For organizations considering biometrics as they move away from reliance on usernames and passwords, it’s important to remember that regulation of the personal information that such systems collect (fingerprint patterns, for instance) is becoming front and center for many governments.
Fortunately, device-side matching of biometric data is a compelling approach to satisfy key privacy requirements, according to a white paper from PwC Legal and Nok Nok Labs comparing key privacy implications of on-device and on-server matching of biometric data.
The protection of personal information like retinal scan or fingerprint identifiers becomes especially important in cross-border personal data transfers, as are the benefits of individual choice and control around such personal data.
Some jurisdictions have already specifically referenced biometrics in privacy guidance and legislation. Freely given, informed user consent is required before processing biometric data in almost every jurisdiction, for instance.
“Biometric authentication and verification can be one of the most secure ways to control access to restricted systems and information,” said Stewart Room, partner at PwC Legal. “Unlike authentication based on traditional passwords, authentication through biometric data is easier to use in practice, and can be far more secure.
“However, this is a double-edged sword, because biometric data is extremely sensitive due to its uniqueness and how intrinsic it is to a specific individual. Additional efforts must be made to keep this data secure including choosing a proper compliance system and infrastructure, training staff how to handle it and protecting it from unauthorized access or disclosure.”
The white paper noted that with centralized storage of biometric data, the potential for large-scale loss of data is significantly increased. And in fact, on-server authentication for a global network of biometric users results in international transfers of data; transfer of personal data, including biometric data, out of a jurisdiction is generally restricted. In contrast, on-device authentication will generally avoid international cross-border biometric data transfer implications.
“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, president and CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach.”
Photo © Titina Ongkantong