Per the examples noted in the question, biometric data is unique to each employee, and like their user IDs and passwords, it's often used by companies and government agencies for ensuring secure access to network and computer systems. Biometric data should be considered employee data, which conversely is guarded by policies and regulations. The problem is that unlike a user ID and password, biometric data is considered to be an authentication credential, and there are no policies demanding that authentication credentials be kept secure.
Current regulations, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) require security and access controls for customer and employee data, but not necessarily for authentication credentials.
Stepping to your main concern, biometric data -- regardless of regulations -- needs to be protected. Like user IDs and passwords, it is stored as digital data in directories like Active Directory (AD) or LDAP. Similar to other authentication credentials, it can be sniffed, stolen or compromised and then used to maliciously access your system.
Biometric data isn't as easy to compromise as a plain user ID and password, which can be typed into a login page to gain system access. But, if unencrypted, the digital representation of biometric data can be replayed, and used to access a system..
There are three criteria for securing biometric data. First, it should be gathered on a secure device that only passes data to your system, without storing it. Second, like any other authentication credentials, it should be transmitted with encryption and never in clear or plain text. Third, it should be stored and encrypted in a secure directory service, such as AD or LDAP.
For more information:
Dig Deeper on Two-factor and multifactor authentication strategies
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.