Designing Biometrics for Humans

Ingrid Dyer, Chief Security Officer, Axa

Love them or hate them, biometric solutions are becoming increasingly popular in the world of technology. But as with all science-fiction-born innovation, this identity-mapping child star has had the misfortune of growing up in the spotlight, having to learn its lessons very publicly and sometimes very embarrassingly. Each attempt by security innovation enthusiasts has been met with a wave of privacy or accuracy concerns, which have held it back from the mainstream until now.

Enter 2020 and the once clumsy technology is becoming both increasingly popular and increasingly viable. Smartphones now use face and fingerprint biometric authentication. Biometric passport control is becoming the norm, schools are considering digital attendance registers, and prisons are looking for solutions to track early released criminals. The pandemic has encouraged most industries to reach for solutions to problems they never dreamed would be in their short-term roadmaps.

Derived from the words "Biology" and "Metrics", biometry is the application of statistical analysis to biometric data. These data attributes can be physical or biological, for example the measurements and patterns of our face, iris, fingerprint, hand outline, voice or even heartbeat.

Innovation is booming while privacy is rapidly diminishing, so where do you draw the line? How can you design a biometric solution with the human response in mind? You are going to come up against three interdependent factors:

1. The Creepiness Factor

Identifying customers as they walk (or browse) into your store may sound like the ultimate marketing tool; in reality, however, the experience can be unsettling. At best it makes a person feel watched, at worst it offends significant cultural values.

A biometric print is extremely personal; any storage or use without consent will feel invasive.

What can go wrong?

You risk reputational damage. Privacy is taken very seriously, and your attempt to draw more patrons could have the opposite effect through boycotting.

Or worse, you risk fines from regulators. The use of biometric data is highly controlled in Europe and universally protected around the world. The Dutch Data Protection Authority recently issued a €725,000 fine against a company for mandating a fingerprint time-and-attendance system, judging it to be overkill.

How do you fix it?

Consent! Make sure people can opt in and can opt out, and make sure they are aware when their biometric identity is being used.

Second, use regulations to guide you. The principles of the General Data Protection Regulation (the “GDPR”) focus on aspects such as transparency, security, and purposefulness, which are considered important in the context of European cultures. Regulation is fiercely and continuously debated and can save you the effort of doing the same.

2. The Convenience Factor

Unless you have a unicorn approving your budget, you are unlikely to win approval just because the technology you’re pitching is sexy. Convenience is probably the strongest motivation for business. But if your feature is being implemented primarily for convenience, it is essential to take some time to understand your end user.

What can go wrong?

If you are relying on biometrics for authentication, accuracy becomes the pivot. An overly sensitive biometric gatekeeper will destroy your solution, but relax the rules too far and you end up with the security equivalent of a “beware of the dog” sign on the fence of a sleeping Labrador puppy.

Then there are some other human factors. Some generations resist technology replacing the comfort of human interaction. Some more glamorous users sporting long nails will find fingerprint recognition terribly inconvenient.

How do you fix it?

Design to your demographic. Always offer an alternative option and position it according to your target audience. Provide the opt-out early if many of your users will need it or at the end of the prompt if the majority prefer automation.

Biometric authentication works best in a multifactor authentication model. Consider your second factor carefully to hack the user experience. Linking a device to a user provides seamless, implicit authentication, or multimodal biometrics could provide a second data point to improve recognition accuracy.
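The accuracy trade-off described above (an over-strict gatekeeper that turns away legitimate users versus a lax one that admits impostors), and the way a second biometric modality narrows the overlap, can be made concrete. This is an added example, not code from the article or from Axa; the matcher scores are constructed sample values, and the accept rule, threshold sweep and averaging fusion are assumptions for illustration.

```python
"""Threshold trade-off for a biometric matcher, on constructed data.

A matcher returns a similarity score in [0, 1]; access is granted when the
score meets a threshold. Raising the threshold rejects more legitimate users
(false rejection rate, FRR); lowering it admits more impostors (false
acceptance rate, FAR). Fusing a second modality separates the two groups.
"""

# Constructed sample scores (not real matcher output): genuine users' face
# scores cluster high, impostors' scores cluster low, with overlap between.
GENUINE_FACE = [0.95, 0.91, 0.88, 0.84, 0.80, 0.77, 0.72, 0.66, 0.61, 0.55]
IMPOSTOR_FACE = [0.15, 0.22, 0.30, 0.36, 0.42, 0.48, 0.53, 0.58, 0.63, 0.69]
# Second modality (e.g. fingerprint) for the same ten attempts, also constructed.
GENUINE_FINGER = [0.90, 0.93, 0.85, 0.89, 0.86, 0.81, 0.83, 0.79, 0.82, 0.76]
IMPOSTOR_FINGER = [0.30, 0.20, 0.35, 0.28, 0.25, 0.40, 0.33, 0.38, 0.45, 0.41]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for an 'accept if score >= threshold' rule."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def fuse(scores_a, scores_b):
    """Score-level fusion: average the two modalities' scores per attempt."""
    return [(a + b) / 2 for a, b in zip(scores_a, scores_b)]


def sweep(genuine, impostor, thresholds):
    """Return [(threshold, FRR, FAR), ...] so the trade-off can be inspected."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]


if __name__ == "__main__":
    thresholds = [0.5, 0.6, 0.7]
    print("face only: threshold  FRR   FAR")
    for t, frr, far in sweep(GENUINE_FACE, IMPOSTOR_FACE, thresholds):
        print(f"           {t:.2f}       {frr:.2f}  {far:.2f}")
    # Strict (0.7) rejects 30% of genuine users; lax (0.5) admits 40% of impostors.
    fused_gen = fuse(GENUINE_FACE, GENUINE_FINGER)
    fused_imp = fuse(IMPOSTOR_FACE, IMPOSTOR_FINGER)
    print("face+finger:", sweep(fused_gen, fused_imp, [0.6]))
```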

3. The Security Factor

Improving recognition accuracy provides a good segue into the third factor: security. Improving the accuracy of the authentication is an important first step, but it is also crucial to keep in mind the security of the solution itself.

What can go wrong?

The good news is that technology is getting smarter. A NIST study on facial recognition in 2018 found that the success rate had improved by 20% since the initial study in 2014.

The bad news is that cyber criminals are also getting smarter. New technologies such as deepfakes use artificial intelligence to mimic biometric qualities. Data breaches continue to make the news and dominate boardroom conversations on cyber risk.

We can’t ignore the responsibility of protecting the personal information used by the solution. Misappropriation or misuse of intimate biometric data can give way to discrimination, for example classification based on a person’s health status or ethnicity. Decisions to use and protect that data must be taken very seriously.

How do you fix it?

With brains and eyeballs. Whenever you are venturing into volatile data territory, it is crucial to pay attention to your design team. Architects, developers, and designers with strong security training will save you a lot of pain in the long run.

Authentication within the information system itself is often one of the first barriers to protection. The robustness of this mechanism is therefore crucial. When choosing an authentication module, consider its robustness and vulnerability factors.

Biometric data is powerful, but it needs to be protected. A person can change their password if it has been leaked but biometric characteristics are a bit more difficult (and perhaps more painful!) to alter.

A well-designed biometric solution can provide an impressive and convenient solution for the right audience. If the technology provides a good solution to your challenge, simply try to make biometrics voluntary, pay attention to regulation, and work with trusted partners and an expert team to embed security by design.
