Authentication usually relies on static processes such as passwords, cards or a biometric trait of the person. The aim is to verify the identity of a user once, at the start of a service or at the entrance to a specific area; whatever happens after that point (an unattended session, a device that changes hands while unlocked) is not checked again. In contrast, continuous authentication repeats this verification throughout a specific time frame, during the delivery of an electronic service or for as long as a person is present in a certain area.
Biometric continuous authentication is a type of continuous authentication that verifies a user's identity using biometric traits or behaviours, for example facial images, typing rhythm, screen tapping, gait or voice. Applications can be seen in banking services, detection of stolen mobile devices and authentication on smart home devices.
Positive foreseen impacts on data protection:
- Improved security: in particularly high-risk processing operations, this solution can increase the certainty that the individual accessing specific data is the one duly authorised to do so, because a session taken over after a legitimate login is detected instead of being trusted until it ends.
- Improved user experience: authentication is done seamlessly in the background, without interrupting the user's interaction with the service.
Negative foreseen impacts on data protection:
- Risk of repurposing users’ biometric data: controllers could use stored biometric data for different purposes, such as unlawful tracking of employees for disciplinary purposes, or creation of profiles.
- Excessive data collection: depending on the purpose, the amount of data collected (even if not stored) could be excessive, contradicting the principle of data minimisation.
- Risk of chilling effect: users might fear that they are being tracked and profiled while using a system that continuously relies on their biometric features, and adapt their behaviour accordingly.
- Lack of transparency and valid legal ground: organisations might use the captured biometric traits to train artificial intelligence algorithms without properly informing the individual and without choosing a valid legal ground for that processing.
- Low data accuracy: algorithms that adapt to changes in users' behaviour (for instance as a result of users realising they are continuously monitored) could learn to accept irregular patterns of behaviour and produce false acceptances, verifying an impostor as the legitimate user. Conversely, a low-accuracy algorithm could reject the legitimate user and deprive them of access to a service.
- Low control of data and high impact of data breaches: a data breach involving stored biometric data has a lasting impact on individuals, because biometric traits, unlike a password or a card, cannot be changed or revoked once compromised. Users are also not in a position to control when the technology is applied to them.
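To make the mechanism described above concrete, and to show the adaptation problem named under "Low data accuracy", the following added example (not code from this report or from any of the cited works) simulates a behavioural continuous authentication session. Each typing window is reduced to three hypothetical features (mean key dwell time, mean flight time, typing speed), scored against the enrolment template by mean absolute z-score, and fed into a simple penalty-and-reward trust score that locks the session when trust falls too low. Two template-update policies are compared on the same constructed windows: naive adaptation, which learns from every accepted window, and guarded adaptation, which only learns from strong matches at high trust. All features, thresholds and sample windows are constructed for illustration.

```python
"""Continuous behavioural authentication with a trust score and template adaptation.

Added example, not code from the report. Feature names, thresholds, and
the sample windows below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Hypothetical per-window keystroke features: mean dwell (ms), mean flight (ms), speed (chars/s).
# Enrolment statistics are assumed to come from a prior, explicitly consented enrolment phase.
ENROL_MEAN = (120.0, 80.0, 5.0)
ENROL_STD = (10.0, 10.0, 0.5)

ACCEPT_MAX_DIST = 1.5    # a window whose mean |z| exceeds this is rejected
STRONG_MATCH = 0.75      # guarded adaptation only learns from windows at least this close
REWARD, PENALTY = 5, 30  # trust change for an accepted / rejected window
LOCK_BELOW = 50          # the session is locked once trust drops below this
MAX_TRUST = 100


def distance(sample, template):
    """Mean absolute z-score of one window against the current template (0 = identical)."""
    return sum(abs(x - m) / s for x, m, s in zip(sample, template, ENROL_STD)) / len(sample)


@dataclass
class Session:
    template: list          # current template (starts as the enrolment mean)
    adapt_always: bool      # True = naive: update the template on every accepted window
    alpha: float            # template learning rate
    trust: int = MAX_TRUST
    locked: bool = False
    log: list = field(default_factory=list)   # (distance, accepted, trust) per window

    def observe(self, sample):
        """Score one behavioural window; update trust, template and lock state."""
        if self.locked:
            return
        d = distance(sample, self.template)
        accepted = d <= ACCEPT_MAX_DIST
        if accepted:
            self.trust = min(MAX_TRUST, self.trust + REWARD)
            # Naive policy trusts anything it accepted; guarded policy only learns from
            # strong matches while trust is high, so a slow drift cannot drag the template.
            if self.adapt_always or (d <= STRONG_MATCH and self.trust >= 90):
                self.template = [m + self.alpha * (x - m) for x, m in zip(sample, self.template)]
        else:
            self.trust = max(0, self.trust - PENALTY)
            self.locked = self.trust < LOCK_BELOW
        self.log.append((round(d, 2), accepted, self.trust))


def run(samples, adapt_always, alpha):
    """Replay a list of windows through a fresh session and return it."""
    session = Session(list(ENROL_MEAN), adapt_always, alpha)
    for window in samples:
        session.observe(window)
    return session


# Constructed windows. The genuine user has one distracted, atypical window (the third).
GENUINE = [(122, 78, 5.1), (118, 83, 4.9), (140, 95, 4.2), (121, 79, 5.0), (119, 81, 5.1)]

# Constructed impostor who takes over the session and drifts away from the enrolled
# behaviour by half a standard deviation per window, starting one deviation off.
DRIFT = [(120 + 10 * k, 80 + 10 * k, 5.0 - 0.5 * k)
         for k in (1.0, 1.5, 2.0, 2.5, 3.0, 3.5, 4.0, 4.5)]

if __name__ == "__main__":
    for label, adapt_always, alpha in (("naive", True, 0.5), ("guarded", False, 0.1)):
        for who, windows in (("genuine", GENUINE), ("impostor", DRIFT)):
            s = run(windows, adapt_always, alpha)
            print(f"{label:8s} {who:9s} locked={s.locked!s:5s} trust={s.trust:3d} "
                  f"template={[round(v, 2) for v in s.template]}")
```

With these inputs the genuine user is briefly penalised for the atypical window and recovers under either policy. Against the drifting impostor the naive policy never rejects a single window: every accepted window pulls the template half-way towards it, so the impostor ends the run with full trust and a template that now describes the impostor rather than the enrolled user. The guarded policy accepts the first two windows but refuses to learn from them, so the third and fourth windows are measured against the unchanged template, rejected, and the session locks. The guarded policy is what to insist on when an adaptive algorithm is proposed: adaptation must not be driven by the very decisions it is meant to protect.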
Tech Champion: Konstantina Vemou