Biometrics in security: protecting sensitive PII and the sanctity of user identity
This is a guest post by David D. Dunlap, Co-Founder and Senior VP of Corporate Planning, StoneLock
Our personal identity is our single greatest asset – after all, how can one function in the world without an identity? However, the use of technology to assign identities warrants the need to balance out the requirements for security with the vital necessity of protecting individual privacy.
The use of biometrics has been the subject of serious debate in the Security Industry for years. Proponents of biometrics point to the promise of a reliable identity credential, beyond cumbersome passwords, key codes or access cards, all of which are vulnerable to theft and fraud. Critics point out that biometrics are vulnerable to fraud as well, questioning the ability of a biometric to securely protect a user’s identity.
A biometric suggests that the person presenting a physical feature is presenting his or her own physical feature. However, many biometric readers today fail from a security standpoint because they can be easily spoofed. For example, a fingerprint can be easily lifted (German Minister of Defense Ursula von der Leyen’s thumbprint was recently reported to have been recreated from several news photographs) and replicated, and high-quality photos can be used to mimic face or iris scans.
Vulnerabilities like spoofing are routinely publicized by the media, along with countless stories of corporate system hacks resulting in the theft of sensitive Personally Identifiable Information (PII). In 2015 the Office of Personnel Management (OPM) was compromised, revealing the PII (including fingerprints) of every employee of the United States Government. A lack of a trusted solution, coupled with a total, growing dependency on the Internet, has created an incredible, constant threat to everyone, everywhere.
The truth is, a typical person’s identity, privacy, and security is at risk every day. The sense of privacy we all enjoyed a decade or so ago has been replaced by the uneasy acknowledgement that we live in an ‘everything’s out there’ world. Indeed, even biometrics need to capture a measurement of you – whether it’s a photograph of your face, your iris or fingerprint, the recording of your voice or a sample of DNA. So how can anyone’s identity be protected at all in a world of biometrics and digital transactions?
The answer to the protection of user identity involves the combination of two elements in the biometric credential itself:
1. The absence of sensitive user PII in the credential
2. A credential that cannot be spoofed by being used to imitate the user
The following is a simple hierarchical approach that illustrates biometric solutions based on their ability to protect the user’s personal privacy:
CATEGORY 1: THE LEAST PROTECTION
Very Limited Protection of Personal Information
Fingerprint readers, iris readers, voice recorders, and facial recognition solutions that use photographs or video images all rely on personal identifiers that can be copied and reproduced, creating the inherent concern with biometrics with which we are all familiar. Additionally, this category usually contains sensitive (PII) that, if stolen (and encryptions broken), can identify and be used to imitate the user. Note: encryption is viewed as ubiquitous but outside the scope of this discussion.
CATEGORY 2: “LIVENESS” TESTING
Protects Against Imitation but Adds More Sensitive PII
More and more biometrics are implementing “liveness testing” to try to address spoofing concerns. These tests look for a user movement, such as blinking (iris), or pulsing veins (finger and palm) or head movement to confirm a “live” person.
While liveness testing can provide assurance against spoofing, liveness tests have been spoofed as well, using HD video or even fake fingers to simulate vein movements. Liveness elements themselves usually function by collecting and using even more PII than a C1 biometric, so C2 biometrics potentially exposes more PII than C1 biometrics.
CATEGORY 3: NO SENSITIVE PII USED OR STORED
Does Not Reveal You
C3 biometric systems do not store any sensitive PII as a part of the reference file used for user verification. A C3 biometric therefore offers a level of identity protection if compromised, as nothing about the file is recognizable. However, if it can somehow be linked to the user, then the file can still be used to imitate the user.
Category 3 satisfies one of the two conditions required to protect the user’s identity. While making strides to protect identity, this biometric can still be compromised to imitate a user for entry.
CATEGORY 4: SPOOF PROOF
Cannot Imitate You
Category 4 represents the theoretical second element of identity protection: a biometric that cannot be used to imitate the user.
By definition, a C4 biometric is unspoofable yet still contains PII. Therefore, even though a C4 biometric cannot spoof the user, it nonetheless reveals the user’s identity, making it an incomplete solution for identity protection.
CATEGORY 5: UNSPOOFABLE AND NO PII STORED
The Elusive Gold Standard
Can a biometric system ever be certified as unspoofable, or is a product or underlying technology only considered unspoofable until proven otherwise?
This is the crux of the problem of establishing technical criteria by which identity is guaranteed across a digital connection, for instance, in authorizing a transaction. In this aspect, a biometric is no different than cards, PINs, or any other “I am who I say I am” credential. Until NIST or a like certifying agency provides guidelines for certification of an “unspoofable” digital nonrepudiation standard, our identities will never truly be safe from identity fraud.
The matter of protecting one’s personal identity is a problem for the ages, just as vitally important to individuals in a hundred years, even in a thousand years, as it is today. Today, cybercrime is the most common form of crime in the US, with costs expected to double by 2021 to over $6 Trillion. In the backdrop of these amplifying challenges, the challenge for the Security Industry is to develop solutions in such a way that users will not have to compromise the sanctity of identity, personal privacy, or the assurance of security in their daily lives.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.