But, on the other hand, also like other authentication credentials, it's not really considered sensitive employee or customer information, whose loss might have to be reported under some state and federal legislation.
Either way, that doesn't lessen the impact of its compromise, and biometric data needs to be protected and secured. Though it's much harder to steal, replay and use than more traditional authentication credentials, such as user IDs and passwords, biometric data is still digital data than can be sniffed off the wire if not properly encrypted.
Biometric credentials, which start out as analog data in the form of fingerprints, voice recordings and images ranging from faces to retinas, must ultimately be converted into the same ones and zeros as any other data to be read and used by computer systems.
The other problem with compromised biometric data is that it's hard to replace. Unlike user IDs and passwords which can be reset, or tokens and smart cards which can be replaced, lost biometric data, such as fingerprints, is more difficult to replace. This is a fundamental problem with biometrics.
One solution is to have the biometric device only use a portion of the data. For example, rather than storing a whole fingerprint, the device would only use a random piece of the fingerprint. This way, if the biometric data on file is compromised, another part of the fingerprint can be used as a replacement.
Other things to consider when shopping around for biometric products is whether the device securely captures the data, encrypts it in transit to the authentication server and then stores it securely. Recent releases of Active Directory and LDAP mesh with biometrics products and have mechanisms for securely transporting and storing biometrics data.
What should you tell customers? Besides best practices and common sense, this is a legal issue. An attorney should be contacted for regulatory requirements on notification of breaches for authentication credentials, including biometrics.
For more information:
This was first published in December 2007