More than twenty years ago, biometric devices appeared in sci-fi movies as a futuristic concept: a fingerprint used to authenticate the user. There is a well-known scene in the movie “Sneakers” with Robert Redford (1992, Universal Pictures) where a group of hackers coerce a character into speaking specific words into a microphone and then reuse that voice recording to break into a high-tech lab that uses voice recognition as its access control. Inspiring, and even somewhat comical at the time, this technology has now become a reality.
Biometric devices are identification devices that authenticate an individual by using a part of their body or their behaviour to identify them uniquely. Biometric authentication is considered an additional layer of authentication, used in conjunction with a username/password combination. Combining factors in this way is known as multi-factor authentication.
While biometric devices were initially intended for controlling access to buildings, smartphones have since introduced biometrics to authenticate users on the phone itself. Touch ID is the name of the technology used on the iPhone; Android phones use a similar concept. In both cases a fingerprint is used to identify the people authorised to use the phone.
One of the key places where biometric devices are installed is in schools. Some institutions use the technology to manage truancy and to provide enhanced services such as borrowing books from the library. Over the years, privacy concerns have arisen over biometrics, in particular around the storing of fingerprints, voice samples and other unique identifiers. Security has also been a concern around biometric management systems and the protection of the personally identifiable information they hold about each individual.
The list below outlines some facts about biometric systems:
- Biometric systems do not store samples of fingerprints and other body identifiers. When a user is registered in a biometric system, the unique identifiers on their body are converted into the result of a complex mathematical transformation (a template), and it is difficult to reverse that template to reconstruct the original identifier.
- This information is not readily available to the legal system. Even where biometric information such as fingerprints is stored, law enforcement would need a warrant, an arrest or charges laid against the individual before it could obtain the personal information held about them in the biometric system.
- Malicious actors can still gain access to offline networks that are not connected to the Internet, regardless of whether the information is stored onsite or offsite. Although this is more difficult and the likelihood of compromise is remote, a sufficiently motivated attacker can still compromise a biometric management system.
Implementing biometric technology carries significant responsibility. Operating biometrics is no different from operating any other IT system introduced into a digital environment. There are seven essential tips that organisations should consider when adopting this technology:
1. Develop a risk management plan that outlines all risks associated with implementing biometric technology in your digital environment, and ensure the organisation remediates any risk that is at or above the organisation's risk appetite.
2. Ensure that biometric management systems are isolated from critical corporate network systems and that connectivity to these systems is minimised. If connectivity cannot be avoided, permit only the communication required for the system to operate correctly.
3. Develop a policy that governs how biometric technology is used in the organisation. Ensure that training is included, that the obligations around protecting the information held in this system are covered, and that the whole workforce is aware of those obligations.
4. Develop processes for auditing and monitoring activity in the biometric system, ensuring that any access, privileged action or change to the system is flagged and reported to the appropriate stakeholders within the organisation.
5. Ensure that maintenance of these systems, including software updates, vulnerability management, the disaster recovery plan, the incident response plan and backups, is included in the overall management of corporate systems within the organisation.
6. Ensure that appropriate Service Level Agreements (SLAs) are set and agreed with the biometric system vendor, so that support is available in the event of a disaster or an outage of the system that is beyond the skill set of your current IT organisation.
7. Consult a change manager if this is a brand-new technology for the organisation. Change managers can assist with any culture and people-based issues you may encounter during the implementation and can provide a strategic roadmap to remediate those challenges.
Biometrics can add a whole new dimension of authentication for individuals. However, it can also raise concerns about individuals’ privacy if it is not managed correctly. Ensure that you engage appropriately and professionally qualified people to plan, deploy and hand over such systems, and that the organisation secures the system in line with its risk appetite.