igor - Fotolia

Manage Learn to apply best practices and optimize your operations.

How should enterprises react to compromised biometric information?

Securing biometric information is a crucial step for enterprises to take, but what happens if the data is still compromised? Expert Randall Gamby discusses biometric data security.

Biometric authentication technology seems as viable as it's ever been, but I'm concerned about potential hacks of a biometric database. If biometric data is stolen, can it be used to make fraudulent purchases from retailers using, for example, an iPhone, which uses biometric authentication? What actions can users and organizations take if biometric data is compromised?

Like any authentication data, biometric information needs to be protected against identity theft. However, not all biometric technologies are architected or handled the same way. In the example of an iPhone, the biometric information is encrypted and stored locally on the phone, so an organization isn't required to store the biometric information to authenticate the user. Therefore, in the case of the iPhone, an attacker would have to obtain the actual device -- rather than your fingerprint scan -- to make fraudulent purchases.

Biometric technologies include more than just fingerprint readers. Face and voice recognition are also becoming popular. The good news is, just like the iPhone fingerprint reader, the biometric authentication systems are moving toward locally stored and encrypted architectures for biometric data, making it unlikely that there would be a biometric database to be hacked.

In addition, frameworks like the FIDO Alliance Universal Authentication Framework (UAF) are being rolled out to support local biometric validations. With that said, until the security industry more fully adopts UAF, organizations need to continue to protect any biometric information they collect. Fortunately, like standard password storage, biometric storage methods normally use strong encryption hashes to obfuscate the information. However, to date there aren't any security standards that address minimum encryption hashes for biometric information protection, so it would be wise to ensure any selected vendor supports a well-known, strong hash as part of its product offering.

As far as what actions users and organizations can take if biometric data is compromised goes, already-defined investigation and remediation processes for Personally identifiable information (PII) need to be followed. This includes: working with law enforcement if the information is stolen; engaging the public relations/communications team for any interactions with outside entities; working with clients and customers on any actions they should take; and any additional steps your organization has defined for loss of PII.

What's your question?
Got a question about identity and access management technology and strategy in your organization? Submit your question via email today and our experts will answer it for you. (All questions are anonymous.)

Next Steps

Find out why simple photography cracking biometric systems highlights the need for two-factor authentication.

This was last published in July 2015

Dig Deeper on Biometric technology