Biometrics explained: Breaking down the technology's controversy and contributions to security

Advancements in technology within the last decade have sparked the increased use of digital biometric verification. The technology’s modern verification capabilities have outpaced traditional cybersecurity attack methods geared toward credentials theft -- making the technology an attractive enhancement for corporations seeking to provide a more secure, seamless experience for users to verify their identities. Now, users can leverage biometric technology for secure access to critical information, such as applications in financial and healthcare sectors.

However, recent pushback from the Federal Trade Commission (FTC) on the use of biometrics for identity verification, particularly age verification, highlights compliance concerns surrounding enterprises’ data collection and storage practices -- especially the collection of minors’ biometric information.

The FTC's pushback on age verification exemplifies the growing list of concerns surrounding the use of biometrics in enterprise security. This has led to a rapidly evolving regulatory landscape, with different countries and states implementing their own privacy and compliance guidelines. Successfully navigating this complex landscape is crucial for organizations seeking to maximize the ROI from their security investments and remain compliant. Integrating the right biometric authentication strategies becomes essential to ensure both security and adherence to these evolving regulations.

Common Concerns of Biometric Verification

The advancement of biometric identity and age verification technologies have raised concern among consumers and regulators. This is understandable, as these tools have the capability to gather and store sensitive user data. The most commonly expressed concerns include:

1. Data Sensitivity: Biometric data, such as fingerprints, facial recognition scans, or iris patterns, is unique and irreplaceable. Unlike a password that can be reset, a compromised biometric cannot be easily changed. This raises significant security concerns if data breaches occur.
2. Data Sensitivity of Minors: Biometric data collection from minors introduces additional ethical and legal considerations. There are concerns about potential long-term privacy implications for children who may not fully understand the ramifications of surrendering their biometric data.
3. Algorithmic Bias: Facial recognition and other biometric identification systems can be biased, leading to inaccurate results for certain demographics, particularly people of color and other underrepresented communities. This can have serious consequences, potentially leading to discrimination or denial of access (more prominent than fairness and accuracy in age verification).
4. Lack of Transparency in Data Sharing: The sharing of biometric data with third parties without clear user consent and transparency regarding how the data is used raises privacy concerns. Users should be informed about who has access to their data and for what purposes.

Assessing Biometric Verification Solutions for Businesses

When choosing an identity verification solution, it's crucial to consider four key aspects: security, compliance, accuracy, and user experience. Here's a breakdown of three common verification methods and how they stack up in these categories:

Online Identity Verification: This method leverages automation to determine if a government-issued ID is authentic and belongs to a user, and typically performs a validity check via a selfie to ensure that the person holding the ID is the same person shown in the photo. There are many benefits to online identity verification, including high verification assurance, Know Your Customer (KYC) and Anti-Money Laundering (AML) compliance, flexible implementation and definitive, risk-based results. Since this tactic requires users to upload their IDs to confirm their identity, geographic limitations may arise with some vendors who have limitations on ID support and coverage.

1. Database Solutions: These solutions leverage online and offline data to determine if an online ID is authentic or fraudulent.The benefits to this strategy include a fast and frictionless verification process, as authentication happens without any user interaction.This tool also analyzes data from various sources, minimizing manual intervention.

The pitfalls of this verification technique include vulnerability to spoofing attacks, as fake online identities and social profiles can compromise the verification process. Database solutions also don’t confirm the user behind the transaction is the real owner of the identity, or use an authoritative reference, like a government-issued ID.

2. Credit Bureaus: Credit bureaus provide a wealth of information based on first and last name, address and Social Security number.  Implementation is simple, there’s no friction for the end user and results are fast, but this approach has limitations.

People with limited credit history might be excluded, and, similar to database solutions, it doesn't confirm the person using the identity is the actual owner or leverage credible references like government-issued IDs. Additionally, there's a risk of false positives and potential fraud due to breaches or inconsistencies between credit bureaus.

Strategic Implementation for Seamless Authentication

The growing scrutiny surrounding biometric verification technology underscores the importance of enterprises choosing the right tools for user identity protection. By prioritizing compliance, security, accuracy and user experience, businesses can harness the full potential of biometrics while navigating the evolving regulatory landscape.

Image credit: ras2studio/depositphotos.com

Veronica Torres is Worldwide Privacy & Regulatory Counsel at Jumio. She provides strategic legal counsel regarding business processes, applications, and technologies to ensure compliance with all privacy laws.