Ask The Security UK Expert: Questions & Answers

What precautions should be taken if biometric data is compromised?

Expert response from: Joel Dubin, past SearchSecurity.com expert



QUESTION POSED ON: 29 November 2007
What happens if a biometrics database gets compromised? How do you recover from this event? What do you say to your customers?

The compromise of biometric data is very serious, no doubt about it. But there are two parts to this issue. On the one hand, stolen biometric data is like the theft of any other authentication credential. It allows unauthorized access to systems.

But, on the other hand, also like other authentication credentials, it's not really considered sensitive employee or customer information, whose loss might have to be reported under some state and federal legislation.

Either way, that doesn't lessen the impact of its compromise, and biometric data needs to be protected and secured. Though it's much harder to steal, replay and use than more traditional authentication credentials, such as user IDs and passwords, biometric data is still digital data that can be sniffed off the wire if not properly encrypted.

Biometric credentials, which start out as analog data in the form of fingerprints, voice recordings and images ranging from faces to retinas, must ultimately be converted into the same ones and zeros as any other data to be read and used by computer systems.

The other problem with compromised biometric data is that it's hard to replace. Unlike user IDs and passwords which can be reset, or tokens and smart cards which can be replaced, lost biometric data, such as fingerprints, is more difficult to replace. This is a fundamental problem with biometrics.

One solution is to have the biometric device only use a portion of the data. For example, rather than storing a whole fingerprint, the device would only use a random piece of the fingerprint. This way, if the biometric data on file is compromised, another part of the fingerprint can be used as a replacement.

Other things to consider when shopping around for biometric products are whether the device securely captures the data, encrypts it in transit to the authentication server and then stores it securely. Recent releases of Active Directory and LDAP mesh with biometrics products and have mechanisms for securely transporting and storing biometrics data.

What should you tell customers? Besides best practices and common sense, this is a legal issue. An attorney should be contacted for regulatory requirements on notification of breaches for authentication credentials, including biometrics.

For more information:

  • Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.
  • Learn how the combination of biometrics and electrophysiological signals can be used for authentication.
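The partial-template idea in the answer, as an added illustration that is not from the original page or from any biometric product: each enrollment hashes a randomly chosen subset of the quantized feature values under a fresh salt, so a leaked record can be retired and a disjoint subset enrolled in its place. The feature vector, the region size and the exact-match assumption are all constructed simplifications; real matchers must tolerate noisy captures, which this model does not handle.

```python
import hashlib
import hmac
import os
import random
import secrets
from dataclasses import dataclass, field

REGION_SIZE = 16  # features per enrollment (assumption); 64 features -> 4 reissues


def sample_fingerprint(seed: int, n: int = 64) -> list[int]:
    """Constructed stand-in for a stable, quantized feature vector."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]


@dataclass
class Record:
    region: tuple[int, ...]                 # feature indices this enrollment uses
    salt: bytes                             # per-enrollment salt for the HMAC key
    digest: bytes                           # stored instead of the raw features
    retired: list[tuple[int, ...]] = field(default_factory=list)  # exposed regions


def _digest(features: list[int], region: tuple[int, ...], salt: bytes) -> bytes:
    selected = bytes(features[i] for i in region)
    return hmac.new(salt, selected, hashlib.sha256).digest()


def enroll(features: list[int], exclude: tuple[tuple[int, ...], ...] = ()) -> Record:
    """Pick a random region that avoids every retired one and store only its digest."""
    used = set().union(*exclude)
    available = [i for i in range(len(features)) if i not in used]
    if len(available) < REGION_SIZE:
        raise ValueError("no unused region left; fall back to another factor")
    region = tuple(sorted(secrets.SystemRandom().sample(available, REGION_SIZE)))
    salt = os.urandom(16)
    return Record(region, salt, _digest(features, region, salt), list(exclude))


def verify(record: Record, features: list[int]) -> bool:
    if max(record.region) >= len(features):
        return False
    return hmac.compare_digest(record.digest, _digest(features, record.region, record.salt))


def reissue(record: Record, features: list[int]) -> Record:
    """After a compromise: retire the exposed region and enroll a disjoint one.
    The salt only stops precomputation; a leaked record still needs access control,
    because biometric features carry far less entropy than the digest length suggests."""
    return enroll(features, exclude=(*record.retired, record.region))
```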


    All Rights Reserved, Copyright 2008 - 2010, TechTarget | Read our Privacy Policy