A digital security point of view for the digital business era

How can Biometric Systems work effectively whilst at the same time comply with Privacy Requirements?

19 Jan 2018

The cameras and biometric sensors in smartphones and tablets are bringing many more people into contact with biometric systems.

Apple pioneered this revolution with Touch ID allowing fingerprint scans to be used as passcodes and Samsung followed closely with the fingerprint sensor enabled Galaxy S5 handset.

MasterCard’s Identity Check App can use both facial and fingerprint scans to authenticate online transactions. During a “selfie pay” authorisation, the user shows their face to their smartphone camera and the resulting picture, in which the user has to blink to prevent printed images from being used, is compared to the photo uploaded to MasterCard at registration time.

Voice authentication could be considered as the most natural biometric to use over the mobile channel and a number of companies are now using voice biometrics to validate customer’s access to call centre services.

Whilst the use of biometrics can be more efficient than the simple user id and password combination, there are sure to be questions regarding privacy. Do people care about that? For sure there will concerns about possible compromise when the data is stored centrally and the possible fallout that results if the data is lost or stolen.

To counter these concerns, the ideal biometric system should have the right level of accuracy for the purpose, should be easy to use and provide a good level of privacy protection to prevent the individual’s identity from being compromised.

Unfortunately, the most widely used biometric systems are based on external bodily features that can be captured without the knowledge of the individual (fingerprint, face, iris, voice etc.). If the biometric data is stored locally, such as on the smartphone handset, privacy is not such a big issue and the user remains in control of their data. If however the data is stored centrally, individuals could well be concerned about its safety especially in the event that biometric databases are being created at Government level.

For business applications requiring strong authentication, Vein ID provides a good compromise. The biometric data used for finger vein authentication is inside the body and cannot be captured without the consent of the individual. The finger vein image is never stored anywhere and a template is derived from the scanned image and encrypted before being sent for validation.

Contrast this for example with facial recognition where an individual’s data could be used by any video analytics application without the knowledge or consent of the individual. The big technology and social media companies are very active in the use of facial biometrics across their platforms. Facebook has probably collected the world’s largest privately held database of consumer biometric data and whilst users voluntarily “agree” to the conditions on sign up, they are largely unaware of the power of the company’s facial tagging and deep learning face matching tools. Being able to connect together different photos of the same person across the internet and linking to facial recognition technology means that it could become possible to identify people as they go about their daily business.

With Vein ID, the individual can decide what applications their biometric data should be used for and remains in full control regarding the use of their data. It is fast and simple to use and is often deployed to authenticate high-value transactions and manage access to critical infrastructure. It is a fully privacy compliant biometric system.

With the implementation dates for GDPR looming in May 2018, the handling of personal data will become even more critical. For further information on how Vein ID can be used to help build a privacy compliant biometric authentication system, please contact us via