How Secure are your Biometrics?


Public trust concerning biometrics is top of mind, with opinions on the Home Office Biometrics Strategy taking many forms. This outpouring provides us an opportunity to more constructively discuss biometrics, the use of which is rapidly expanding in government and among consumers.

Deloitte notes that consumer adoption of biometrics is soaring, while over the next 12 months officials, responding to innovations in the biometrics space, aim to establish a system of biometrics governance.

From improvements in the oversight of passive facial biometrics used at large public gatherings to recommendations on how to build a technical platform into which existing biometric systems will integrate, a national conversation is taking place. While that conversation is focused on home security, policing, and immigration, it is raising awareness of biometrics more broadly.

Apprehension concerning biometrics is rooted in a suspicion that these intimate credentials are beyond our control and will fall into the wrong hands. Once a person's biometric is enrolled into a database, every subsequent verification is matched against that stored reference, and unlike a password, a fingerprint or face that leaks from such a database cannot be reissued.

Retaining the reference image and searching it in a 1:many matching scheme is what makes centralized biometrics worrisome to consumers and to others with no connection to national security or the criminal justice system. In these systems a user presents their biometric when needed, and the captured image is compared against a library of everyone's biometrics held centrally.

A 1:1 matching scheme, common outside the government sector, compares a person's biometric only against that same person's enrolled reference, typically on a mobile device. A successful local match unlocks a private key held on the device, and the end user and service provider then authenticate with public-key cryptography in a challenge-response exchange: the device signs a challenge issued by the service, and the sensitive images are never transmitted over the internet.

The service provider holds only the corresponding public keys, not a library of biometric credentials, and with the biometric serving as the credential the password can finally be retired from online life.

Governments have a dismal record of handling centralized biometrics. In the US, the federal Office of Personnel Management (OPM) was breached by intruders using Sakula malware, and 5.6 million sets of government employee fingerprints were stolen along with the rest of the 21.5 million records taken. India's Aadhaar identity database, set to be the world's largest biometrics store, has been reported compromised not once, but twice.

As the adoption of newer biometrics applications in financial services demonstrates, these concerns are being addressed with resolve. A question executives ask when deploying biometrics for password-less authentication into applications and friction-free payments is, "Where will we store these biometrics?" The answer is more crucial than ever in light of GDPR and PSD2, and against a backdrop of mass account compromises made possible by password reuse.

Leading firms now forgo the unsafe practice of storing biometrics centrally. Instead, they put mobile devices to their highest and best use by storing each user's biometric only on that user's device. Consumers verify their identity against an isolated, encrypted template inside the device in a 1:1 matching scheme; the service never receives the template, only proof that the match succeeded.
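The on-device 1:1 match and public-key exchange described above, written out end to end as an added example in Go. This is not code from the page, from any vendor, or from the FIDO specifications, and it is deliberately simplified: real FIDO assertions sign the challenge together with the relying-party identifier and client data, a real matcher scores similarity against a threshold rather than testing byte equality, and the user ID "alice" and the template bytes are constructed stand-ins. What it shows is the division of labour: the template and private key never leave the Device, the RelyingParty keeps public keys and single-use challenges only, and a wrong finger produces no signature at all.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the handset. Nothing in it ever leaves the device: the
// enrolled template stands in for the fingerprint/face data held in secure
// hardware, and privKey is the per-service credential key that a successful
// local match unlocks.
type Device struct {
	template []byte
	privKey  ed25519.PrivateKey
}

// RelyingParty models the online service. It stores public keys and
// outstanding challenges only; there is no biometric store to breach.
type RelyingParty struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		pubKeys:    map[string]ed25519.PublicKey{},
		challenges: map[string][]byte{},
	}
}

// Enroll generates the credential key pair on the device and registers only
// the public half with the service. The template is captured on the device
// and stays there.
func Enroll(rp *RelyingParty, userID string, template []byte) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[userID] = pub
	return &Device{template: template, privKey: priv}, nil
}

// NewChallenge issues a fresh random nonce. The device must sign this exact
// value, which is what stops a captured assertion from being replayed.
func (rp *RelyingParty) NewChallenge(userID string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[userID] = c
	return c, nil
}

// localMatch is the 1:1 comparison: the presented sample against this user's
// own enrolled template. Constant-time byte equality stands in for a real
// matcher's similarity score (a simplification, not how sensors work).
func (d *Device) localMatch(sample []byte) bool {
	return subtle.ConstantTimeCompare(sample, d.template) == 1
}

// Authenticate runs the local match and, only on success, signs the
// challenge. On failure the private key is never touched, so there is
// nothing to send; the biometric itself is never transmitted in either case.
func (d *Device) Authenticate(sample, challenge []byte) ([]byte, error) {
	if !d.localMatch(sample) {
		return nil, errors.New("local biometric mismatch: credential key stays locked")
	}
	return ed25519.Sign(d.privKey, challenge), nil
}

// Verify checks the signature with the stored public key and consumes the
// challenge so the same assertion cannot be presented twice.
func (rp *RelyingParty) Verify(userID string, sig []byte) bool {
	pub, ok := rp.pubKeys[userID]
	challenge, pending := rp.challenges[userID]
	if !ok || !pending {
		return false
	}
	delete(rp.challenges, userID)
	return ed25519.Verify(pub, challenge, sig)
}

// HoldsBiometric answers "where are the biometrics stored?" for this design:
// scanning everything the service keeps finds no copy of the template, so a
// dump of the service's database exposes public keys and nonces only.
func (rp *RelyingParty) HoldsBiometric(template []byte) bool {
	for _, pub := range rp.pubKeys {
		if bytes.Contains(pub, template) {
			return true
		}
	}
	for _, c := range rp.challenges {
		if bytes.Contains(c, template) {
			return true
		}
	}
	return false
}

func main() {
	rp := NewRelyingParty()
	// Constructed sample bytes standing in for an enrolled template; not real biometric data.
	template := []byte("constructed-fingerprint-template-0001")
	dev, err := Enroll(rp, "alice", template)
	if err != nil {
		panic(err)
	}
	challenge, _ := rp.NewChallenge("alice")
	sig, err := dev.Authenticate(template, challenge)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine finger, fresh challenge accepted:", rp.Verify("alice", sig))
	fmt.Println("replayed assertion accepted:", rp.Verify("alice", sig))
	fmt.Println("service holds a copy of the template:", rp.HoldsBiometric(template))
}
```

The property worth checking in a real deployment is the one `HoldsBiometric` makes explicit: after enrolment, the service's database should contain nothing that a matcher could use. If an audit of the server-side schema turns up template blobs or raw images, the system is centralized regardless of what the sensor on the phone is doing.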

Unconventional as it may seem, Global 2000 firms have already deployed biometrics in a manner that would reassure critics of government systems. Often these architectures are built on open standards such as those of the Fast IDentity Online (FIDO) Alliance, a US-based consortium of technology companies.

Biometrics, like passwords, PINs and bankcards, are a credential. Driven by the password's security and usability flaws, online services are migrating to password-less experiences and, at the same time, decentralizing the assets that matter most. Credentials don't merely require protection; they should be closely held by their owner, not by the service provider.

The sophistication of commonplace mobile devices settles some of the governance and compliance questions about how biometrics are handled, because a device can store the template and perform the match locally, keeping privileged data decentralized. This depends on how the system is architected: a fingerprint or face sensor on its own decentralizes nothing, and the application must be built to keep the template on the device and to release only a signed assertion to the service.

Outside the public sphere, and especially in financial services, decentralized authentication with biometric credentials is the preferred password-less implementation.

Government will always have an appetite for centralizing enormous libraries of credentials for identity matching. In the larger conversation about biometrics, at ministries and at kitchen tables, officials may want to take a cue from financial firms that deploy biometrics with an unflinching eye toward security, privacy and trust.
