Biometrics offer a stronger option for GDPR compliance
Data privacy is high on the global agenda. In the wake of data protection policies such as Europe’s GDPR, ensuring the integrity of personal data is an increasingly pertinent subject. This is a governmental and corporate policy reflection of the fact that our lives are moving increasingly online and, with it, our personal data is facing new and increased threats.
For all access to private data or services, we must be authenticated – this is the basis of privacy in the online world. But as PINs and passwords are increasingly viewed as insufficient to tackle this new reality, the world is looking to stronger authentication solutions, such as biometrics.
When implemented in the right way, biometrics will bring multiple benefits. Already biometrics have enabled consumers to add layers of authentication to personal data previously unsecured in their owned devices – from apps and e-commerce, to our homes and devices. But its potential is phenomenal. Consumer-driven authentication via our phones and tablets is already by far the largest application of biometrics in the world, with figures in the billions that dwarf government-led identification schemes such as India’s Aadhaar and the FBI database.
Crucially though, it’s a privacy and security measure that consumers have the power and choice to implement. And as third parties, such as financial services, health care and enterprise organizations, increasingly accept consumer biometrics authentication for their services, supporting the market’s continued adoption is an important and timely topic. But first, as biometrics creates its own sensitive personal data, there are a few points to clarify and discuss.
Undeniably, the success of existing applications of consumer biometrics is based on the advantages they offer consumers. Just look at the penetration and use of fingerprint biometrics in smartphones. But the success of future adoption will be determined by how confident consumers continue to feel in new situations. We’re frequently reminded not to use the same password or PIN multiple times, so it’s only natural consumers are beginning to feel concerned of their biometrics integrity as they start to utilize their fingerprint on multiple devices and apps: their phone, tablet, card, USB dongle.
Consumer device authentication utilizes a "privacy by design" approach that inherently protects end-user biometric data with an on-device authentication approach – where biometric data is enrolled, stored and managed all on the same device. Certain ideas have been fundamental to biometrics’ privacy protection in mobile and are what will enable new benefits for consumers in other personal device-based scenarios.
For example, it's a common misconception that biometric data, such as fingerprints, are stored as images. And in turn, if this image is accessed, the corresponding fingerprint is permanently compromised and unable to be restored or used securely on other applications. You’ll have heard the argument about biometrics: “I can change my password any time, but I only have ten fingerprints; what happens if they’re all hacked?”
In fact, data from a biometric sensor is captured and stored as a template in binary code – or encrypted 0s and 1s. This mathematical representation makes hacking basically pointless, because even if fraudsters could access the template, they can’t do anything with it. Template code cannot be reverse-engineered into the original fingerprint image, nor can it be linked to other services and, in turn, other personal data. Moreover, this template is unique to the device it is on, making it impossible to reuse between devices, even if the same fingerprint has been enrolled.
This neatly leads on to my next point regarding storage. In consumer authentication use cases, information is stored solely on the unique consumer device on which the template was created, remaining physically in control of the user.
Our recent consumer research found 38% were unwilling to share their biometric data but, with this approach, no data needs to be shared with third parties or cloud-based databases as everything is stored, and the authentication process is contained, within a single personal device.