Protect Biometric Data

Biometrics, like fingerprints and iris scans, are being used more and more as a reliable form of authentication for online transactions. But how can we be sure that this data won’t be compromised?

To ensure security and privacy when managing and processing biometric information, ISO has published a new International Standard, ISO 24745:2011, Information technology – Security techniques – Biometric information protection.

Biometrics refers to the automated identification of individuals based on their behavioral and physiological characteristics. It includes recognition technologies based on face, iris, or palms image, voice patterns, and the like.

Mr. Chun, Project Editor of ISO 24745 explains, “As the Internet is increasingly used to access services with highly sensitive information, such as e-Banking and remote healthcare, the reliability and strength of authentication mechanisms is critical. Biometrics is regarded as a powerful solution because of its unique link to an individual that is nearly or absolutely impossible to fake.

“And the technology has come of age. The cost of biometric techniques has been decreasing, while their reliability and popularity have been growing. But biometric identification raises unique privacy concerns.

“While the unchanging and distinct association with an individual on the one hand, provides strong assurance of authentication, this binding which links biometrics with personally identifiable information on the other hand, carries some risks, including the unlawful processing and use of data. ISO 24745 is an invaluable tool for addressing those risks.”

With biometrics, if the authentication information is compromised, usual solutions such as issuing a new password or token are not available because biometric characteristics are difficult or impossible to change. Moreover, as more and more personal identifiable information is linked with biometric references, and this data is shared across international borders, it is crucial to safeguard the security of a biometric system and the privacy of data with solid countermeasures as outlined in ISO 24745.

The standard specifies:

  • Analysis of threats and countermeasures inherent in a biometric and biometric system application models
  • Security requirements for binding between a biometric reference and an identity reference
  • Biometric system application models with different scenarios for the storage and comparison of biometric references
  • Guidance on the protection of an individual’s privacy during the processing of biometric information.

You can order ISO 24745:2011 at this web page of the ANSI e-StandardsStore.