Trust Stamp Blog

Protecting Biometric Identity Against Data Breaches

Written by John Bridge | Oct 5, 2022 7:42:09 AM

Biometric technology has become ubiquitous as both an identity management and verification tool as well as providing enhanced access control. Biometrics provide opportunities to create and manage identities in places where identification standards were previously scant or non-existent. They also substitute as an identification standard in places with traditional, well-established systems for identification. Biometrics are replacing passwords and keycards in many use cases where databases, facilities or applications require controlled access.

Biometric identification has become standard in places like India. In 2009, India’s Ministry of Electronics and Information Technology launched Aadhaar, a 12-digit identification number comprised of biometrics and demographic data. Administered by the Unique Identification Authority of India, the database has swelled to over 1.1 billion records, making it the world’s largest biometric repository. This volume of data creates exceptional risk exposure to biometric data breaches.

Biometric technology remains an emerging market. However, traditional data breaches have been around for nearly fifty years. Over six million data records are lost or stolen every day. Data breaches result in loss of brand reputation, may result in expensive fines, require expensive mitigation processes and result in loss of trust. Equifax was fined up to 700 million dollars for the 2017 data breach, in addition to their other expenses related to credit monitoring and mitigation. Businesses suffer in other ways as well. For instance, stock values drop an average of five percent following the announcement of a data breach. The majority of CMO’s believe the greatest loss following a data breach is the reputational impact on a brand. With reputation leading concerns over traditional data, the impact of biometric data is certain to come with a corresponding increase in concern from consumers.

The relevance of biometric data loss can be found in several high-profile breaches of biometric data that have happened in recent years. Among these major data-losses are: the OPM data breach resulting in the loss of 5.6 million fingerprints; Suprema’s Biostar 2 data breach resulting in the loss of biometric data on more than one million users; the Israeli Population Authority breach whose extent of data loss remains unclear; the Preceptics License Plate Reader data breach which was released to the dark web; the data breach of Chinese surveillance company Sensenets which revealed that the Chinese government was tracking nearly 2.6 million people in a region of Xinjiang; and a series of Aadhaar breaches in India which exposed the identity records of 1.1 billion citizens. The magnitude and sensitivity of these breaches demonstrate the importance of finding solutions that better protect biometric data from data loss. While traditional data breaches have generally required password changes, biometrics are permanent. The loss of biometric identity has lasting ramifications.

Public perception related to the collection of biometrics presents another challenge to both adopting as well as trusting processes related to biometric data collection. This is particularly relevant to government and law enforcement use of the technology. While law enforcement has been collecting biometric data in the form of fingerprints since the early twentieth century, the emergence of other biometrics has been more controversial. Privacy concerns are the primary focus of friction in this arena. Several cities have already banned police use of facial recognition stating concerns over accuracy, abuse and the creation of a surveillance state. However, a Pew Report finds that the majority of Americans trust law enforcement to use this technology responsibly. A report published by Paysafe finds that “Consumers are yet to be convinced of the security benefits of replacing passwords with biometric authentication, and this may hinder adoption, even if they make payments more convenient.” The balance between privacy and convenience creates tension in emerging biometric markets.

Legal responsibilities run parallel to the issue of trust. The American Bar Association (ABA) has published information related to the permanent risk to personally identifiable information (PII) publishing pointers for the collection of biometric identification. Among the recommendations made by the ABA are to “secure with encryption the biometric data at rest and in transit” and to “consider storing less than 100 percent of the entire biometric dataset for an individual.” These are important legal considerations that may be addressed in the technological architecture.

Designing a solution to address these concerns is preferable to creating reactionary solutions. One pro-active method of protecting this type of data “at rest and in transit” is to hash the data. While the ABA recommends encryption, non-encrypted hashing is far more secure. The technological challenge lies in the creation of a process that allows hashed data to serve as a zero-knowledge proof related to identity verification. This challenge has been resolved with the creation of the Evergreen Hash ™, developed by Atlanta-based Trust Stamp. Trust Stamp has created an Artificial Intelligence-driven solution capable of storing PII separate from identity hashes consistent with the ABA recommendation not to store the entire biometric dataset for an individual together. The Evergreen Hash takes this recommendation a step further, allowing the biometrics to be destroyed when a hash is created, or allowing it to be stored separately from the hash on a secure server. The hash has pivot points allowing for identity verification while pointing to sensitive data stored securely in another location.

Hashing technology is different from encryption in that hashing is irreversible. This means that there is no encryption key that would allow an entire data lake to be compromised. The technology relies on artificial intelligence which provides a one-to-many zero-knowledge proof related to identity, without requiring any actual biometrics to be “stored or transited.” This process also allows for deduplication, matching any duplicate identities in order to prevent the creation of synthetic identities within a data lake. As citizen-consumers navigate the issues of privacy and convenience, governments and businesses are forced to contend with the consequences of data loss. The permanency of biometric data breaches creates an enhanced need for improved solutions related to biometric-based identification. Consumers seek low-friction solutions while expecting their privacy to be protected. The legal implications of losing biometric data in an era of fines approaching one billion dollars is a sobering thought. Building solutions like hashing and zero-knowledge-proof allows for low-friction with enhanced security. It is a solution that currently exists and can be implemented with existing biometric technology.

As this technology continues to emerge, Trust Stamp continues to research enhanced solutions to biometric identity. Multi-factor authentication may be replaced by multi-modal biometrics. Currently, consumers prefer a combination of passwords and biometrics. The ease of biometrics along with the enhanced security of multi-modal options indicates an area of potential growth in the area of low-friction biometric authentication.

Biometric identification will continue to increase and will likely become the standard for both identity verification as well as access control. This growth does not alleviate the moral and legal responsibilities to protect sensitive data from data breaches. The permanency of biometrics makes this issue increasingly important. With technology already available to make this process more secure, it is imperative to continue researching ways to improve security and protect consumers and citizens against the compromise of their most sensitive data, their biometric identity.