Our organization is considering the advantages and disadvantages of implementing biometric authentication, and...
we're concerned about what could happen if biometric data falls into the wrong hands. Which biometric identification tools present the least risk? Are there effective methods to mitigate the risks associated with biometric authentication?
Your fears about biometric data falling into the wrong hands are justified. Contrary to popular opinion, biometrics isn't foolproof. Biometric data, like any other authentication data, can be used to maliciously access a system.
Let's first take a quick look at what biometric authentication data consists of. Raw biometrics data, which starts out as analog data, consists of fingerprints, face scans, voice recognition, iris patterns or other anatomical imprints. Computer systems can only read digital data, so biometric systems convert analog information into digital information that computers can read. Though difficult to do, just like any other authentication credential, digital data captured from biometrics systems can be sniffed along the wire of insecure networks and then replayed for malicious access.
Biometric imprints that are more esoteric and harder to duplicate present the least risk of compromise. Iris patterns or electrophysiological signals are very difficult to duplicate, making devices using this type of biometrics harder to crack. Aladdin Knowledge Systems' BioDynamic Reader is an example of a biometric device relying on electrophysiological signals.
Fingerprints, on the other hand, can be lifted from an everyday object and used to gain access to a fingerprint reader. Fingerprints can also be copied and molded into gooey material, like chewing gum or putty. The same goes for voice and facial recognition, which can be recorded or photographed to create duplicates for fooling biometric systems.
Other biometrics devices, such as the BioPassword, measures a user's typing speed and style to create a unique profile.
Despite the different levels of risk for different biometrics systems, the best recommendation is to remain device agnostic. Also make sure all biometric data is stored on dedicated and secure servers to block malicious access. Most biometric devices integrate with Active Directory (AD) and LDAP for safe and secure storage of authentication data. AD and LDAP provide encrypted storage of authentication credentials for biometric data, as they do for other credentials, like user IDs and passwords.
Also, make sure biometric data, like other sensitive data, is encrypted in transit from the biometrics device to the directory or database housing the authentication credentials. Some biometrics readers are on USB keys or tokens that connect to the computer. These devices should provide encryption.
Whether at rest, or in transit, the key to protecting biometric data is encryption and then secure storage in a directory service such as AD or LDAP.
For more information
Dig Deeper on Biometric technology
Related Q&A from Joel Dubin
Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading
Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading