This article is written by Pranow Prakash, LLB (1st Year), ICFAI University, Dehradun, and co-authored by Sakshi Kothari, Assistant Professor, ICFAI University, Dehradun.
ABSTRACT
Protecting one’s own data is one of the most important concerns in today’s world, in the physical world and the cyber world alike. With the advancement of technology, assessing risks and devising mitigation strategies in the cyber arena is difficult work, as it also raises questions about the right to privacy. Biometrics have long been used to measure physical characteristics, and with the advent of computers their use has bloomed.
Biometric authentication has become a widely adopted means of strengthening cybersecurity, but it is not free of security concerns. This study examines the safety margin of biometric authentication, focusing on the vulnerabilities and attacks that can compromise it.
Drawing on existing evaluations of the main biometric modalities (facial recognition, fingerprint scanning and iris scanning) against spoofing attacks, and of the effectiveness of anti-spoofing measures, the paper finds that biometric systems remain vulnerable to sophisticated attacks, which highlights the need for robust security measures to preserve the integrity of biometric authentication.
With data breaches on the rise, safeguarding data from cyber-attacks and ensuring proper protection is paramount. Biometrics have gained wide public acceptance, replacing passwords and PINs as the traditional means of protecting data. Yet it cannot be denied that “locks only keep honest people out”. This is what the paper sets out to answer: how safe and private these unique features are as a means of protecting data in the digital era.
Keywords
Biometric modalities, Biometric authentication, cyber-attacks, spoofing, Right to privacy, cyber security, Information Technology Rules 2011, Law enforcement, DPDPA 2023.
Note: This paper draws on several research methodologies for the study of biometrics and their security. It uses the doctrinal method of research and analysis, relies on relevant case law, and defines its key terms. It therefore uses existing data to deduce the extent to which biometrics are safe, drawing on academic publications, related reports, statistics and document analysis.
INTRODUCTION
Biometrics are unique, measurable biological or behavioural characteristics that vary from person to person. Biometric authentication is the cybersecurity process in which a user’s identity is verified from such characteristics, for example fingerprints, voice, retina or facial features. It is generally more secure than a password or PIN alone, but it is best treated as one factor within multi-factor authentication rather than a replacement for it: a biometric trait can be captured or spoofed and, unlike a password, cannot be changed once it has been compromised.
According to Merriam-Webster, biometrics refers to “the measurement and analysis of unique physical or behavioural characteristics (such as fingerprint or voice patterns), especially as a means of verifying personal identity.” Legally, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 [1] define biometrics in Rule 2(1)(b) as the technologies that measure and analyse human body characteristics, such as fingerprints, eye retinas and irises, voice patterns, facial patterns, hand measurements and DNA, for authentication purposes.
BIOMETRIC DATA CAN BE CATEGORIZED INTO THREE MAIN TYPES:
1. Biological biometrics: This includes DNA and blood characteristics.
2. Morphological biometrics: This covers features like eye patterns, facial structure, and fingerprints.
3. Behavioural biometrics: This involves identifying patterns such as gait, voice, and other physical activities.
TYPES OF BIOMETRIC AUTHENTICATION
Biometric authentication systems store reference information in order to verify the user’s identity each time the user accesses their account. Some of the biometric authentication methods are as follows:-
- Facial recognition
- Fingerprint Recognition
- Eye Recognition
- Voice Recognition
- Gait Recognition
These methods fall into two primary categories: physiological and behavioural.
Behavioural Biometrics[2]: A behavioural biometric is a person’s distinct manner of carrying out a certain action, such as signing a document or walking down a corridor. Although this technology is still developing, current approaches include:
Keystroke recognition: captures each person’s unique typing pattern, including the speed at which they type particular letters or phrases, in order to isolate and identify the user submitting their login credentials.
Gait recognition: systems analyse and monitor a person’s gait and compare it with a known user profile. Gait recognition can be a reliable way to identify a person, although it is not always practical.
Vein recognition: uses infrared light to map the pattern of blood vessels beneath the skin of the hand or finger. Strictly speaking this is a physiological trait rather than a behavioural one (it appears again under physiological biometrics below), but the cited source lists it here. It is highly accurate, and because the pattern is subcutaneous it is harder to capture and copy than a surface feature such as a fingerprint.
Signature recognition: this system is made up of two parts, a dynamic component that follows the user’s hand motion while signing, and a static component that compares the signature image with an existing handwriting sample. It should not be confused with a cryptographic digital signature, which involves no handwriting at all.
Physiological Biometrics[3]
To verify a match against an existing user profile, physiological biometric authentication examines each person’s distinct biological traits, such as fingerprints, eye structure and facial shape. These traits are stable and can be measured precisely, which makes them very accurate, but they are not impossible to imitate: fingerprint and face spoofs can be produced with inexpensive materials, which is why liveness detection (see the security protocols below) matters.
Physiological biometrics include, for instance:
Fingerprints: since each person has a unique fingerprint, fingerprint scanning is one of the most popular and affordable forms of biometric verification.
Eye scanning: the user looks into an eye reader, which compares their retinal structure or iris pattern with an approved user profile.
Facial recognition: the device’s cameras scan the user’s face and measure key facial features to confirm their identity. Face recognition is used to investigate theft in large settings that need strict security, such as casinos.
Vein recognition: the system examines the distinctive vein pattern in the user’s finger or palm. Because vein patterns are subcutaneous and hence harder to capture or alter, this technique is considered more secure than fingerprint identification.
Ear recognition: some systems evaluate the shape of each user’s ear and compare it with their profile.
Deoxyribonucleic acid (DNA) matching: since each person’s DNA is unique, technology that compares DNA sequences with user profiles provides a very precise way to identify people, although the analysis is slow and unsuited to everyday login.
Finger geometry: some systems identify a person by the distinct shape of their hand or fingers.
Voice recognition: this technique looks for particular patterns and cadences in the sounds a person produces when speaking.
Body odour recognition: although uncommon, these systems identify people by their distinct body odour, using sensors applied to certain body regions such as the armpits or the backs of the hands.
Biometric technologies have gained immense popularity and significance in the realm of cybersecurity.
They offer a higher level of security and convenience compared to traditional authentication methods.
By leveraging unique physiological or behavioural traits, organizations can accurately verify an individual’s identity and grant or deny access accordingly. Some of the roles of biometrics in cybersecurity are as follows:-
User Convenience- Using biometrics is more user-friendly and faster than entering PINs or passwords, which can be forgotten or lost. Because each person’s biometrics are unique, they provide reliable, quick and seamless access.
Enhanced Security- Biometric traits are unique and hard to replicate or steal, so it is improbable that an unauthorized individual can use them to reach sensitive information. The caveat is that a biometric, unlike a password, cannot be changed once compromised, so the stored templates need strong protection. Behavioural modalities also permit continuous authentication throughout a session rather than a single check at login.
Fraud Prevention- Biometrics provide a reliable way to prevent identity fraud. By validating an individual’s unique traits, organizations can ensure that only authorized persons have access to sensitive information, thereby reducing fraudulent activity.
Services- Biometrics are used in other services too: in healthcare for patient identification and related procedures, and in financial services for securing transactions, digital payments and regulatory compliance. They are also used for surveillance and health tracking.
Law enforcement- In law enforcement, biometrics are used to identify and track suspects and so aid investigations.
HOW DO WE USE BIOMETRICS?[4]
Enrollment is the first time a person’s biometric data is entered into a biometric system. A characteristic is captured during enrollment to serve as the individual’s biometric reference.
This data can be stored as a digital template or as raw data, such as a fingerprint image. A digital template is created by extracting and processing the salient features of the trait. The template is then saved in a database for later use.
The same procedure is followed when biometric data is later presented (commonly referred to as recognition): the individual’s trait is captured, its salient features are extracted, and they are compared with the templates already in the database to either identify or authenticate the person.
The majority of biometric devices save only the template, not the actual biometric image. The original images of the enrolled features, such as fingerprints, may nonetheless occasionally be kept as well. Although there are hazards in doing so, as discussed later in this article, some operators consider it essential in case re-verification is later needed.
The templates created and saved are often specific to that biometric solution, and sometimes even to the particular version of the recognition engine. A system from a different vendor will not recognize a template created by another manufacturer’s biometric engine, and occasionally a template created with an earlier version of one manufacturer’s software will not work with a later one.
As a result, storing templates is far less risky than storing raw biometric samples such as fingerprint images. Templates should nonetheless be encrypted, and wherever raw images are retained the controls must be stronger still: access should be tightly restricted, and the controls regularly monitored and audited. Organizations should also consider whether they want to become a target for criminals seeking biometric data that could be used for identity theft.
THREATS TO BIOMETRIC SECURITY
While biometrics offer significant advantages, they are not immune to threats. It is vital to understand the potential risks to biometric systems to ensure effective security measures. Some of the threats to Biometric security include:
1. Spoofing Attacks:
Spoofing attacks involve presenting a replica or imitation of an individual’s biometric trait (a printed photograph, a silicone fingerprint, a recorded voice) to gain unauthorized access. The risk grows if a malicious actor gains access to the biometric database, because stored samples can be used to build such replicas. This is a risk not only to the business you are part of but to your identity itself, since attackers can reuse stolen biometrics for illegitimate purposes and the trait cannot be reissued.
2. Data Breaches
Biometric data, like any other form of personal information, is vulnerable to data breaches. If an organization’s biometric database is compromised, it can result in serious security implications. Stolen biometric data can be used for impersonation and identity theft.
3. Privacy Concerns
The use of biometrics raises concerns about privacy and data protection. Individuals may be hesitant to share sensitive biometric data for fear of misuse or unauthorized access, because if an unauthorized person obtains your biometrics the result is a breach of privacy that cannot be undone by changing a credential.
4. Inaccuracy and Fraud
Most biometric systems do not compare complete samples. Even where complete data is stored, matching is performed on extracted features with a tolerance threshold, so that the process is fast and small variations between captures (pressure, angle, lighting) do not lock the legitimate user out. The result is a trade-off: the looser the threshold, the more false acceptances; the tighter, the more false rejections. Anyone who learns which features the system relies on, or who can observe the match score it reports, has a path to defeating it fraudulently.
5.System Failures
No system is perfect, and biometric systems can fail. Such failures are a minor inconvenience where biometrics are one of several authentication options, but where they are the only option there is no fallback.
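The enrollment-and-verification flow described earlier (store a derived template rather than the raw sample, and protect that template) and the tolerance for minor discrepancies noted under Inaccuracy and Fraud can be shown together with a fuzzy commitment scheme. The following Python is an added example written for this article, not code from the article or from any product or statute it mentions; the 96-bit “templates” are constructed pseudo-random bit strings standing in for a real feature vector, and the three-fold repetition code stands in for the stronger error-correcting code (for example BCH) a deployed scheme would use.

```python
"""Fuzzy commitment for a biometric template (added example, constructed data)."""
import hashlib
import random
import secrets

TEMPLATE_BITS = 96                       # length of the constructed feature bit string
REPEAT = 3                               # repetition code: each secret bit is stored 3 times
SECRET_BITS = TEMPLATE_BITS // REPEAT    # 32 random secret bits per enrollment


def _encode(secret):
    """Repetition-code encoder: [s0, s1, ...] -> [s0, s0, s0, s1, s1, s1, ...]."""
    return [bit for bit in secret for _ in range(REPEAT)]


def _decode(noisy):
    """Majority vote per group of REPEAT bits; corrects at most one flip per group."""
    return [1 if sum(noisy[i:i + REPEAT]) * 2 > REPEAT else 0
            for i in range(0, len(noisy), REPEAT)]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _commit(secret):
    """Hash of the secret bits; this is stored instead of the secret itself."""
    return hashlib.sha256(bytes(secret)).hexdigest()


def enroll(template):
    """Build the record to store.  `helper` is the template masked with a random
    codeword and `commit` a hash of the secret behind that codeword; neither
    field reveals the template on its own."""
    if len(template) != TEMPLATE_BITS:
        raise ValueError("template has wrong length")
    secret = [secrets.randbits(1) for _ in range(SECRET_BITS)]
    return {"helper": _xor(_encode(secret), template), "commit": _commit(secret)}


def verify(record, probe):
    """Accept when `probe` differs from the enrolled template by no more than the
    code can correct.  helper XOR probe == codeword XOR (template XOR probe), so
    the noise left on the codeword is exactly the capture-to-capture difference."""
    if len(probe) != TEMPLATE_BITS:
        return False
    recovered = _decode(_xor(record["helper"], probe))
    return _commit(recovered) == record["commit"]


def hamming(a, b):
    """Number of differing bits between two equal-length bit lists."""
    return sum(x != y for x, y in zip(a, b))


def make_template(seed):
    """Constructed stand-in for feature extraction: a seeded pseudo-random bit string."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def flip(bits, positions):
    """Copy of `bits` with the given positions inverted (simulated capture noise)."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    template = make_template(1)
    record = enroll(template)
    # 8 flipped bits spread so that no group of 3 holds more than one: within capacity.
    genuine = flip(template, [0, 4, 8, 13, 20, 31, 50, 95])
    # Only 2 flipped bits, but both in the same group: beyond capacity, rejected.
    too_noisy = flip(template, [0, 1])
    impostor = make_template(2)              # an unrelated person's constructed template
    return {
        "same_sample": verify(record, template),
        "genuine_noisy": verify(record, genuine),
        "too_noisy": verify(record, too_noisy),
        "impostor": verify(record, impostor),
        "impostor_distance": hamming(template, impostor),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stored record holds only the masked codeword and a hash of the random secret, so a breach of the record does not hand the attacker the template, and because the secret is fresh for every enrollment the record can be revoked and replaced, which a raw fingerprint cannot. The code’s correction capacity is also the acceptance threshold: a probe within it (here, one flipped bit per group) is accepted and anything outside is rejected, so choosing the code is choosing the balance between false rejections and false acceptances. Real feature vectors are not uniformly random, which is why the helper data of practical schemes still leaks some information and why stronger codes and longer templates matter.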
LIMITATIONS BY GOVERNMENT ON PRIVACY
Biometric data may be collected from an individual only with their consent to its use for an authorized purpose. Given its sensitive nature, biometric data must be collected only for a lawful purpose connected to something essential. Once that purpose is fulfilled, the entity that collected the biometric must not use it for any other purpose unless this is required and fresh consent is given, so as to maintain the individual’s Right to Privacy [5]. However, where the safety of the public at large or national security is concerned, the right to privacy in relation to biometrics may be curtailed to some extent, subject to proportionality between privacy rights and the state’s interest.
SECURITY PROTOCOLS FOR BIOMETRIC SAFETY
Public Awareness- Educating the public about the potential risks of biometrics and the precautions to take when using them, so as to empower their decision-making.
Incident Response- Establishing protocols, such as revoking access and notifying affected users of the probable device or location involved, to respond promptly whenever there is an unauthorized attempt to access the data.
Multi-factor authentication- Combining biometrics with another factor, such as a one-time security code or a password, adds an extra layer of data security.
Liveness Detection- Liveness detection checks whether the biometric presented comes from a living, present person rather than a photograph, recording or mould, and so helps prevent spoofing attacks.
Continuous Monitoring- Monitoring user behaviour and system logs for unusual patterns or anomalies, for example repeated failed matches from a single device, ensures prompt identification of and response to threats.
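To make the continuous-monitoring item concrete, here is a small detector that runs over verification logs. It is an added example, not code from the article or from any product the article mentions. The log format (one line per attempt with user, device, modality, result and match score) and the sample lines are constructed for the example; a real service would emit its own format and the regular expression would change accordingly. It flags three patterns: a burst of failed matches from one device, a run of failures whose score rises on every attempt (an attacker tuning a forgery against a system that leaks its score), and the same user passing on two different devices within minutes.

```python
"""Anomaly checks over biometric verification logs (added example, constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one line per verification attempt.  Not from any real
# system; the field names are assumptions made for this example.
SAMPLE_LOG = """
2024-05-01T09:00:01Z user=alice device=kiosk-1 modality=face result=fail score=0.41
2024-05-01T09:00:09Z user=alice device=kiosk-1 modality=face result=fail score=0.48
2024-05-01T09:00:17Z user=alice device=kiosk-1 modality=face result=fail score=0.55
2024-05-01T09:00:26Z user=alice device=kiosk-1 modality=face result=fail score=0.63
2024-05-01T09:00:35Z user=alice device=kiosk-1 modality=face result=fail score=0.71
2024-05-01T09:00:51Z user=alice device=kiosk-1 modality=face result=pass score=0.81
2024-05-01T09:03:00Z user=bob device=kiosk-2 modality=finger result=pass score=0.90
2024-05-01T09:04:10Z user=bob device=kiosk-7 modality=finger result=pass score=0.88
2024-05-01T09:10:00Z user=carol device=phone-3 modality=finger result=fail score=0.35
2024-05-01T09:10:20Z user=carol device=phone-3 modality=finger result=pass score=0.92
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"modality=(?P<modality>\S+) result=(?P<result>pass|fail) score=(?P<score>[0-9.]+)$"
)


def parse_log(lines):
    """Parse log lines into dicts (malformed lines are skipped), sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["score"] = float(e["score"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failed_run_alerts(events, max_fail=5, window=timedelta(minutes=2)):
    """(user, device) pairs with at least `max_fail` failures inside `window`."""
    recent = defaultdict(deque)
    alerted = set()
    for e in events:
        if e["result"] != "fail":
            continue
        key = (e["user"], e["device"])
        q = recent[key]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= max_fail:
            alerted.add(key)
    return sorted(alerted)


def hill_climb_alerts(events, min_run=4):
    """Runs of at least `min_run` consecutive failures from one (user, device)
    whose score rises on every attempt: the signature of an attacker tuning a
    forgery against a system that reports its match score."""
    runs = defaultdict(list)
    alerted = set()
    for e in events:
        key = (e["user"], e["device"])
        run = runs[key]
        if e["result"] != "fail":
            run.clear()                      # a pass ends the run
            continue
        if run and e["score"] <= run[-1]:
            run.clear()                      # score did not rise: new run starts here
        run.append(e["score"])
        if len(run) >= min_run:
            alerted.add(key)
    return sorted(alerted)


def device_hop_alerts(events, min_gap=timedelta(minutes=5)):
    """Same user passing on two different devices less than `min_gap` apart."""
    last_pass = {}
    alerts = []
    for e in events:
        if e["result"] != "pass":
            continue
        prev = last_pass.get(e["user"])
        if prev and prev["device"] != e["device"] and e["ts"] - prev["ts"] < min_gap:
            alerts.append((e["user"], prev["device"], e["device"]))
        last_pass[e["user"]] = e
    return alerts


def run_all(lines):
    events = parse_log(lines)
    return {
        "failed_run": failed_run_alerts(events),
        "hill_climb": hill_climb_alerts(events),
        "device_hop": device_hop_alerts(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Each alert carries the (user, device) pair that the incident-response item above needs: lock out the device, notify the user, and review whether the client should be shown the match score at all, since a score-climbing run is only possible when it is.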
Laws for protecting biometrics:
At present, Indian law requires that the principles governing sensitive personal data or information also apply to the possession, handling and processing of biometric data. The IT Act regulates biometric data because such data can be collected and processed using a computer resource and constitutes a form of personal data.
The draft Personal Data Protection Bill of 2018 was the first attempt at an inclusive legal framework for protecting individuals’ biometric information, with provisions regulating the collection, storage and use of personal data, including biometric identifiers. Two further bills, presented in Parliament in 2019 and 2021, were withdrawn owing to inadequacies, which led to the enactment of the Digital Personal Data Protection Act 2023 [6] (DPDPA). The Data Protection Board of India established under the DPDPA is the core monitoring and enforcement authority on the protection of biometric data: it oversees the lawfulness of biometric processing and takes action when the Act’s provisions are violated or breached. Its European counterpart is the General Data Protection Regulation (GDPR), which provides a comprehensive framework of rules and procedures applicable across the European Union.
Landmark judgments have also shaped the interpretation of this legislation as a safeguard against the exploitation of biometrically protected data and for the maintenance of privacy in India. The Supreme Court upheld the constitutional validity of a statute requiring the use of biometrics, while stressing the nature of the data, the purpose and place of its collection, and the transactions linked to it. In the same case the Court read down Regulation 27 of the authentication regulations, reducing the period for which authentication records may be stored from five years to six months, and struck down some provisions of the Aadhaar Act as unconstitutional. [7]
Under the Aadhaar Act of 2016, people may confirm their identity against the Aadhaar database using fingerprints, iris scans and other biometric modalities, which provides a secure and unique identity verification for a variety of services.
The Supreme Court has advised government agencies and commercial entities to establish a “compelling legitimate purpose” in using biometric data because it has a significant impact on citizens’ “right to privacy.” This is because authenticating an individual’s identity involves the collection, processing, sharing, storing, and eventually deleting of biometric data. Therefore, two fundamental concepts enshrined in the Act are “consent” and “purpose limitation,” which state that biometric data should only be used for compelling, lawful purposes.
For example, as part of its Know-Your-Customer (“KYC”) requirements, the Reserve Bank of India (“RBI”) permits banks and lending institutions to use video-based systems to monitor customer onboarding and identification verification. Before requesting personal information, the financial organization must notify the persons in question of the reason for processing the data and obtain their agreement in order to fulfill its KYC duties.[8]
The following are some important factors to take into account while gathering and using biometric data covered by the Act:
Application: Unlike previous iterations of data protection legislation, the Act does not classify personal information, including biometric information, as sensitive. Sensitivity may, however, affect how the legal entities that gather the data (the “Data Fiduciary”) are classified and penalized.
Consent and Notice: Biometric information may only be collected for valid reasons that are essential to the Data Fiduciary’s job. Before collecting biometric information from a person (the “Data Principal”), such a legal entity must get her verified consent. A notification outlining the Data Principal’s rights (as outlined in Chapter III of the Act) about the biometric data being collected must be delivered with this consent. Additionally, information on the grievance redressal process must be provided.
Data Retention: There are restrictions on the use of the biometric data gathered. Once the processing purpose has been achieved, the biometric data must be deleted from the systems of the Data Fiduciary and of any vendor (the “Data Processor”) that had access to it with the Data Principal’s permission. [9]
Disclosures: Before sharing any biometric information with suppliers or other third parties, the Data Fiduciary must get the Data Principal’s permission. However, disclosure for legal objectives such as criminal identification, prevention, investigation, prosecution, and punishment does not require consent.
Transfer of Data: Only with the consent of the data principal in issue, or if doing so is necessary to fulfill a legitimate contract between the data principal and the data fiduciary, may biometric information be shared with other parties, both inside and outside of India. The government would also have the authority to whitelist and ban such cross-border data exchanges.
Reasonable Security Measures: A Data Fiduciary must have “reasonable security safeguards” in place to prevent data breaches. The Data Fiduciary may be fined up to ₹250 crore if these safeguards are not implemented, and this extends to breaches caused by a third party to whom the biometric information was transferred.
A Data Fiduciary is therefore responsible for ensuring that a vendor has an adequate cybersecurity framework and is bound by contract in the event of a breach.
Data Protection Officer and Consent Manager: The Act provides for Consent Managers, registered with the Data Protection Board, through whom a Data Principal can give, manage, review and withdraw consent, and requires Significant Data Fiduciaries to appoint a Data Protection Officer. When the Data Principal withdraws consent, the Data Fiduciary must stop processing and erase the biometric data from its systems unless retention is required by law.
CONCLUSION
The study leads us to conclude that biometrics are unique biological or physical measurements for which numerous authentication methods are available. For fingerprints, the probability of two individuals sharing the same print is commonly quoted as 1 in 64 billion. For voice recognition between identical twins, reported error rates range from 0 to 48%, since twins tend to have similar fundamental speaking frequencies. Reported accuracy for biometric authentication is around 99%, which is impressive, though at scale a 1% error rate still means many false acceptances or rejections every day.
It can be said that biometrics are difficult to steal, replicate and use, but not impossible.
They should therefore be regulated strictly, and sectors such as finance, healthcare and departments handling national data should offer additional options for availing of services. Likewise, when a biometric check fails there should be other ways to prove identity without biometrics, so that a system failure does not lock people out.
After all this, however, the automated unique features protecting data are nowhere near foolproof: they can be subject to unauthorized access and to limitations imposed by the government. Unauthorized breach of these safety systems has other impacts as well, and it is addressed by laws such as the DPDPA and the IT Act.
Biometrics therefore give a gratifying result in protecting privacy and safety in the cyber world, but with risks that cannot be left out of consideration when using digital data protected by biometrics. The data they guard is only as secure as the biometric system itself and, above all, its template store.
[1] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, rule 2(1)(b)
[2] Optimal IdM. (n.d.). Types of biometric authentication. Optimal IdM. https://optimalidm.com/resources/blog/types-of-biometrics-sensors/
[3] Optimal IdM. (n.d.). Types of biometric authentication. Optimal IdM. https://optimalidm.com/resources/blog/types-of-biometrics-sensors/
[4] Office of the Victorian Information Commissioner. (n.d.). Biometrics and privacy – Issues and challenges. OVIC. https://ovic.vic.gov.au/privacy/resources-for-organisations/biometrics-and-privacy-issues-and-challenges/
[5] Indian Constitution, art 21
[6] The Digital Personal Data Protection Act 2023
[7] Justice K.S. Puttaswamy vs Union of India, (2017) 10 SCC 1
[8] Unique Identification Authority of India. (n.d.). Authentication ecosystem. https://uidai.gov.in/en/ecosystem/authentication-ecosystem.html
[9] King Stubb & Kasiva. (2023, November 2). Regulation of biometric data under the Digital Personal Data Protection Act, 2023. KSK Advocates & Attorneys. https://ksandk.com/data-protection-and-data-privacy/regulation-of-biometric-data-under-the-dpdp-act/
Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.

