Government agencies and technology companies using biometric identifiers like fingerprints or facial recognition to replace passwords should generally eschew large databases of citizens’ personal data, a study out Thursday says.
‘Rather than storing everyone’s fingerprints in a huge database,’ which would make a juicy target for hackers to steal, ‘do the authentication on the device, one-to-one,’ said Phil Dunkelberger, CEO of Nok Nok Labs, which commissioned the study from PricewaterhouseCoopers Legal.
Essentially, there are two ways of using biometrics to confirm identity: server-side or one-to-many, and device-side or one-to-one. In the former model, the user’s biometric is transmitted from the device to a server, where it is checked against a database of many users’ details.
But this model can run afoul of laws or regulations limiting the offshore storage of confidential data, according to the study.
‘A global network of biometric authentication users will require international transfers of biometric data,’ the study reads. ‘The transfer of personal data out of a jurisdiction is generally restricted and most jurisdictions enforce stringent requirements’ for the security and confidentiality of such transfers.
The study’s author, British lawyer and PwC Legal partner Stewart Room, calls the use of biometric data for identity authentication ‘a double-edged sword,’ because of its sensitivity and the fact that — unlike a password or credit card number — a fingerprint can’t simply be changed or re-issued if it’s stolen.
‘Device-side matching of biometric data is a compelling approach to satisfy key privacy requirements on cross-border personal data transfers, as well as providing the benefits of individual choice and control around such personal data,’ according to the study.
Nok Nok Labs is a founder member of the Fast Identity Online, or FIDO, Alliance, which has developed technical standards for interoperable device-side authentication.