Managing Director, The Bunker, PHIL BINDLEY
Biometrics and behavioural biometrics are undoubtedly going to become the most common forms of identifying users. Access to devices and applications will be critical to secure the enterprise and the continuation of simple single factor password authentication will eventually be superseded, as the risks posed by employing single factor authentication will be seen as too great. However, Information Security professionals and risk and compliance managers will need to have in place clear strategies to deal with protecting these new kinds of personally identifiable data in line with legislation and compliance regimes.
Behavioural biometric and identity process
Behavioural biometrics are a potential solution to the long standing issue of persuading organisations and end users to drop the single factor password authentication that is still the most prevalent methodology of gaining access to a system. The unique nature of the way each of us interacts with our keyboard, mouse or touchscreen can provide an early warning that someone has had their credentials compromised and prompt for further identification or simply cut access to the user. As this is passive and does not require additional technology at the user interface, unlike IRIS scan, fingerprint readers or facial recognition, it would facilitate a transparent and highly accurate way of determining identification and reducing risk.
Voice recognition and identity process
Voice recognition has already established itself as a technology that can be adopted to deal with verifying identity. However, there is an overarching risk that presents itself when we delve into the murky world of those that would seek to profit from circumnavigating these controls. If we have our passwords stolen we can change them, if we lose our 2 Factor Authentication token they can be revoked. But we cannot change our voice patterns and, once that “identity” has been forged, then we cannot change it.
The upcoming changes in Identity regulation (GDPR and PSD2)
PSD is very prescriptive about what the expectation is in terms of when strong authentication is required, however is less so in terms of the definition of “strong”. What is clear is that single factor password authentication for the following scenarios would be not acceptable: when a customer either accesses their payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud. There are a huge number of column inches, seminars and events surrounding the close approaching deadline for GDPR compliance. There is nothing that is seminally or intrinsically linked to Digital Identity, in terms of increasing the robustness of the authentication process.
However, when we think about some of the key tenants of the legislation, it is abundantly clear that organisations will have to have in place controls not only to protect key identity data that they hold on behalf of an individual, but also to ensure they have the Technical and Organisational Measures in place to prevent the exposure of any personally identifiable information through weak identity management to their systems and data.
The use of Biometric data has gained popularity over the years, but traditionally there has been limited or no legislation to safeguard the processing of this data. We are starting to see fingerprint, voice and face recognition becoming standard ways to access our mobile devices, office buildings, secure areas, even our bank accounts.
With Biometrics data becoming so widely used, how are we ensuring our personal data is protected? In June 2017, Washington and other US states passed a biometric privacy law, but what about the EU and its member states?
It will come as no surprise that with the new EU regulation (GDPR) coming into force next year, biometric data has come into sharp focus. GDPR defines biometric data as “personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
Biometric data and genetic data under the EU regulation have been added to the special categories of personal data. So, what does this mean to those businesses who are thinking of processing this type of data? GDPR is quite clear that the processing of special categories of personal data is prohibited. However, there are provisions in the Regulation that can help those who wish to process this type of data.
Firstly, you need to ensure at least one of the Article 6 conditions is met. These are:
• Data subject gives consent for one of more specific purposes
• Processing is necessary to meet contractual obligations
• Processing is necessary to meet legal obligations
• Processing is necessary to protect the vital interests of the data subject
• Processing is necessary for tasks in the public interest
• Processing is for the purpose of legitimate interests pursued by the
controller.
Once you have satisfied these conditions, then you will need to ensure one of the conditions of article 9 has been met. You will notice that there is some overlap with Article 6, but it is still a prerequisite to processing this type of data. These are the Article 9 exclusions:
• The data subject has given explicit consent
• It is necessary to fulfill the obligations of the controller
• Processing is necessary to protect the vital interests of the data subject
• Processing is carried out by a nonprofit organisation
• The personal data has manifestly been made public by the data subject
• Establishment, exercise or defense of legal claims
• Reasons of public interests in the area of public health
• Achieving purposes in the public interest
• A member state has varied the definition of a special category.
In order for you or your business to comply with GDPR to process biometric data, clear consent is generally the key factor. The rules around consent need to be observed closely, because a lot of businesses feel that their data subject may have at some point given them consent to process their data.
However, we need to be clear that processing special categories of personal data is strictly prohibited by EU law. Consent under GDPR is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes, by which he or she by a statement or by clear affirmative action signifies agreement to the processing of personal data relating to him or her.
Trust is a key factor for the adopting of technology and cloud based services. As organisations and individuals adopt new enabling technologies in the world of all things financial, businesses operating in this space will need to demonstrate they have robust and secure ways of not only identifying individuals, but in securing that personal data under their control.
