Ask The Security UK Expert: Questions & Answers

What precautions should be taken if biometric data is compromised?

EXPERT RESPONSE FROM: Joel Dubin

QUESTION POSED ON: 29 November 2007
What happens if a biometrics database gets compromised? How do you recover from this event? What do you say to your customers?

EXPERT RESPONSE
The compromise of biometric data is like the theft of any other authentication credential. It allows unauthorized access to systems.

But, on the other hand, also like other authentication credentials, it's not really considered sensitive employee or customer information, whose loss might have to be reported under some state and federal legislation.

Either way, that doesn't lessen the impact of its compromise, and biometric data needs to be protected and secured. Though it's much harder to steal, replay and use than more traditional authentication credentials, such as user IDs and passwords, biometric data is still digital data that can be sniffed off the wire if not properly encrypted.

Biometric credentials, which start out as analog data in the form of fingerprints, voice recordings and images ranging from faces to retinas, must ultimately be converted into the same ones and zeros as any other data to be read and used by computer systems.

The other problem with compromised biometric data is that it's hard to replace. Unlike user IDs and passwords which can be reset, or tokens and smart cards which can be replaced, lost biometric data, such as fingerprints, is more difficult to replace. This is a fundamental problem with biometrics.

One solution is to have the biometric device only use a portion of the data. For example, rather than storing a whole fingerprint, the device would only use a random piece of the fingerprint. This way, if the biometric data on file is compromised, another part of the fingerprint can be used as a replacement.

Other things to consider when shopping around for biometric products are whether the device securely captures the data, encrypts it in transit to the authentication server and then stores it securely. Recent releases of Active Directory and LDAP mesh with biometrics products and have mechanisms for securely transporting and storing biometrics data.

What should you tell customers? Besides best practices and common sense, this is a legal issue. An attorney should be contacted for regulatory requirements on notification of breaches for authentication credentials, including biometrics.

For more information:

  • Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.
  • Learn how the combination of biometrics and electrophysiological signals can be used for authentication.
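
The partial-template idea from the answer above, sketched as an added example (not part of the original response and not any product's code): a toy matcher over constructed minutiae points, where `enroll`, `verify`, `reissue_until_exhausted` and the tolerance values are hypothetical. It shows that a stolen partial template fails against the reissued one, and that a finger only has a limited number of disjoint pieces to reissue.

```python
import secrets

# Constructed sample: one finger as 12 minutiae (x, y, ridge angle in degrees).
FULL_PRINT = [(10, 14, 30), (20, 52, 115), (30, 33, 200), (40, 71, 75),
              (50, 25, 310), (60, 60, 160), (70, 12, 45), (80, 44, 270),
              (90, 81, 20), (100, 37, 135), (110, 66, 240), (120, 19, 95)]

def enroll(minutiae, k, burned=frozenset()):
    """Store only k randomly chosen minutiae, never reusing burned indices."""
    available = [i for i in range(len(minutiae)) if i not in burned]
    if len(available) < k:
        raise ValueError("not enough unused minutiae left to reissue")
    idx = sorted(secrets.SystemRandom().sample(available, k))
    return {"indices": idx, "points": [minutiae[i] for i in idx]}

def _near(p, q, tol=3, ang_tol=10):
    """Toy tolerance match between two minutiae (hypothetical thresholds)."""
    d = abs(p[2] - q[2]) % 360
    return (abs(p[0] - q[0]) <= tol and abs(p[1] - q[1]) <= tol
            and min(d, 360 - d) <= ang_tol)

def verify(template, scan):
    """Accept only if every stored point has a counterpart in the scan."""
    return all(any(_near(p, q) for q in scan) for p in template["points"])

def reissue_until_exhausted(minutiae, k):
    """Revoke and re-enroll repeatedly; return every template issued."""
    burned, issued = set(), []
    while True:
        try:
            t = enroll(minutiae, k, burned)
        except ValueError:
            return issued
        issued.append(t)
        burned.update(t["indices"])

if __name__ == "__main__":
    # Constructed noisy rescan of the same finger by its owner.
    live = [(x + 1, y - 2, (a + 4) % 360) for x, y, a in FULL_PRINT]
    old = enroll(FULL_PRINT, 4)
    new = enroll(FULL_PRINT, 4, burned=set(old["indices"]))
    print("owner vs old:", verify(old, live))
    print("owner vs new:", verify(new, live))
    print("stolen old template replayed vs new:", verify(new, old["points"]))
    print("templates available from this finger:",
          len(reissue_until_exhausted(FULL_PRINT, 4)))
```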


    All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy