Police: Access control is the basis of all security. The right people must be allowed to enter and the wrong people must be kept outside. This is done by confirming – or authenticating – the identity of the person seeking access and then verifying that the person is authorized to enter.
Authentication is the process of verifying an identity, using one or more factors. The different factors are usually related to something you know (like your username and password), something you own (for example your phone, where a unique password is sent), or something you are (a form of biometric recognition, such as fingerprints).
However, if a criminal acquires a person’s user ID or password and uses this data to impersonate them, the criminal is automatically authorized to gain access. Therefore, strictly speaking, a password does not authenticate the user itself; it simply authorizes a device, regardless of who is using it. But does the same apply to biometrics?
Can facial biometrics be stolen and tampered with?
If a biometric is stolen, for example, it cannot be changed as easily as a stolen password. But what about the fingerprints or facial scans used to authenticate users in public places? Can they be a threat to data security and people’s privacy?
Facial recognition in public places
Physical biometrics has long been considered a safe, low-friction way to give users access to systems. Specifically, facial biometrics – much appreciated by governments and law enforcement agencies, who use it to authenticate (or, more likely, recognize) individuals – can solve fundamental security problems, because it is the person themselves who is being identified. But is it a good idea to use the technology for this purpose?
When public organizations or governments use biometric recognition, they compare the digitized sample to huge databases of control scans. However, this only works as a form of recognition and authentication if the scanned image is included in the database.
In legal terms, this means that checks of “innocent” people are included among the checks of known criminals. It reverses the long-held principle that people are innocent until proven guilty, because it assumes that people are guilty until the biometric database proves their innocence.
Large databases of biometric controls may be among the main targets of cybercriminals
While it is difficult to falsify biometric data, we must not forget that large databases are always extremely attractive to cybercriminals.
For this reason, we should not wait for a major leak to assess the privacy regulations and security standards in the industry. Any institution, public or private, that engages in biometric authentication must be held responsible for the users’ personal data that it stores.
It must be kept in mind that, regardless of the best intentions, the data can inevitably end up in places that were not foreseen, especially due to the actions of cybercriminals and unscrupulous rulers. Therefore, it is always necessary to measure the risks of where they may end up.