Knowing who your users are today is more important than ever. This explains, in part, why integrating biometric usage into identity and access management (IAM) appears appealing. Throw in some artificial intelligence (AI) to help manage all these data points, and the future of biometrics looks pretty wild.

The appeal of using biometrics for identity and access management is high. They are hyper-accurate and, as of now, difficult to edit or crack. But that’s not to say this situation can’t change, nor does it say anything about the data liabilities you are incurring if you employ biometrics in your enterprise in the meantime. And the industry is moving beyond focusing solely on facial recognition tools.

So, what should security professionals know about the state of biometrics and how to manage biometric data? 

Basic Biometrics: Wearables

Most of us have probably carried some type of key card at some point in our lives, but now even wearables are becoming commonplace. Instead of using a radio frequency identification (RFID) key card in your wallet or purse, low-energy Bluetooth devices may be able to perform the same tasks. You can still use your same token-type access, but once you start merging technologies, you get an entirely new set of possibilities.

For example, does your wearable have some sort of health monitoring capability? Don’t be surprised if your heartbeat or electrocardiogram record turns into your next “key” to the door.


On the topic of heartbeats, how about instead of a wearable you have a laser measuring your heart’s output? Now imagine you could detect that heartbeat from hundreds of yards away. It exists, and it even works through light clothes by detecting the surface movement on an individual’s body caused by the heartbeat. With an increased ability to identify and authenticate using cardiac measurement, facial recognition — which requires certain lines of sight and can still be manipulated — may soon become a thing of the past.

Eyes Don’t Lie

You may think you have the perfect poker face, but can you beat the AI? Biometric technologies can go far beyond simply recognizing you; they can detect your mood even when you wear a mask by focusing on your eyes. Iris-scanning biometrics capture a photo of the patterns in the circle of your eye to verify and authenticate your identity. 

Iris recognition is contactless and renowned for its accuracy. It also can be used at long distances, with some solutions requiring only a glance from a user.

Say That Again?

Believe it or not, speech recognition has been around for some time, dating back to the 1950s. The Shoebox Machine, developed by IBM in the early 1960s, was able to recognize 16 spoken words, the ten digits zero through nine, and a series of commands, such as “plus,” “minus” and “total.” But we have come a long way.

Today, there are two ways to authenticate speech: text-independent, where authentication occurs using any type of speech, and text-dependent, where a specific passphrase is required. How does all this happen? Like many individual features, our voices are unique, differentiated by intensity, dynamics and pitch.

Physiological and Behavioral Nuances

From just these three examples, the future may appear less wild and, instead, feel creepier. We haven’t even discussed the abilities to detect your walking patterns (already being used by some police agencies), monitor scents, track microbial cells or identify you from your body shape. More and more organizations are looking for contactless methods to authenticate, which is especially relevant today.

What all these biometrics technologies have in common is that they are using some combination of physiological and behavioral methods to make sure you are you. There are certain things people just can’t fake. You can’t fake a heartbeat, which is as unique as a retinal scan or fingerprint. You can’t easily fake how you walk. Even your typing and writing styles give off a distinct and unique signature.

The Good News About Biometrics

If these technologies perform as advertised, we may be heading towards an authentication revolution. Toss away those credit card-sized RFID badges and ID cards, because those lasers are going to be doing the work now as you’re walking down the street.

It’s pretty easy to see the value of such hyper-unique authentication possibilities, especially when you integrate them into your physical security posture, as well. Threat actors will have a pretty hard time getting your heartbeat out of you. Or, will they?

The Risks Always Come from Data

Some of the best innovators are threat actors. They may not be able to replicate your heartbeat today, but what about tomorrow? The not-too-distant future could include a “Mission: Impossible” scenario with 3D printers that generate a ‘body suit’ (think wetsuit) that can have a simulated heartbeat uploaded into it.

This all may sound like science fiction right now, but not too long ago, would it not have been silly to think that your heartbeat could be identified through clothes using a laser from over 200 yards away? After all, legitimate researchers are demonstrating they can use AI to beat even facial recognition software. And don’t be fooled: the technologies can be beaten. Iris recognition can be beaten by a high-quality picture, and a talented user with some basic audio editing software can trick voice recognition.

We can’t be short-sighted about biometrics, for three main reasons.

Risk No. 1: Jurisdiction of Biometrics 

Your enterprise should be making efforts to become more cyber resilient, and somewhere along that roadmap, authentication will be an issue. You always need to balance the risks of biometrics, along with any associated costs. For example, data handling practices are changing fast. In July, the European Court of Justice made a landmark ruling that completely alters how data outside of the bloc is handled. The pressure on organizations is high as they figure out how to manage data. Offshoring data, once done for cost-saving purposes, may no longer be an option.

Risk No. 2: Big Data

Another big data issue is daunting for more reasons than one. First of all, if you decide to integrate biometric authentication tactics into your enterprise, you’re going to be collecting a lot of personally identifiable information (PII) on your staff. You’re also going to be collecting something else: personal health information (PHI). Do not be surprised if the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which currently applies to health care providers, health plans and health care clearinghouses, takes on some new form and applies to anybody holding biometric information.

Biometrics and big data also have a management issue. Plenty of this data may have some mobile element to it. Consider that your sensors are endpoints. Will somebody be able to install a sniffer or skimmer on these devices and scoop up all this biometric data? Do you want to hold all this PII and PHI as a liability on your data balance sheet? In the long run, that’s what all this data becomes as you collect it.

Risk No. 3: Biometrics and Privacy

Finally, surveillance overreach creates legitimate privacy concerns. The same biometrics technology used to ensure you are the legitimate user authenticating into a system can also be used to detect your every movement. Once you overlay powerful artificial intelligence technologies, any deviation from what are deemed your “normal patterns” may get you some third-degree scrutiny. For now, your thoughts may be safe, but your brain waves can already ID you with 100% accuracy.

Before getting sucked into the lure of authentication, make sure biometrics are right for you, and be ready to manage a whole new set of risks and cybersecurity concerns. If you’re not ready, willing and able to thoroughly manage and secure this data, hold off. The cost to you may be high.
