Stone, scissors, biometrics: how electronic data becomes safer than paper
Biometric solutions for identification (user recognition) and authentication (confirmation of the authenticity of a user, process or device) have become an integral part of people's digital lives within just a few years.
Just 10-12 years ago, a phone with fingerprint identification was a novelty, but today it is hard to find a smartphone without it.
The transition to the new digital age has completely changed our daily lives. The way we interact with each other, use services, pay for goods, work and play today is completely based on digital interaction and authentication.
In the current wave of advances in machine learning technologies and the availability of big data, the development and adoption of biometric technologies has become one of the most dynamic IT trends, and the fight against the COVID-19 pandemic has only boosted their spread.
The ability to prove your identity by physical presence, without the need for paper documents, magnetic cards, memorizing complex passwords and other uncomfortable procedures, has become a regular occurrence because it is not only instant but also convenient.
How does the ease of use of personal biometrics compare with its security against hacking and cyber-attack threats? How do technologies and data really work?
The global web and digital services have brought people not only benefits, but also numerous privacy and security problems with personal data. The global data protection market has already reached $61.33 billion by 2020 and will grow to $113.39 billion by 2027 at a compound annual growth rate of 9.1%, according to analysts from Valuates Reports.
The use of biometrics is expanding as the need for identification of people grows — for example, in access to buildings and critical infrastructure, in the use of digital and mobile devices, in banking, healthcare, schools, transport, offices and other daily situations.
Currently, new systems that use biometrics are developed with the accumulated experience of earlier solutions in mind. In addition to improving the security of data in such systems, increasing their accuracy and reducing their cost, it is sometimes equally important for customers to formulate the purpose of their use. For example, is biometric identification really necessary, or is a basic verification stage more than enough for the business to verify the presence of a person instead of their image?
In many cases, determining the usage model of the biometric system is critical for deciding the level of access security and accuracy, and here, as with any personal data, a similar principle applies to biometrics: there is no need to collect and store unnecessary data. Otherwise, excessive data can turn into additional vulnerabilities and problems for customers, and finally destroy the reputation or even the entire business.
In contrast to passwords or cryptographic keys, which ensure 100% accuracy (the password is either right or wrong), biometric identification and authentication has a low percentage of false positives (passing an impostor) and false negatives (rejecting the authorized person).
Between convenience and security
Even at the stage of designing a system for collecting and using biometric data, it is important to understand the real requirements for such a platform with regard to its key parameters: security, speed of operation, scalability and the necessary (sufficient) amount of data to be used.
Regardless of the field of application — whether it is a solution for government and public services (police, federal services, army and navy), access to Windows on an office computer or checking the balance with a telecom operator, a biometric system must provide error-free access.
However, for each specific case there is a balance between convenience and safety. The use of technologies and compliance with various levels of security when using biometrics directly depends on the character of the managed data and the level of critical risks.
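The trade-off between false positives and false negatives described above can be made concrete with a short calculation. This is an added example, not part of the original article: the similarity scores are constructed, and the function names, thresholds and risk limits are assumptions.

```python
# Constructed similarity scores (0..1) from a hypothetical matcher; not real data.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.83, 0.97, 0.72, 0.90, 0.86, 0.93]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.66, 0.19, 0.74, 0.30, 0.22, 0.48]
THRESHOLDS = [0.5, 0.6, 0.7, 0.8, 0.9]


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted.

    FAR = share of impostor attempts accepted (false positives).
    FRR = share of genuine attempts rejected (false negatives).
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def lowest_threshold_for(genuine, impostor, thresholds, max_far):
    """Pick the most convenient (lowest) threshold whose FAR stays within max_far.

    Returns (threshold, FAR, FRR), or None if no candidate meets the limit.
    """
    for t in sorted(thresholds):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold={t:.1f}  FAR={far:.0%}  FRR={frr:.0%}")
    # Assumed policies: a low-risk service tolerates 10% FAR, a high-risk one none.
    print("low risk :", lowest_threshold_for(GENUINE, IMPOSTOR, THRESHOLDS, 0.10))
    print("high risk:", lowest_threshold_for(GENUINE, IMPOSTOR, THRESHOLDS, 0.00))
```

On this sample, the stricter policy removes false accepts only by rejecting a fifth of the genuine attempts, which is the balance between convenience and security in numbers.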
Security and infrastructure
As the number of cyberattacks and security incidents has grown at an alarming rate in recent years, many organizations that are starting to work with biometrics try to provide additional levels of data protection by engaging the most reliable service providers and solutions. This trend is especially noticeable in the financial and banking sector.
Additional security can be provided by storing data on the security infrastructure in encrypted form, with different encryption protocols applied to each 'data cell'. For example, fingerprint, iris data and bank account number are linked to identify the right person, but are encrypted and stored on different servers.
And even if an attacker gains access to one of the data elements, it is still not possible to log in and steal money. A similar approach for storing confidential customer data is perfectly suitable for use in other areas as well.
How it works
An example of a system approach for developing a biometric access control solution for operating or information systems is the Id-Logon software product by RecFaces.
The Id-Logon software product is used in organizations and institutions to verify access rights to systems by using biometric identification and verification. During the identification process, a person's biometrics are entered into the system through special webcams or scanners; Id-Logon checks the obtained templates against the data in the profile database and, as a result, grants or rejects access to the system. In the verification process, the overall level of security is increased by using two-factor verification, where biometric identification is completed by entering a password.
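The flow described above (match a probe template against a profile database, then require a password as the second factor) can be sketched as follows. This is an added example, not RecFaces or Id-Logon code: the template vectors are constructed, and the threshold, margin, storage layout and function names are assumptions.

```python
import hashlib
import hmac
import math
import os

THRESHOLD = 0.90  # assumed minimum cosine similarity to accept a match
MARGIN = 0.05     # assumed minimum lead over the runner-up profile


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.hypot(*a) * math.hypot(*b))


def hash_password(password, salt):
    # Salted, slow hash so the profile database never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(db, user, template, password):
    salt = os.urandom(16)
    db[user] = {"template": template, "salt": salt,
                "pw": hash_password(password, salt)}


def identify(db, probe):
    """1:N search: return the best-matching user, or None if weak or ambiguous."""
    ranked = sorted(((cosine(probe, p["template"]), u) for u, p in db.items()),
                    reverse=True)
    if not ranked or ranked[0][0] < THRESHOLD:
        return None  # nobody in the database is similar enough
    if len(ranked) > 1 and ranked[0][0] - ranked[1][0] < MARGIN:
        return None  # two profiles are too close to tell apart
    return ranked[0][1]


def logon(db, probe, password):
    user = identify(db, probe)
    if user is None:
        return "rejected: no biometric match"
    rec = db[user]
    # Constant-time comparison of the second factor for the identified profile.
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw"]):
        return "rejected: second factor failed"
    return f"granted: {user}"


# Constructed 4-dimensional templates; real templates are far larger.
DB = {}
enroll(DB, "alice", [0.9, 0.1, 0.3, 0.2], "correct horse")
enroll(DB, "bob", [0.1, 0.8, 0.2, 0.5], "battery staple")
```

Because the password is checked only against the profile the biometric step selected, a false accept alone does not grant access.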
Id-Logon-based solutions are suitable for verifying individual access rights to platforms of all sizes, from corporate IT systems to individual Windows PCs, with a login biometric identification speed of less than 1 second and a reported false event probability of less than 0.0001%.
An additional advantage of this system is its modularity: the price of the solution depends directly on the selected license for the number of persons in the database and the sources of biometrics (cameras, scanners, terminals, ATMs, infokiosks and others). Moreover, the organization using Id-Logon installs this solution on its own server, to which the client PCs, cameras and terminals are connected. If necessary, the Id-Logon-based solution is ready for integration with an ACS, a turnstile relay or other passage device, as well as a Wiegand terminal or controller.
In healthcare facilities, RecFaces identifies staff or patient faces, and notifies the administration of important information or the appearance of stoplisted individuals on the clinic premises if necessary. The system can also be configured to measure the temperature immediately at the entrance, without contact, and record the information in an event log.
In the banking industry, the implementation of Id-Logon and other RecFaces products allows the instant identification of a person in front of a camera by their face, and therefore helps to improve service quality in bank offices, monitor employee presence in the workplace, protect facilities from unauthorized access and, in general, respond quickly to security incidents.
Biometric systems based on Id-Logon and other RecFaces products are applicable to many industries where rapid identification of staff and visitors is required, including government agencies, education, law enforcement, industrial and sports facilities, business centers, transport, retail, restaurant, entertainment and many others.
Biometrics and Russian legislation
Recently, on the 11th of October 2021, the Government of Russia adopted regulation No. 1729 on state control in the sphere of biometric identification and/or authentication in our country. According to these regulations, organizations accredited to deal with personal biometrics are now divided into three «severity groups».
Belonging to a particular group reflects the severity of the consequences that may arise from non-compliance with the requirements of the law. Thus, all entities that are engaged in the identification (authentication) of people using personal data or provide specialized services are assigned to group A of high severity.
The medium severity group B comprises organizations that use personal biometrics only for authentication or the provision of services of a related nature. The low severity group B comprises organizations that use biometrics for authentication in access control systems — for example, for access to protected premises.
The Ministry of Digital Development, Communications and Mass Media (Ministry of Digital Development) of Russia has been assigned the role of supervisory authority, and the level of control depends directly on the severity group assigned. The law will come into force on 1 January 2022, simultaneously with amendments to Federal Law No. 149 «On Information, Information Technologies and Information Protection», aimed at regulating the rules of biometric personal data processing for accredited organizations.
Another important document, adopted in 2021, specified the business reputation standards for the heads of organizations performing identification using personal biometrics. This document will enter into force on the 1st of March 2022 and will be effective until 2028.
According to Regulation No. 896 of the Ministry of Digital Development dated the 27th of August, the head or a member of the collegial executive body of an organization with an IT identification or authentication system using personal biometrics must not have an unexpunged criminal record; dismissals less than three years ago upon disclosure of a legally protected secret (state, commercial, official and other); entrepreneurial activity without a permit or illegal activity in the field of information protection less than a year old, as well as facts of administrative offenses in the field of personal data in the previous three years.
With the advent of the digital age of human development we no longer need to entrust our personal secrets to paper, and with the development of biometric technology, passwords written on random scraps of paper become a thing of the past as well.
The current stage of biometric technology can only be described as the beginning of a long journey of development and improvement. Every year these technologies become more universal, faster, more secure and, no less important, more convenient for everyday use.