Biometric authentication has long been a polarizing subject: some see it as the key to a frictionless and secure future, while others imagine a dystopian nightmare. The coronavirus pandemic has brought this conversation to the fore as governments and corporations explore how to use biometrics as a way to track disease, even amid fears that traditional forms of biometric authentication may be disease vectors.
Below, we’ll discuss the potential and the pitfalls of biometrics, as well as how they are likely to evolve once the pandemic has passed.
Contact-Based Biometrics Suffer
Before the coronavirus, entering a building by pressing your fingerprint into a scanner seemed futuristic. But these days, the notion of hundreds of people touching the same scanner seems like it belongs to the pre-pandemic past.
This shift has rocked the biometric world, and a recent report from ABI Research predicts that the biometric device market will lose $2 billion in 2020 due to the pandemic. This loss is coming chiefly from contact-based biometrics used in public settings, like fingerprint and palm readers used to access buildings. The NYPD has halted its fingerprint security procedures for officers, New York City municipal workers have pressured employers like the MTA to stop using fingerprint-scanning time clocks, and CSO Online reports that condo associations are dropping their biometric building-entry procedures.
But this damage to contact-based biometrics is not universal. ABI Research has clarified that fingerprint sensors for personal devices like smartphones and laptops will feel less of an effect from coronavirus, since those scanners are typically used by only one person.
"Would you still touch a fingerprint scanner? Sr. Director of Governance, Risk, and Compliance Adam Nunn on how the pandemic is re-shaping biometric authentication."
If you’re a business considering using contact-based biometrics as a form of authentication, deciding whether or not to move forward is all about context. If you want users to be able to use the fingerprint scanner on their smartphone for multi-factor authentication, you may not need to change your plans. But any form of biometric authentication that requires multiple people to touch the same surface may be a public health concern in the post-pandemic world.
Using Contactless Biometrics to Fight the Pandemic
Contactless biometrics such as facial recognition and touch-free fingerprint scanners have come into prominence because of their ability to identify virus carriers and assist in contact tracing.
Biometric digital IDs may have a role to play in administering the (hoped-for) coronavirus vaccine, especially for people with no other form of identification. As Center for Global Development Senior Fellow Prashant Yadav put it, “The initial COVID-19 vaccine supply will be limited, so it will be essential to verify each dose reaches a real patient. Corruption, leakage, and even accidental duplication waste precious supply and are deadly.” “Biometric digital IDs can be a gamechanger,” he added. “They can help governments target population segments e.g. healthcare professionals or elderly populations, verify people who have received vaccination, and have a clear record.”
Facial recognition technologies are also undergoing a dramatic evolution during the pandemic, with multiple companies touting software that can identify people even when they’re wearing masks. This could have major public-health benefits, such as the ability to quickly identify people and move them through security without packing them together in confined spaces, such as airports.
Even before the virus, China was in the midst of an aggressive rollout of facial-recognition cameras in public settings. China is now coupling that technology with infrared temperature scanning, allowing the government to identify and track individuals with COVID-19 symptoms. For instance, public buses in Guangzhou are now being equipped with tablets that take passengers’ photos and temperatures, a step that is mandatory. Supporters of such measures argue that they have been instrumental in containing the spread of the virus.
The Privacy Pitfalls of Biometrics
In a world still searching for ways to identify carriers of coronavirus and let healthy people get back to their lives, biometrics may be part of the solution. However, this type of data collection also raises a host of privacy concerns, including the troubling specter of biometrics being employed as a tool for authoritarian governments to quash dissent.
We’ve already seen the potential for data misuse during this pandemic, even without biometrics. In South Korea, the government has publicly shared updates on the activities of patients by using a combination of interviews, video surveillance, phone location tracking, and credit card transactions. The result has been a spate of online harassment, not just of suspected carriers but of people whose data caught them in a lie or an act of infidelity. The BBC reports that in a survey of 1,000 South Koreans, researchers found that people were more afraid of the stigma associated with infection than of the virus itself.
Concerns over government overreach, unscrupulous corporations, or snooping neighbors mean that data collection efforts are likely to meet with resistance. A poll by the Jean-Jaurès Foundation found that over half of French people (53%) would refuse to download the proposed “StopCovid app” over privacy concerns.
The Post-Pandemic Future of Biometrics
Without a doubt, the coronavirus has altered the balance between an individual’s right to privacy and the public’s right to safety. Now, governments and businesses must carefully consider what the “new normal” version of that balance will look like and what role biometric identification will play.
When it comes to government use of biometric data, it’s crucial to have a public dialogue about the level of surveillance citizens should tolerate once the crisis has passed. Toby Norman, CEO of Simprints, a UK-based biometric nonprofit, addressed those concerns to Reuters: “National governments don’t have a very good record of giving up new powers once a crisis has passed. Technology we use for disease surveillance today should not become tools for state surveillance at a later date.”
In many countries, there are already laws on the books that should act as safeguards against biometric abuse. For instance, many U.S. states, such as Illinois, have biometric privacy laws that require consumers to consent to the collection of their biometric data. This would rule out things like temperature scans on city streets but might still allow for voluntary participation in airport security.
"What’s the post-pandemic future of biometric authentication? Sr. Director of Governance, Risk, and Compliance Adam Nunn takes a look at COVID-19’s current and potential impact."
In the EU, the European Data Protection Board (EDPB) has issued guidelines for app developers for using health data to combat coronavirus without violating the GDPR. The guidelines state that “data and technology used to help fight COVID-19 should be used to empower, rather than to control, stigmatise, or repress individuals.”
For companies that are interested in using biometrics to keep their workplaces safe, it’s vital to acknowledge and address privacy concerns. Implement transparent policies regarding how you plan to use biometric data, who will be able to access it, and how long it will be kept.
Balancing Collective Safety With Individual Rights
Like most technology, biometrics are only as good or as evil as how we choose to use them. For many people, the thought of paying for lunch by smiling into a facial-recognition screen suddenly seems much more comfortable than making physical contact with a card reader. Likewise, a temperature scanner that knows you’re running a fever before you do may have broad appeal in office buildings and public transportation. But most people would be uneasy with an app that records your vital signs without your consent and then texts the information to everyone on your block.
The difference between biometrics as a public health boon and as a privacy nightmare is evolving, and the only way to make sure we wind up on the right side of that line is through continuous conversation with experts and the public at large. At Auth0, we will continue to explore biometric authentication by adhering to our core principles of security and transparency. To discuss how these precepts can play into your biometric strategy, please reach out to our team.