What precautions should be taken if biometric data is compromised?

Ask the Expert

What happens if a biometrics database gets compromised? How do you recover from this event? What do you say to your customers?

The compromise of biometric data is very serious, no doubt about it. But there are two parts to this issue. On the one hand, stolen biometric data is like the theft of any other authentication credential. It allows unauthorized access to systems.

But, on the other hand, also like other authentication credentials, it's not really considered sensitive employee or customer information, whose loss might have to be reported under some state and federal legislation.

Either way, that doesn't lessen the impact of its compromise, and biometric data needs to be protected and secured. Though it's much harder to steal, replay and use than more traditional authentication credentials, such as user IDs and passwords, biometric data is still digital data that can be sniffed off the wire if it is not properly encrypted in transit.

Biometric credentials, which start out as analog data in the form of fingerprints, voice recordings and images ranging from faces to retinas, must ultimately be converted into the same ones and zeros as any other data to be read and used by computer systems.

The other problem with compromised biometric data is that it's hard to replace. User IDs and passwords can be reset, and tokens and smart cards can be reissued, but a person has only so many fingers: once a stored fingerprint is compromised, the fingerprint itself cannot be changed. This is a fundamental problem with biometrics.

One solution is for the biometric device to enroll only a portion of the data. For example, rather than storing the whole fingerprint, the device would use a randomly chosen piece of it. That way, if the biometric data on file is compromised, a different part of the same fingerprint can be enrolled as a replacement, and the stolen data no longer matches.
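The same idea, written out as an added example that is not code from the article or from any product it mentions: instead of storing a fixed piece of the fingerprint, the device stores a keyed random projection of the feature vector (what the literature later called a cancelable or revocable template). A leaked template is retired by deleting its key and re-enrolling the same finger under a fresh key, which yields an unrelated template. The 64-element feature vectors, the key strings, the 25% matching threshold and the function names are all assumptions made for the example.

```python
"""Revocable ("cancelable") biometric template: added example, not the
article's own code.  The stored template is a keyed random projection of the
feature vector, so a leaked template is replaced by re-enrolling under a
fresh key while the finger stays the same.  All feature vectors here are
constructed test data, not real minutiae."""
import hashlib
import random
from dataclasses import dataclass

FEATURE_DIM = 64         # length of the (constructed) feature vector
TEMPLATE_BITS = 128      # projection bits stored per enrollment
MAX_DIFFERING_BITS = 32  # accept if at most 25% of bits differ (assumed threshold)


@dataclass(frozen=True)
class Template:
    key_id: int   # which per-enrollment key produced this template
    bits: bytes   # the projected template; the raw features are never stored


def _projection_vectors(key: bytes) -> list[list[float]]:
    """Derive TEMPLATE_BITS Gaussian projection vectors from the key.

    The key seeds the PRNG deterministically: one key always gives the same
    projection, and an independent key gives an unrelated one.
    """
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(FEATURE_DIM)]
            for _ in range(TEMPLATE_BITS)]


def transform(features: list[float], key: bytes) -> bytes:
    """Map a feature vector to TEMPLATE_BITS sign bits under `key`."""
    if len(features) != FEATURE_DIM:
        raise ValueError("unexpected feature vector length")
    bits = 0
    for vec in _projection_vectors(key):
        dot = sum(f * w for f, w in zip(features, vec))
        bits = (bits << 1) | (1 if dot > 0 else 0)
    return bits.to_bytes(TEMPLATE_BITS // 8, "big")


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length templates."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def enroll(features: list[float], key_id: int, key: bytes) -> Template:
    return Template(key_id=key_id, bits=transform(features, key))


def verify(probe: list[float], template: Template,
           keys: dict[int, bytes]) -> tuple[bool, int]:
    """Match a live sample against a template.  Biometric matching is fuzzy,
    so the probe is accepted within a Hamming-distance threshold."""
    key = keys.get(template.key_id)
    if key is None:               # key revoked: the template is dead
        return False, TEMPLATE_BITS
    distance = hamming(transform(probe, key), template.bits)
    return distance <= MAX_DIFFERING_BITS, distance


def revoke_and_reenroll(features: list[float], leaked: Template,
                        keys: dict[int, bytes], new_key: bytes) -> Template:
    """Response to a template compromise: retire the old key so the leaked
    template no longer verifies, then enroll the same finger under a new key."""
    keys.pop(leaked.key_id, None)
    new_id = max(list(keys) + [leaked.key_id]) + 1
    keys[new_id] = new_key
    return enroll(features, new_id, new_key)


def demo() -> dict:
    """Enrollment, verification, compromise and re-enrollment on constructed
    data; returns the outcomes so they can be inspected."""
    rng = random.Random(7)   # fixed seed: constructed sample only
    finger = [rng.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]
    probe = [f + rng.uniform(-0.05, 0.05) for f in finger]  # same finger, sensor noise
    impostor = [rng.uniform(-1.0, 1.0) for _ in range(FEATURE_DIM)]
    keys = {1: b"per-enrollment-key-1 (constructed)"}

    template = enroll(finger, 1, keys[1])
    genuine_ok, genuine_dist = verify(probe, template, keys)
    impostor_ok, impostor_dist = verify(impostor, template, keys)

    # The template store leaks.  Revoke key 1 and re-enroll the same finger.
    new_template = revoke_and_reenroll(finger, template, keys,
                                       b"per-enrollment-key-2 (constructed)")
    leaked_ok, _ = verify(probe, template, keys)
    new_ok, new_dist = verify(probe, new_template, keys)

    return {
        "genuine_ok": genuine_ok, "genuine_dist": genuine_dist,
        "impostor_ok": impostor_ok, "impostor_dist": impostor_dist,
        "leaked_template_still_works": leaked_ok,
        "new_ok": new_ok, "new_dist": new_dist,
        # two enrollments of one finger under different keys look unrelated
        "cross_key_dist": hamming(template.bits, new_template.bits),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The transform only buys revocability if the per-enrollment key is stored apart from the template (on the reader or in an HSM, not in the same database row); an attacker holding both key and template can partly invert the projection. The matching threshold has to be set from measured genuine and impostor distance distributions on the real sensor, not the 25% assumed here.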

Other things to consider when shopping around for biometric products are whether the device captures the data securely, encrypts it in transit to the authentication server and then stores it securely. Recent releases of Active Directory and LDAP directories integrate with biometrics products and have mechanisms for securely transporting and storing biometric data.

What should you tell customers? Besides best practices and common sense, this is a legal issue. An attorney should be contacted for regulatory requirements on notification of breaches for authentication credentials, including biometrics.

For more information:

  • Joel Dubin discusses the positive and negative aspects of using keystroke dynamics-based authentication systems.
  • Learn how the combination of biometrics and electrophysiological signals can be used for authentication.

This was first published in December 2007.