Biometric Records
Introduction
Biometric authentication has become increasingly prevalent since Apple introduced Touch ID in 2013, followed by Face ID in 2017. These technologies offer a convenient and seemingly secure way to unlock devices and authenticate transactions, but they also present a unique privacy challenge: unlike a password, biometric data cannot be changed once compromised, and it is a permanent, unique identifier of an individual.
Providers
Apple Face ID/Touch ID
Apple’s biometric systems store biometric data in the Secure Enclave on the device. In 2021, however, researchers demonstrated that Face ID could be fooled using specially crafted masks, though the attack was complex. The company’s privacy policy also prevents third-party apps from accessing raw biometric data.
Google Fingerprint API
Android’s biometric framework has faced its own security concerns. In 2019, a vulnerability in some Android devices allowed unauthorized fingerprint enrollment. Google requires secure hardware for biometric storage, but how that requirement is implemented varies across device manufacturers.
Windows Hello
Microsoft’s facial recognition system has also experienced security issues. In 2021, researchers bypassed Windows Hello using modified USB cameras. The system stores biometric data locally but integrates with Microsoft accounts to authenticate across devices.
Clear (Airport Security)
Clear’s airport biometric system collects and stores facial recognition and fingerprint data centrally. In 2019, a data breach exposed 2.2 million biometric records, highlighting the risks of centralized biometric databases.
Recommendations
- Prefer devices with local biometric storage over cloud-based solutions
- Use alternative authentication methods for sensitive accounts
- Be cautious about sharing biometric data with third-party apps
- Understand the legal protections for biometric data in your region
- Consider hardware security keys as an alternative
- Regularly review which apps have access to biometric authentication
Actions
- Review which apps have access to biometric authentication
- Disable biometric login for sensitive accounts
- Check whether your biometric data is stored locally or in the cloud
- Consider using hardware security keys for critical accounts
- Research your jurisdiction’s biometric data protection laws
- Remove unnecessary biometric enrollments from devices
- Set up alternative authentication methods as backup