“It is not true that we have little time: the truth is that we waste much of it” – De Brevitate Vitae, Lucius Annaeus Seneca.


Time never seems to be enough. Technological evolution has sped up access to many services but, on the other side, it has had to deal with security problems and threats. For this reason we moved from a simple “user name” and “password” authentication to long and complex procedures: entering PIN codes, codes associated with the user through a “grid card”, the use of tokens generating one-time passwords (OTP) and other tools meant to prevent electronic fraud, which, inevitably, have slowed down the procedure and sometimes even the availability of the service.
Of course, the experience gathered with those identification methods (MFA, Multi-Factor Authentication) and the need to remember many passwords have been an obstacle to the spread of these electronic instruments. In Italy, for instance, e-commerce is growing slowly and cash payments remain preferred, since the user perceives the transaction he is about to make as both secure and immediate.
For these reasons the world leaders of the online market are trying to simplify the use of electronic payments as far as possible, in order to boost their adoption and increase their profits. It is sufficient to think of how Amazon introduced one-click purchasing (after the credit card details have been associated with the account, of course), or of the new “Dash Button”, a small physical button that places the order for a chosen product without even turning the laptop on. In the very near future banks, above all, will see their business shift more and more towards digital payment methods, and they are therefore implementing “Cybersecurity Fraud Prevention” solutions that guarantee the trustworthiness of the system through protected authentication.
To solve these diverse problems, whether for online purchases or for physical or logical access to an infrastructure, the trend is towards biometric recognition systems, since by nature they are directly, univocally and stably over time linked to the individual, through a profound relation between the body, the behaviour and the identity of the person.
Biometrics (from the Greek “bios” = life and “metron” = measure) is defined as the discipline that studies biophysical quantities in order to identify their functioning mechanisms, measure their value and induce a desired behaviour in specific technological systems. Conventionally, these authentication systems draw on “biological properties, behavioural aspects, physiological characteristics, biological traits or repeatable actions, where such characteristics or actions are both proper to a certain individual and measurable, even if the methods actually used to measure them technically involve a certain degree of probability” (ISO/IEC 2382-37, “Information Technology – Vocabulary – Part 37: Biometrics”).
Because of their peculiar specificity, adequate protection must be guaranteed when such data are handled: depending on the chosen technique, the context of use, the number and type of potential users, and the modalities and purposes of the processing, specific risks for fundamental rights and freedoms can arise. These recognition systems fully satisfy the requirements of uniqueness (distinctive capacity for each person), permanence (invariance over time, or only slow change) and universality (presence in every individual) but, unfortunately, they are still too weak and vulnerable.
For instance, if traditional login credentials are stolen or lost, new ones can simply be issued; biometric data, on the contrary, cannot be changed (apart from its natural mutation over time), being unique of its kind. A fundamental factor will therefore be adding appropriate cryptography to keep this information safe. The risks related to biometric data impose, consistently with the European eIDAS Regulation governing electronic identification, authentication and digital signatures, the obligation to inform the Data Protection Authority (in Italy, the Garante per la protezione dei dati personali) of data breaches or security incidents within 24 hours of becoming aware of them – following the scheme set out in the guidelines of the General Provision on biometrics (12 November 2014, Annex B) – at the e-mail address indicated by the national authority (in Italy, databreach.biometria@pec.gpdp.it).
Among the different categories of biometric data (Table 1), fingerprint recognition represents around 90% of the technologies already in use and keeps winning market share day after day. Examples are its use on various mobile devices, to enable access to information services, or in systems designed to grant physical access to infrastructures (such as banks, libraries or reserved areas within companies). In any case, the Garante allows this type of recognition to be used only for “facilitation purposes”, always with the consent of the person concerned and, above all, with the obligation to provide alternative access methods for anyone who refuses to use such biometric instruments.
From a legal point of view, the use of biometric data requires compliance with some key principles of the law (consent, necessity, purpose and proportionality), as we are speaking of “quasi-sensitive” personal data, capable of making an individual identified or identifiable. Before the enrolment phase (acquisition of the biometric sample, its storage and the extraction of features to generate the stored reference data) the citizen must receive from the data controller the mandatory information notice, stating the intended purposes (for instance, a fingerprint used to access a reserved area cannot be used to monitor employees' working hours), the processing methods, the precautions adopted (the security measures applied) and, last but not least, the data retention period. Under several national privacy rules it is also necessary to obtain from the Data Protection Authority a prior check of the information notice, with only a few sectors exempted.
Important news is expected from the entry into application of two European rules, the GDPR (General Data Protection Regulation) and PSD2 (Payment Services Directive 2), which become binding in 2018. The Union's privacy regulation, besides defining which data must be protected (for example, biometric data enters the category of sensitive data), also requires a risk analysis to avoid discriminatory uses of this instrument, which could quickly turn from a security resource into a generalised control instrument for gaining information on health, ethnicity or race. It is therefore requested to privilege biometric systems that require the willing cooperation of the person concerned and, where possible, store the smallest quantity of associated information, so as to reduce the chance of a hypothetical reconstruction of the sample during processing. Also very important is the rule on electronic payments, which requires “strong” authentication to guarantee the security of transactions. Since 23 February 2017, the Final Report (Draft Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication under Article 98 of Directive 2015/2366) specifies the technical standards for authentication and communication. From it follows the obligation of every Member State to ensure that payment service providers apply strong customer authentication when: the payer accesses a payment account online; the payer initiates an electronic payment transaction; or the payer carries out, through a remote channel, any action which may imply a risk of payment fraud or other abuses. The introduction of the new payment services (PISP, payment initiation, and AISP, account information) will have to go hand in hand with new systems able to guarantee security without any possibility of error.
Unfortunately, a delicate aspect of biometric systems is precisely the possibility of error. The technology used has a certain predisposition to errors during the recognition phase, when the system generates a numerical value, called the “score”, expressing how similar the freshly acquired template is to the reference record acquired during the enrolment phase.
The score is compared with a predefined minimum value, called the “matching score” (the decision threshold), which can vary according to the settings of the different devices. On this very point the Article 29 Data Protection Working Party, in its Opinion 3/2012 on developments in biometric technologies, stated that “with a correct setting of the system and an exact adjustment of the settings it is possible to reduce errors to a minimum”.
In the light of these considerations, the tolerated margin of error should depend on the purpose of the processing. Lowering the threshold reduces the False Rejection Rate (FRR, the share of legitimate users turned away) but raises the False Acceptance Rate (FAR, the share of impostors let in); a setting that tolerates an elevated FAR can therefore be justified, from a security standpoint, only in well-defined cases, while raising the threshold buys a lower FAR at the price of more rejections of legitimate users.
As regards data retention, the regulations do not prescribe a particular storage method. The data could, for instance, be kept by the individual, preserved in a centralised database (possibly protected by a Hardware Security Module), on digital workplace tools, or even on the secure biometric acquisition device itself (such as a token or a smart card), thus placed under the direct and exclusive control of the user and protected by adequate cryptographic capabilities, certified for the required functions in conformity with the technical standards ISO/IEC 15408 or FIPS 140-2. The raw biometric data generated during the capture process must be erased from temporary memory areas in order to guarantee security and confidentiality.
User recognition can therefore be based on biometric verification (a process in which the individual declares his or her identity and the system compares the freshly acquired biometric template with the stored one corresponding to the declared identity), also called “one-to-one” comparison, or on biometric identification (a process in which the system compares the given template with all available templates to determine the subject's identity), a “one-to-many” comparison, which is a far more complex operation. In both cases, as underlined by the ENISA recommendations, the data must be protected by cryptographic means or in databases supporting record- or column-level encryption.
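The following is an added example, not code from the article or from any of the products, projects or authorities it cites. It makes the two previous points concrete: how a score is set against a threshold and how FAR and FRR move with it, and how the same matcher serves both one-to-one verification and one-to-many identification. Everything in it is constructed: the “templates” are fixed-length feature vectors derived from a hash (an assumption standing in for real minutiae data), the capture-to-capture variation is Gaussian noise (also an assumption), and the user names and thresholds are illustrative.

```python
# Added example (not from the article): score-threshold matching, the FAR/FRR
# trade-off, and 1:1 verification vs 1:N identification on constructed data.
# Assumptions: templates are synthetic fixed-length feature vectors, and a
# fresh capture of the same finger is the reference plus Gaussian noise.
import hashlib
import random

TEMPLATE_LEN = 32   # assumption: fixed-length feature vector per finger
NOISE_SD = 0.1      # assumption: capture-to-capture variation of one finger


def make_template(seed, rng=None):
    """Reference template for `seed`; with `rng`, a fresh noisy capture."""
    digest = hashlib.sha256(seed.encode()).digest()
    values = [b / 255.0 for b in digest[:TEMPLATE_LEN]]
    if rng is not None:
        values = [min(1.0, max(0.0, v + rng.gauss(0.0, NOISE_SD))) for v in values]
    return values


def capture(user, seed):
    """Simulate one fresh capture of `user`'s finger (constructed noise)."""
    return make_template(user, random.Random(seed))


def score(probe, reference):
    """Similarity in [0, 1]: 1 minus the mean absolute feature difference."""
    diff = sum(abs(a - b) for a, b in zip(probe, reference))
    return 1.0 - diff / len(reference)


# Enrolment: one reference template per user (constructed population).
USERS = ["alice", "bob", "carol", "dave", "erin"]
ENROLLED = {u: make_template(u) for u in USERS}


def collect_scores(trials=200, seed=1):
    """Genuine scores (same finger, new capture) and impostor scores
    (one user's capture matched against another user's reference)."""
    rng = random.Random(seed)
    genuine, impostor = [], []
    for _ in range(trials):
        user = rng.choice(USERS)
        probe = make_template(user, rng)
        genuine.append(score(probe, ENROLLED[user]))
        other = rng.choice([u for u in USERS if u != user])
        impostor.append(score(probe, ENROLLED[other]))
    return genuine, impostor


GENUINE, IMPOSTOR = collect_scores()


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """(FAR, FRR) at a threshold: FAR = impostors accepted, FRR = genuine rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """Threshold at which FAR and FRR are closest (the EER operating point)."""
    best_t, best_gap = 0.0, float("inf")
    for i in range(steps + 1):
        t = i / steps
        far, frr = rates(t, genuine, impostor)
        if abs(far - frr) < best_gap:
            best_t, best_gap = t, abs(far - frr)
    return best_t


def verify(claimed_user, probe, threshold):
    """1:1 verification: compare the probe only with the claimed identity."""
    reference = ENROLLED.get(claimed_user)
    return reference is not None and score(probe, reference) >= threshold


def identify(probe, threshold):
    """1:N identification: best-scoring enrolled user, or None if nobody
    reaches the threshold (an unenrolled person must not be matched)."""
    best_user, best_score = None, threshold
    for user, reference in ENROLLED.items():
        s = score(probe, reference)
        if s >= best_score:
            best_user, best_score = user, s
    return best_user


if __name__ == "__main__":
    t = equal_error_threshold()
    for threshold in (0.4, t, 0.99):
        far, frr = rates(threshold)
        print(f"threshold {threshold:.3f}: FAR={far:.3f} FRR={frr:.3f}")
    probe = capture("alice", 7)
    print("verify alice:", verify("alice", probe, 0.85))
    print("verify bob with alice's finger:", verify("bob", probe, 0.85))
    print("identify:", identify(probe, 0.85))
    print("identify unenrolled:", identify(capture("zed", 3), 0.85))
```

Running it shows the trade-off from the text directly: at a very loose threshold (0.4) every impostor trial is accepted (FAR = 1) while no genuine user is rejected, at a very strict one (0.99) almost every genuine user is rejected, and the equal-error point sits between the two score populations. The identification branch also shows why “one-to-many” is the harder case: the threshold is the only thing preventing an unenrolled person from being matched to whichever enrolled user happens to score highest.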
In the near future we foresee avant-garde projects such as the PIDaaS programme (Private Identity as a Service), which involves employees of the Information System Consortium using biometric recognition in order to view a salary transfer or other documents. In the same light we should read the statement by Augustin de Romanet, head of Aéroports de Paris, who declared, speaking about biometric recognition, that “in perspective it is a solution we could probably look forward to”, a sentence recorded before de Romanet's trip to Ben Gurion airport in Tel Aviv to study the methods used by the security forces there.
As we have seen, a proper discipline has not yet been enacted, but the new regulations entering into force in 2018 will certainly lay the foundations for a clear, transparent and uniform interpretation of this topic. It is clear that speed of authentication will be an essential driver to push the market in this direction, but data security, understood as integrity, availability and confidentiality, is a fundamental right that must be protected at all costs.

Michele Gallante | Researcher at the Global Cyber Security Center
