Biometric privacy and security challenges to know
Fingerprints and facial scans can make identity access more convenient than passwords, but biometric tools present significant ethical and legal challenges.
The use of biometrics for identity and access management has increased dramatically in recent years, as organizations and individuals seek more secure ways to authenticate who is truly authorized to access apps, systems, data and services.
Biometrics enables people to use facial recognition, for example, to unlock their devices or to prove their identity at airports. The "Biometrics Business Guide 2024: Consumer Trust Report," compiled by biometric platform maker Aware, found that more than 50% of tech users authenticate with biometrics daily.
Proponents of biometrics in identity and access management (IAM) see the technology as a convenient, reliable and secure way to authenticate authorized access. But many of those same proponents, as well as critics and neutral observers, see challenges with biometric use. They raise concerns about privacy, errors and the potential for fraudulent use of personally identifiable information (PII).
"In five years, biometrics data will be out there on the dark web, just like every other form of PII," said Joe Holman, principal and practice leader for environmental, social and governance services at Withum, an advisory and accounting firm. "And what happens then? What happens if that data gets out there? We don't have a game plan."
Biometrics for IAM
Biometrics involves the measurements of various physiological characteristics, such as fingerprints, voice patterns, iris patterns and facial features. Because these are unique measurements, they can be used to identify a specific individual.
Technology for biometric authorization can be used to verify travelers at airport security stations, customers on a phone call to a bank or shoppers looking to expedite checkout at a grocery store. Offices, research labs and other secure buildings might use the technology to ensure that only authorized individuals gain entry.
Multiple factors are driving the increasing use of biometrics for identification and authentication. Biometrics is generally accurate and convenient. This technology is seen as an efficient method to manage digital identity, which remains one of the thorniest challenges in cybersecurity.
Yet, concerns about ethical and legal obligations make biometric authentication a challenge. Organizations that deploy these tools should be fully aware of the advantages and disadvantages of biometrics.
The Aware report found that security and convenience were the two main reasons for adoption of biometric authentication. The report indicated 62% of respondents said trust had never led them to refrain from using the technology.
Trust and privacy concerns of biometrics
The report also pointed out that "significant concerns linger, especially when it comes to data breaches and trust in supporting technologies. An overwhelming majority of respondents felt neutral or uninformed about how their biometric data is used and stored by companies."
The report noted that, although more than 50% of respondents said they were either comfortable or very comfortable with using biometric technology in public places, such as airports and stadiums, more than 40% said they felt either neutral, uncomfortable or very uncomfortable doing so.
Organizations and individuals should be concerned about biometrics, said Gloria Washington, member of the technology professional association IEEE and associate professor of computer science at Howard University.
To start, biometrics can be faked. In fact, Washington said, it's fairly easy for someone to create a replica of a fingerprint -- there's a plethora of online videos and websites detailing how to do so. Plus, AI and other technologies make it easier to create realistic deepfakes that look and/or sound like a real individual.
And it's not just individuals who should worry about safeguarding their physiological traits. Washington said organizations that collect and store biometric data from their employees, partners, customers and others to aid IAM programs need to protect that data from being leaked or hacked. And they must guard against discriminatory practices and false identifications. Consider, for example, that an individual's biometrics change as they age, which may lead to false negatives.
Additional considerations include ensuring that biometrics data isn't used in ways that are illegal or unethical, Washington said.
Organizations that use biometrics must contend with questions of consent -- allowing, for example, individuals to opt in or out of having their biometrics used for identification and authentication purposes, said Steve Wilson, cybersecurity analyst at Constellation Research.
Organizations are responsible for securing all the biometric data that they collect, store and use, Wilson said.
There's more. Businesses must also know and comply with every law that governs the data they hold. These include broad data protection laws and laws that protect PII in general: HIPAA in the U.S. and the GDPR in the EU, for example, both have provisions meant to safeguard a person's biometric information.
Plus, newer regulations address biometric data more specifically, said Todd Renner, senior managing director and cybersecurity expert with FTI Consulting.
Despite such advice on how best to handle biometrics to ensure secure, ethical and legal use, getting it right is complicated.
The U.S. Federal Trade Commission (FTC), in fact, issued a specific warning in 2023 over the increasing use of biometric information and related technologies, including those powered by machine learning. This development, the FTC said, "raises significant consumer privacy and data security concerns."
Figures from the "Biometrics Institute 2024 Industry Survey" speak to such issues, with 58% of respondents saying privacy and data protection concerns are the most significant barriers to biometric market growth.
Aware's report found that nearly 41% of survey respondents have little to no trust in companies' ability to handle biometric data responsibly, citing concerns about data breaches, surveillance and personal information misuse.
Incidents on the rise
The Identity Management Institute, which offers training and certification in governance, risk management and compliance, sees breaches as a significant risk with biometrics:
Because biometric data can't be changed, any identifiers leaked in a breach remain connected to specific individuals. In the event a breach isn't discovered for weeks or months, hackers could potentially use stolen biometrics to commit numerous malicious activities before getting caught. Perhaps more disturbing is the potential for hackers to identify and track the owners of stolen biometric data.
Vulnerabilities discovered in Suprema's BioStar 2 security platform provide a clear illustration of how easy it can be for hackers to obtain biometric information. In 2019, researchers showed it was possible to infiltrate the BioStar 2 system and access over 27.8 million records. Fingerprints and face photos were among the identifiers readily available within the system. Whether such vulnerabilities exist in a third-party platform or an on-site security solution, hackers get easy access to some of the most personal information an individual possesses.
Experts stress the severity of the problems that arise from lost or stolen biometric data. A person isn't able to fix a problem the way they can when logins, passwords and other credentials are misused.
"You can't buy a new fingerprint. You can't get your palmprint back if it's stolen. So, if someone steals it, it doesn't belong to you again," Washington said. "And, once your face information is stolen, it really can mess up your entire life."
Organizations using biometrics should note the potential consequences if their use violates any rules and regulations.
For example, Texas Attorney General Ken Paxton in July 2024 announced that his office secured a $1.4 billion settlement with Meta to stop the company's practice of capturing biometric data of millions of Texans without authorization.
In another 2024 case, Clearview AI, a facial recognition startup, settled an Illinois class-action lawsuit that alleged its photographic collection of faces violated subjects' privacy rights.
Too many executives and individuals skim over concerns and challenges related to biometrics, Washington said. "People are thinking about ease of use, such as being able to easily check out. However, each time we give away our data, we're giving away that part of us."
Wilson, too, is concerned that enterprise leaders don't seem to be as attentive as they should.
"I'm kind of surprised the industry hasn't taken this more serious," he said.
Wilson specifically cited the risks involving deepfakes as a particularly "clear and present weakness of biometrics," explaining, for example, that call centers aren't ready to distinguish synthetic voices from actual ones.
"Every biometric needs to be fuzzy," he said, noting that only with flexibility can biometric technology authenticate an individual whose voice or face naturally changes from day to day. But it's also a characteristic that could overlook a deepfake's slight variations from the original.
"It's a danger we don't have any systemic response to. We're just going to be putting fires out all the time," Wilson said.
Strategies to manage risks
The challenges and concerns around using biometrics for IAM are similar to those that organizations have faced for safeguarding other types of PII, Holman said.
As such, Holman said an organization's risk, privacy and security officers can lean on the best practices and strategies they use to protect PII. Plus, new biometrics-specific regulations can help to dictate what they can and cannot do around biometric use.
Daniel Saeedi, partner at Blank Rome, a law firm where he co-leads the biometrics privacy team, sees that happening. Laws dealing with biometric privacy, such as the Illinois Biometric Information Privacy Act, which businesses nationwide typically follow so they can do business in the states that have such laws, push organizations to address concerns about the security, privacy and ethics of biometrics. "To comply with those laws, companies must treat biometric data pretty sensitively," Saeedi said.
But is that enough to thwart the bad actors looking for ways to exploit biometric IAM systems?
"Threat actors will figure out a way to manipulate the ones and zeros that are doing the authentication with biometrics," Renner said. "So, we'll have to continue to focus on defense in depth, regardless of whether we're also using retinal scans or thumbprints."
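As an added illustration that is not part of the article or any vendor's product, the toy matcher below uses constructed 8-element feature vectors, a Euclidean distance and two hypothetical thresholds to show the trade-off Wilson describes: the tolerance that absorbs a person's day-to-day drift also admits a close imitation, and a step-up band between a tight and a loose threshold is one defense-in-depth pattern of the kind Renner calls for.

```python
# Added illustration (not from the article): a toy fuzzy matcher showing why
# the tolerance that absorbs day-to-day variation also admits close imitations,
# and how a step-up band adds defense in depth. All feature vectors are constructed.
import math

def distance(a, b):
    """Euclidean distance between two equal-length feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def matches(template, probe, threshold):
    """Fuzzy match: accept when the probe lies within `threshold` of the template."""
    return distance(template, probe) <= threshold

def error_rates(template, genuine, impostor, threshold):
    """Return (false_reject_rate, false_accept_rate) for one threshold."""
    frr = sum(not matches(template, p, threshold) for p in genuine) / len(genuine)
    far = sum(matches(template, p, threshold) for p in impostor) / len(impostor)
    return frr, far

def decide(template, probe, tight=0.08, loose=0.15):
    """Layered decision: clear matches pass, clear misses fail, and the
    ambiguous band between the two (hypothetical) thresholds requires a second factor."""
    d = distance(template, probe)
    if d <= tight:
        return "accept"
    if d <= loose:
        return "step-up"
    return "reject"

# Constructed data: an enrolled template, three genuine samples that drift a
# little from it, and two impostor samples (one far away, one a close copy).
ENROLLED = [0.5] * 8
GENUINE = [
    [0.52, 0.47, 0.51, 0.54, 0.48, 0.53, 0.49, 0.52],   # distance ~0.069
    [0.46, 0.55, 0.53, 0.48, 0.54, 0.45, 0.52, 0.53],   # distance ~0.104
    [0.56, 0.50, 0.45, 0.53, 0.46, 0.52, 0.55, 0.47],   # distance ~0.111
]
IMPOSTOR = [
    [0.9, 0.1, 0.8, 0.2, 0.7, 0.3, 0.6, 0.4],           # different person, ~0.775
    [0.53, 0.54, 0.47, 0.54, 0.53, 0.46, 0.53, 0.54],   # close copy, distance 0.1
]

if __name__ == "__main__":
    for t in (0.08, 0.15):
        frr, far = error_rates(ENROLLED, GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: false-reject {frr:.2f}, false-accept {far:.2f}")
    for p in GENUINE[:1] + IMPOSTOR:
        print(decide(ENROLLED, p))
```

The tight threshold rejects two of three genuine samples but no impostor; the loose one accepts every genuine sample and also the close copy, which is exactly the window a step-up factor is meant to cover.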
Mary K. Pratt is an award-winning freelance journalist with a focus on enterprise IT and cybersecurity.