Our organization is considering the advantages and disadvantages of implementing biometric authentication, and
we're concerned about what could happen if biometric data falls into the wrong hands. Which biometric identification tools present the least risk? Are there effective methods to mitigate the risks associated with biometric authentication?
Your fears about biometric data falling into the wrong hands are justified. Contrary to popular opinion, biometrics isn't foolproof. Biometric data, like any other authentication data, can be used to maliciously access a system.
Let's first take a quick look at what biometric authentication data consists of. Raw biometrics data, which starts out as analog data, consists of fingerprints, face scans, voice recognition, iris patterns or other anatomical imprints. Computer systems can only read digital data, so biometric systems convert analog information into digital information that computers can read. Though difficult to do, just like any other authentication credential, digital data captured from biometrics systems can be sniffed along the wire of insecure networks and then replayed for malicious access.
Biometric imprints that are more esoteric and harder to duplicate present the least risk of compromise. Iris patterns or electrophysiological signals are very difficult to duplicate, making devices using this type of biometrics harder to crack. Aladdin Knowledge Systems' BioDynamic Reader is an example of a biometric device relying on electrophysiological signals.
Fingerprints, on the other hand, can be lifted from an everyday object and used to gain access to a fingerprint reader. Fingerprints can also be copied and molded into gooey material, like chewing gum or putty. The same goes for voice and facial recognition, which can be recorded or photographed to create duplicates for fooling biometric systems.
Other biometrics devices, such as the BioPassword, measures a user's typing speed and style to create a unique profile.
Despite the different levels of risk for different biometrics systems, the best recommendation is to remain device agnostic. Also make sure all biometric data is stored on dedicated and secure servers to block malicious access. Most biometric devices integrate with Active Directory (AD) and LDAP for safe and secure storage of authentication data. AD and LDAP provide encrypted storage of authentication credentials for biometric data, as they do for other credentials, like user IDs and passwords.
Also, make sure biometric data, like other sensitive data, is encrypted in transit from the biometrics device to the directory or database housing the authentication credentials. Some biometrics readers are on USB keys or tokens that connect to the computer. These devices should provide encryption.
Whether at rest, or in transit, the key to protecting biometric data is encryption and then secure storage in a directory service such as AD or LDAP.
For more information
Dig deeper on Biometric Technology
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.