Ask the Expert

What risks are associated with biometric data, and how can they be avoided?

Our organization is considering the advantages and disadvantages of implementing biometric authentication, and we're concerned about what could happen if biometric data falls into the wrong hands. Which biometric identification tools present the least risk? Are there effective methods to mitigate the risks associated with biometric authentication?

Requires Free Membership to View

Your fears about biometric data falling into the wrong hands are justified. Contrary to popular opinion, biometrics isn't foolproof. Biometric data, like any other authentication data, can be used to maliciously access a system.

Let's first take a quick look at what biometric authentication data consists of. Raw biometrics data, which starts out as analog data, consists of fingerprints, face scans, voice recognition, iris patterns or other anatomical imprints. Computer systems can only read digital data, so biometric systems convert analog information into digital information that computers can read. Though difficult to do, just like any other authentication credential, digital data captured from biometrics systems can be sniffed along the wire of insecure networks and then replayed for malicious access.

Biometric imprints that are more esoteric and harder to duplicate present the least risk of compromise. Iris patterns or electrophysiological signals are very difficult to duplicate, making devices using this type of biometrics harder to crack. Aladdin Knowledge Systems' BioDynamic Reader is an example of a biometric device relying on electrophysiological signals.

Fingerprints, on the other hand, can be lifted from an everyday object and used to gain access to a fingerprint reader. Fingerprints can also be copied and molded into gooey material, like chewing gum or putty. The same goes for voice and facial recognition, which can be recorded or photographed to create duplicates for fooling biometric systems.

Other biometrics devices, such as the BioPassword, measures a user's typing speed and style to create a unique profile.

Despite the different levels of risk for different biometrics systems, the best recommendation is to remain device agnostic. Also make sure all biometric data is stored on dedicated and secure servers to block malicious access. Most biometric devices integrate with Active Directory (AD) and LDAP for safe and secure storage of authentication data. AD and LDAP provide encrypted storage of authentication credentials for biometric data, as they do for other credentials, like user IDs and passwords.

Also, make sure biometric data, like other sensitive data, is encrypted in transit from the biometrics device to the directory or database housing the authentication credentials. Some biometrics readers are on USB keys or tokens that connect to the computer. These devices should provide encryption.

Whether at rest, or in transit, the key to protecting biometric data is encryption and then secure storage in a directory service such as AD or LDAP.

For more information

  • Security expert Joel Dubin examines how authentication credentials, such as biometric data, are in need of more protection.
  • Learn important aspects to consider when purchasing an authentication product.
  • This was first published in July 2007