Data from Experian shows that 81% of customers view biometrics as the more secure form of identity verification compared to passwords. So why, then, have some businesses been reluctant to implement passwordless logins?
As biometric technologies become increasingly commonplace in online authentication and identity management, it's important that businesses properly evaluate solutions to ensure that personally identifiable information is protected against mounting privacy and security threats.
Over the course of this article, we will highlight some of the privacy risks associated with biometric data, and look at how companies can use privacy-enhancing technologies (PETs) to make it safer to store biometric data while complying with cross-jurisdictional data protection laws.
Data breaches are a very real threat and have the capacity to affect millions of users.
While much of the focus on data breaches tends to be on “written down” customer information (passwords, email addresses, telephone numbers, etc.), skilled hackers target biometric data as well.
Biometric data such as fingerprints is immutable and cannot be altered. As such, biometric data theft is far more dangerous than a standard password leak, as it could have wide ramifications for the person who has been hacked. Biometric data theft poses a legitimate security concern, as a well-equipped and highly funded group of hackers could create a 3D-printed fingerprint mold to unlock any device or account that is linked to the hacked user.
Due to the sensitive nature of biometrics, there are a number of policies around the world that govern how biometric data is collected, stored, and used.
As we highlighted in our article on data protection outside of the EU, the European Union leads the way when it comes to data protection regulation, and biometric data is no exception.
The General Data Protection Regulation (GDPR) classifies biometric data as a “special category of personal data” and establishes that it is forbidden for any company to share the biometric data of EU citizens and long-term residents with third parties without their consent.
Legislation for the protection of biometric data also exists outside of the EU, with India and China, in particular, having strong guidelines on what can and can’t be done with biometric data.
In the United States, meanwhile, there is no single unified law that regulates biometric data (or any type of personal data for that matter), with individual states deciding on their own policies. However, the state of Illinois does have the Biometric Information Privacy Act, which is the most expansive policy in the country.
In light of the current security challenges facing every online business, organizations are beginning to adopt an approach known as data protection by design to help keep customer data safe. This approach has seen businesses implement one of five emerging PETs to ensure that any personal data processed has been safeguarded to prevent it from falling into the wrong hands.
As highlighted above, there are five emerging PETs that are vital for safely using personal data online. Large organizations that handle sensitive customer data - such as banks - use PETs to ensure that their customers' data remains safe.
The five PETs are as follows:
Homomorphic Encryption - Refers to the ability to run computational operations on encrypted data.
Trusted Execution Environments - This PET refers to an isolated computing environment that is separate from a computer's main processor and memory.
Differential Privacy - Often used in combination with another PET, Differential Privacy is a process that quantifies the privacy leakage that occurs when accessing a database.
Federated Learning - This PET is a machine learning technology that processes data locally and then sends back the requested results to a central server.
Multi-Party Computation - This PET refers to an encryption method that allows multiple parties to collaborate on encrypted data. Keyless uses multi-party computation to process authentication requests without revealing data during the computational process.
As highlighted above, by using secure multi-party computation, Keyless removes the need to store or process biometric data. This greatly enhances the security of Keyless, making it a no-brainer when it comes to safeguarding the identity of your customers.
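To make the multi-party computation idea from the PET list and the paragraph above concrete, here is an added example that is not Keyless's code: two simulated servers each hold one additive share of a stored biometric template and of a fresh probe, and they compute the squared distance between the two vectors using Beaver multiplication triples, so neither server ever reconstructs either vector. The prime field, the small integer feature vectors, the helper that hands out triples and the match threshold are all assumptions constructed for illustration.

```python
import secrets

P = 2**61 - 1  # constructed choice: a prime large enough that distances never wrap


def share(x):
    """Split x into two additive shares s0 + s1 = x (mod P); one share alone is uniform noise."""
    s0 = secrets.randbelow(P)
    return s0, (x - s0) % P


def open_value(s0, s1):
    """Combine both shares; only done for values that are safe to reveal."""
    return (s0 + s1) % P


def beaver_triple():
    """Correlated randomness from a helper party: shares of random a, b and c = a*b."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a), share(b), share(a * b % P)


def mul_shares(x_sh, y_sh, triple):
    """Multiply two secret-shared values; only the masked differences d = x-a, e = y-b are opened."""
    (a0, a1), (b0, b1), (c0, c1) = triple
    d = open_value(x_sh[0] - a0, x_sh[1] - a1)  # uniformly random, reveals nothing about x
    e = open_value(y_sh[0] - b0, y_sh[1] - b1)  # likewise for y
    z0 = (c0 + d * b0 + e * a0 + d * e) % P     # server 0 adds the public term d*e
    z1 = (c1 + d * b1 + e * a1) % P
    return z0, z1


def shared_sq_distance(t_shares, q_shares):
    """Shares of sum((t_i - q_i)^2) computed from shares of template t and probe q."""
    acc = (0, 0)
    for (t0, t1), (q0, q1) in zip(t_shares, q_shares):
        diff = ((t0 - q0) % P, (t1 - q1) % P)          # subtraction is local, no communication
        sq = mul_shares(diff, diff, beaver_triple())     # squaring needs one triple per element
        acc = ((acc[0] + sq[0]) % P, (acc[1] + sq[1]) % P)
    return acc


def mpc_match(template, probe, threshold):
    """Enrol the template as shares, share the probe, and open only the final distance."""
    t_shares = [share(v) for v in template]   # constructed: what the two servers store at enrolment
    q_shares = [share(v) for v in probe]      # constructed: what the device sends at login
    dist = open_value(*shared_sq_distance(t_shares, q_shares))
    return dist, dist <= threshold
```

The only value ever opened is the final distance; the template shares stored at enrolment are useless to an attacker who breaches just one of the two servers.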
Keyless’s unique biometric authentication enables organizations to safely implement Keyless into their business without breaching regulations and exposing themselves to compliance risk. So what are you waiting for? Give your customers the joy of a smooth, frictionless, passwordless login with biometrics that simply works.