Article

Can your fingerprint be compromised?

Hank Hogan, Contributing Writer

Biometric systems are presumed to be a strong form of security because they authenticate users through fingerprints, retinal patterns and other unique physical characteristics. But, what happens if that information is compromised?

With biometrics, what's transmitted and compared isn't an image but a digital template. These templates, due to lack of standardization, are tied to a given solution, and their compromise currently won't create a widespread problem.

However, it's still possible to launch an attack against an individual enterprise by compromising the templates through theft or fraud, rigging the matching algorithm to always yield a desired response or attacking the communication channel to intercept and plant information. But these risks can be lessened with planning.

"It's really just a matter of taking industry-accepted standard protocols that we use every day for secure Web sites -- for example, to prevent man-in-the-middle attacks -- and making sure that the biometrics system, if it's server-based, uses those same protocols," says Greg Jensen, CTO of biometric solution vendor Saflink. Jensen says that such measures include using a secure server behind a firewall, encrypted templates and authentication to the biometric device itself.

What if the biometric solution is self-contained and maintains the template database itself? Information security managers must demand evidence that the systems and templates are secure and tamperproof. Otherwise,

    Requires Free Membership to View

the situation would be similar to poor encryption key management.

"If the vendor of a biometric solution can't secure those templates, I'm sure as heck not going to buy it," says Rich Mogull, research director of Gartner Group's Information Security and Risk practice. "That's a must-have."


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: