Researchers warn biometric template protection still not adopted by industry

As facial recognition and fingerprint scanning become ubiquitous – from unlocking smartphones to airport security – biometric data privacy and security is becoming an increasing concern. Unlike a stolen password, fingerprints and facial templates cannot be reset, which makes biometric information uniquely sensitive.

These dangers are putting the spotlight on the field of biometric template protection (BTP), which, despite two decades of academic innovation, still lags behind in practical adoption. To address this, a group of researchers from the Swiss Idiap Research Institute, the University of the Bundeswehr Munich, and Michigan State University has written a new book focused on mitigating the risks associated with storing and using biometric templates.

The “Handbook of Biometric Template Protection: Motivation, Methods and Metrics” was published by Springer earlier this week, offering an overview of the technical and regulatory landscape of biometric template protection.

“This is the first book to present a comprehensive overview of the increasingly relevant biometric template protection (BTP) field, including: why it matters (motivation), what types of techniques have been proposed for protecting our irreplaceable biometric data (methods), and the approaches used to evaluate these methods (metrics),” writes Vedrana Krivokuća Hahn, the book’s co-editor and a researcher in Idiap’s Biometrics Security and Privacy Group.

The other editors are Marta Gomez-Barrero from Research Institute CODE at the University of the Bundeswehr Munich, Arun Ross from the Department of Computer Science and Engineering, Michigan State University and Sébastien Marcel, also with Idiap’s Biometrics Security and Privacy Group.

The handbook identifies three main culprits behind the slow adoption of BTP in the real world: Many system deployers do not recognize the importance of protecting biometric data or have no incentive to do so. Other researchers prefer sticking with traditional encryption methods despite their limitations, while some cite uncertainty over robustness and the proper evaluation of newer BTP techniques.

Privacy regulations such as the EU’s GDPR are beginning to change this calculus, fueling renewed interest in BTP research. The EAB examined the GDPR compliance challenge of biometric template protection in a 2023 workshop. The book offers a brief introduction on how to approach the evaluation of BTP methods from the point of view of existing technical standards.

Researchers argue that the methods used for generic data protection are usually unsuitable for protecting biometric templates. This includes traditional techniques like hashing, conventional encryption, distributed databases and smart cards and the more recent trusted execution environments.

“This is due, in large part, to factors such as the intrinsic noisiness of biometric measurements versus the exactness requirements of mechanisms like cryptographic hashing and encryption,” the book notes.

The handbook explores methods such as handcrafted BTP algorithms designed by humans, including feature transformations and biometric cryptosystems. It also delves into BTP methods learned using neural networks.

Other chapters explore how BTP could be achieved with the help of homomorphic encryption, which does not traditionally fall into the BTP domain. In Norway, for instance, the banking industry is testing homomorphic encryption from Mobai for protecting biometric templates.

Article Topics

biometric template  |  biometric template protection  |  biometrics  |  biometrics research  |  data protection  |  Idiap  |  MSU  |  Swiss Center for Biometrics Research and Testing