
Getting personal: Why biometrics were needed in popular apps

Russia may introduce mandatory biometrics for identifying users of popular applications under a new bill on combating telephone and Internet fraud, which the government submitted to the State Duma last February. However, experts warn that the changes carry a number of risks, including leaks of personal data. Izvestia looked into how the arrival of mandatory biometric authorization in services may play out.
Why is biometric identification needed in apps?
The need to implement biometric authorization in applications stems from the growing number of online fraud cases in which someone else's credentials are used to access important services: Gosuslugi, online banks and other resources holding sensitive information, Konstantin Gorbunov, a leading expert on network threats and web developer at the Security Code company, says in an interview with Izvestia.
"In response to the introduction of two-factor authorization, fraudsters actively come up with new schemes and, under various pretexts, find out one-time codes from users: some through phishing in messengers, some through spam calls, some through mailings. In the case of biometrics, however, the user must be directly in front of the screen to authorize," says the specialist.
Evgeny Yanov, head of the Audit and Consulting Department at F6, adds that biometric data cannot be forgotten like a password or PIN, or lost like a device with 2FA set up, which simplifies the interaction and potentially reduces the administrative cost of verifying user data.
What is the international experience of implementing biometrics in applications?
There are already many examples of the implementation of biometric identification in applications in the world, says Evgeny Yanov. Among them is the Indian Aadhaar system, where biometrics is used to interact with the tax system and the banking sector, as well as to issue SIM cards. Or the Estonian e-ID, which is used to access most government services (healthcare, banks, voting, taxes, etc.). Similar systems exist in the UAE, Brazil, and a number of other countries.
In turn, Angara Security cybersecurity expert Nikolai Dolgov points out that the most common methods of biometric identification are face, fingerprint, and voice recognition. It is important to note that in most cases the technology is used on a voluntary basis, which minimizes the risks of data leaks and better protects the rights of users.
At the same time, the experience of implementing biometrics turns out to be very contradictory, says Sergey Polunin, head of the IT infrastructure solutions protection group at Gazinformservice. In particular, the state registry of biometric information in India has been hacked more than once, and in 2024 data from the country's police service, with all fingerprints, signatures and scans of individuals, leaked online. On the other hand, electronic voting in elections is being actively implemented in European countries, where biometrics is the main way to confirm identity, the expert emphasizes.
Can biometrics effectively protect users?
Contact information and full name are stored separately from encrypted biometrics, which reduces the risk of their leakage, says Vitaly Fomin, head of the information security analyst group at the Digital Economy League, in an interview with Izvestia. Even if the data falls into the hands of intruders, they will not be able to use it.
"It is difficult to fake a person's physiological and behavioral characteristics, so with a proper implementation of biometric technologies a high level of protection can be achieved. However, it is more effective to combine this method with other identification options to ensure complete security," the expert explains.
At the same time, as Vitaly Fomin notes, Russians are wary of innovations and are reluctant to hand over biometrics, as they are aware of fraudulent schemes involving its use. For example, deepfake technologies are actively developing now, which makes it difficult for ordinary users to identify a fake image or audio message when logging in by face or voice.
Technically, biometric identification in applications can be implemented in various ways: face scanning, fingerprinting, iris authentication, or voice, says Evgeny Yanov. The most common of these are face and fingerprint recognition. In general, different options can be used; the main thing is to build a system of protection against forgery and to take into account whether users have devices that support the chosen method.
"Whether biometrics can effectively protect users will directly depend on the implementation and the protection measures taken. The Estonian system, for example, is based on the blockchain, and biometric data is stored on smart cards. The system in India uses centralized storage with multi-layer encryption," the source says.
Some other systems use the SSI storage model for decentralization. In addition, most of them do not contain biometric data per se, but use tokenization. It is also worth thinking about a secure way to transfer data in the system and adhere to the principle of "zero trust" in building its architecture.
What are the risks of implementing biometric identification?
It is important to carefully implement this initiative, taking into account the interests and protection of private life and the identity of citizens, says Maxim Buzinov, head of the R&D Laboratory at the Solar Group Cybersecurity Technology Center. Obviously, machine learning mechanisms for voice and face recognition will be used to collect and process data. Measures should be taken to ensure the security of both the database of ML models themselves and the accuracy of recognition by algorithms.
"It is necessary to ensure that such a database is regularly updated, that false alarms are corrected, and, of course, it is worth considering the risks of attacks that use digital twins completely generated by artificial intelligence (AI)," the source tells Izvestia.
At the same time, Evgeny Yanov considers the possible risks of shifting the vector of fraud from an attempt to steal data to forcing a person to commit certain actions, the purpose of which is the illegal collection of biometrics. And if the password can be changed quickly, then biometric data cannot be changed in case of compromise.
In addition, modern neural networks make it possible to recreate images of people quite well, and a spoofing attack can be used for fingerprints (when one person or a program successfully disguises itself as another). To protect against it, it is necessary to check not only the actual correspondence of the papillary line pattern, but also to reliably determine that the applied finger is real, which creates additional difficulties for verification.
"It is necessary to take into account a number of behavioral factors, as well as information about the network and the device, in order to draw more correct conclusions about the authenticity of the source of the provided data at the time of the authentication attempt. Another nuance with the use of biometrics is the need to have a device that supports these methods — a face or fingerprint scanner — which can create difficulties for the older generation," the specialist concludes.
Translated by the Yandex Translate service