BankThink

More regulation's needed to protect biometrics

Most of the heavy lifting for biometric data protection falls on the shoulders of the businesses that gather that data.

Fortunately, progress has been made in recent years, and collecting biometric data is much easier thanks to standards like FIDO2, which help to streamline the process of traditional identity authentication. Additionally, our phones have become powerful platforms for biometric sensors, including fingerprint readers and multi-modal cameras, which companies can leverage to capture facial and other visual biometric data.

While collecting biometrics has become easier in recent years, keeping that data secure after collection is an intensive process, with fraudsters and IT professionals constantly vying to stay one step ahead of each other. While there are several safeguards businesses can employ to help protect data, perhaps the simplest is to promote safe password practices to their customers. Passwords are the first level of protection, and ensuring customers do not use easy-to-guess codes goes a long way in safeguarding against vulnerabilities to biometric databases.

Adding layers of protection like a multi-factor authentication system makes it harder for intruders to gain access via remote attacks. But possibly the most critical layer to add in today’s environment is anti-spoofing technology to discern real from fake. One of these methods is liveness detection, which typically involves monitoring for the movement of physical features such as eyes and lips or using 3D depth perception, and it can go a long way toward preventing attacks.

At the same time, however, rubber masks, virtual reality and now deepfakes represent an increasingly sophisticated threat as hackers look to overcome these safeguards, and businesses need to remember not to underestimate the resourcefulness of bad actors. Biometric companies need to invest heavily in ensuring that liveness detection and other authentication technologies continue to improve so that we can trust the biometric signal.

As adoption of biometric identity verification technologies grows, governments are also looking to implement new regulations to protect consumer privacy. This comes on the heels of GDPR and more local legislation such as the California Consumer Privacy Act, which are gaining broader support as consumer awareness and concern over the security of their data are at an all-time high.

In perhaps the most prominent example of these new regulations, Congress is debating the Commercial Recognition Privacy Act, which aims to “strengthen consumer protections by prohibiting commercial users of facial recognition technology from collecting and re-sharing data for identifying or tracking consumers without their consent.” While legislation still has a long way to go to catch up to the pace of technology, this is a step in the right direction. The current climate is akin to the Wild West, with little protection for the consumer, and new regulations are needed if the technology is to continue to expand in a safe and sustainable way.

There is no doubt that biometric data is here to stay, as we have only scratched the surface of its usability. As technology advances, biometric data will permeate more of our everyday lives. It is not hard to imagine that soon retina scanners will be used to unlock the front door and the car will start just from a fingerprint touch. The future is bright and incredibly personal, so long as we all work together to ensure this biometric data is protected.
