Authentication usually relies on static processes such as the use of passwords, cards, or a biometric trait of the person. The main aim is to verify the identity of users at the beginning of the delivery of a service or at the entrance to a specific area. In contrast, continuous authentication repeats this verification throughout a specific time frame, during the delivery of an electronic service or during the presence of a person in a certain area.
Biometric continuous authentication is a type of continuous authentication that verifies a user's identity by using biometric traits or behaviours. Examples include facial images, typing, screen tapping, walking patterns or voice. Applications of biometric continuous authentication can be seen in banking services, identification of stolen mobile devices or authentication on smart home devices.
Positive foreseen impacts on data protection:
- Improved security: in cases of particularly high risk within a process operation, this solution can improve the certainty that a subject is duly authorised to access specific data.
- Improved user experience: authentication is done in a seamless way, without interrupting the users' experience of the service.
Negative foreseen impacts on data protection:
- Risk of repurposing of the users' biometric data: controllers could use stored biometric data for different purposes, such as unlawful tracking of employees, disciplinary purposes or the creation of profiles.
- Excessive data collection: depending on the purpose, the amount of data collected (even if not stored) could be excessive, contradicting the principle of data minimisation.
- Risk of chilling effect: users might fear being tracked and profiled while using a system that continuously relies on their biometric features for continued use of a service.
- Lack of transparency and valid legal ground: organisations might not properly inform data subjects that the captured biometric traits are used for training artificial intelligence algorithms, and might not choose a valid legal ground for doing so.
- Low data accuracy: the adaptability of algorithms to changes in user behaviour (for example as a result of users realising they are continuously monitored) could lead to accepting irregular patterns of behaviour and trigger false positive results in user authentication. Moreover, low accuracy of the involved algorithm could deprive users of access to a service.
- Low control of data and high impact of data breaches: users are not able to control when this technology is applied, while a data breach of the stored biometric data can have a severe impact, since users are not in a position to change their biometric data.
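The verification loop described at the start of this entry, and the "low data accuracy" risk of templates that adapt too readily, can be made concrete with a small simulation. The following is an added example, not code from this report or from any of the works listed below. It assumes a constructed behavioural signal (dwell time per key for four keys, in seconds), a linear similarity score, and hypothetical thresholds; the two adaptation policies compared are illustrative, not a description of any product. The behaviour stream slows by 5 ms per sample on every key, so it moves steadily away from the enrolled pattern.

```python
"""Continuous authentication loop: naive vs guarded template adaptation.

Added example with constructed data. Samples are 4-key dwell-time vectors
(seconds); the enrolment template, thresholds and policies are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Constructed enrolment template: mean dwell time per key, in seconds.
ENROLLED: List[float] = [0.10, 0.12, 0.09, 0.11]

ACCEPT_SCORE = 0.5       # session continues while the sample scores at least this
MAX_REJECT_STREAK = 2    # consecutive rejections before forcing re-authentication


def mean_abs_distance(a: Sequence[float], b: Sequence[float]) -> float:
    """Mean absolute deviation between two dwell-time vectors."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def similarity(template: Sequence[float], sample: Sequence[float]) -> float:
    """1.0 for an identical sample, falling to 0.0 at 50 ms mean deviation."""
    return max(0.0, 1.0 - mean_abs_distance(template, sample) / 0.05)


@dataclass
class AdaptationPolicy:
    rate: float           # weight given to the new sample when updating the template
    update_score: float   # only update when the sample scored at least this
    drift_budget: float   # max distance the template may move from enrolment


# Naive: any accepted sample pulls the template along, with no bound on drift.
NAIVE = AdaptationPolicy(rate=0.5, update_score=ACCEPT_SCORE, drift_budget=float("inf"))
# Guarded: only high-confidence samples update, slowly, and never beyond a budget.
GUARDED = AdaptationPolicy(rate=0.2, update_score=0.8, drift_budget=0.015)


@dataclass
class SessionResult:
    decisions: List[bool] = field(default_factory=list)
    template: List[float] = field(default_factory=lambda: list(ENROLLED))
    locked_at: Optional[int] = None   # 1-based sample index that forced re-auth


def run_session(samples: Sequence[Sequence[float]], policy: AdaptationPolicy) -> SessionResult:
    """Score each sample against the live template; adapt per policy; lock on a streak."""
    result = SessionResult()
    streak = 0
    for i, sample in enumerate(samples, start=1):
        s = similarity(result.template, sample)
        accepted = s >= ACCEPT_SCORE
        result.decisions.append(accepted)
        if not accepted:
            streak += 1
            if streak >= MAX_REJECT_STREAK:
                result.locked_at = i   # fall back to a static, explicit authentication
                break
            continue
        streak = 0
        if s >= policy.update_score:
            candidate = [(1 - policy.rate) * t + policy.rate * x
                         for t, x in zip(result.template, sample)]
            # The drift budget is what stops the template from "walking away".
            if mean_abs_distance(candidate, ENROLLED) <= policy.drift_budget:
                result.template = candidate
    return result


def drifting_stream(steps: int, step_ms: float = 5.0) -> List[List[float]]:
    """Constructed behaviour that slows by step_ms per sample on every key."""
    return [[v + step_ms / 1000 * k for v in ENROLLED] for k in range(1, steps + 1)]


def template_drift(result: SessionResult) -> float:
    """How far the live template has moved from the enrolment template."""
    return mean_abs_distance(result.template, ENROLLED)


if __name__ == "__main__":
    for name, policy in (("naive", NAIVE), ("guarded", GUARDED)):
        r = run_session(drifting_stream(12), policy)
        print(f"{name:8s} accepted={sum(r.decisions)}/{len(r.decisions)} "
              f"locked_at={r.locked_at} template_drift={template_drift(r):.4f}s")
```

With the naive policy every one of the twelve samples is accepted and the template ends up roughly 55 ms away from enrolment, even though the final samples are 60 ms slower than the enrolled user on every key; this is the false-positive path the entry warns about. The guarded policy accepts the first five samples, rejects the next two and forces re-authentication at sample 7, with the template still within its drift budget. The budget and the high update threshold are the two controls a practitioner would want to see documented for any adaptive scheme.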
Further readings:
- A. Krašovec, D. Pellarini, D. Geneiatakis, G. Baldini, V. Pejović, Not quite yourself today: behaviour-based continuous authentication in IoT environments, Proc. ACM Interact. Mob. Wearable Ubiquitous Technol., vol. 4, 2020 - https://doi.org/10.1145/3432206
- N. Memon, How biometric authentication poses new challenges to our security and privacy, IEEE Signal Processing Magazine, 2017 - https://ieeexplore.ieee.org/document/7974880
- A. E. Ahmed, Continuous Authentication Using Biometrics: Data, Models, and Metrics, IGI Global, 2012
- K. Niinuma, P. Unsang, A. K. Jain, Soft biometric traits for continuous user authentication, IEEE Transactions on Information Forensics and Security, vol. 5, no. 4, 2010 - https://ieeexplore.ieee.org/document/5570993
Tech Champion: Konstantina Vemou