Biometric identification and authentication, are often misconstrued, or mistakenly used interchangeably. A joint paper by the EDPS and the Spanish DPA, offers clarification on 14 common misconceptions on the two.
Biometric identification and authentication, although sometimes linked, refer to two distinguishable concepts. Biometric Identification is the process of identifying an individual among a group using biometric data such as fingerprints or facial recognition, comparing the data to that of others within the group. Authentication, on the other hand, is the process of comparing the data of an individual with the data of a claimed identity in order to prove the identity claimed by the individual. The increase in popularity of the use of biometric data has uncovered several misconceptions on the technology. The EDPS and Spanish DPA have decided to clarify the fourteen most common misconceptions,of which we have provided a summary.
Misconception
“Biometric information is stored in an algorithm”
Clarification
An algorithm is not a means of storing information, rather a set of procedures or instructions. The information is stored within data records called templates, patterns or signatures, which differentiate persons from each other by numerically recording the physical characteristics. However some procedural knowledge can be passed down to some machines.
Misconception
“The use of biometric data is as intrusive as any other identification/ authentication system”
Clarification
Biometric data is actually more intrusive, as a lot more information can be involuntarily extracted from a small sample of data, including personal information which can easily single out the person and collect information on their state of being which may actually be irrelevant to the use of the data. Race, gender, substance use, diseases and even a person’s emotional state can be discerned from biometric data.
Misconception
“Biometric identification / authentication is accurate”
Clarification
It has a larger room for error than password/pin based systems as there are simply more variables that are involved. Biometric identification is based on probability, as compared to password or pin based systems which are either 100% correct, or processed as incorrect. Due to the nature of biological matter they are affected by the circumstances around them i.e humidity,refraction ,technical difficulties, age or any of these could skew the accuracy of the results of the input, resulting in false positives and negatives.
Misconception
“Biometric identification/ authentication is precise enough to always differentiate between two people”
Clarification
This is not always the case, and is particularly difficult in cases of twin siblings and in open areas where the facial recognition could be less than accurate. Also, obstructions on the face can also greatly reduce accuracy. Accuracy of biometric input is improving on an ongoing basis, as the technology continues to evolve.
Misconception
“Biometric identification/ authentication is suitable for all people”
Clarification
Some physical impairments prevent all types of biometrics from being administered all the time. Whether it is a temporary state of being or a more permanent condition such as being paralysed, it causes there to be some difficulty in collecting or processing biometric data for some people.
Misconception
“The biometric identification/ authentication process cannot be circumvented”
Clarification
This is not true. Some types of biometric identification or authentication are difficult to circumvent. However, over time many inexpensive means have come about getting around these security measures. There are systems whose entire purpose is to defeat facial recognition software, while retinal and footprint scans can also be fooled with the right equipment and sufficient preparation.
Misconception
“Biometric information is not exposed”
Clarification
The information provided to biometric scanners and databases are simply traits which are recognizable and easily identifiable. This is why they are indeed exposed. Infrared, high fidelity images and other equipment can easily extract biometric information from others without their consent or even their knowledge. Avoiding the unwanted reading or exposure of biometric information is actually a lot harder to prevent for the average citizen.
Misconception
“Any biometric processing involves identification/ authentication”
Clarification
This is not the case. Authentication is not very strenuous, but simply meant to differentiate between eligible users and non-eligible. However, it is not an infallible system and cannot be bypassed without 100 percent accuracy. False readings are also not unheard of, so the authentications aren’t very stringent security protocols that one can depend on as a foolproof main source of security.
Misconception
“Biometric identification/ authentication systems are safer for users”
Clarification
It can actually be quite problematic having biometric information stored in a singular place as it cannot be changed like a pin or a password, once breached there are very few means of mitigating the possible damage. Typically most entities that hold biometric information tend to invest a bit more into security measures, due to the sensitivity of the information.
Misconception
“Biometric authentication is strong“
Clarification
On its own biometrics is considered weak due to it being a single layered security protocol but typically it would be a prerequisite that some other form of identification would be required to access the biometric input e.g an employee ID badge to swipe into the room with a retinal scanner- The retinal scanner itself is weak on its own.
Misconception
“Biometric identification/ authentication is more user-friendly”
Clarification
Depending on the implementation and the ease of enrolment and/ or inclusion into these biometric systems, the result could be very streamlined or it could be extremely tedious and with issues that are harder to rectify, particularly when compared to simply resetting a password or obtaining a new ID, and deactivating or making the old one invalid. Biometric data cannot be changed once collected.
Misconception
“Biometric information converted to a hash is not recoverable”
Clarification
As an added layer of security to the processing of biometric data, it is recommended that the biometric pattern from which the “hash” or “biohash” was obtained be removed. However, some studies show that it is possible to reverse the biohash, and obtain the original biometric pattern, particularly if the secret key has been violated.
Misconception
“Stored biometric information does not allow the original biometric information to be reconstructed from which it has been extracted”
Clarification
Biometric pattern, or stored biometric information does allow the original biometric information to be reconstructed (e.g generating a face from facial recognition biometric pattern). In some cases the biometric information reconstructed from the pattern is accurate enough to be recognized as the original information. The accuracy of the reconstruction depends on the amount of biometric information collected.
Misconception
“Biometric information is not interoperable”
Clarification
Biometric information processing systems are particularly developed to be interoperable. Systems that work by comparing the result of applying a hash function on biometric patterns can also be made interoperable by simply sharing the keys used during the hashing process.
What are the implications of this information for my business?
Understanding the concept and inner workings of processing biometric identification and authentication data is paramount to ensuring that that data is handled ethically if your business processes such data. In this way, a proper understanding lends itself to sufficient and appropriate data protection. It is important to note that the GDPR classes biometric data as special category data in the vast majority of cases, requiring extra protection in processing. Biometric data becomes classed as special category data the moment that it is used “for the purpose of uniquely identifying a natural person”.
