Issue 31 – September 2011
Biometrics provide a unique link to an individual that is nearly or absolutely impossible to fake and include recognition technologies based on face, iris or palm images, voice patterns, and the like – for example, fingerprint scans used to access a computer, or iris scans to cross border control. Biometrics are increasingly being used to automatically identify individuals and as a reliable way to authenticate online transactions. ISO/IEC 24745:2011, Information technology – Security techniques – Biometric information protection, is a new Standard to ensure security and privacy when managing and processing biometric information.
'As the internet is increasingly used to access services with highly sensitive information, such as eBanking and remote healthcare, the reliability and strength of authentication mechanisms is critical,' says Myung Geun Chun, Project editor of ISO/IEC 24745. 'And the technology has come of age. The cost of biometric techniques has been decreasing, while their reliability and popularity have been growing. But biometric identification raises unique privacy concerns.
'While the unchanging and distinct association with an individual, on the one hand, provides strong assurance of authentication, this binding, which links biometrics with personally identifiable information, on the other hand carries some risks, including the unlawful processing and use of data. ISO/IEC 24745 is an invaluable tool for addressing those risks.'
With biometrics, if the authentication information is compromised, the usual solutions such as issuing a new password or token are not available because biometric characteristics are difficult or impossible to change. Moreover, as more personally identifiable information is linked with biometric references, and this data is shared across international borders, it is crucial to safeguard the security of a biometric system and the privacy of data subjects with solid countermeasures as outlined in ISO/IEC 24745.
ISO/IEC 24745 provides guidance for the protection of biometric information under various requirements for confidentiality, integrity, and renewability/revocability during storage and transfer. Additionally, ISO/IEC 24745 provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information.