What risks are associated with biometric data, and how can they be avoided?

BROWSE BY TAG Identity Management and Access Control,   Enterprise Identity and Access Management,   User Authentication Services,   Biometric Technology,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Biometric Technology Group to shed light on secure identity management threats Biometrics project studies ways to combat bank fraud Apple iPhone app could boost two-factor Vein-reader biometric authentication for health care, financials Exploring authentication methods: How to develop secure systems Biometric authentication know-how: Devices, systems and implementation Pre-boot biometric user authentication tools and strategies To what exactly would a request for biometric data from an insurance provider pertain? Keystroke recognition aids online authentication at credit union What are the possible benefits of microchip implants and RFID tags for employees? Biometric Technology Research Expert Archive: Identity Management and Access Control Enterprise password management policy: Finding the balance How to conduct a periodic user access review for account privileges Options for a mechanical door security system on a server room door Comparing access control mechanisms and identity management techniques User provisioning and SSO for PeopleSoft- and Unix-based products Could someone place a rootkit on an internal network through a router? Should a new user have to confirm an email address to gain access? Can home PCs provide a way for viruses and spyware to enter a corporate LAN? What should an enterprise look for in a password token and a vendor? Using batch files for temporary user access to the local admin group

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary biometric payment  (SearchSecurity.com) electro-optical fingerprint recognition  (SearchSecurity.com) false acceptance  (SearchSecurity.com) finger vein ID  (SearchSecurity.com) fingernail storage  (SearchSecurity.com) keystroke dynamics  (SearchSecurity.com) live capture  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) password hardening  (SearchSecurity.com) ridge  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Your fears about biometric data falling into the wrong hands are justified. Contrary to popular opinion, biometrics isn't foolproof. Biometric data, like any other authentication data, can be used to maliciously access a system.

Let's first take a quick look at what biometric authentication data consists of. Raw biometrics data, which starts out as analog data, consists of fingerprints, face scans, voice recognition, iris patterns or other anatomical imprints. Computer systems can only read digital data, so biometric systems convert analog information into digital information that computers can read. Though difficult to do, just like any other authentication credential, digital data captured from biometrics systems can be sniffed along the wire of insecure networks and then replayed for malicious access.

Biometric imprints that are more esoteric and harder to duplicate present the least risk of compromise. Iris patterns or electrophysiological signals are very difficult to duplicate, making devices using this type of biometrics harder to crack. Aladdin Knowledge Systems' BioDynamic Reader is an example of a biometric device relying on electrophysiological signals.

Fingerprints, on the other hand, can be lifted from an everyday object and used to gain access to a fingerprint reader. Fingerprints can also be copied and molded into gooey material, like chewing gum or putty. The same goes for voice and facial recognition, which can be recorded or photographed to create duplicates for fooling biometric systems.

Other biometrics devices, such as the BioPassword, measures a user's typing speed and style to create a unique profile.

Despite the different levels of risk for different biometrics systems, the best recommendation is to remain device agnostic. Also make sure all biometric data is stored on dedicated and secure servers to block malicious access. Most biometric devices integrate with Active Directory (AD) and LDAP for safe and secure storage of authentication data. AD and LDAP provide encrypted storage of authentication credentials for biometric data, as they do for other credentials, like user IDs and passwords.

Also, make sure biometric data, like other sensitive data, is encrypted in transit from the biometrics device to the directory or database housing the authentication credentials. Some biometrics readers are on USB keys or tokens that connect to the computer. These devices should provide encryption.

Whether at rest, or in transit, the key to protecting biometric data is encryption and then secure storage in a directory service such as AD or LDAP.

For more information