics at the time, a rudimentary form of this technology emerged in 1901 when Scotland Yard adopted fingerprint classification to identify criminal suspects. In the more than 120 years since then, the field of biometrics has come a long way.
Public and private sector organizations now use it to identify and authenticate individuals to grant access to computer systems, such as laptops and tablets, and to business applications such as human resources or customer relationship management systems. Apple adopted biometrics to unlock the iPhone in 2013, and Face ID is a common feature on cell phones today. The Mastercard biometric card combines chip technology with fingerprints to verify the cardholder’s identity for in-store purchases. Healthcare organizations also use biometrics to verify individuals and determine access to medical care. This is especially useful if the patient cannot produce other forms of identification.
With biometric devices being part of the growing collection of data-containing devices deployed across multiple industries, including government agencies and militaries, organizations wishing to utilize this technology must ensure their data security solutions protect what could be a new goldmine for hackers.
Department of Defense Details Biometric Data Risks
The US government is now fully aware of the potential danger posed by biometric data breaches: the Inspector General (IG) of the US Department of Defense (DoD) released a report in November 2023 revealing significant gaps in biometric data security and management within the Department of Defense. These gaps can pose risks to personnel and potentially threaten clandestine operations. According to the IG report, the Department of Defense’s use of biometric data has been extensive, particularly in conflict areas where accurate identification of individuals is critical to security operations. The report found that many of the Department of Defense’s biometric collection devices lacked data encryption capabilities and a clear policy for destroying or sanitizing biometric data.
While commercial enterprises do not face the same challenges as the Department of Defense, the threat of biometric data breaches to business operations is also a serious concern. Some of the major threats to private sector organizations include:
- Data theft: Stolen biometric data can lead to unauthorized access to company systems and theft of sensitive information.
- Spoofing and imitation: Biometric systems can be fooled using various spoofing techniques, such as fake fingerprints, facial images or voice recordings.
- Privacy concerns: The collection and storage of biometric data raises privacy concerns, as individuals may worry about misuse or unauthorized access to their personal information.
- Integration challenges: Poorly integrated biometric systems can introduce vulnerabilities, especially when integrated with other security or IT systems.
The “blind spot” of biometrics in security policies
The IG report highlights a troubling gap in the Department of Defense’s biometric policies, which could represent a cybersecurity blind spot. As the use of biometrics grows in popularity and the technology is adopted more widely by governments and businesses, organizations need to carefully review their security policies and update them to guide the use of biometrics-enabled devices and adequately protect biometric data.
By default, biometric data is personally identifiable information (PII) and therefore protected information subject to privacy laws, rules and regulations, as well as to the data security guidelines already in force. Failure to protect this type of data poses the risk of non-compliance with data security frameworks and privacy regulations, leading to possible fines, legal action and loss of consumer trust.
Companies must go to great lengths to protect the integrity of sensitive data, especially since biometrics is one of the key methods used to authenticate unique individuals beyond username and password combinations. Policymakers and security leaders should consider:
- Imposing tougher penalties for device and biometric data breaches.
- Incorporating multifactor rigor into the use of biometrics by implementing multimodal biometrics. This combines multiple sets of biometric data (such as fingerprints, retinal scans, palm prints, voice signatures, facial recognition and behavioral traits) to authenticate users, with each data set stored and secured separately. When the individual is authenticated using two or more methods, that person’s identity is verified. This way, compromising one dataset cannot compromise the entire authentication scheme.
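A minimal illustration of that separation, added here and not part of the original commentary: each modality has its own store, and a user is verified only when two or more independently stored templates match, so an exact template leaked from one store does not pass on its own. The feature vectors, the position-agreement score and the threshold are constructed stand-ins for a real biometric matcher.

```python
from typing import Dict, List, Tuple

# Constructed illustration, not code from the article: templates are short
# integer feature vectors and a position-agreement score stands in for a real
# matcher. The policy is the point: isolated stores and a two-or-more-of-N rule.
Template = Tuple[int, ...]
MATCH_THRESHOLD = 0.9   # assumed similarity a single modality must reach
REQUIRED_MATCHES = 2    # the article's "two or more methods"


def similarity(enrolled: Template, sample: Template) -> float:
    """Fraction of feature positions that agree; 1.0 is an exact match."""
    if not enrolled or len(enrolled) != len(sample):
        return 0.0
    return sum(a == b for a, b in zip(enrolled, sample)) / len(enrolled)


class MultimodalAuthenticator:
    def __init__(self, modalities: List[str]) -> None:
        # one store per modality, each meant to be encrypted under its own key
        self.stores: Dict[str, Dict[str, Template]] = {m: {} for m in modalities}

    def enroll(self, user: str, samples: Dict[str, Template]) -> None:
        for modality, template in samples.items():
            self.stores[modality][user] = template

    def matched_modalities(self, user: str, presented: Dict[str, Template]) -> List[str]:
        """Modalities whose presented sample matches the user's enrolled template."""
        matched = []
        for modality, sample in presented.items():
            enrolled = self.stores.get(modality, {}).get(user)
            if enrolled is not None and similarity(enrolled, sample) >= MATCH_THRESHOLD:
                matched.append(modality)
        return matched

    def verify(self, user: str, presented: Dict[str, Template]) -> bool:
        return len(self.matched_modalities(user, presented)) >= REQUIRED_MATCHES


FP = (3, 1, 4, 1, 5, 9, 2, 6, 5, 3)     # constructed enrolled fingerprint template
FACE = (2, 7, 1, 8, 2, 8, 1, 8, 2, 8)   # constructed enrolled face template


def demo() -> Dict[str, bool]:
    auth = MultimodalAuthenticator(["fingerprint", "face", "voice"])
    auth.enroll("alice", {"fingerprint": FP, "face": FACE})
    live_face = FACE[:-1] + (9,)        # live capture: one feature differs, still above threshold
    return {
        "two_live_modalities": auth.verify("alice", {"fingerprint": FP, "face": live_face}),
        "stolen_fingerprint_only": auth.verify("alice", {"fingerprint": FP}),  # leaked exact template
        "stolen_fingerprint_wrong_face": auth.verify("alice", {"fingerprint": FP, "face": (0,) * 10}),
    }
```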
Final thoughts
The use of biometrics is not new. We have had the means to acquire, record and compare fingerprints for decades. But the technology available to capture and compare biometric data in more detail, at scale and in near real time has opened up many new possibilities. Responsible use of biometric datasets should be implemented and celebrated to improve security, particularly through more rigorous authentication.
At the same time, these developments should only proceed in conjunction with broader data security measures, including best practices prescribed by NIST, CIS and others, to protect these systems and the privacy of data subjects whose biometric data are used.