ISO and IEC publish new standards on biometric data security

The new standard (ISO/IEC 24745:2011, Information technology – Security techniques – Biometric information protection) was released by the organizations today in an effort to develop security and privacy guidelines for the management and processing of biometric data used for authentication purposes.

“As the Internet is increasingly used to access services with highly sensitive information, such as eBanking and remote healthcare, the reliability and strength of authentication mechanisms are critical”, said Myung Geun Chun, project editor of ISO/IEC 24745, in a press release statement. “Biometrics is regarded as a powerful solution because of its unique link to an individual that is nearly or absolutely impossible to fake.”

Maintaining the security of biometric information is critical, the ISO said, because unlike other authentication methods – such as passwords or tokens – problems with compromised biometric data can be near-impossible to rectify. This is because biometric authentication relies on unique individual characteristics, including voice and face recognition, iris scans, and fingerprints, among others.

Biometric authentication has also faced an uphill battle in some quarters, Infosecurity notes, due to privacy concerns, a point Chun echoed in his statement.

“The cost of biometric techniques has been decreasing, while their reliability and popularity have been growing”, Chun noted. “But biometric identification raises unique privacy concerns.”

The new standard outlines specific “solid countermeasures” to protect the security of biometric data while ensuring personal privacy. Among them are: analysis of the threats to, and the countermeasures inherent in, biometric systems and biometric system application models; security requirements for the binding between a biometric reference and an identity reference; biometric system application models covering different scenarios for the storage and comparison of biometric references; and guidance on protecting an individual’s privacy during the processing of biometric information.

“While the unchanging and distinct association with an individual on the one hand provides strong assurance of authentication, this binding which links biometrics with personally identifiable information, on the other hand, carries some risks, including the unlawful processing and use of data”, Chun added. “ISO/IEC 24745 is an invaluable tool for addressing those risks.”

The complete standard is available for download at the online ISO Store.