Tags: decentralized biometrics, biometrics, biometric security

Category: Biometrics

Last Updated: 07 January, 2022

Securing biometrics

The use of biometrics to secure users’ access to locations, devices, and applications is exploding by any measure. Biometrics are the irrefutable link to “who you are”, as opposed to “what you have” and “what you know”, which are easily stolen and used by attackers. Biometrics have other benefits as well: they cannot be forgotten, there is nothing for a person to carry, they provide a good user experience, and so on. Strong identity systems based on biometrics provide an underlying fabric for social and economic development and for the provision of private and public services, serving as the basis for determining access to online services and enabling digital interactions. It is, in fact, almost impossible to separate identity needs from the way we live our lives, and this includes the Metaverse as well.

Nonetheless, for all their benefits, biometrics are a very sensitive type of personal data and pose significant privacy and societal risks if not managed properly. No one is immune. Most of the headlines center on private sector breaches, but government databases have been compromised too, the most recent being in Albania, where the leaked data is now available for sale for $1 to $5 on the dark web, depending on the information held.

Biometric concerns should not be ignored

Concerns are high for obvious reasons and relate to all phases of biometrics use:

  • Collection - Has the collecting entity received consent from the user to collect and use their biometrics? BIPA (Illinois’ Biometric Information Privacy Act) is bringing this issue front and center in the United States, with the pace of lawsuits picking up dramatically in 2021. In fact, as of August 2021, more than 750 class action lawsuits have been filed, many of which were settled. Among the most high profile was the Facebook settlement, which provided $200 to $400 per claimant.
  • Security - Is the entity securing the biometric data effectively and discarding it promptly when it is no longer needed? This is a key question for system design and accessibility. As stated before, biometric data breaches can have enormous consequences, as the data can later be used for attacks by both nation-states and fraudsters. At the core of the CPRA (California’s data protection law) and the GDPR (Europe’s equivalent) are several tenets relating to data security, data minimization, and fines for data breaches. How the data is protected becomes paramount to compliance and risk avoidance.
  • Privacy - The privacy element of biometrics is similar to that of other types of personal data and overlaps with the two areas of concern already discussed. Consent is the first aspect; usage is the second. Is the data used for the purpose for which it was collected? A related concern is secondary information derived from biometric characteristics that were initially collected for a different primary purpose. And finally, two other central tenets of the CPRA and GDPR are the “right to know” and the “right to be forgotten”.

As we have seen from the legislative and regulatory landscape, while not perfect, a lot of progress has been made on many of the consent and privacy aspects of biometrics. The security aspects, however, are still being fleshed out. In fact, in a January 2020 report, Gartner calls out the technical risks hampering biometric adoption, stating that “through 2023, 60% of midsize and 40% of large and global enterprises’ biometric authentication initiatives will experience failure or be compromised, due to incomplete assessment and mitigation of risks.” Given that the biometrics market is expected to grow to $100B by 2027, these risks cannot and should not be ignored by any stakeholder.

Mitigating biometric risks

Understanding the issue, industry innovators have been working on several approaches to reduce potential exposure or to limit possible exploitation in case of compromise.

Encryption

Encryption is used to protect biometric data at all of its stages: at rest, in transit, and, more recently, even during processing. Encryption at rest relates to encryption of the databases that hold the biometric data. Encryption in transit relates to the transport protocols, such as TLS, between system components. Both are key practices used by most systems today. However, encryption in transit and at rest leaves an exploitable gap: the data is exposed while it is being used by the applications. An attacker who compromises the organization’s environment may encroach on a server and collect all the biometric data while it is unencrypted (in use).

To close that gap, it is now possible to add encryption during processing by leveraging homomorphic encryption, which became operational only in recent years. Homomorphic encryption increases overall system security, as it eliminates the need to decrypt biometric data while it is being used for identification or verification.

With that said, encryption at every stage uses encryption keys that still need to be secured, which creates new risks. It should be noted that insider threats and misused privileged access account for about 35% to 60% of breaches. At every encryption level, the organization’s administrators have access to keys and servers. Moreover, an attacker who has reached the organization’s network may elevate their permissions to administrator and gain the same privileges, allowing them to compromise the encryption.

In addition, homomorphic encryption requires the encrypted computations to be implemented inside the encrypted database. That means that, in order to keep the biometric data encrypted, the biometric algorithms must be coded with the homomorphic encryption into the database and are restricted to the functions and biometric performance (accuracy) supported by that algorithm. Any improvement to the algorithm, which may happen multiple times a year, entails a database code upgrade, which is risky and costly and may cause organizations to keep using old, sub-optimal algorithms for a long time.
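To make the “encryption during processing” idea concrete, here is an added illustration that is not code from the original post or from any vendor product. It implements a toy Paillier scheme (additively homomorphic) and lets a matching server compute the squared Euclidean distance between an encrypted enrolled template and a presented probe without holding any decryption key; a separate key holder decrypts only the final score. The primes, the four-feature vectors and the acceptance threshold are constructed for the demo and are nowhere near real-world sizes.

```python
"""Added example: verifying a biometric template that is never decrypted.

Constructed illustration of encryption-in-use with a minimal Paillier
scheme. The matching server stores only ciphertexts and computes an
encrypted squared Euclidean distance; a separate key holder decrypts
nothing but the resulting score. Toy parameters only.
"""
import math
import secrets

# Constructed demo primes (about 30 bits). Real deployments use 1024-bit+ primes.
P, Q = 1_000_000_007, 1_000_000_009


def keygen(p=P, q=Q):
    """Paillier key pair: public (n, g), private (lambda, mu)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # standard generator choice
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)          # inverse of L(g^lambda mod n^2)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Enc(m) = g^m * r^n mod n^2 with a fresh random r coprime to n."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def enroll(pub, template):
    """Key holder encrypts each feature and the template's sum of squares."""
    enc_features = [encrypt(pub, a) for a in template]
    enc_sumsq = encrypt(pub, sum(a * a for a in template))
    return enc_features, enc_sumsq


def encrypted_distance(pub, enc_features, enc_sumsq, probe):
    """Server side: Enc(||a - b||^2) from Enc(a) and the plaintext probe b.

    ||a-b||^2 = sum(a^2) + sum(b^2) - 2*sum(a*b). sum(a^2) is stored encrypted,
    sum(b^2) is encrypted fresh, and each -2*a_i*b_i term comes from raising
    Enc(a_i) to the power (-2*b_i) mod n. No decryption key is involved.
    """
    n, _ = pub
    n2 = n * n
    acc = enc_sumsq * encrypt(pub, sum(b * b for b in probe)) % n2
    for ea, b in zip(enc_features, probe):
        acc = acc * pow(ea, (-2 * b) % n, n2) % n2
    return acc


def verify(template, probe, threshold):
    """End-to-end flow; returns (squared distance, accepted)."""
    pub, priv = keygen()
    enc_features, enc_sumsq = enroll(pub, template)                       # key holder
    enc_score = encrypted_distance(pub, enc_features, enc_sumsq, probe)   # server
    score = decrypt(pub, priv, enc_score)                                 # key holder sees only the score
    return score, score <= threshold


if __name__ == "__main__":
    enrolled = [10, 20, 30, 40]      # constructed 4-feature template
    presented = [12, 18, 30, 41]     # constructed probe from the same user
    print(verify(enrolled, presented, threshold=16))   # (9, True)
```

Two points from the surrounding text show up directly in the code: the comparison metric has to be expressed in the operations the scheme supports (here, addition and multiplication by a known scalar), so changing the matching algorithm means rewriting the encrypted computation, and the key holder that runs `decrypt` remains a trusted party whose key must itself be protected.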

Lastly, when it comes to data residency and ownership, encryption is applied to data the organization is hosting. The organization remains the sole controller of the hosted biometric data and is still subject to all data protection regulatory requirements.

Tokenization

Biometric data tokenization applies a one-way hash or one-way encryption to make the data unusable to an attacker. Tokenized data can be used to support both identification and verification use cases. But while tokens eliminate the original biometric data and prevent it from being stolen, a stolen token can actually allow an attacker to impersonate a user more easily, as it considerably reduces the matching complexity. The question then becomes how to secure the tokens.

The following comparison summarizes the tradeoffs between biometric data encryption and tokenization:

  • Transformation
    Encryption: Mathematically transforms plain information into a cipher representation using an encryption algorithm and key.
    Tokenization: Randomly generates a token value for the plain text and stores the mapping in a database.
  • Scalability
    Encryption: Scales to large data volumes with just a small encryption key needed to decrypt the data.
    Tokenization: Difficult to scale securely and maintain performance as the database grows in size.
  • Data types
    Encryption: Can be used for structured fields as well as unstructured data such as entire files.
    Tokenization: Used for structured data fields such as payment card or Social Security numbers.
  • Exchange with third parties
    Encryption: Ideal for exchanging sensitive data with third parties who have the encryption key.
    Tokenization: Difficult to exchange data, since it requires direct access to a token vault mapping the token values.
  • Format preservation
    Encryption: Format-preserving encryption schemes come with a tradeoff of lower strength.
    Tokenization: The format can be maintained without any diminished security strength.
  • Data residency
    Encryption: Original data leaves the organization, but in encrypted form.
    Tokenization: Original data never leaves the organization, satisfying certain compliance requirements.

Clearly, both methods leave something to be desired, which brings us to decentralization.

Decentralization 

Decentralization is the act of distributing data across multiple parties or locations so that it cannot be accessed or captured as a whole. When it comes to biometric data, two decentralization approaches are in use: device-based decentralization and network-based decentralization.

Device-based biometric decentralization means the biometric data remains on the device as a complete template. This is the approach used by Face ID and Touch ID and by FIDO USB authenticators. Biometric credit cards and other physical cards, such as the Arculus card introduced by CompoSecure, use this approach as well. With this method, the biometric data is stored in a secure enclave on the device and is well protected.

The problem with device-based biometric authenticators, however, is not the security of the biometric samples. The issue is that these authenticators create large blind spots that reduce overall system security and perpetuate fraud. Consider the case in which a fraudster has obtained your credit card information. There is nothing preventing them from adding these details to their own phone, with their own biometrics, and using the card thereafter on your behalf. This example demonstrates the gap that device-based biometrics leave between the biometric authentication and the actual identity being authenticated. The device is oblivious to the identity, and this gap is being exploited by fraudsters and attackers. Similarly, a person who onboards to a digital bank creates a username and password for access. The device-based authenticator is used to send a yes/no response to the bank, but the bank has no visibility into who is behind the device. The growing threat of SIM swaps is a clear indicator of this risk.

Another area in which device-based biometrics fall short is the applicable use cases. While they can be used for user verification (authentication) against the user’s own samples, they do not support user identification (1:N lookup) use cases. Some devices download a database of biometric samples to local storage to support these use cases, creating the risk of the whole database being compromised if the device falls into the wrong hands.

The second mode of decentralization is at the network level.

Network-based decentralization distributes the biometric data and activities across a network of nodes, eliminating the shortcomings of all the aforementioned methods.

  • Securing the keys - With network-based decentralization, every biometric sample is broken into multiple pieces, each encrypted with a different key, creating multi-layered, multi-dimensional encryption. The keys are not managed by or accessible to any administrator, eliminating the insider and attacker key-compromise threats.
  • Securing the matching - The biometric data is kept decentralized at all times, during storage as well as during any identification or verification activity, thus eliminating the ability to encroach on an application or server and collect it during clear-state processing.
  • Eliminating the identity gap - The decentralized network approach allows the same biometric sample to be used to verify a user from any device they are accessing, thus eliminating the device-based gap between users’ identities and their devices.
  • Supporting multiple use cases - It allows biometric identification as well as verification, overcoming the other shortcomings of the device-based decentralized approach and creating the possibility of a unified standard for decentralized biometric management applicable to large-scale government projects as well as day-to-day authentication needs.
  • Biometric algorithm agility - The decentralized network approach is biometric-algorithm agnostic, supporting multiple biometric modalities and algorithms and allowing seamless upgrades to enhance performance over time. This means a system implementation can rely on multiple biometric modalities and secrets as backups instead of usernames, PINs, passwords, and other knowledge-based authenticators.
  • Simplifying regulatory compliance - The decentralized biometric network approach uses Zero Knowledge Proof principles, meaning the data is fully anonymized and dispersed across multiple locations and is not needed in its original form to provide a match response. The anonymization and decentralization work to remove the data ownership and GDPR regulatory issues.
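The “securing the keys” and “securing the matching” points above describe a template that is split into pieces held by different nodes and matched without ever being reassembled. The following added illustration (not the post’s own code and not any vendor’s protocol) shows one way such a property can be achieved in practice: the template is split into additive secret shares, each node computes its part of the squared distance against a probe from its share alone, and only the partial scores are combined. Additive secret sharing here stands in for the per-piece encryption the text describes; the modulus, node count and feature vectors are constructed for the demo.

```python
"""Added example: matching a biometric template that is never reassembled.

Constructed illustration of network-based decentralization: the enrolled
template is split into additive shares held by separate nodes, each node
computes its share of the squared Euclidean distance to a probe locally,
and an aggregator sums the partial scores. No single node ever holds the
template, and the template is not reconstructed during matching.
"""
import secrets

MOD = 2**61 - 1   # constructed prime modulus for the share arithmetic


def share(value, n_nodes):
    """Split value into n_nodes additive shares; any n_nodes-1 of them are uniformly random."""
    shares = [secrets.randbelow(MOD) for _ in range(n_nodes - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def reconstruct(shares):
    """Only the full set of shares recovers the value (used here for checking, not for matching)."""
    return sum(shares) % MOD


def enroll(template, n_nodes):
    """Distribute one template: node k receives a share of every feature and of sum(a^2)."""
    feature_shares = [share(a, n_nodes) for a in template]
    sumsq_shares = share(sum(a * a for a in template), n_nodes)
    return [
        {"features": [fs[k] for fs in feature_shares], "sumsq": sumsq_shares[k]}
        for k in range(n_nodes)
    ]


def node_partial(node, probe):
    """Computed at a single node from its own shares only.

    ||a-b||^2 = sum(a^2) - 2*sum(a*b) + sum(b^2). The first two terms are linear
    in the template, so a share of them follows from shares of a alone.
    """
    dot = sum(s * b for s, b in zip(node["features"], probe))
    return (node["sumsq"] - 2 * dot) % MOD


def combine(partials, probe):
    """Aggregator adds the partial scores and the probe's own sum(b^2)."""
    return (sum(partials) + sum(b * b for b in probe)) % MOD


def verify(template, probe, n_nodes, threshold):
    """End-to-end flow; returns (squared distance, accepted)."""
    nodes = enroll(template, n_nodes)
    partials = [node_partial(node, probe) for node in nodes]
    score = combine(partials, probe)
    return score, score <= threshold


if __name__ == "__main__":
    enrolled = [10, 20, 30, 40]      # constructed 4-feature template
    presented = [12, 18, 30, 41]     # constructed probe from the same user
    print(verify(enrolled, presented, n_nodes=3, threshold=16))   # (9, True)
```

The design choice worth noting is that the matching function is chosen so that each node’s contribution is linear in its share; that is what lets the score be computed without bringing the pieces together, and it is also the constraint a real deployment inherits: a metric that is not linear in the template needs a more involved multi-party protocol than this sketch.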

Overall, network-based decentralized biometric systems promise to be superior to all other approaches used today, improving security, privacy by design, biometric performance, and the range of applicable use cases. Network-based decentralized biometrics also correlate well with the digital identity future of the Metaverse. More on that in future blogs.

In the meantime, contact us to learn about decentralized biometrics.