Biometric authentication is becoming a more common method of authenticating that you are who you say you are.
From accessing your mobile phone to clocking in for work to passing seamlessly through border control, we are all becoming more familiar with the use of biometrics for identification and authentication.
Despite the wider adoption of biometric authentication technology, we are, however, still seeing resistance to its use in some areas.
Whilst people are intimately familiar and comfortable using their biometrics such as face or fingerprint recognition for everyday tasks such as unlocking their phone, there is still wariness about using biometrics to perform other tasks such as facial recognition at airports.
This difference and mistrust likely stem from several things:
- Users feel like they are in control of the biometric process on their phone. After all, they can elect to use it or not.
- They are in control of the biometric enrolment process.
- They have complete control of the biometric once it is “in” their phone, and can amend and delete it at any time.
- They believe the biometric remains on their phone.
Some of these factors are being driven by the misinformation in the media surrounding both the security and the reliability of biometrics as a way of identifying and authenticating people. You can learn more about the reliability of biometric authentication in a recent post.
Personal Use vs Business Use
One of the key differences we see when it comes to trust, or the lack of it, around biometric authentication is whether an individual is using biometric authentication for personal or business use.
Wariness comes into play when organisations start collecting and using biometrics without the knowledge or consent of the user, and potentially use the collected biometrics for purposes that the user has not consented to and may not even be aware of.
New Zealand has strong privacy laws and guidelines when it comes to the collection and use of private information, and biometric information falls into this category. All organisations operating in New Zealand must consider these rules and guidelines before the collection and use of private information, including biometrics. Some of these guidelines include:
- The organisation should obtain the user’s consent before collecting or using their private information (there should be some form of enrolment function or acknowledgement and an “opt out” option).
- For users who don’t wish to or can’t consent to provide a biometric, there must be an alternative path to gaining access to the service. So, for example, if a user doesn’t want to use their fingerprint or face to unlock their phone or PC, then they have the ability to use a password or PIN instead.
- The organisation must clearly set out why they are collecting the information and what it will be used for. They must not use the information for any other purpose, without prior consent.
- The organisation must be clear about with whom they may share the information, and for what purpose. They must not share more widely than “consented” by the user. So, if an organisation collects a biometric for authentication, they should not market the data to other organisations, without the user’s consent and can only do so if the use is “proportionate” – see below.
- The user must have the ability to correct any information they believe is incorrect.
- The organisation should delete the information once the purpose is fulfilled. If for example, an organisation collects a biometric as part of their membership process, they should not retain the biometric when the user resigns their membership.
- The organisation must not collect more information than is required for the purpose. For example, if the primary purpose is to check someone’s identity using a fingerprint or a face, the organisation should not also collect information such as age, addresses, marital status, driver license number or any other “unnecessary” information that is not required to identify the person.
- All information should be treated sensitively, collected, transmitted, and stored in a secure manner and the user should be informed about how. A small business running their IT systems in a provider’s garage will likely not have sufficient security or robustness to pass this “test”.
- The information collected should be “proportionate” to its intended use. It can be tricky to interpret “proportionate”, but it basically means that if a service could utilise less sensitive information for a particular purpose, rather than using a biometric, then it should. For example, collecting someone’s fingerprint to allow a coffee machine to dispense the right coffee could be an example of an outcome or benefit that is disproportionate to the value of the biometric being collected, but using the biometric for identification when paying for that coffee may be proportionate.
There is no question that the use of biometric data is a growing part of our future. One can buy home door lock systems that use your fingerprints to unlock your home. Airport e-Gates are a great way to avoid long customs and immigration queues. Pay by face is already in place outside New Zealand and will eventually find its way here. And all of these will need to take privacy considerations into account.
Protecting your biometrics here in New Zealand
The Office of the Privacy Commissioner recently updated its guidelines for the collection and use of biometric data, regulated by the Privacy Act. The document helps to guide an organisation on when and how to use private information such as a biometric. It also helps an organisation to assess the privacy impacts of collecting personal and private information, and the impact of possible breaches or compromises of this information.
If you are still unsure about the collection, storage, or usage of biometric data that you collect, you can also reach out to the Privacy Commissioner for further guidance.
It should be noted, however, that the user should also understand what is being collected and stored when a biometric is collected or enrolled. For example, many people have the incorrect belief that when facial recognition is used, the biometric stored is a photograph or image of the person and that this is vulnerable to compromise.
However, this isn’t the case.
One of the biggest barriers to adoption has been security concerns around the storage of biometric data. However, much of this concern is misplaced. While the storage of your biometric data is obviously important, there are many misconceptions about what a biometric actually “is” and what can be done with it.
Take facial recognition as an example:
- When you create a facial recognition template from a face, whether this is in real-time, in person or using a photograph, the biometric is not the image or the photo and it is NOT the facial image or photo that is stored.
- What is created (i.e. the “biometric”) is actually a proprietary, mathematical interpretation of the subject’s face and any original picture or video is discarded and is not stored. This mathematical interpretation is called the facial “template”. This facial template is proprietary to the facial recognition solution provider.
- It is impossible to interpret or even read this template without the vendor’s secret, proprietary algorithm to decode it.
- Lastly, even when the template is decoded using this secret algorithm, this does not and never can recreate the face used to create the template to begin with. Recreating the original face or photograph from the facial template is simply impossible. It is akin to recreating a complete person from a shoe print left in the dirt.
So, the fear that once a person’s biometric is compromised, the hacker can recreate the person’s original face, fingerprint or whatever the biometric happens to be, is simply misplaced.
Without the vendor’s secret, proprietary algorithm to decode it, your biometric is useless to a hacker and is still secure. It is far more secure than passwords and the like, which are either stored in clear text or can be easily decrypted with brute force attacks. Neither of these is possible with a properly created biometric.
Biometric authentication is therefore one of the most secure ways possible to prove that a person is who they say they are.
You can read more about biometrics and how they are stored in our recent post, How is biometric data stored?
When is it OK to use biometric authentication?
Coming back to the title of this post, hopefully, we have cleared up some of the grey areas around the collection, storage, and usage of biometric data.
As we move into 2022 and beyond, we can expect to see biometric authentication rolled out into more and more businesses worldwide. As more people gain a better understanding of biometrics and we continue to bust some of the myths that surround the safety and security of biometric authentication, we hope to see less resistance to the use of biometric authentication, allowing businesses to operate more securely.
The COVID-19 pandemic has also accelerated the adoption of biometric authentication as more and more businesses look to contactless solutions to tackle a wide range of issues, from staff clocking in to passing through customs to paying for goods and services in a shop.