Biometric Data Offers Added Security — But Don't Lose Sight of These Important Risks

Pattie Dillon remembers a story from her time as a consultant before becoming product manager of antifraud solutions at SpyCloud. At that time, her call-center client used voice recognition technology to identify a caller who was pretending to be someone else.

"It was a little comical because it was a gentleman that was calling in trying to sound like a woman," Dillon recalls. "Coincidentally, they had had several of these phone calls from this same individual, and [the software] was actually able to find those voice patterns and identify it as the same person."

Biometric authentication, such as face ID, voice biometrics, fingerprints, or some combination thereof, is becoming an essential part of the cybersecurity toolbox as organizations try to block adversaries from taking over online accounts and to prevent fraud. However, companies must safeguard biometric data to prevent it from being exploited or stolen.

How to Secure Biometric Data

Though biometric authentication can be user-friendly, its critical flaw is that biometric data can't be updated once it is compromised, says Gerald Alston, associate partner and leader of the US security practice for Infosys Consulting. Passwords, PINs, and other identification methods can be replaced, but there's no way to replace a thumbprint, for example, once it is compromised, he says — which is another reason why protecting this type of data is so important.

Traditionally, IT and cybersecurity teams store images containing biometric data in one place after capturing them, but some are starting to explore tokenization. Tokenization is a process in which the images are divided and kept in different locations, reuniting them from their respective databases when the biometric authentication method is used, Alston explains. If an unauthorized intruder enters the system, they need to find where the other components of the biometric images are, but that only delays the inevitable breach, he says.

To better protect tokenized data, Alston suggest implementing a mature encryption key management system, instituting data discipline, and knowing where you currently use tokenization. In other words, make sure you have established processes and procedures for your encryption keys, stay abreast of where your data is, and understand what data you have tokenized and where it's stored, he says.

To that point, another issue to consider is where the data is stored. The FIDO Alliance describes how to securely gather, store, and transmit biometric samples between devices or servers, says Mitek Systems CTO Stephen Ritter. Instead of just saving the biometric image directly on the device or sending it to a central server, the FIDO approach generates a unique cryptographic key pair. When the device is set up for biometric authentication, the private key is saved on the device, usually in the device's secure enclave so that it can't be readily stolen by attackers. The public key is registered with the application or service. During authentication, the client device signs the action — by providing a fingerprint or taking a selfie, for example — with the private key to verify its validity. The secure enclave is designed to be protected space from the rest of the device, and its contents are not readily accessible from outside.

Legal and Business Requirements

Besides following industry guidelines, Ritter also recommends that IT and cybersecurity teams watch for data privacy regulations, including the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and the Biometric Information Privacy Act (BIPA) in Illinois.

BIPA contains rules for the retention, disclosure, collection, and destruction of biometric data. CCPA requires companies that collect consumers' personal information, including biometric data, to disclose and control the use of the data collected. The European Data Protection Board, which facilitates the consistent application of the GDPR, is soliciting public comments regarding the guidelines for law enforcement use of facial recognition.

"Whenever you are going to collect biometric data and you are going to use it for authentication, you need to be very clear to the user, before they sign up for that service, that that's what you're going to do. And you have to get their consent in writing," Ritter says.

Third-party vendors that handle outsourced biometric authentication are a centralized hub for "mountains of identity data," making them a ripe target for threat actors, Ritter says. Companies should evaluate vendors to ensure the data is secured properly to the extent they are comfortable. Mitek enters into data protection agreements with its clients, complies with ISO 27001 standards, generates System and Organization Controls 2 Type 2 reports, and offers source code reviews, he adds.

"It takes work to go and identify the right vendor and ensure that they have the right security and control in place, but that is almost always better than building these things on your own," Ritter says.