Securing biometrics
The use of biometrics to secure users’ access to locations, devices, and applications is exploding by any measure. Biometrics are the irrefutable link to “who you are”, as opposed to “what you have” and “what you know”, which are easily stolen and used by attackers. There are other benefits to biometrics as well: they cannot be forgotten, there is nothing for a person to carry with them, and they provide a good user experience. Strong identity systems based on biometrics provide an underlying fabric for social and economic development and for the provision of private and public services, as the basis for determining access to online services and enabling digital interactions. It is, in fact, almost impossible to separate identity needs from the way we live our lives, and this includes the Metaverse as well.
Nonetheless, for all their benefits, biometrics are a very sensitive type of personal data and pose significant privacy and societal risks if not managed properly. No one is immune. Most of the headlines center around private sector breaches, but government databases, too, have been compromised, the most recent being in Albania, where the leaked data is now available for sale for $1 to $5 on the dark web, depending on the information held.
Biometric data security concerns should not be ignored
Concerns are high for biometrics and security for obvious reasons and relate to all phases of the identity lifecycle:
- Biometric Data Collection - Has the collecting entity received consent from the user to collect and use their biometrics? BIPA (Illinois’ Biometric Information Privacy Act) is bringing this issue front and center in the United States, with the pace of lawsuits picking up dramatically in 2021. In fact, as of August 2021, more than 750 class action lawsuits have been filed, many of which were settled. Among the most high profile was the Facebook settlement, which provided $200 to $400 per claimant.
- Biometric Data Security - Is the entity securing the biometric data efficiently and discarding it promptly when it is not needed? This is a key question for system design and accessibility. As stated before, biometric data breaches can have enormous consequences as the data can later be used for attacks by both nation-states and fraudsters. At the core of the CPRA (California’s Data Protection law) and the GDPR (Europe’s version) are several tenets relating to data security, data minimization and fines for data breaches. How the data is protected becomes paramount to compliance and avoidance of risk.
- Biometric Data Privacy - The privacy element of biometrics is similar to that of other types of personal data and overlaps with the other two areas of concern already discussed. Consent is the first aspect; usage is the second. Is the data used for the purpose for which it was collected? A derivative of this is secondary information derived from biometric characteristics that were initially collected for a different primary purpose. And finally, other central tenets of the CPRA and GDPR are the “right to know” and the “right to be forgotten”.
As we have seen through the legislative and regulatory landscape, while not perfect, a lot of progress has been made with respect to many of the consent and privacy aspects of biometrics. The security aspects, however, are still being fleshed out. In fact, in a January 2020 report, Gartner calls out the technical risks hampering biometric adoption, stating that, “through 2023, 60% of midsize and 40% of large and global enterprises’ biometric authentication initiatives will experience failure or be compromised, due to incomplete assessment and mitigation of risks.” Given that the biometrics market is expected to grow to $100B by 2027, these biometric data security risks cannot and should not be ignored by any stakeholder.
Mitigating biometrics and security risks
Understanding the issue, industry innovators have been working on several approaches to reduce potential exposure or limit possible exploitations in case of compromise.
Encryption
Encryption is used to protect biometric data at all of its stages: at rest, in transit, and recently even during processing. Encryption at rest refers to encryption of the databases that hold the biometric data. Encryption in transit refers to the transport protocols, such as TLS, used between system components. Both are key practices used by most systems today. Encrypting data only in transit and at rest, however, leaves an exploitable gap: the data is exposed while the applications are using it. An attacker who compromises the organization’s environment may encroach on a server and collect all the biometric data while it is unencrypted (in use).
To close that gap, it is now possible to add encryption during processing by leveraging homomorphic encryption, which became operational only in recent years. Homomorphic encryption increases overall system security because it eliminates the need to decrypt biometric data while it is being used for identification or verification functions.
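The following is an added example, not code from the post or from any vendor it mentions, showing the property described above: a matching server that holds only Paillier-encrypted template features computes the encrypted squared distance to a fresh probe, and only the private-key holder can turn that ciphertext into a score. It assumes a toy Paillier key built from two constructed small primes and small non-negative integer feature vectors, all constructed here.

```python
import secrets
from math import gcd

# Constructed toy primes for illustration only; real deployments use >= 1024-bit primes.
P, Q = 1000003, 1000033

def keygen(p=P, q=Q):
    """Paillier key pair using the standard g = n + 1 simplification."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    mu = pow(lam, -1, n)  # with g = n + 1, L(g^lam mod n^2) == lam, so mu = lam^-1 mod n
    return n, (lam, mu)

def encrypt(n, m):
    """Enc(m) = (n+1)^m * r^n mod n^2 with a fresh random blinding factor r."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(n, priv, c):
    """Only the private-key holder can do this; the matching server never needs it."""
    lam, mu = priv
    return ((pow(c, lam, n * n) - 1) // n * mu) % n

def enroll(n, template):
    """Enrolment side: the server stores Enc(t_i) and Enc(sum t_i^2), never the plaintext."""
    return [encrypt(n, t) for t in template], encrypt(n, sum(t * t for t in template))

def encrypted_distance(n, enc_template, enc_sq_norm, probe):
    """Server side: Enc(sum (t_i - p_i)^2) from ciphertexts and a plaintext probe.
    Multiplying Paillier ciphertexts adds their plaintexts; exponentiating scales them."""
    n2 = n * n
    acc = enc_sq_norm
    for ct, p in zip(enc_template, probe):
        acc = acc * pow(ct, -2 * p, n2) % n2       # adds -2 * t_i * p_i
        acc = acc * pow(n + 1, p * p, n2) % n2     # adds the constant p_i^2
    return acc

def match(n, priv, enc_dist, threshold):
    """Key holder decrypts only the score and applies the decision threshold."""
    d = decrypt(n, priv, enc_dist)
    return d, d <= threshold

if __name__ == "__main__":
    n, priv = keygen()
    enc_t, enc_sq = enroll(n, [10, 20, 30, 40])  # constructed template and probe
    print(match(n, priv, encrypted_distance(n, enc_t, enc_sq, [12, 18, 30, 41]), 16))
```

Whoever holds the private key can still decrypt every stored ciphertext, not just the score, which is the key-compromise risk the post turns to next.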
That said, encryption at every stage relies on encryption keys that still need to be secured, and this creates new risks. It should be noted that insider threats and misused privileged access account for about 35% to 60% of breaches. At every encryption level, the organization’s administrators have access to the keys and servers. Moreover, an attacker who has reached the organization’s network may elevate their permissions to administrator and gain the same level of privileges, allowing them to compromise the encryption.
On top of that, quantum computing, which is now becoming fairly accessible, is forecast to be able to crack encryption keys much faster than previously conceived. Researchers at the University of Sussex estimated in February 2022 that a quantum computer with 1.9 billion qubits could crack the encryption safeguarding Bitcoin within a mere 10 minutes; just 13 million qubits could do the job in about a day. We are still not close to this speed, as the strongest quantum computer from IBM currently delivers 433 qubits, which means it would still take 4.7 years to crack such a key, but IBM is doubling to tripling its qubit count every year (127 qubits in 2021, 433 qubits in 2022, 1000 qubits expected by the end of 2023). However, 4.7 years is light-years faster than classical computing, where even hundreds of powerful computers working on a single private key would still take millions of years. With that on the horizon, no regular encryption key will suffice to encrypt any database or session, and alternatives have to be developed, which is why the National Institute of Standards and Technology (NIST) created a Post-Quantum Cryptography working group that announced the first four quantum-resistant cryptographic algorithms in July 2022.
Going back to homomorphic encryption: not only is it still susceptible to key compromise like any other encryption, it also requires the encrypted computations to be implemented inside the encrypted database. That means that in order to keep the biometric data encrypted, the biometric algorithms need to be coded together with the homomorphic encryption into the database and are restricted to the functions and biometric performance (accuracy) supported by that algorithm. Any improvement to the algorithm, which may happen multiple times a year, entails a database code upgrade that is risky and costly, and may cause organizations to keep using old and sub-optimal algorithms for a long time.
Lastly, when it comes to data residency and ownership, encryption is done on the data the organization is hosting. The organization remains the sole controller of the hosted biometric data and is still subject to all data protection regulatory requirements.
Tokenization
Biometric data tokenization applies a one-way hash or one-way encryption to make the data unusable to an attacker. Tokenized data can be used to support both identification and verification use cases. But while tokens eliminate the original biometric data and prevent it from being stolen, a stolen token can actually allow an attacker to impersonate a user more easily, as it considerably reduces the matching complexity. The question then becomes how to secure the tokens.
The following table summarizes the biometric security tradeoffs of encryption vs. tokenization:
| Encryption | Tokenization |
| --- | --- |
| Mathematically transforms plain information into a cipher representation using an encryption algorithm and key | Randomly generates a token value for the plain text and stores the mapping in a database |
| Scales to large data volumes with just the use of a small encryption key to decrypt data | Difficult to scale securely and maintain performance as the database increases in size |
| Can be used for structured fields as well as unstructured data such as entire files | Used for structured data fields such as payment card or Social Security numbers |
| Ideal for exchanging sensitive data with third parties who have the encryption key | Difficult to exchange data, since it requires direct access to a token vault mapping the token values |
| Format-preserving encryption schemes come with a tradeoff of lower strength | The format can be maintained without any diminished strength of the security |
| Original data leaves the organization, but in encrypted form | Original data never leaves the organization, satisfying certain compliance requirements |
It’s clear that both methods leave something to be desired, which brings us to decentralization.
Decentralization
Decentralization is the act of distributing data to multiple parties or locations, in order to eliminate the ability to access or capture it in whole. When it comes to biometric data, two decentralization approaches are being used: device-based decentralization and network-based decentralization.
Device-based biometric decentralization means the biometric data remains on the device as a whole template. This is the approach used by Face ID and Touch ID, and by FIDO USB authenticator devices. Biometric credit cards and other physical cards, like the Arculus card introduced by CompoSecure, use this approach as well. With this method, the biometric data is stored in a secure enclave on the device and is well protected.
The problem with device-based biometric authenticators, however, is not the security of the biometric samples. The issue is that these authenticators create large blind spots that reduce overall system security and perpetuate fraud. Consider the case in which a fraudster has obtained your credit card information. There is nothing preventing them from adding these details to their own phone, with their own biometrics, and using the card thereafter on your behalf. This example demonstrates the gap that device-based biometrics leave between the biometric authentication and the actual identity it is authenticating. The device is oblivious to the identity, and this gap is being exploited by fraudsters and attackers. Similarly, a person who onboards to a digital bank generates a username and password for access. The device-based authenticator is used to send a yes/no response to the bank, but the bank has no visibility as to who is behind the device. The growing threat of SIM card swaps is a perfect indicator of this risk.
Another aspect in which device-based biometrics fall short is the applicable use cases. While they can be used for user verification (authentication) against the user’s own samples, they do not support user identification (1:N lookup) use cases. Some devices download a database of biometric samples to their local storage to support these use cases, creating the risk of the whole database being compromised if the device falls into the wrong hands.
The second mode of decentralization is at the network level.
Network-based decentralization distributes the biometric data and activities across a network of nodes, eliminating the shortcomings of all the aforementioned methods.
- Securing the keys - With network-based decentralization, every biometric sample is broken into multiple pieces, each encrypted with a different key, creating multi-layered, multi-dimensional encryption. The keys are not managed by or accessible to any administrator, eliminating the insider and attacker key-compromise threats.
- Securing the matching - The biometric data is kept decentralized at all times, during storage as well as during any identification or verification activity, thus eliminating the ability to encroach on an application or server to collect it during clear-state processing.
- Eliminating the identity gap - The decentralized network approach allows using the same biometric sample to verify a user from any device they are accessing, thus eliminating the device-based gap between the users’ identities and their devices.
- Supporting multiple use cases - It allows biometric identification as well as verification, overcoming the other shortcomings of the device-based decentralized approach and creating the possibility of a unified standard for decentralized biometric management that is applicable to large-scale government projects as well as day-to-day authentication needs.
- Biometric algorithm agility - The decentralized network approach is biometric-algorithm agnostic: it supports multiple biometric modalities and algorithms and allows seamless upgrades to enhance performance over time. This means that a system implementation can rely on multiple biometric modalities and secrets as backup factors instead of usernames, PINs, passwords, and other knowledge-based authenticators.
- Simplifying regulatory compliance - The decentralized biometric network approach uses zero-knowledge-proof principles, meaning the data is fully anonymized and dispersed across multiple locations and is not needed in its original form to provide a match response. The anonymization and decentralization work to remove the data ownership and GDPR regulatory issues.
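As an added example, not from the post and not the vendor’s design, one standard way to realise the “broken into pieces” principle from the list above so that no single node holds a sample is additive secret sharing: each node stores one uniformly random-looking piece of the template, and a linear match score (a dot product) is computed node by node on the pieces and then combined, so the template is never reassembled during matching. It assumes a constructed 61-bit prime field, small non-negative integer features, that the probe is sent to each node in the clear, and that the combiner is trusted with the final score; the last two are simplifications a real deployment would have to address.

```python
import secrets

# Constructed field: a 61-bit prime. Feature values are kept small and non-negative so
# every honest score stays below MOD and needs no signed decoding.
MOD = (1 << 61) - 1

def split_template(template, n_nodes):
    """Additive secret sharing: each node gets one masked piece of every element.
    Any n_nodes - 1 pieces together are uniformly random and reveal nothing."""
    shares = [[0] * len(template) for _ in range(n_nodes)]
    for i, t in enumerate(template):
        running = 0
        for k in range(n_nodes - 1):
            shares[k][i] = secrets.randbelow(MOD)
            running = (running + shares[k][i]) % MOD
        shares[-1][i] = (t - running) % MOD  # last piece fixes the sum to t
    return shares

def reconstruct(shares):
    """Only a party holding every piece can rebuild the template."""
    return [sum(col) % MOD for col in zip(*shares)]

def node_partial_score(share, probe):
    """Runs at one node on its own piece; the template is never rebuilt there."""
    return sum(s * p for s, p in zip(share, probe)) % MOD

def combine(partials):
    """The combiner adds the partial scores; the sum equals <template, probe>."""
    return sum(partials) % MOD

def decentralized_match(shares, probe, threshold):
    """Score a probe against a template that exists only as dispersed pieces."""
    score = combine(node_partial_score(s, probe) for s in shares)
    return score, score >= threshold

if __name__ == "__main__":
    pieces = split_template([3, 5, 7], 3)              # constructed template, 3 nodes
    print(decentralized_match(pieces, [2, 4, 6], 60))  # constructed probe -> (68, True)
```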
Overall, network-based decentralized biometric systems promise to be superior to all other approaches used today, improving security, privacy by design, biometric performance, and the range of applicable use cases. Network-based decentralized biometrics also align well with the digital identity future of the Metaverse. More on that in future blogs.
In the meantime, contact us to learn about decentralized biometrics.