Biometric data: security and ease negate passwords, but is it private?
Compared to passwords, authentication through biometric data is simpler to use and can be much more secure.
A joint research report from Nok Nok Labs and PricewaterhouseCoopers highlights the efforts necessary to keep the data secure, such as choosing a proper compliance system and infrastructure, training staff, and protecting the data from unauthorised access or disclosure.
For organisations that are considering biometrics as they steer away from the use of login credentials, device-side matching of biometric data is a great approach to satisfy important privacy requirements on cross-border personal data transfers in addition to the benefits of individual choice and control around personal data.
The research emphasises key privacy considerations, the implications of processing biometric data and best practice recommendations in the EU, Switzerland, Canada, US, and the Asia-Pacific region.
Freely given, informed user consent is required before processing biometric data in almost every jurisdiction. The potential for large-scale loss is significantly increased with centralised storage of biometric data. On-device authentication generally avoids the implications of international cross-border biometric data transfers. On-server authentication for a global network of biometric users, on the other hand, results in international transfers of data, and the transfer of personal data, including biometric data, out of a jurisdiction is usually restricted.
“Biometrics are a compelling way to improve mobile application usability and avoid the security pitfalls of username/passwords, but significant privacy concerns come into play,” said Phillip Dunkelberger, president and CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the difference between on-device and on-server matching, as the difference between the two approaches significantly affects the risk and exposure of data in a breach.”