How biometric authentication meets GDPR requirements

Companies that want to do business in the EU must adapt to the new data protection standards set forth by GDPR and PSD2, or prepare to face the consequences. But for many businesses, the prospect of adopting a litany of new security measures can seem daunting (and time-consuming). Between both sets of regulations, businesses are looking at many layers of necessary security and authentication for both their employees and their customers – an outlook which many find to be discouraging, to say the least. But there is an alternative: biometric authentication. With the use of biometrics, user authentication can be whittled down from a laborious and inconvenient multi-phase process to something far simpler.

Biometric authentication can be used to streamline the process of securing sensitive information and help prevent unauthorized access in a number of different ways. And with new regulations constantly looming overhead, a growing number of businesses are looking to step forward into the future of data protection now – rather than later.

Biometric authentication and GDPR

Experts agree that the high level of security biometric authentication offers, along with its ease of use, makes it an easy winner when it comes to security. Passwords are quickly becoming a thing of the past, and are now mostly regarded as a vulnerability begging to be exploited. Weak, reused or compromised passwords are one of the biggest threats to security across the board. Whether it's a data breach, identity fraud or account takeover, a faulty password is often to blame.

There are people out there still using “12345” as their password – and some of them might even be people you know. It should surprise no one that passwords are one of the easiest things to exploit.

As FIDO Alliance reports, 81 percent of data breaches in 2018 were accomplished using stolen passwords. A password alone is no longer enough to rely on – and that’s just one of many areas where biometrics can come in handy.

Billions of passwords have been leaked over the years, making their way to data dumps on the dark web. Clearly, passwords alone are not enough to meet the stringent security protocols called for by GDPR. While the legislation may not outline a specific policy on passwords, make no mistake: user authentication and authorization is an essential part of data protection that cannot be overlooked.

Biometric authentication may seem like a big step to take, especially given the new regulations for biometric data collection set by GDPR. Biometrics fall under its “special categories of personal data,” and processing that information will require explicit consent from users and proof of necessity.

Basically, this means GDPR stipulates that biometric data cannot be collected from users unless it's for a necessary purpose that the subject has consented to. How that data is stored will also be under scrutiny. But the goal here is not to suppress biometrics, but rather to ensure that companies who use biometrics are behaving responsibly. GDPR's stance on biometric data collection will essentially serve to strengthen biometric authentication.

GDPR makes it clear that personal data needs to be protected and that companies must take "appropriate" precautions to prevent unauthorized access. While the legislation doesn't mandate specifics, the goal remains the same: make personal information as secure as possible. Currently, biometric encryption is one of the best security solutions you can choose. And through the regulation of biometric data under GDPR, biometric authentication will reach an even higher level of security.

Across the board, experts say biometrics are what companies need if they want to stay ahead in the regulation game.

What experts are saying

Insights from Samsung contends that GDPR compliance is just one of many reasons why business leaders should consider ramping up their authentication and authorization methods. GDPR requires companies to take appropriate measures to secure personal information. With an overwhelming majority of data breaches stemming from stolen passwords, it's clear a password alone is no longer enough to rely on – and that's just one of many areas where biometrics can come in handy.

“Not only will biometrics help enforce secure data access and control, but it will help in the auditing and forensics process as well by creating traceability,” James Stickland reports in a blog for Finextra.

“By utilizing biometrics, financial institutions will be able to recreate every step in a process from logging in, to data access and control, to time stamps, location stamps and right through exit and control and even distribution. Under the GDPR, this will require forensic analysis. Having a biometric identity stamp and certified stamp on each of these access and control records will mean financial institutions will have legal non-repudiation that they can stand on in court,” he explains further.

Stickland contends that a biometric data stamp is much stronger proof than just a timestamp from a user ID alone. While anyone can obtain access with the right ID and password, biometric data is unique to the individual.

Biometric data can be used for many purposes in addition to user authentication; it can also be used for authorization and data encryption. Businesses will need to comply with GDPR standards, and regardless of what steps they take to secure personal information, strong, multi-factor user authentication is going to be a necessity. Biometric authentication offers businesses a user-friendly approach to strong authentication – and one that is essentially going to be regulated under GDPR. Indeed, the stipulations on biometric data collection put forth by GDPR should ultimately serve to strengthen biometric authentication practices.
