The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have jointly published a new standard governing the use of biometric authentication technology.
The newly issued standard, ISO/IEC 24745:2011, Information technology – Security techniques – Biometric information protection, provides guidance on implementing biometric technology to better protect sensitive online transactions.
“As the Internet is increasingly used to access services with highly sensitive information, such as eBanking and remote healthcare, the reliability and strength of authentication mechanisms is critical. Biometrics is regarded as a powerful solution because of its unique link to an individual that is nearly or absolutely impossible to fake,” said Myung Geun Chun, Project Editor of ISO/IEC 24745.
“And the technology has come of age. The cost of biometric techniques has been decreasing, while their reliability and popularity have been growing. But biometric identification raises unique privacy concerns,” Chun continued.
The privacy concerns center on the need to collect, process, and store sensitive biometric information from users of such systems.
Unlike other authentication systems, a breach of biometric data is difficult to remedy. Users cannot simply change the data used to authenticate to secure networks, as one would with usernames and passwords; the data is permanently and uniquely tied to the individual user.
“While the unchanging and distinct association with an individual, on the one hand, provides strong assurance of authentication, this binding which links biometrics with personally identifiable information, on the other hand, carries some risks, including the unlawful processing and use of data. ISO/IEC 24745 is an invaluable tool for addressing those risks,” Chun stated.
According to the ISO website, the new standard specifies:
- Analysis of the threats to and countermeasures inherent in biometric and biometric system application models
- Security requirements for binding between a biometric reference and an identity reference
- Biometric system application models with different scenarios for the storage and comparison of biometric references
- Guidance on the protection of an individual’s privacy during the processing of biometric information.
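The point made above, that a leaked biometric cannot be rotated the way a password can, is usually addressed by never storing the raw biometric at all and instead storing a keyed, non-invertible transform of it that can be reissued under a new key. The Python below is an added illustration of that idea written for this article; it is not code from ISO, from the standard, or from any product. It assumes a fixed-length feature vector (a constructed 16-element list standing in for a real feature extractor's output), uses a keyed random-projection binarization to produce a protected reference, and treats all keys, thresholds and sample vectors as constructed demo values.

```python
"""Renewable (cancelable) biometric reference via keyed random projection.

Added example for this article (not ISO/IEC 24745 text or any vendor code).
A protected reference is a bit string derived from the feature vector and a
per-enrolment key. If the stored reference leaks, the operator issues a new
key and re-enrols the same, unchanged biometric; the old reference no longer
matches and references made under different keys cannot be linked.
"""
import hashlib
import hmac
import random
import secrets
from typing import List, Tuple

CODE_BITS = 128        # length of the protected reference
MATCH_THRESHOLD = 32   # max Hamming distance accepted as genuine (25% of bits)


def _projection_matrix(key: bytes, dim: int) -> List[List[float]]:
    """Derive a key-dependent Gaussian projection matrix (CODE_BITS x dim)."""
    digest = hmac.new(key, b"demo-projection-matrix", hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(digest, "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(CODE_BITS)]


def protect(features: List[float], key: bytes) -> int:
    """Map a feature vector to a CODE_BITS-bit reference: one sign bit per row."""
    code = 0
    for row in _projection_matrix(key, len(features)):
        dot = sum(f * r for f, r in zip(features, row))
        code = (code << 1) | (1 if dot >= 0.0 else 0)
    return code


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two protected references."""
    return bin(a ^ b).count("1")


def enroll(features: List[float]) -> Tuple[bytes, int]:
    """Issue a fresh key and the protected reference; the raw vector is not kept."""
    key = secrets.token_bytes(32)
    return key, protect(features, key)


def verify(stored_code: int, key: bytes, probe: List[float]) -> bool:
    """Compare a live probe against the stored reference under the enrolment key."""
    return hamming(stored_code, protect(probe, key)) <= MATCH_THRESHOLD


def renew(features: List[float]) -> Tuple[bytes, int]:
    """Revoke a compromised reference: same biometric, new key, new reference."""
    return enroll(features)


# ---- constructed sample data (stand-ins for real feature-extractor output) ----
def _constructed_features(seed: int, dim: int = 16) -> List[float]:
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(dim)]


def _noisy(features: List[float], seed: int, amplitude: float = 0.05) -> List[float]:
    """Simulate sensor noise between two captures of the same person."""
    rng = random.Random(seed)
    return [f + rng.uniform(-amplitude, amplitude) for f in features]


SUBJECT_A = _constructed_features(1)       # enrolled person
PROBE_A = _noisy(SUBJECT_A, 2)             # second capture of the same person
SUBJECT_B = _constructed_features(3)       # a different person
KEY_1 = b"demo-enrolment-key-1"            # constructed keys (real ones come
KEY_2 = b"demo-enrolment-key-2"            # from secrets.token_bytes)


def demo() -> dict:
    """Run the genuine / impostor / renewal / unlinkability checks."""
    ref_k1 = protect(SUBJECT_A, KEY_1)
    ref_k2 = protect(SUBJECT_A, KEY_2)   # same person re-enrolled after renewal
    return {
        "genuine_accepted": verify(ref_k1, KEY_1, PROBE_A),
        "impostor_rejected": not verify(ref_k1, KEY_1, SUBJECT_B),
        "old_reference_dead_after_renewal": not verify(ref_k1, KEY_2, PROBE_A),
        "references_unlinkable": hamming(ref_k1, ref_k2) > MATCH_THRESHOLD,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The design point is that the stored artefact is derived from two inputs, the biometric and a key, so remediation after a breach is a key change rather than a change to the person. Real template-protection schemes also have to argue irreversibility and unlinkability against an adversary who holds several leaked references, which a sign-of-projection toy like this does not attempt to prove.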