Adopting Biometrics-as-a-Service: Key Questions You Need to Ask

Here are four questions to ask when considering a cloud-based biometrics provider. 

November 16, 2022

Alessandro Chiarini, SVP of Enterprise Authentication at Aware, says biometrics are moving to the cloud, which is dramatically widening access to this modern authentication technique. But what questions do you need to ask before adopting biometrics-as-a-service?

Whether you’re a CSO or IT security specialist administering system and network access privileges for employees, or a developer creating new apps that need convenient yet highly secure authentication, you’re probably well aware of the limitations of passwords. Generally speaking, they are weak, highly prone to theft and loss, and inject unnecessary friction into the authentication process. According to a recent survey, 58 percent of small business owners would consider allowing their customers or employees to replace their password(s) with more advanced authentication methods such as biometrics – faceprints, voiceprints, fingerprints, or iris scans, for example.

To date, the problem has been that implementing biometric forms of authentication has typically required advanced technical development and special on-premises hardware and equipment – keeping biometrics out of reach for many organizations. Offering biometric authentication as a cloud-based SaaS service would dramatically increase accessibility, and as a cutting-edge technology associated with machine learning, big data, and artificial intelligence, one would expect biometrics to have moved to the cloud quickly. But so far, it largely hasn’t – why?

The cloud has a lot to offer the biometrics industry – including scalable technology, expandable storage, parallel processing capabilities, and with the widespread availability of mobile devices, an accessible entry point for apps and services that rely on mobile clients. As more enterprises adopt biometrics, many solution providers are looking to shift to an on-demand, service-based model.  

But from the very beginning of the cloud computing era, security has been among the biggest concerns for enterprises considering the cloud. Enterprises see the clear benefits, particularly cost, but when they consider security, there is a fear of going wholeheartedly to the cloud. Storing biometric data on the cloud tends to raise concerns around security, compliance, and privacy.    


If you’re considering a cloud-based biometrics solution, the burden of proof is on the biometrics provider to meet your needs, and you’ll need to ask several detailed questions.

What extra steps are taken to ensure the security of biometric data?  

Even though a biometrics provider may be an expert in biometric matching, the provider must also have a solid command of general data-protection practice – protecting data in transit and at rest, key management, access control, and retention – so it can ensure a high level of security at every step of the cloud-based transaction.

There are many mechanisms for adding security to biometric data as it is collected and routed to the cloud for processing. First, all biometric data should be encrypted in transit, with the provider able to state which protocol versions and cipher suites it accepts. Remember, however, that enterprises must also do their part when it comes to securing data in transit: client-side controls such as certificate validation on the API connection, and a VPN or SSH-based access for administrative paths, should always be in place. Whenever biometric data is persisted in the cloud at all (for instance, biometric templates held in a database rather than merely passing through the network), the provider should apply “data at rest” encryption with keys managed separately from the stored data. Additionally, there should be defined retention limits, with data erased on a schedule rather than kept indefinitely.

There are other techniques as well to enhance the security of biometric data in the cloud, such as the “cancellable biometric,” where a distorted representation derived from the original is used for authentication instead of the original itself. For example, instead of enrolling the true fingerprint (or other biometric), the fingerprint features are intentionally distorted in a repeatable, parameterized manner, and only this transformed version is stored and matched. If, for some reason, the stored template is “stolen,” an essentially “new” template can be issued by simply changing the parameters of the distortion process and re-enrolling, without the underlying biometric ever having been exposed.
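The transform just described, in working code, as an added example that is not part of the article or of Aware’s product: a simplified random-projection scheme in the spirit of BioHashing, where a per-user revocable token derives a set of random directions, the feature vector is projected onto them, and only the sign of each projection is kept. The feature vectors here are constructed stand-ins for a real extractor’s output; the token values, subject identifiers, 64-dimensional features and 256-bit template length are assumptions chosen for the illustration.

```python
import hashlib
import random

TEMPLATE_BITS = 256   # length of the protected (cancellable) template
FEATURE_DIM = 64      # dimensionality of the constructed feature vector


def sample_features(subject_id: str, sample_seed: int, noise_sigma: float = 0.0):
    """Stand-in for a biometric feature extractor (constructed for this example):
    a fixed per-subject vector plus per-capture Gaussian noise."""
    base = random.Random(subject_id)      # str seeds are hashed deterministically
    noise = random.Random(sample_seed)
    return [base.gauss(0.0, 1.0) + noise.gauss(0.0, noise_sigma)
            for _ in range(FEATURE_DIM)]


def _projection(token: bytes, dim: int, nbits: int):
    """Derive a deterministic Gaussian random-projection matrix from the user's
    revocable token; a new token yields a statistically independent matrix."""
    seed = int.from_bytes(hashlib.sha256(token).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(nbits)]


def protect(features, token: bytes) -> int:
    """Cancellable template: project the features onto token-derived random
    directions and keep only the sign of each projection. The raw feature
    vector is never stored; changing the token changes every bit."""
    matrix = _projection(token, len(features), TEMPLATE_BITS)
    bits = 0
    for row in matrix:
        dot = sum(w * f for w, f in zip(row, features))
        bits = (bits << 1) | (1 if dot >= 0.0 else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two templates."""
    return bin(a ^ b).count("1")


def verify(stored: int, features, token: bytes,
           max_distance: int = TEMPLATE_BITS // 4) -> bool:
    """Match a fresh capture against the stored template under the same token."""
    return hamming(stored, protect(features, token)) <= max_distance


if __name__ == "__main__":
    # Constructed token; in a deployment it lives apart from the template store.
    token_v1 = b"user-42-token-v1"
    enrolled = protect(sample_features("user-42", 1), token_v1)

    genuine = sample_features("user-42", 2, noise_sigma=0.2)
    impostor = sample_features("user-99", 3, noise_sigma=0.2)
    print("genuine capture accepted :", verify(enrolled, genuine, token_v1))
    print("impostor capture accepted:", verify(enrolled, impostor, token_v1))

    # Revocation: re-enroll under a new token. The old and new templates are
    # unrelated (about half the bits differ), so a leaked old template is useless.
    reissued = protect(sample_features("user-42", 4), b"user-42-token-v2")
    print("old vs reissued distance :", hamming(enrolled, reissued), "of", TEMPLATE_BITS)
```

Such a scheme is only as cancellable as the token is secret: if the stored template and its token leak together, an attacker can evaluate the same transform and learn a good deal about the original features, so the token must be held separately from the template (on the client, or in a key store with its own access control). A production system would also tune the distance threshold against measured false-accept and false-reject rates rather than the fixed quarter-length used here.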

Finally, one of the newer techniques involves breaking biometric templates down into fragments that carry no identity on their own. Splitting each template up and storing the fragments in multiple places throughout a cloud-based resource means that compromising any single storage location yields no complete biometric template; an attacker would have to breach several independently protected stores at once to reassemble one.
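One principled way to realize the splitting described above, as an added example that is not the article’s or any vendor’s implementation: Shamir’s secret sharing over a prime field, with the template carried as an integer. Each share goes to a separate storage location; any k of the n shares rebuild the template exactly, and fewer than k reveal nothing about it. The Mersenne prime 2^521 − 1, the 2-of-3 threshold and the sample template bytes are assumptions for the illustration.

```python
import secrets

# 2^521 - 1 is prime (a Mersenne prime) and comfortably larger than a 256-bit template.
P = (1 << 521) - 1


def split_template(template: int, k: int, n: int):
    """Split a template (an integer < P) into n shares; any k reconstruct it.
    Returns a list of (x, y) points on a random degree-(k-1) polynomial whose
    constant term is the template."""
    if not 0 <= template < P:
        raise ValueError("template must be a non-negative integer smaller than P")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [template] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner's rule, all arithmetic mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_template(shares) -> int:
    """Lagrange interpolation at x = 0 over GF(P). Fewer than k shares (or a
    wrong mix) yield an unrelated value, not an error, so the caller must know
    the threshold and verify the result against the matcher, not trust it."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def template_to_int(template: bytes) -> int:
    """Encode a template's bytes as the field element to be shared."""
    return int.from_bytes(template, "big")


if __name__ == "__main__":
    # Constructed 256-bit template; a real one would come from the enrollment step.
    template = template_to_int(bytes(range(32)))
    shares = split_template(template, k=2, n=3)   # e.g. three storage locations
    print("any 2 of 3 reconstruct:",
          recover_template(shares[:2]) == template,
          recover_template([shares[0], shares[2]]) == template)
    print("one share alone matches:", recover_template(shares[:1]) == template)
```

Note the limit of this control: the matching service still reconstructs the whole template in memory for every comparison, so splitting protects against compromise of a storage location, not of the matcher itself, and the share stores must sit under independent credentials and access policies or the split buys nothing.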

What assurances can you give to demonstrate you can deliver on our compliance requirements?  

It is vital that your biometrics provider understands your unique compliance requirements, which can vary from country to country. Consider GDPR in Europe and the “Right to be Forgotten” (the right to erasure), under which an individual can require that personal data concerning him or her be erased without undue delay. In addition, regulations in some countries prevent organizations from storing individuals’ personal information outside the borders of the country. Storing biometric templates in the cloud can make both of these difficult, and stateless APIs have evolved as one way to reduce the exposure. With a stateless API, the provider holds the data only for as long as the transaction needs it, then discards it immediately. Biometric data is still personal data while it is being processed, so the processing itself remains subject to privacy rules, but the obligations that attach to storage – retention, erasure requests, and where the data resides – shrink to the scope of a single transaction. Ask the provider to show, not just state, that nothing persists afterwards: logs, caches and backups included.

Are your cloud nodes distributed?    

A distributed system is a computing environment in which various components are spread across multiple computers (or other computing devices) on a network but work together. Cloud-based biometric applications are a natural fit for this model, because there should be a clear separation between biometric templates and any other personally identifiable information (PII) about the individual that the hosting provider holds (some would argue that cloud-based biometric applications should require no PII at all). Stored that way, under an opaque identifier rather than a name or account, the biometric data is not associated with anything that would reveal whose it is, which sharply reduces its value to an attacker who obtains only the template store.

How long will it take to get fully implemented?  

Ideally, a cloud-based biometrics provider should be able to get an organization up and running on biometric authentication very quickly and affordably. Moving biometrics to the cloud is all about removing hurdles and creating a viable answer for small businesses and start-ups that simply can’t afford the cost and time associated with more traditional approaches.  

Conclusion  

The biometrics industry is evolving beyond its traditional way of doing things, which to date has not been cloud-native. Remember, while at first blush the idea of cloud-based biometrics may cause some hesitancy, the cloud delivers many advantages over more traditional techniques and may once and for all bring “biometrics to the masses.” Cloud-based biometrics may be the answer we’ve been searching for, enabling organizations to do away with outdated passwords and offering the promise of increased flexibility and scalability for applications built around convenience – an intriguing new frontier to explore.



Alessandro Chiarini

Senior Vice President, Enterprise Authentication, Aware 

Alessandro Chiarini is a shareholder and SVP of Enterprise Authentication for Aware Inc, a leader in biometric authentication and digital identity.