We have written extensively about biometrics in our Market Leadership section, from how biometrics work, to how biometric data is stored to how biometric technology is deployed across a wide range of industries.
One of the most common questions we hear about biometrics concerns their security. There has been a lot of misinformation in the press about the safety and security of using biometrics to identify people and to authenticate that they are who they say they are. In this post, we are going to bust some of those myths relating to the security of biometrics and show why biometrics is one of the most secure forms of authentication.
What is biometrics?
Biometrics is the technical term for body measurements and calculations; it refers to metrics related to human characteristics. In computer science, biometric authentication is used as a form of identification and access control.
Biometric information is digitised by converting biometric data (the ridges of a fingerprint, for example) into biometric templates using special formulas or algorithms. To be useful, a biometric must be unique, permanent and collectable. Once captured, the biometric is compared against, and matched with, the templates held in a database.
Where a lot of confusion arises is around the collection and storage of that data and the security of the database where the data is stored.
How is biometric data stored?
Biometric templates are binary files that encode the unique traits of an individual’s biometric data and are unreadable without the right algorithm. There are several storage strategies for biometric data that organisations can employ. These include:
· On-device storage
· Hardware recognition system
· Portable token
· Database server
· Distributed data storage
· Blockchain data storage
You can read more about all of these biometric storage options in our recent post, How is biometric data stored?
Is biometric data secure?
Now we understand more about what it is and how it is stored, it’s important to understand what makes biometrics secure.
Take facial recognition as an example:
· When you create a facial recognition template from a face, whether in real time, in person or from a photograph, the biometric is not the image or the photo, and it is NOT the facial image or photo that is stored.
· What is created (i.e. the “biometric”) is actually a proprietary, mathematical interpretation of the subject’s face and any original picture or video is discarded and is not stored. This mathematical interpretation is called the facial “template”. This facial template is proprietary to the facial recognition solution provider.
· It is impossible to interpret or even read this template without the vendor’s secret, proprietary algorithm to decode it.
· Lastly, even when the template is decoded using this secret algorithm, this does not and never can recreate the face used to create the template to begin with. Recreating the original face or photograph from the facial template is simply impossible. It is akin to recreating a complete person from a shoe print left in the dirt.
So the fear that, once a person’s biometric is compromised, the hacker can recreate the person’s original face, fingerprint or whatever the biometric happens to be is simply misplaced. Without the vendor’s secret, proprietary algorithm to decode it, your biometric is useless to a hacker and remains secure. That is far more secure than passwords and the like, which are either stored in clear text or can be easily recovered by brute-force attacks. Neither of these is possible with a properly created biometric.
Biometric authentication is therefore one of the most secure ways possible to prove that a person is who they say they are.
Can biometric data be hacked?
This is perhaps one of the biggest misconceptions about biometric data. The most common answer you will see to this question usually looks like this, “Whilst a stolen PIN number can be easily updated and changed, once your biometric data is stolen, it can no longer be used as a way of identifying yourself once compromised.”
This thinking, however, is flawed.
As we have already covered, when biometric data is stored, you are not simply storing the original image used to create the biometric (e.g. a photo of a face). If that were the case, hackers would not need to break into complex databases to steal our biometrics. They could simply do a Google search, find an image of us and recreate it as a mask or printed photo. Similarly, if they wanted to use our voice biometric, they could simply call us and record our voice. Without the secret biometric algorithm, the hacker can’t create a new biometric or decode any existing biometric.
Biometric matching is only one component of today’s identity verification and authentication systems. These systems are used to answer the question “Is this person who they say they are?” An additional layer in modern biometric authentication systems is liveness detection, which helps to answer the question “Is this a real person?”
As hackers have become more sophisticated in the way they operate, biometric systems have had to adapt. Liveness detection is anti-spoofing face recognition technology that uses artificial intelligence to detect whether the biometric source is a real person or not. It is used in conjunction with face recognition to detect whether someone is fraudulently impersonating another individual by, for example, wearing a prosthetic mask or presenting an inanimate photo or image.
This additional layer of security is particularly important in use cases that are remote or unsupervised, such as signing up for a new bank account on a mobile app instead of in person at a branch.
Even if a hacker managed to steal a company’s database of biometric information, this information would be completely useless to them.
As soon as your biometric data is converted into a template, it cannot simply be reversed back into the original sample. A modern biometric system stores only the templates, not the original biometric information.
The biometric template does not store any of the attributes associated with the original scan and contains no personal information about the individual. If someone did manage to steal a biometric template, the information contained would be useless without the corresponding algorithm that is unique and bespoke to each business and is also securely protected.
Add to this the secure storage of biometric data, such as on a blockchain or a portable token, and a hacker would be left with two layers of useless bytes.
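The passage above makes two claims that are easier to see in code: a stored template is a vector of measurements rather than a picture, and matching can be performed on a template that has been transformed with a key specific to the deploying business, so that the stored bytes are not directly usable elsewhere. The following is an added illustration written for this post, not the code of any vendor’s product. It uses constructed eight-value “measurements” as templates, an assumed Euclidean-distance threshold of 0.25, and a deliberately simple keyed transform (a permutation plus sign flips derived from a per-tenant key) that preserves distances exactly so the comparison can run in the protected domain. The transform is a teaching toy: it leaks the magnitudes of the coordinates and is not a production template-protection scheme.

```python
import hashlib
import math
import random

# Constructed toy templates: fixed-length vectors of measurements, NOT images.
# Real vendor templates differ in format, but the shape of the problem is the
# same: a vector that is compared against another vector.
TEMPLATE_DIM = 8
MATCH_THRESHOLD = 0.25      # assumed decision threshold on Euclidean distance

# Constructed enrolment and probe data (not from the original post).
ALICE_ENROLLED = [0.10, 0.40, 0.30, 0.90, 0.20, 0.70, 0.50, 0.60]
ALICE_PROBE = [0.12, 0.38, 0.31, 0.88, 0.20, 0.72, 0.49, 0.61]  # same person, noisy
BOB_PROBE = [0.80, 0.10, 0.60, 0.20, 0.70, 0.30, 0.90, 0.10]    # different person
TENANT_A_KEY = b"constructed-key-for-business-A"
TENANT_B_KEY = b"constructed-key-for-business-B"


def distance(a, b):
    """Euclidean distance between two templates of equal length."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _keyed_rng(tenant_key):
    """Derive a deterministic PRNG from the tenant key (hash it first)."""
    seed = int.from_bytes(hashlib.sha256(tenant_key).digest(), "big")
    return random.Random(seed)


def protect(template, tenant_key):
    """Apply the tenant-specific keyed isometry: permute coordinates, flip signs.

    Because every tenant derives a different permutation and sign pattern,
    the same person enrolled at two businesses yields different stored bytes.
    Distances between templates protected with the SAME key are unchanged,
    so verification can run without ever un-protecting the stored template.
    """
    if len(template) != TEMPLATE_DIM:
        raise ValueError("unexpected template length")
    rng = _keyed_rng(tenant_key)
    order = list(range(TEMPLATE_DIM))
    rng.shuffle(order)
    signs = [rng.choice((-1.0, 1.0)) for _ in order]
    return [s * template[i] for s, i in zip(signs, order)]


def verify(stored_protected, probe_template, tenant_key):
    """Match in the protected domain: protect the probe with the same key, compare."""
    probe_protected = protect(probe_template, tenant_key)
    return distance(stored_protected, probe_protected) <= MATCH_THRESHOLD


def demo():
    """Enrol Alice at business A and run the comparisons the text describes."""
    stored = protect(ALICE_ENROLLED, TENANT_A_KEY)
    return {
        "genuine_match": verify(stored, ALICE_PROBE, TENANT_A_KEY),
        "impostor_match": verify(stored, BOB_PROBE, TENANT_A_KEY),
        # The same stored bytes, presented to a different business's matcher.
        "cross_tenant_match": verify(stored, ALICE_PROBE, TENANT_B_KEY),
        "stored_bytes_are_a_vector": stored,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of matching in the protected domain is that the matcher never needs the raw template at rest; a real deployment would replace the toy permutation with a standardised biometric template-protection scheme and keep the tenant key in a hardware-backed key store rather than in source code.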
Most industries are utilising the power and convenience of biometrics to put multiple security checks in place to protect personal information and transactions.
It is not enough to rely on one form of authentication in order to offer the most secure system. Instead, businesses use two-factor authentication (2FA) or multi-factor authentication (MFA) in order to authenticate that you are who you say you are. This might typically include something you know (like a password or PIN), something you have (like a token or mobile phone) or something you are (a biometric identifier).
Banks are a prime example of this. Whilst they may allow access to online banking apps via a biometric such as facial recognition or fingerprint ID, they will often require a secondary authentication method for large transactions (such as confirming your password), or they may authenticate via a token, which could simply be your authorised and authenticated mobile device.
Multi-factor authentication is becoming more commonplace and is used in conjunction with biometrics in order to make transactions and authentication convenient and secure.
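The liveness and multi-factor points above combine naturally into a single authorisation decision: a biometric match counts as a factor only when liveness also passed, factors are counted by category (face plus fingerprint is still one “something you are”), and a high-value transaction steps up to a second category. The following decision logic is an added example written for this post, not any bank’s or vendor’s implementation; the step-up amount of 1000 and the method names are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Factor(Enum):
    """The three factor categories named in the text."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


@dataclass(frozen=True)
class Evidence:
    """One authentication event. `liveness` is only meaningful for INHERENCE."""
    factor: Factor
    method: str                    # constructed labels: "password", "face", ...
    verified: bool                 # did the check itself pass?
    liveness: Optional[bool] = None  # did anti-spoofing pass? (biometrics only)


# Assumed policy value (constructed for this example, not from the post).
STEP_UP_AMOUNT = 1000.00  # transactions at or above this need two categories


def counts_as_factor(ev: Evidence) -> bool:
    """A biometric counts only if the match AND the liveness check passed."""
    if not ev.verified:
        return False
    if ev.factor is Factor.INHERENCE:
        return ev.liveness is True
    return True


def distinct_factors(evidence: Iterable[Evidence]) -> set:
    """Count categories, not methods: two biometrics are still one factor."""
    return {ev.factor for ev in evidence if counts_as_factor(ev)}


def authorise(evidence: Iterable[Evidence], amount: float) -> str:
    """Return 'allow', 'step_up' (ask for another category) or 'deny'."""
    factors = distinct_factors(list(evidence))
    if not factors:
        return "deny"
    if amount < STEP_UP_AMOUNT or len(factors) >= 2:
        return "allow"
    return "step_up"


# Constructed evidence objects used by the demo and checks below.
FACE_LIVE = Evidence(Factor.INHERENCE, "face", verified=True, liveness=True)
FACE_SPOOFED = Evidence(Factor.INHERENCE, "face", verified=True, liveness=False)
FINGERPRINT = Evidence(Factor.INHERENCE, "fingerprint", verified=True, liveness=True)
PASSWORD = Evidence(Factor.KNOWLEDGE, "password", verified=True)
BOUND_DEVICE = Evidence(Factor.POSSESSION, "bound_device", verified=True)


def demo():
    """Run the scenarios from the text and return each decision."""
    return {
        "login_with_live_face": authorise([FACE_LIVE], 50.00),
        "login_with_photo_spoof": authorise([FACE_SPOOFED], 50.00),
        "large_payment_face_only": authorise([FACE_LIVE], 5000.00),
        "large_payment_face_plus_fingerprint": authorise([FACE_LIVE, FINGERPRINT], 5000.00),
        "large_payment_face_plus_device": authorise([FACE_LIVE, BOUND_DEVICE], 5000.00),
        "large_payment_face_plus_password": authorise([FACE_LIVE, PASSWORD], 5000.00),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

Treating a failed liveness check as “no factor at all” rather than as a weaker factor is the design choice worth noting: a matched face with no evidence of a live subject is exactly the presentation-attack case the text describes, and it should not earn partial credit.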
Rethinking the question: is biometric data secure?
Hopefully, this post has helped to allay some of the misguided fears associated with the safety and security of using biometric authentication.
Whilst there is always a possibility of professional hackers accessing any form of database, the likelihood of them accessing data that can be used to impersonate an individual is extremely low and much less likely than them accessing passwords or other forms of authentication.
Biometric authentication technology is here to stay and over the next decade, we can expect to see an overwhelming adoption of the technology worldwide.
The COVID-19 pandemic has accelerated the need to create frictionless and contactless environments across a wide range of sectors, particularly travel and hospitality. Businesses that were early adopters of biometric technology are reaping the benefits, as they have been among the first able to offer contactless experiences throughout the pandemic.
Biometric data is helping to make the world more secure and convenient. You can read more about biometric authentication in our post Which biometric authentication method is most secure.