How to Use Facial Recognition Without Violating User Privacy

Q5id Industries

April 29, 2021

Facial recognition technology is deeply controversial for several reasons. One of the biggest is privacy: how to use this technology while also protecting the privacy of the people who use the system. With something as personal, and unchangeable, as your face, using it for security purposes can make some people uneasy.

As uneasy as people may feel about using facial recognition for cybersecurity purposes, it’s hard to argue against the fact that using biometric authentication can dramatically improve cybersecurity.

So how can your company take advantage of the benefits of biometrics while also protecting user privacy?

Detach the Personally Identifiable Information from Biometrics

While you’ll need quite a bit of PII to prove the identity of a new employee, once they’ve onboarded into your system, that information can be segregated from their regularly used biometrics. Date of birth, home address, home or cell phone number – these things aren’t needed for day-to-day interactions in your system. Ensure that any biometric used for daily authentication, whether it’s a face image, voice, or palm print, is disconnected from PII once the user has been enrolled.

In an ideal situation, your employees or end-users would be able to simply use their biometrics to gain access, with no ties to even usernames or passwords. Facial recognition technology would recognize that a given face is enrolled in the system and simply use that to permit or deny access.

While your biometrics on their own are a sort of PII, the way they are processed in this type of authentication flow is not a direct match or search of faces or images. Rather, a scan is taken of a given biometric (face, palm, or audio of your voice), and proprietary algorithms are run to generate a “template”, or string of numbers, that represents that given biometric measurement. It’s this numerical template that later authentications are verified against, not your actual original images or audio recordings.

Don’t Keep Images or Recordings of Initial Enrollments

If you’re going through the steps of ensuring a user’s PII is not attached to their biometric templates, you should be thorough and check that the original enrollment captures are not being stored after enrollment is completed. This can sound like common sense, but some providers will let you select to keep the original image after enrollment for the sake of ‘convenience’ in case a user needs to re-enroll later.

While the risk of a breach or theft of the enrollment images and the templates generated from them is quite low, it’s not non-existent. Less than 2 years ago, Suprema suffered a data breach exposing fingerprints, facial recognition data, and PII of employees, as well as unencrypted user names and passwords. Your organization can minimize the risk of such a breach by following good data hygiene and deleting any data (such as facial images) once enrollment has been completed.

The argument for convenience is outweighed by the one in favor of security, particularly when quality biometric authentication providers such as Q5id allow users to enroll in less than 3 minutes.

Review Security Processes and Procedures

If you’re incorporating biometrics and similar technology internally, you’ll need to ensure that your organization has strict cybersecurity protocols in place. Alternatively, ensure that your third-party biometric services provider is at least SOC 2 compliant. Ask what their cybersecurity protocols are, how they protect your data, and what their plan is in the event of a threat or breach.

Additionally, confirm that they delete data and enrollment images or recordings by default.

Ensure that Biometrics are Used to Verify, Not Identify

One of the most problematic uses of facial recognition is to identify people based on varying levels of accuracy. It’s one thing to be incorrectly identified if it’s just to try and gain access to a building; it’s life-ruining if someone is incorrectly identified in a law enforcement use-case.

In your organization, you’re not exactly serving warrants, and the most concerning elements of facial recognition can be prevented outright. Don’t use facial recognition or biometrics to track your employees, whether at home or in the office. Doing so erodes morale and employee engagement on top of increasing the amount of data that could potentially be stolen in a data breach.

Instead, leverage the power of biometrics as a secure, nearly impossible-to-steal credential for gaining access to sensitive information or systems. Users control when they present themselves to be verified, and if they are denied access when they should be granted it (false negative), they can re-submit or contact IT.

You can more easily guard against a false positive (someone gaining access who shouldn’t) by adding an additional biometric authentication type. At Q5id, this is why we enroll users with 3 separate biometric readings: face, palm, and voice. Your organization can select the security level most appropriate for your use case.
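The practices above (templates held apart from PII, enrollment captures discarded, verification against one claimed record rather than a search, and extra modalities to cut false positives) are sketched in the added example below, which is not Q5id code. The block-average extractor is a toy stand-in for a proprietary template algorithm, and the class and function names, the threshold, and the sample captures are all constructed for illustration.

```python
import secrets

MODALITIES = ("face", "palm", "voice")
THRESHOLD = 8.0  # assumed match threshold (mean absolute difference per cell)

def constructed_captures(seeds, jitter=0):
    """Constructed 64-byte stand-ins for raw face, palm and voice captures."""
    return {m: bytearray(s + 2 * i + jitter * (i % 3) for i in range(64))
            for m, s in zip(MODALITIES, seeds)}

def extract_template(capture, cells=8):
    """Toy stand-in for the proprietary template algorithm: block averages."""
    size = len(capture) // cells
    return [sum(capture[k * size:(k + 1) * size]) // size for k in range(cells)]

def wipe(capture):  # zero the raw capture in place so it is never retained
    capture[:] = bytes(len(capture))

class TemplateStore:
    """Holds numeric templates under a random handle: no PII, no raw captures."""
    def __init__(self):
        self._templates = {}  # handle -> {modality: template}

    def enroll(self, captures):
        handle = secrets.token_hex(16)  # opaque; not derived from name, DOB, etc.
        self._templates[handle] = {m: extract_template(c) for m, c in captures.items()}
        for c in captures.values():
            wipe(c)  # enrollment images/recordings are discarded immediately
        return handle

    def verify(self, handle, captures, required=("face",)):
        """1:1 check against the claimed handle only; other users are never searched."""
        enrolled, passed = self._templates.get(handle, {}), 0
        for m in required:
            cap, ref = captures.get(m), enrolled.get(m)
            if cap is None:
                continue  # a missing modality counts as a failure
            probe = extract_template(cap)
            wipe(cap)  # the probe capture is discarded too
            if ref and sum(abs(x - y) for x, y in zip(probe, ref)) / len(ref) <= THRESHOLD:
                passed += 1
        return len(required) > 0 and passed == len(required)

def demo():
    store = TemplateStore()
    handle = store.enroll(constructed_captures((10, 60, 100)))
    lookalike = (15, 20, 30)  # constructed: close on face, far on palm and voice
    return (store.verify(handle, constructed_captures(lookalike), ("face",)),
            store.verify(handle, constructed_captures(lookalike), MODALITIES))
```

With these constructed inputs, the lookalike passes a face-only check but is rejected once palm and voice are also required.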

Use Biometrics for Cybersecurity While Also Protecting User Privacy

With careful consideration and the right third-party biometrics service provider, your organization can benefit from the improved security offered by biometrics while avoiding the pitfalls of improper use. By being mindful of users’ data, practicing good data hygiene, and following a few best practices, biometrics become a powerful and convenient way to securely prove a person’s identity and allow them to verify themselves.

If you’d like to discuss how to incorporate biometrics into your identity and access management flow, let’s talk! You can set up time to discuss with the Q5id team by emailing us at contact@Q5id.com.  
