Two international standards bodies have published a joint security and privacy standard to help ensure biometric data used for online authentication will not be compromised.
Biometrics refers to the automated identification of individuals based on facial, iris, palm, fingerprint or voice patterns.
The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) say it is crucial to safeguard the security of a biometric system and the privacy of data subjects, and have outlined countermeasures in the new ISO/IEC 24745 standard.
"As the internet is increasingly used to access services with highly sensitive information, such as e-banking and remote healthcare, the reliability and strength of authentication mechanisms is critical," said Myung Geun Chun, project editor of ISO/IEC 24745.
"Biometrics is regarded as a powerful solution because of its unique link to an individual that is nearly or absolutely impossible to fake."
However, said Chun, while the cost of biometric techniques has been decreasing and their reliability has been increasing, biometric identification raises unique privacy concerns.
"While the unchanging and distinct association with an individual, on the one hand, provides strong assurance of authentication, this binding, which links biometrics with personally identifiable information, on the other hand carries some risks, including the unlawful processing and use of data," he said.
The new ISO/IEC 24745 standard has been developed as a tool to address these risks. If biometric authentication information is compromised, the usual solutions, such as issuing a new password or token, are not available, because biometric characteristics are difficult or impossible to change.
As more and more personally identifiable information is linked with biometric references, and this data is shared across international borders, it is crucial to safeguard the security of a biometric system and the privacy of data subjects with solid countermeasures, the standards bodies say.
The new standard includes security requirements for binding between a biometric reference and an identity reference, biometric system application models with different scenarios for the storage and comparison of biometric references, and guidance on the protection of an individual's privacy during the processing of biometric information.