The utilization of biometrics as a tool for securing and verifying identity has been standard practice among government and law enforcement agencies for quite some time now. Some of the common uses of biometrics include the collection and storage of fingerprints to track government- and state-issued permits and licenses (in the cases of healthcare professionals, passports, drivers’ licenses, etc.), the prevention of unauthorized access into secure facilities (military bases, restricted areas of government buildings, etc.) and the management of data pertaining to the criminal element of society.
In this article, we will take a look at the increasing use of biometrics in the private sector and explore some of the salient features of this technology from the perspectives of use and security/privacy.
A Brief History of Biometric Authentication for Consumer Devices
Built-in and after-market fingerprint readers have been part of portable computers for over a decade. In lieu of passwords, users have the option to run their fingertips over an optical sensor and gain access to their devices. However, for a time, the retail/consumer aspect of biometric authentication technology remained quite limited, both in use, and in capability, until the second quarter of this decade.
In 2012, Apple acquired a lesser-known company called AuthenTec for a whopping $356 million. Little could the world have known, at this point, that a whole new era of biometric authentication on consumer hand-held devices would soon follow.
In September 2013, Apple unveiled the Touch ID technology on its then-most-advanced smartphone - the iPhone 5S. Users would no longer need to be tied to securing and accessing their phones via numeric passcodes. They could, instead, register prints from one or more of their fingers, on the device, and use the iPhone’s fingerprint recognition feature for authentication and access. Since late 2013, we have seen biometrics enter more mainstream use cases involving the daily activities of the average Janes and Joes.
Apple’s release of its Touch ID technology quickly led other major smartphone manufacturers, such as Google and Microsoft, to introduce their own flavors of fingerprint authentication. In an era where product design is centered around making user experience lightning-fast, seamless and delightful, companies raced against one another to let the user save a precious couple of seconds in unlocking their phones by holding their fingers against a sensor, instead of ‘tediously’ having to type out a 4-character/digit passcode.
The game changed once again, in September 2017, when Apple announced Face ID, the next step in the technological evolution of consumer biometrics. A user now only had to hold up their phone and look at the screen with their eyes open to unlock it instantly, without any need to strain their thumbs against a fingerprint sensor. The device would automatically match the facial reference points registered to the device, and employ a set of complex algorithms to ensure that the person seeking access to the device is indeed authorized to get it.
The Various Uses of Consumer Biometrics
Device manufacturers, financial institutions and app developers have pushed the boundaries on the various uses for consumer biometrics over the years. With something that was initially conceived for the sole purpose of providing access to buildings and computer systems, consumers can now do a variety of things using biometric authentication. They are able to hold their phones against a credit card reader and make a transaction simply by providing biometric permission, instead of physically swiping/inserting a card or holding cash out to a clerk. Apple Pay, Google Pay, and Samsung Pay are some popular product offerings in this space of digital payments.
Besides the more obvious fintech use cases, biometrics are also used to authorize purchases from smartphone app stores. A user can also use biometric authentication to access and populate pre-saved credit card information into ecommerce purchase workflows. Biometrics are also being used, extensively, in the storage and retrieval of passwords from digital keychains. In this day and age when users have to register and create a profile to use virtually every online service, one would have to set, and recollect, multiple passwords, or multiple versions of one password, to use these services. Biometric authentication allows users to store and populate login information, contextual to any given website or login form, with the user needing to do nothing more than tapping on one of the login fields and authenticating with a fingerprint (or face recognition).
These are just some of the most widespread applications of biometric authentication that have streamlined our day-to-day activities, over the years.
Device or Server Storage – Understanding Where Your Biometric Credentials Live
In this section, I’ll try to delve into some of the high-level technicalities behind the storage and use of biometric data.
I recently heard a story from a friend who was shopping for a new smartphone at an Apple Store. While browsing through the stock, she overheard a rather interesting conversation between another customer and a sales representative. While the sales rep was explaining the benefits of Apple’s Face ID to the other customer, about how she only needed to look into the screen of the phone to unlock it instantly, the lady reportedly responded with an aghast look on her face. Far from questioning or inquiring about the security safeguards inherent to this form of authentication, the customer reportedly expressed issue with the manufacturer storing and referencing images of her unkempt face, whenever she tried to unlock and use the phone first thing in the morning.
While I did not delve into the details of how this interesting conversation unraveled further, or drove into any form of conclusion, I was intrigued by a consumer concern that I could not have expected – one of privacy.
While my friend was narrating this story, and when she was about to get to the part where this customer was just about to articulate her worry regarding the Face ID technology, I was more expecting something along the lines of “what if my twin sister, who resembles me too closely for my comfort, were to unlock the phone without my knowledge” or “what if someone unlocked my phone by snatching it from my hand, knocking me senseless, and holding it against my face?” Mind you, Apple claims there are adequate safeguards in the Face ID technology to mitigate (or even eliminate) unauthorized access in either of these hypothetical cases. For example, according to an article, “How Secure are Face ID and Touch ID,” from howtogeek.com, Apple states that there is a 1 in 50,000 chance that someone else’s fingerprint will unlock your phone, in case of Touch ID, and that there is a 1 in a million chance that someone else’s face could do it, when it comes to Face ID.
However, the core issue here is not necessarily unauthorized access, but one of self-consciousness and privacy in the digital networking age. This scenario may be used to drive home a major point regarding where the biometric data themselves are stored.
Several major manufacturers have categorically stated that biometric data, used for the purposes of device-driven authentication, are stored in a secured, encrypted location in the device itself. Furthermore, the biometric data are not uploaded to the manufacturer’s servers, cloud repositories, or any other location from which a third party could access them. In their raw form, the data are virtually inaccessible to anyone, even the authorized user of the device, who can only interface with them for either managing their authentication preferences, or for the purpose of authentication itself.
Therefore, I would surmise that the threat to consumer privacy through unauthorized access (which would require the hacker to first get a hold of the device, and then beat all the sophisticated security protocols put in place to safeguard the biometric data), or the chances of having a coincidental biometric match on a device owned by another user, are fairly low.
In September 2017, Alipay launched ‘Smile to Pay’ in China. This is a service where the user, for all practical purposes, does not need a smartphone or a personal device of any sort to make a payment at a supported retail location. According to a TechCrunch article dated September 2017, the customer need only sign up for the Alipay app and enable facial recognition through a compatible smartphone with a camera. Another 3D camera, located at the point of sale (just so someone cannot, theoretically, just hold up a photograph of someone else before the camera at the point of sale), scans the customer’s facial profile thoroughly to verify their identity against what was originally registered through the smartphone. There is also an additional phone number verification option that users might choose to enable with Smile to Pay.
Unlike cases where a user’s personal device is the storage location for their biometrics, this scenario implies that the user’s biometric data (i.e., those pertaining to their prints, face, etc.) would have to be uploaded onto, and referenced from a secure server/repository.
Keeping in mind that there are likely extremely robust mechanisms and infrastructure dedicated to the security and privacy of a user’s biometric data at this server/repository, the larger point to drive home here is that the user’s biometric profile, in this case, and unlike the first, is likely stored at a location outside the user’s personal device. This could raise security and privacy concerns in the minds of some. We will explore these apprehensions a little deeper in the following section.
The Risks of Having Biometric Data Stolen or Accessed
With all due credit to the robustness of modern security systems, which are increasingly using AI to monitor and protect consumer data, we have also seen several large data breaches over the last several years. In these breaches, deeply personal data such as users’ names, dates of birth, tax identification numbers, credit card details, etc., have been exposed to unauthorized access. In this section, we will explore the consequences of a hypothetical and extrapolated scenario where a user’s biometric credentials fall prey to unauthorized access.
To even get to this stage, however, and based on what we have seen so far, we must assume that whoever stole the biometric data (1) had the knowhow to navigate through complex safeguards and encryption protocols on any device or database and acquire the raw data, (2) is capable of interpreting the stolen data (in its raw form) and translating it into a usable biometric profile, and (3) is actually able to find a way to use the decrypted biometric data to “unlock another door.” Much modern biometric authentication hardware and software does not simply take pictures of your face and your thumbprints and dump them somewhere, from where they can be used in those very forms. The complex reference data captured from registering a face, or a thumbprint, are stored under layers of encryption and security firewalls. Even if someone beats the heaps of safeguards and arrives at the foundational data, they would have to have an intricate understanding of how the data themselves are formatted, so they might be effectively used. All of this does sound improbable, but if there is anything recent incidents in data security have taught us, it is that nothing is impossible.
With that cautious note, let us proceed to the ramifications of biometric data being stolen, if it indeed can be. Let us first talk about the consequences of non-biometric sensitive data being breached. If one loses credit card details and the thief goes on a spending spree, the victim may immediately call their bank to dispute the charges, cancel the card and get a new one. There is very limited liability to the customer under these circumstances as long as they are proactive with setting all the necessary remedial steps in motion. In fact, the customer can get right back on track, quite easily, in this scenario, and may even continue using the same financial product/credit card, albeit with a new number and other details such as expiration dates and security codes. As an extreme extension of the above scenario, a consumer may also request a new Social Security Number (SSN) in case theirs was compromised, and if they can adequately demonstrate that they are being “harassed, abused, or are in grave danger when using the original number,” as laid out by the Federal Trade Commission as the pivotal criterion for requesting a new SSN.
Note that the above examples are what I would classify as mutable extensions of a user’s identity, i.e., information that may be altered and reintegrated with the victim, even if with some effort and cost.
Taking this up a notch, however, what if more personal, more intrinsic, pieces of information, such as dates of birth or biometric data are stolen, whatever be the means? These are not identifiers that can easily be altered, as they are immutably coupled to a user’s identity. What if the (somehow) stolen biometric data are rerouted for illicit use elsewhere? Is there any remedial course of action the user can take to ‘replace’ or ‘deactivate’ the stolen data and get on with their lives like one can do with a compromised Social Security Number? How could anyone decouple someone from their own facial contours or fingerprints that the user might have used as keys to several doors, allegorically speaking? I am afraid these contentions will leave us with more questions than answers at this stage.
Nevertheless, I do not mean to insinuate that biometric data are at high risk of being stolen. I would, in fact, lean toward the opposite. The only point I am trying to drive home here, in the interest of taking a balanced view, is that the stakes of biometric data being breached are at least as high as, if not higher than, immutable, textual, personal data, such as dates of birth, names, etc. being compromised.
The larger, more real danger of biometric data being used without the express consent of their owners stems not from data breaches, unauthorized access, or accidentally unlocking another person’s phone in a 1-in-a-million case, but from government intervention. This is a world where users of technology leave data footprints willingly in a multitude of places, be it on some innocuous website, an app on a phone, or in physical locations such as airports, train stations, and immigration checkpoints. While there are explicitly police states that encroach upon the privacy of their civilian population with a vast network of surveillance equipment connected to face recognition software, the democratic world also grapples constantly with what might constitute proper justification for governments requesting (or demanding) access to citizens’ private data. This was exemplified by the Apple vs. FBI legal battle of 2016, where the FBI, through a judge’s order, asked Apple to unlock the iPhone of San Bernardino shooter Syed Farook.
Apple refused to provide a “master key” with which law enforcement agencies would become “capable of opening hundreds of millions of locks,” according to a CNBC article dated 2016. Also, according to the report, the FBI went ahead and dropped the case, claiming they had received the help they needed for unlocking the shooter’s phone, allegedly, from an Israeli firm called Cellebrite. While it is unclear whether any biometric data of the shooter were used, or even needed, to gain access to the device (if it was indeed accessed), this case highlights one of the most high-profile conflicts of interest between a democratic government trying to prosecute terrorists and keep its citizens safe, and the citizens themselves, who are entitled to privacy of information, even if they are suspected or convicted of heinous crimes.
Biometric authentication can indeed be thought of as a masterstroke from a product management perspective. It finds application in a variety of use cases, and improves user experience in areas as diverse as digital payments and data security. The security of biometric data also seems to have kept pace with the evolution of the technology, with corporate values and protective technology, more often than not, advocating equally for a consumer’s right to privacy.