Best Privacy Practices When Using Biometric Matching For Authentication

    Nok Nok Labs, an innovator in modern
    authentication and a founding member of the FIDO (Fast IDentity Online)
    Alliance, today published a White Paper from PwC Legal comparing key privacy
    implications of on-device and on-server matching of biometric data.

    For organisations considering biometrics as they move away from reliance on
    usernames and passwords, the report highlights why device-side matching of
    biometric data is a compelling approach for satisfying key privacy
    requirements on cross-border personal data transfers, while also giving
    individuals choice and control over such personal data.

    Biometric data is considered to be sensitive personal data and some
    jurisdictions have already specifically referenced it in privacy guidance and
    legislation. This paper emphasises key privacy considerations, sets out the
    implications of processing biometric data in the EU, Switzerland, Canada, USA
    and the Asia-Pacific region, and touches on best practice recommendations in
    these jurisdictions.

    “Biometric authentication and verification can be one of the most secure
    ways to control access to restricted systems and information,” said Stewart
    Room, partner at PwC Legal. “Unlike authentication based on traditional
    passwords, authentication through biometric data is easier to use in
    practice, and can be far more secure.

    “However, this is a double-edged sword, because biometric data is extremely
    sensitive due to its uniqueness and how intrinsic it is to a specific
    individual. Additional efforts must be made to keep this data secure
    including choosing a proper compliance system and infrastructure, training
    staff how to handle it and protecting it from unauthorised access or

    Other key findings in the White Paper include:

      • Freely given, informed user consent is required before processing biometric
        data in almost every jurisdiction covered in the White Paper.
      • With centralised storage of biometric data, the potential for large-scale
        loss of data is significantly increased.
      • On-device authentication will generally avoid international cross-border
        biometric data transfer implications. Conversely, on-server authentication
        for a global network of biometric users results in international transfers of
        data; transfer of personal data, including biometric data, out of a
        jurisdiction is generally restricted.

    “Biometrics are a compelling way to improve mobile application usability
    and avoid the security pitfalls of username/passwords, but significant
    privacy concerns come into play,” said Phillip Dunkelberger, President &
    CEO of Nok Nok Labs. “With biometrics, it is crucial to understand the
    difference between on-device and on-server matching, as the difference
    between the two approaches significantly affects the risk and exposure of
    data in a breach. The on-device approach, as used by Nok Nok Labs technology,
    ensures optimal privacy for biometric information.”

    The full report can be found here: