“Smash the biometric fingerprint reader and its trail of metadata, post haste!...”
An interesting finding from a recent survey that Liminal conducted — a quarter of the general population is so concerned about privacy that they intentionally never use mobile biometrics such as facial recognition or fingerprint scans. NEVER.
This is concerning on a number of levels...
Firstly, the average person has over a hundred online accounts, the vast majority of which require a unique password for authentication purposes. Since just 9% of the population uses a password generator according to our survey, we can safely assume the remainder are using a handful of variants to manage their logins, or, the same password over and over again. This is cybersecurity 101, page one — don’t use the same password, and certainly not for over a hundred logins.
Part of this is likely “breach fatigue”. The inability to connect the dots between solid cybersecurity hygiene and data breaches is probably getting worse — data breaches are up 38% in Q2, 2021, according to the Identity Theft Resource Center. Is it any surprise that consumers have a collective sense of apathy towards robust cybersecurity practices since they are largely powerless to prevent incidents from occurring, even if they are doing the right thing?
That this Achilles heel has not been sunset permanently is a separate discussion topic, but the inability for the industry to move on from passwords speaks to there being few viable alternatives. There’s single sign-on, as per services offered by Apple, Google, and Facebook, but these aren’t ubiquitous, and certainly, consumer trust in these brands with data privacy is a little lacking. Passwords can be and are strengthened by 2FA, but this adds extra friction and inconvenience. So, biometrics should be an eloquent solution to the problem, right? They check off the boxes of both secure AND fast authentication, with a UX that is convenient and requires virtually no training to use. Chances are your current smartphone has a fingerprint reader, so why not use it?
This avoidance goes beyond digital Luddism - it’s not just an aversion to new technologies. Lack of knowledge and education are limiting biometric adoption — so you’ve taken my fingerprint, now what? What happens to it? Where does it go? Who gets to see it? And, if it’s stolen, what happens then? Do I use another finger? What happens when I run out of fingers? All questions that the wary would probably want to have answered in a clear and concise manner.
Also, thanks to dystopian sci-fi, there are concerns that a “borrowed” digit or iris could be used to unlock accounts. I’m not sure how many master criminals are likely to take this approach to access TikTok accounts, but as our phones increasingly become receptacles for more valuable information and potential vaults for digital currencies, it’s not, not going to happen either.
Or… is biometric aversion one of the few areas where consumers can make a proactive choice about how and where their information is shared, and are simply exercising their right to opt out?
I spoke with Dr. Margaret Cunningham, Principal Research Scientist at Forcepoint, and an expert in human factors and behavioral psychology, on this topic for The Thesis webinar. She suggested that taking control back is empowering for consumers who generally don’t have a lot of leverage over their digital lives.
“We don't have a lot of control over our data anymore, and we're out there, we're browsing, we're being tracked on browsers, we've got ads targeted to what sometimes seems like something that was picked up from listening in my house,” says Cunningham. “It's very unnerving and so when we have that control, we can say, no thank you, I'm not going to do that, I refuse. In a way, it's exercising that last bit of control that we feel we have over our data, over who we are and how we're represented in a space that we don't understand. I don't know who owns all of my data points and I think that it's something that we can say no to still and that's very powerful for people.”
There may be some truth to this — data from the Liminal survey indicates that where consumers can exercise control, they choose to do so. Three-quarters of consumers with Apple devices chose the “Do Not Track” across third-party apps option when prompted to do so. Similarly, three-quarters of consumers were interested or very interested in having the ability to control which companies get to see and share their digital identity, and to revoke access at any time.
While there may be no quick answer to the biometric avoidance issue, systemically there are changes that can be made that could alleviate the larger issue of trust, or the lack thereof.
“I do think that there is a huge responsibility that's been somewhat shirked on the technology end and we owe each other a relationship that's built on trust,” says Cunningham. “If you want people to be trustworthy when they're using your technology, you have to act in a way that earns their trust. If you want to get to 85%+ adoption of different types of biometrics, the winner in that arena will be the one who provides information in a way that anyone can understand it.”
Fundamentally, organizations that are harvesting and sharing PII today need to do a much better job of articulating where data is shared with who, and why, in a manner that is not obfuscated with legal jargon and gratuitously long T&Cs. Otherwise, consumers will default to “no”, even when the solution being offered could be significantly to their advantage. Transparency will be foundational to building trust, and without trust, none of the more aspirational digital identity initiatives can truly come to fruition.
Biometric aversion should be considered the canary in the mine — we owe consumers a better understanding of how their identity is being used, even if that is counter to how the industry monetizes today. Consider ourselves warned.
1. ITRC, July 2021. https://www.idtheftcenter.org/data-breaches-are-up-38-percent-in-q2-2021-the-identity-theft-resource-center-predicts-a-new-all-time-high-by-years-end/.