Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > What precautions should be taken if biometric data is compromised?
Ask The Security Expert: Questions & Answers
EMAIL THIS

What precautions should be taken if biometric data is compromised?

Joel Dubin, past SearchSecurity.com expert EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 29 November 2007
What happens if a biometrics database gets compromised? How do you recover from this event? What do you say to your customers?

>
The compromise of biometric data is like the theft of any other authentication credential. It allows unauthorized access to systems.

But, on the other hand, also like other authentication credentials, it's not really considered sensitive employee or customer information, whose loss might have to be reported under some state and federal legislation.

Either way, that doesn't lessen the impact of its compromise, and biometric data needs to be protected and secured. Though it's much harder to steal, replay and use than more traditional authentication credentials, such as user IDs and passwords, biometric data is still digital data than can be sniffed off the wire if not properly encrypted.

Biometric credentials, which start out as analog data in the form of fingerprints, voice recordings and images ranging from faces to retinas, must ultimately be converted into the same ones and zeros as any other data to be read and used by computer systems.

The other problem with compromised biometric data is that it's hard to replace. Unlike user IDs and passwords which can be reset, or tokens and smart cards which can be replaced, lost biometric data, such as fingerprints, is more difficult to replace. This is a fundamental problem with biometrics.

One solution is to have the biometric device only use a portion of the data. For example, rather than storing a whole fingerprint, the device would only use a random piece of the fingerprint. This way, if the biometric data on file is compromised, another part of the fingerprint can be used as a replacement.

Other things to consider when shopping around for biometric products is whether the device securely captures the data, encrypts it in transit to the authentication server and then stores it securely. Recent releases of Active Directory and LDAP mesh with biometrics products and have mechanisms for securely transporting and storing biometrics data.

What should you tell customers? Besides best practices and common sense, this is a legal issue. An attorney should be contacted for regulatory requirements on notification of breaches for authentication credentials, including biometrics.

For more information:

  • Joel Dubin discusses the positive and negative aspects of using keystroke dynamic-based authentication systems.
  • Learn how the combination of biometrics and electrophysiological signals can be used for authentication.


    • BROWSE BY TAG
    Identity Management and Access Control,   Enterprise Identity and Access Management,   User Authentication Services,   Biometric Technology,   Expert Archive: Identity Management and Access Control,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Identity Management and Access Control
    IT business justification to limit network access
    Prevent password cracking with password management strategies
    Is Identity Management as a Service (IDaaS) a good idea?
    How to log in to multiple servers with federated single sign-on (SSO)
    How to confirm the receipt of an email with security protocols
    Learn about enterprise strategy for server virtualization single sign-on
    Employee information security awareness training for new IAM systems
    Can you combine RFID tag technology with GPS to track stolen goods?
    Is there a free enterprise-caliber password-management tool?
    Cryptosystem attacks that do not involve obtaining the decryption key

    Biometric Technology
    Group to shed light on secure identity management threats
    Biometrics project studies ways to combat bank fraud
    Apple iPhone app could boost two-factor
    Vein-reader biometric authentication for health care, financials
    Exploring authentication methods: How to develop secure systems
    Biometric authentication know-how: Devices, systems and implementation
    Pre-boot biometric user authentication tools and strategies
    To what exactly would a request for biometric data from an insurance provider pertain?
    Keystroke recognition aids online authentication at credit union
    What are the possible benefits of microchip implants and RFID tags for employees?
    Biometric Technology Research

    Expert Archive: Identity Management and Access Control
    Enterprise password management policy: Finding the balance
    How to conduct a periodic user access review for account privileges
    Options for a mechanical door security system on a server room door
    Comparing access control mechanisms and identity management techniques
    User provisioning and SSO for PeopleSoft- and Unix-based products
    Could someone place a rootkit on an internal network through a router?
    Should a new user have to confirm an email address to gain access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token and a vendor?
    Using batch files for temporary user access to the local admin group

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    biometric payment  (SearchSecurity.com)
    electro-optical fingerprint recognition  (SearchSecurity.com)
    false acceptance  (SearchSecurity.com)
    finger vein ID  (SearchSecurity.com)
    fingernail storage  (SearchSecurity.com)
    keystroke dynamics  (SearchSecurity.com)
    live capture  (SearchSecurity.com)
    multifactor authentication (MFA)  (SearchSecurity.com)
    password hardening  (SearchSecurity.com)
    ridge  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts