
How should enterprises react to compromised biometric information?

Securing biometric information is a crucial step for enterprises to take, but what happens if the data is still compromised? Expert Randall Gamby discusses biometric data security.

Biometric authentication technology seems as viable as it's ever been, but I'm concerned about potential hacks of a biometric database. If biometric data is stolen, can it be used to make fraudulent purchases from retailers using, for example, an iPhone, which uses biometric authentication? What actions can users and organizations take if biometric data is compromised?

Like any authentication data, biometric information needs to be protected against identity theft. However, not all biometric technologies are architected or handled the same way. In the example of an iPhone, the biometric information is encrypted and stored locally on the phone, so an organization isn't required to store the biometric information to authenticate the user. Therefore, in the case of the iPhone, an attacker would have to obtain the actual device -- rather than your fingerprint scan -- to make fraudulent purchases.

Biometric technologies include more than just fingerprint readers; face and voice recognition are also becoming popular. The good news is that, like the iPhone fingerprint reader, biometric authentication systems are moving toward architectures in which the biometric data is stored locally and encrypted, making it unlikely that there would be a central biometric database to be hacked.

In addition, frameworks like the FIDO Alliance Universal Authentication Framework (UAF) are being rolled out to support local biometric validation: the biometric match happens on the user's device, and the server never receives the biometric itself. With that said, until the security industry more fully adopts UAF, organizations need to continue to protect any biometric information they collect. Fortunately, as with standard password storage, biometric storage methods normally use strong one-way hashes to obfuscate the information rather than keeping the raw data. However, to date there aren't any security standards that specify a minimum hash strength for biometric information protection, so it would be wise to ensure any selected vendor supports a well-known, strong hash as part of its product offering.
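The local-validation pattern described above, as an added example that is not part of the original article or of any FIDO specification: the device matches the scan and unlocks a private key, the server stores only the matching public key and verifies a signed challenge, so there is no biometric store on the server side to breach. The template comparison is a constructed hash-equality simplification, and the user names and scan bytes are invented sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
)

// Device keeps the enrolled template and the signing key it unlocks; neither ever
// leaves the handset. Matching is a hash comparison, a constructed simplification.
type Device struct {
	template [32]byte
	priv     ed25519.PrivateKey
}

// Server holds one public key per user and no biometric data at all.
type Server map[string]ed25519.PublicKey

func NewDevice(enrolledScan []byte) *Device {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return &Device{template: sha256.Sum256(enrolledScan), priv: priv}
}

// Register binds the user to the device's public key (UAF-style enrolment).
func (s Server) Register(user string, d *Device) {
	s[user] = d.priv.Public().(ed25519.PublicKey)
}

// Challenge issues a fresh nonce; signing it proves possession of the unlocked key.
func (s Server) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Assert matches the live scan on the device and signs the challenge only on success.
func (d *Device) Assert(liveScan, challenge []byte) (sig []byte, ok bool) {
	h := sha256.Sum256(liveScan)
	if subtle.ConstantTimeCompare(h[:], d.template[:]) != 1 {
		return nil, false // wrong finger: the key stays locked
	}
	return ed25519.Sign(d.priv, challenge), true
}

// Verify checks the assertion with the stored public key; the scan never travels.
func (s Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A compromise of the server's map exposes only public keys, and a captured assertion cannot be replayed against a fresh challenge.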

As for what actions users and organizations can take if biometric data is compromised, the investigation and remediation processes already defined for personally identifiable information (PII) should be followed. This includes: working with law enforcement if the information is stolen; engaging the public relations/communications team for any interactions with outside entities; working with clients and customers on any actions they should take; and any additional steps your organization has defined for loss of PII.


This was last published in July 2015


Storing the biometric data on a mobile device or PC is NOT the way to "go". The biometric data should be stored with the card issuer and/or service provider. A built-in scanner can then scan a person's thumbprint, for example, encrypt the message and send it to the authorizing agency. In the case of print scanners, all scanners must have the ability to measure pulse rate and body temperature to ensure a live human is submitting a scan. Strong security is not convenient.