After biometric data breach, are digital identities secure?

December 4, 2019 by Steve Ritter

When I sat down to write this post, I thought of starting with a spoof headline: “Biometric data breach creates new business opportunity in fingerprint replacement!” The first line would have read: “Oh no, that’s right, fingerprints aren’t replaceable.”

Probably not such a great editorial inspiration. Still, the spoof would have made the point: If your driver’s license is compromised, you can get a new one. You might even be able to get a new social security number. But, even before you learn what biometrics are, you know you can’t get new fingerprints. And, unless you’re willing to undergo expensive, painful, risky surgery, you can’t change your irises or your facial characteristics either. If your biometric data gets hacked, it’s no longer useful for identity verification (IDV) for the rest of your life.

That’s why it was so disturbing to read that white hat security researchers hacked into the Suprema Biostar 2 database, gaining access to fingerprints for over a million people as well as other biometric and personally identifiable information (PII). As recently as July, in Mitek’s The Future of Identity white paper, I was able to write, “Breach of stored biometric data have thus far been rare …” A month later, news about the hack broke. In fact, critics of India’s Aadhaar, at this point one of the world’s largest biometric identification systems, have been anticipating security breaches due to its infrastructural flaws for years. Though biometric data was allegedly not exposed for purchase, names, addresses, emails, photographs and phone numbers were.

And while it’s good news the Suprema Biostar 2 database breach was perpetrated by white hats, the impending threat still looms. So, while biometrics has sometimes been talked about as a “silver bullet” for identity verification, questions are now being raised about the wisdom of relying on them too much.

I think caution is warranted. While biometrics are widely used in leading IDV solutions, they should, in my opinion, be just one element in a mix of technologies. In the case of Mitek Mobile Verify®, facial recognition biometrics are combined with other types of computer vision as well as machine learning and deep learning AI bots. While minimizing demographic bias, together they determine if an individual is submitting a photo of a legitimate government-issued ID, and if it matches a selfie submitted at the same time.

During and after this self-serve IDV process, multi-layered encryption protects individual user data in transit and at rest. For each individual, the software creates a master-level encryption key, which is used to generate a time-limited transaction-level encryption key. Mobile Verify does not store any PII beyond what is necessary for IDV. Mitek has a minimum retention policy by default.

I believe this layering is one of the best approaches for secure customer onboarding today. I also fully expect new elements will continue to be added to the solution mix as technologies advance and business needs evolve. Beyond further AI, behavioral biometrics and permissioned blockchain distributed ledgers are very promising. If you’d like to find out more about the current state of identity verification and where it’s headed, download The Future of Identity white paper.