Securing access to your smartphone requires the implementation of an authentication which can be a code, a diagram or, in some cases, a biometric device. In the latter case, the CNIL informs you about the conditions of application of such a system. Biometrics brings together all the computer techniques that make it possible to automatically recognize an individual on the basis of his physical, biological and even behavioral characteristics.
Some biometric authentication devices:
Fingerprint authentication: in the process of democratization, this functionality is offered by the main manufacturers as an alternative to the access code or the path. The publisher must ensure that the system is resistant to conventional hacking attempts, including the use of a flat print imprint.
Facial recognition: by taking a “selfie” using the front camera, your smartphone recognizes the contours of your face and unlocks access. The publisher of the biometric solution must ensure that the sensor resists attacks such as using a photo to fool facial recognition. With fido apk the options are open.
Where is your data hosted?
There are two possibilities:
Your biometric template is only stored locally, within the device. For example, if you use the authentication system of your Android or iPhone smartphone, neither the applications, nor the manufacturer of the phone or the operating system can access your template. In addition, this feature can only be used for one and the same purpose: that of recognizing the owner of the smartphone. This data cannot be extracted from the device or cross-checked with others.
Your fingerprint is saved in a Cloud, which can be handled by applications or even recovered by a third party. The person concerned therefore does not have mastery of the biometric template.
Can we refuse to use biometrics?
The use of biometrics to access an application must be the sole choice of the person concerned, and can in no case be an obligation. In any case, you should be offered an alternative to the non-biometric authentication method. The supplier of an application wishing to control the access of its users by biometric authentication must therefore allow them to authenticate themselves by another means for example entering a code without additional constraints.
What about security?
The application provider must in any case ensure that the biometric authentication solution to which it uses (and with which its application can communicate) is sufficiently reliable. The safety measures are listed in this sheet dedicated to professionals to find out about other techniques for securing access to your smartphone (PIN, locking, encryption), go to our practical sheet.
Biometric devices offered to individuals subject to the GDPR
When the biometric recognition device offered to the person on their device works in interaction with remote servers controlled by a third party organization, the organization must comply with the obligations provided for by the GDPR:
- Whether he is the decision maker for the implementation of biometric authentication in a given context;
- If he or she controls all or part of the biometric processing means (for example, a biometric reader or a base for storing the template).
The organization must in particular examine whether the proposed processing of personal data is likely to create a high risk for the rights and freedoms of individuals and, in such a case, carry out an impact assessment relating to data protection (AIPD). In particular, it must take into account the sensitivity of the data processed and the innovative nature of the technologies used. The AIPD must be sent to the CNIL for consultation if the level of residual risk remains high.