Biometric Authentication: Evolution and Legal Considerations

ESRA Board of Director member and USAA executive Curt Moy is an expert in the field of Biometric Authentication. At a recent ESRA event, he spoke at length about the definition, evolution, and legal considerations of this transformative technology.

“Why is authentication important?” Moy began. “Well, you need to know who you’re dealing with. It also helps fraud. In addition, regulators are asking for multi-authentication methodologies to assist with fraud prevention.”

He added: “In 2014, over 400 million personal records were stolen. Over 888 data breaches occurred in the first half of 2015 worldwide, with millions of records stolen.” As staggering as these figures are, they pale in comparison to massive breaches reported in 2016.

Moy went on to explain that today’s security measures, such as basic PINs, aren’t enough, especially with phishing scams and other schemes becoming more and more prevalent. “The bad guys have databases in the cloud now,” he said. “They probably know more about you than you realize.”

The biggest drivers at this point, of course, are convenience – it is simply easy for someone to use a fingerprint to indicate who they are – and the fact that technology has caught up with a process that can be consumerized. Who would have thought that in 2016, millions of people would access their mobile phones with a thumbprint?

How biometric authentication is evolving

“Authentication is evolving,” Moy said. “We’re moving to what you are, which includes biometrics, and what you have, such as smartphones. That solidifies the identity of who you’re dealing with on a regular basis. USAA has included biometric authentication in our technology. We get your consent and couple that with registration of your device. Embedded in the mobile app is a tokenization program that ensures us that we’re dealing with you the customer.

“We say that it involves collecting your face, your touch, and your voice, and it becomes your choice. After you’ve supplied everything to USAA, you can choose what kind of biometric authentication to use on the mobile device to access your information.”

Moy continued: “We rolled it out in October 2014 in all 50 states. We started with voice and face and added touch in 2015. Touch is now the most popular, then face and then voice. We believe that we have a robust accessibility program at USAA, so voice gives a disabled person alternatives. For people who want to use standard PIN and password, it’s coupled to the token, so that’s an option too.”

He added: “We’ve received very good feedback. Members are pleased with it. Four out of five members approve of the use of the program.”

Moy went on to discuss other ways biometric authentication could be used in the future, including retinal eye scans, vein patterns, and heartbeat rhythms. Even the way someone walks could be used to authenticate them, as could the way someone interacts with their devices, since that could create a pattern of behavior.

“We could see three-, or four-, or five-factor authentication, which can help if we have doubt about the first or second method you try,” Moy said.

Legal considerations

Moy then moved on to the legal landscape, starting with “procure, secure, and ensure,” he said. “Those are the hallmarks of collecting, utilizing, and disposing of biometric information.”

He elaborated: “Procure is key: You must get consent from the customer. And you need a secure database system because biometric information is something that you cannot change. Once it’s breached, you can’t change it. If your relationship with a customer ends, there are laws about quick disposal of that information.”

He continued: “The data security laws impose standards on businesses. The FFIEC has published laws regarding banks, which need strong protection against forged credentials and processes in place for dealing with that.”

Moy then discussed what’s happening at the state level regarding biometrics and privacy. He said: “California, for example, has a criminal statute against using voice to determine if someone is telling the truth. Illinois has the most detailed law on the books: You have to have consent and have to explain exactly what you’re collecting. It expressly excludes financial institutions that are controlled or governed by the GLBA. Banks, for example, don’t apply to it because the GLBA is so strong and biometric would fall under identifiable information.

“In Texas, notice of consent is required. There’s no allowance for sale of biometric information, except in the case of a death or disappearance where law enforcement is involved. And you have to dispose of the information within a year if, for example, a customer takes their account elsewhere — the business has to remove the information from their database.

“North Carolina prohibits businesses from publicly publishing an individual’s personal information – biometric and fingerprints are included.

“Eleven states have disposal laws. Each has different variations. A business has to take reasonable steps to make information unreadable. Seven of 11 states have the Illinois exception regarding the GLBA, and 48 states have data breach notification laws; five of those specifically apply to biometric.”

Moy added: “A data breach involves unauthorized disclosure of first and last names along with unencrypted info like credit card number, Social Security number, etc. We’re recommending as a best practice that you have a database of biometric info that’s separate from customer database. Because of the purge requirements and potential for data breach, a separate database is best.”
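The design Moy describes in two places, consent plus per-device registration with a token in the earlier section on how authentication is evolving, and the separate biometric database with a purge requirement here, can be sketched as a small data model. The Python below is an added example written for this write-up; it is not USAA's code, and nothing in the talk describes how USAA implements these steps. The two store classes, the per-device token, the opaque reference that is the only link between the customer database and the biometric store, the 365-day retention default, and the sample customer and devices are all assumptions constructed for illustration.

```python
"""Separate biometric store with consent-gated enrolment and purge on account closure.

Added example; not USAA's code. The data model, the 365-day retention default and
the sample data are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set
import secrets


@dataclass
class Customer:
    customer_id: str
    name: str
    closed_on: Optional[date] = None  # set when the relationship ends


@dataclass
class Device:
    device_id: str
    customer_id: str
    token: str  # opaque per-device token issued at registration ("what you have")


@dataclass
class BiometricRecord:
    reference: str   # opaque handle; no name, account or customer id is stored here
    device_id: str
    modality: str    # "face", "touch" or "voice"; enrolment is per device
    template: bytes  # the enrolled template (a constructed placeholder below)


class IdentityStore:
    """Customer records and device registrations: the ordinary customer database."""

    def __init__(self) -> None:
        self.customers: Dict[str, Customer] = {}
        self.devices: Dict[str, Device] = {}
        # Only opaque references cross the boundary to the biometric store.
        self.biometric_refs: Dict[str, Set[str]] = {}


class BiometricStore:
    """Separate store keyed only by opaque reference (the 'secure' step)."""

    def __init__(self) -> None:
        self.records: Dict[str, BiometricRecord] = {}


def register_device(ident: IdentityStore, customer_id: str, device_id: str, consent: bool) -> str:
    """Issue a per-device token; refuse without explicit consent (the 'procure' step)."""
    if not consent:
        raise PermissionError("device registration requires customer consent")
    if customer_id not in ident.customers:
        raise KeyError(customer_id)
    token = secrets.token_urlsafe(32)
    ident.devices[device_id] = Device(device_id, customer_id, token)
    return token


def enroll(ident: IdentityStore, bio: BiometricStore, device_id: str, modality: str, template: bytes) -> str:
    """Store a template in the separate store; the customer DB keeps only the reference."""
    device = ident.devices[device_id]  # enrolment happens per registered device
    if modality not in ("face", "touch", "voice"):
        raise ValueError(modality)
    reference = secrets.token_hex(16)
    bio.records[reference] = BiometricRecord(reference, device_id, modality, template)
    ident.biometric_refs.setdefault(device.customer_id, set()).add(reference)
    return reference


def close_account(ident: IdentityStore, customer_id: str, on: date) -> None:
    ident.customers[customer_id].closed_on = on


def purge_closed(ident: IdentityStore, bio: BiometricStore) -> List[str]:
    """Drop templates for closed customers (the 'ensure' step).

    The customer record, and any documents retained under other rules, stay;
    only the biometric material and the references to it are removed."""
    purged: List[str] = []
    for cid, cust in ident.customers.items():
        if cust.closed_on is None:
            continue
        for ref in ident.biometric_refs.pop(cid, set()):
            bio.records.pop(ref, None)
            purged.append(ref)
    return purged


def overdue_purges(ident: IdentityStore, today: date, retention_days: int = 365) -> List[str]:
    """Compliance check: closed customers still holding references past the deadline."""
    limit = timedelta(days=retention_days)
    return [cid for cid, c in ident.customers.items()
            if c.closed_on is not None
            and today - c.closed_on > limit
            and ident.biometric_refs.get(cid)]


if __name__ == "__main__":
    ident, bio = IdentityStore(), BiometricStore()
    ident.customers["c1"] = Customer("c1", "Sample Customer")  # constructed
    register_device(ident, "c1", "phone-a", consent=True)
    enroll(ident, bio, "phone-a", "touch", b"constructed-template")
    close_account(ident, "c1", date(2016, 1, 1))
    print("purged:", purge_closed(ident, bio), "remaining:", len(bio.records))
```

The point of the split is that a breach of the customer database exposes names and references, not templates, and a purge touches only the biometric store and the reference set; `overdue_purges` is the check a reviewer would run to confirm nothing lingers past the retention window.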

Questions and answers

Moy then wrapped up with these questions from the audience:

Q: You can change a Social Security number. But if someone gets a database of a million thumbprints, people can’t change them. If that becomes the main identifier and your thumbprint is stolen, what do you do?

A: Behavior metrics might overtake thumbprints, so you can move to another methodology.

Q: That had to be a lot of work to build something like that. What were the business case and ROI?

A: The business case was the regulatory environment. On the mobile channel, incidents of fraud are very low.

Q: Fingerprint can be embedded in a document. With certain documents, there must be guidelines and laws about keeping them around. But there are also laws about keeping biometric information around if a customer leaves. So what do you do when you have a document that a bank must keep for a certain amount of time but the customer leaves?

A: The Texas law with the disposal requirement has an exception to that. The year to purge information also applied to the life of the document, so even if the customer leaves, the bank can keep the document for as long as necessary.

Q: Can someone with multiple devices use a different authentication method for each device?

A: You could. This is mobile device technology. You can have different methodologies per device.

Q: The fingerprint readers on phones produce somewhat different data from device to device. Could you register your thumbprint once or do you have to do it on multiple devices?

A: I think you have to register again for each device.

Q: You own and manage the data. Have you thought about using something like blockchain?

A: I would have to defer to our IT department for that. I’d prefer to be more protective.