As we roam further into the first full weekend of Cybersecurity Awareness Month, the next issue that I want to bring up is Biometrics. When I originally started my tech writing biz some 12 years ago, this was the area in which I got started.
Not only did I resell hardware and software, but I also wrote three books about the subject matter through a real publisher. So in various sorts of ways, I guess I do know something about this topic.
Biometrics is a technology that has been around for quite some time, probably even going back to the 1950s when Hand Geometry Recognition first came out. But it has come in and out of the public limelight depending solely upon the amount of press coverage that it has received.
Essentially, Biometrics is yet another way of confirming your identity (as if you probably have not heard enough about this already).
But what is different about this versus the other authentication mechanisms is that your identity is confirmed based upon either your unique physiological or behavioral characteristics. I will address all of these technical things in a future blog.
But the key to remember here is that Biometrics also has a distinct set of advantages over the other authentication tools, which include some of the following:
*It cannot be easily spoofed or replicated. For example, since everybody on this planet technically has a different fingerprint structure from anybody else, reconstructing it can prove to be an almost impossible task. I am not saying here that it cannot be done – recent scientific studies have shown that it is possible, but it takes a lot of time and effort – something that a lot of people probably won’t have the patience to do.
*It cannot be hijacked or stolen. Yes, we are all aware of passwords being sold on the Dark Web after they have been heisted, but think about this: Nobody can really rip off your finger or rip out your eye to hijack the unique traits that reside within them. If this were to actually happen, it would really be quite painful. Also, Biometric devices only make use of live samples – meaning you cannot rip off the finger or eye from a corpse in order to spoof the device and claim the identity of the dead person.
*You do not have to create long and complex things. This is the total opposite of passwords. Once an image of your unique physical or behavioral trait has been captured, the raw image is actually converted over into what is known as a “Template”. If this were to ever be hijacked by a Cyberattacker, all your IT Security Team would have to do is simply disable that particular template and have you come back to provide new samples, which would only take a few minutes to accomplish.
*As just mentioned, the Templates are what is stored in the databases of businesses – not the raw images. In fact, the Templates are actually mathematical files. For example, an image of your fingerprint would be converted over to a binary mathematical file, which is nothing but a series of zeroes and ones – for example, 001101010100011111, etc. Thus, if this Template were to ever be hijacked, the chances of a Cyberattacker actually reverse engineering it for malicious purposes are almost nil. After all, what can they do with a series of zeros and ones – really nothing. It is not the same thing as having your credit card number.
*Biometrics is now becoming a very popular replacement for the traditional password. For instance, rather than spending long minutes trying to either figure out or reset your password, you can literally be logged into your device within seconds with a simple scan of your fingerprint or eye.
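To make the template life cycle described in the points above concrete (capture a live sample, reduce it to a binary Template, store only the Template, disable it if it leaks and re-enrol), here is a toy Python model added for this post; it is not the author's code or any vendor's product. The feature extractor, the 64-bit template length, the 90% match threshold and every sample are constructed assumptions.

```python
import random
from dataclasses import dataclass, field

TEMPLATE_BITS = 64      # length of the stored binary template (assumed)
MATCH_THRESHOLD = 0.90  # fraction of agreeing bits needed to accept (assumed)

def make_template(sample):
    """Quantise a raw sample (one float per feature) to a 0/1 string; stand-in extractor."""
    return "".join("1" if v >= 0.5 else "0" for v in sample)

def similarity(t1, t2):
    """Fraction of bit positions on which two templates agree."""
    return sum(a == b for a, b in zip(t1, t2)) / len(t1)

@dataclass
class TemplateStore:
    """Holds templates only; the raw sample is discarded once enrolled."""
    records: dict = field(default_factory=dict)  # template_id -> record
    next_id: int = 1

    def enrol(self, user, sample):
        tid, self.next_id = self.next_id, self.next_id + 1
        self.records[tid] = {"user": user, "bits": make_template(sample), "active": True}
        return tid

    def revoke(self, tid):
        """Disable a leaked template; the user re-enrols with a fresh sample."""
        self.records[tid]["active"] = False

    def verify(self, user, live_sample):
        """Accept if any active template of this user is close enough to the live probe."""
        probe = make_template(live_sample)
        return any(r["user"] == user and r["active"] and
                   similarity(r["bits"], probe) >= MATCH_THRESHOLD for r in self.records.values())

def demo():
    """Constructed data: one finger, a noisy re-capture of it, and an unrelated impostor."""
    rng = random.Random(42)
    base = [rng.random() for _ in range(TEMPLATE_BITS)]
    recapture = list(base)
    for i in (3, 17, 40, 58):               # four features read differently this time
        recapture[i] = 1.0 - recapture[i]   # 60 of 64 bits still agree, above threshold
    impostor = [rng.random() for _ in range(TEMPLATE_BITS)]   # unrelated finger
    store = TemplateStore()
    tid = store.enrol("alice", base)
    out = {"genuine": store.verify("alice", recapture), "impostor": store.verify("alice", impostor)}
    store.revoke(tid)                       # template leaked: disable it
    out["after_revoke"] = store.verify("alice", recapture)
    store.enrol("alice", recapture)         # re-enrol under a new template id
    out["re_enrolled"] = store.verify("alice", recapture)
    return out
```

The point of the threshold is that a live re-capture never reproduces the enrolled sample bit for bit, so matching is a closeness test rather than an exact comparison, which is also why a leaked template is handled by revocation rather than by asking the user for a "new" finger.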
So while Biometrics does have these distinct advantages, when compared to the other Cybersecurity technologies that are out there, it is the most prone to scrutiny by the public, and even to some degree feared. Why is this so?
The bottom line is that it is a piece of our individuality that is being taken from us and being stored somewhere that we do not even know of. But can’t the same also be said of passwords and credit card numbers?
Yes, it can be. But in these instances, we can always reset our passwords, or even call our credit card company to have a replacement card sent out in case it has been stolen or hijacked. But with Biometrics, this simply cannot happen. In other words, if somebody steals the raw image of your fingerprint, you cannot create an entirely different one. We cannot change what we are born with.
So in this sense, we have a loss of control, and there is not a whole lot that we can do about it. Really, it all comes down to the issues of privacy rights and civil liberties, which are core freedoms that are guaranteed by our own United States Constitution.
If we feel that our Biometrics-based PII has been stolen, at least theoretically speaking, we have the option to pursue legal recourse. But believe it or not, in other countries, where these freedoms are not afforded, Biometrics is a huge boon to these societies.
This is yet another huge topic for discussion, and in fact, I have also written a book just on this entire subject, which deals with the social impacts of Biometrics. As I had mentioned earlier in this blog, this kind of technology has been in and out of the public eye probably for at least the last two decades. The first time I remember is right after 9/11.
It was just like the .com craze for the Biometrics Industry, where venture capitalists and other investors were pouring money into existing vendors and startups. It was Facial Recognition that was getting all the glamor, and when it failed to live up to its expectations, it was totally booed out.
The next instance I remember is when Apple adopted Fingerprint Recognition (also known as “Touch ID”) into later versions of its iPhone brand, and subsequently Facial Recognition (also known as “Face ID”).
Now, we will be seeing a third episode where Biometrics will be heavily scrutinized not only by the public at large, but also by the governments around the world as well. The catalyst for this is all of the data privacy laws that have come about, primarily the GDPR and the CCPA.
It is important to keep in mind that Biometric Templates are also considered to be pieces of Personally Identifiable Information (PII), so as a result, companies will also be subject to audits and heavy financial fines if they store these Templates.
But what is further fueling the controversy even more is that Biometric Templates are not simply credit card numbers, Social Security Numbers, or even Drivers License Numbers. As described previously, Biometric Templates are nothing but mathematical files – so now the real issue is how do you deal with the privacy of them, if they cannot be traced back to the original individual who submitted these biological/behavioral samples in the first place?
This issue has already been coming out here and there in the Cyber news headlines, and quite frankly, nobody knows how to deal with it yet. In fact, there are some governments around the world that have totally prohibited the use of Biometrics in certain applications (such as that of Facial Recognition) because they simply cannot find an answer yet.
This is an extreme form of action to take in my opinion, but it is what it is in the environment that we are facing today.
So what can a business do about this? Well, first and foremost, if you do store Biometric Templates, make sure that you remain in compliance with every letter of both the CCPA and the GDPR. Also, keep using Biometrics – it truly is a great authentication tool to use, especially if you are thinking of implementing the Zero Trust Framework.
But here is one thing to also remember: Biometrics is just another piece of security technology. It too is prone to breakdowns and faults just like anything else in the world of Cybersecurity. Never rely upon it as your only means of defense. It works very well when it is used in conjunction with other tools, in what is known as a Multi-Modal approach.