China Standardization

Cyber security: protecting biometric information
IEC 2022-02-21

Biometric security has been gaining traction as falling costs have been matched by a corresponding increase in reliability. Fingerprints, voice, iris patterns and facial recognition are nowadays regarded as viable and trustworthy methods of authentication.

They can be used digitally to identify and allow people access to countries, buildings, systems and devices. Used in airports and border control systems, facial recognition scans identify nationals and allow them to leave one country and enter another.

In other situations, this technology can open doors and give approved users access to high-level security areas. In homes, voice recognition is used to control heating, lighting and entertainment systems, and many of us use it to do rapid information searches.

Fingerprints offer a quick way to open smartphones and tablet devices. Though biometric characteristics are harder to replicate, there are some security concerns surrounding systems that use them.

Just as passwords can be stolen, fingerprints and other biometric markers are also vulnerable to so-called presentation attacks. For example, a cybercriminal could use a fake fingerprint or wear a 3D printed mask made with a face scan to gain access to a system.

Unlike passwords, however, biometric markers cannot be changed, so a compromised marker can give cybercriminals permanent access to any computer or electronic device requiring biometric authentication. The threat is real.

In 2019, security researchers breached a British database containing the fingerprints of more than a million people, as well as facial recognition information. Among the high-profile users of the database were the UK police, defence contractors and banks.

A newly updated international standard, IEC/ISO 24745, emphasizes that "appropriate countermeasures to safeguard the security of a biometric system and the privacy of biometric data subjects are essential." It offers guidance on the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer.

The standard also provides requirements and recommendations for the secure and privacy-compliant management and processing of biometric information. Topics covered include:

  • analysis of the threats to and countermeasures inherent to biometrics and biometric system application models
  • security requirements for securely binding between a biometric reference (BR) and an identity reference (IR)
  • biometric system application models with different scenarios for the storage and comparison of BRs
  • guidance on the protection of an individual's privacy during the processing of biometric information.

This document does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.

(Source: IEC)
