Do you use your fingerprint to log into your banking app? What about for authenticating a payment? Does your work use face or iris recognition for accessing secure facilities? Do you unlock your phone with a biometric? If so, you might be wondering where that data is stored. And for those of you worried about privacy, if that data is being sold to the highest bidder.
Is Biometric Data a Commodity?
Companies selling user data is all the rage today, and this isn’t a new trend. Social media sites like Facebook and Twitter have been selling user data for nearly a decade, and now more firms are following suit. Google sells search data. Mobile games sell your user data. Amazon sells your purchase data. It’s one of the biggest industries that very few consumers have actually heard of. But data-brokering firms are some of the largest companies on earth today because we are constantly putting new information out on the Internet to be siphoned off, categorized, and sold to the highest bidder. And that doesn’t even touch on the black market.
FREE WHITEPAPER: MULTI FACTOR AUTHENTICATION: THE PATH FORWARD FOR SECURITY
But when it comes to biometric data, in many cases you’re safe. For one, mobile apps that use your fingerprint or face to log into don’t actually access your biometric data. The template you generate when you enroll your fingerprint or face is securely stored on your smartphone, and only used for matching purposes. The actual biometric isn’t sent to the company at any point. So rest easy knowing that your biometrics are safe from this data brokering.
But what about the device manufacturers themselves?
Biometric Data as Identity
When you use your fingerprint, face, or now iris, on a smartphone, you’re storing highly sensitive personal data on the device. Typically, that data is secured on the device itself and never accessed by outside sources. However, Apple, Google, and other mobile device manufacturers do have access to your device for pushing updates and security. Could they access and steal your biometrics as well?
Simply put, no.
Much like the secure storage of passwords, biometric data collected on a mobile device should always be stored encrypted, and all the major players follow this practice. This means when you scan your finger, face, or irises, a template is created and encrypted to protect it, even from the manufacturer, and the original images are destroyed. Those encrypted templates are what is stored and used for matching later on, not the original, unprotected scan. If Apple or Google did take that template for whatever reason, it would be useless to them as standalone data.
In current practice, your use of biometrics is incredibly safe and secure. At the end of the day, you still own your biometric data when it is properly secured and stored using encryption methods. To continue ensuring this safely we need to keep iterating on existing methods and systems for secure biometric authentication, however. Systems that use advanced cryptography, such as visual cryptography and distributed data models, will provide significantly more security and privacy for end users and companies alike.