- Security TWENTY
- Women in Security
Biometric technologies are extremely valuable but must be deployed with security and privacy front of mind, says Isabelle Moeller, Chief Executive of the Biometrics Institute, a body representing the users, vendors and researchers of biometrics. She stresses the need for a better understanding of biometrics to help build trust into the secure technology and address common misconception.
Biometrics cannot be stolen unlike passwords because they are physical features of a person. Copies of biometric images (photograph, fingerprint) can be made hence there is a need for effective anti -spoofing and liveness detection in biometric capture devices. Implemented well biometrics offer far greater security, privacy protection and user convenience than single factor password protection or two factor non biometric systems.
“The Biometrics Institute is taking an active role in promoting the responsible use of biometrics by bringing together the users, vendors, academics and privacy experts to facilitate this important mission.”
The institute has developed a set of Privacy Guidelines to ensure that organisations using biometrics are making the balance right between security, convenience and privacy.
Biometric authentication has the potential to ease the burden of security given its simplicity and usability. All security technologies have flaws, including PINs and passwords, and when subject to a determined attack none will guarantee absolute security. Most biometrics are not “secret” and should be used with a secure second factor. Security relies not only on one factor but on combining them, such as relying on a PIN and fingerprint.
Moeller says: “There are a number of technologies, both software and hardware, that can be used to detect such spoofing attacks; the Biometrics Vulnerability Assessment Expert Group (BVAEG) – a subcommittee of the independent Biometrics Institute consisting of many of the most experienced experts in this area from around the world are addressing the need for vulnerability detection to be included with biometric devices as well as to promote standards, enhance privacy protection, performance measures and testing, and to help facilitate the dissemination of new research or findings in this area.”
Spoofing a biometric requires a number of steps which make an attack like the one on the Apple iPhone 5S difficult under typical usage scenarios. When we give up a password, provide a biometric or other sensitive personal data it does come down to a question of trust and control. Some people and organisations are regarded as more trustworthy than others.
Governments are typically required to put very robust trust models in place to ensure end-to-end security is provided, through for example government accredited networks, compliance processes for privacy and record keeping legislation, assurance mechanisms involving partnerships and processes around access to data.
Where some organisations are involved that end-to-end security and assurance just might not exist – what happens with your face, your fingerprints in that environment is potentially riskier and requires far more than just a technology solution.
Another question is control and data retention. What happens to that biometric? Who looks after it, at what point in time is it destroyed? After a person leaves school or a particular job? What processes exist for managing any compromise of identity data, for re-establishing confidence in identity, for redress?
Moeller adds: “We have seen many successful implementations where biometrics have helped to transform identity management, privacy protection and identity security, like electronic passports facilitating a better and more secure travel experience or large-scale identity management systems such as the Indian Unique Identity (UID) scheme which facilitates the delivery of government’s services to the poor and marginalised.”
The Biometrics Institute members include immigration, customs and defence agencies, police, airlines, banks, university research groups. The institute is holding the “Biometrics 2014: The future of identity starts here!” on October 21 to 23, 2014 in London and the “Showcase Australia 2014” on November 18 in Canberra. Visit: www.biometricsinstitute.org.