Keeping Biometric Information Secure

Jun 3, 2022
By Chris Price, Principal Solutions Architect, Ping Identity

Introduction

As all types of online fraud continue proliferating at a rapid rate worldwide, the consensus is that our cybersecurity and digital identity future is one built on zero trust and passwordless authentication. Security tools increasingly employ users’ individual biometric data to prove that each person and their device are legitimate. You may already use your fingerprint or face recognition to unlock your mobile phone or laptop or to access an app, or you may use your voice to activate a smart device.


There has long been talk of securing login information, usernames, and passwords. But now that your biometric data is being used more and more often to secure access to your various online accounts, how is that information being secured? Is your biometric data safe? Are there ways for you to improve the security of your biometric data?

What Is Biometric Information?

Biometrics are measures or assessments of user traits that are unique to each individual. They can be based on physical features, such as your fingerprint, or on behaviors, such as the way you hold your phone.


Biometric characteristics used to confirm identity have to be unique, permanent (something that users consistently have access to over time), and measurable or collectable. These features make biometric data one of the most effective means of identifying users. Biometrics are also highly reliable for users because unique characteristics are not something we can lose or forget, as we can with a user ID/password combination.


Currently, commonly captured biometric data includes:

  • Fingerprint templates
  • Iris and retina templates
  • Voice print
  • 2D or 3D facial structure maps
  • Hand and finger geometry maps
  • Vein recognition templates
  • Gait analysis maps
  • DNA profiles
  • Behavioral biometric profiles

Other biometrics that are not in widespread use but may have more applications in the future include:

  • Body odor, unique chemical footprints each person carries with them
  • Ear print or structure, which doesn’t change with age
  • Gesture recognition, already part of Windows 10
  • Lip prints, as each person has a unique pattern of lip grooves

How Is Biometric Information Stored?

Because users cannot change their biometric data once it has been obtained by an unauthorized party, it is extremely important that it be handled with the utmost care.


To use biometric information for identity authentication, the first step is to capture it. The captured information is converted into a mathematical representation known as a biometric template, which is compared against the live version the user presents whenever authentication is required.


Capturing a biometric sample and converting its specific characteristics into a secure form takes the image or sample itself out of the equation, replacing it with a binary mathematical equivalent. It is thus extremely difficult, some say nearly impossible, to replicate a piece of biometric data. The image of a fingerprint, iris, or any other characteristic is discarded, and the live version the user presents is compared in real time to the captured characteristics in their mathematical form.


A primary reason that biometric data is safe and secure is that in many cases it is stored only on the user’s device. It is often not entered into or sent to external devices, databases, or servers, eliminating any single collection point where a hacker might steal it. Even if someone gains access to a device’s biometric template, reversing the conversion that created it to produce an image that a biometric sensor will recognize and accept is extremely difficult (some say nearly impossible).


Any sensor on a device typically has a file where the biometric template is stored. This file is protected by a randomly generated key that is kept within the system. Some sensors don’t rely on the OS for this: they store biometric data on the sensor module itself and carry out the matching of a user’s live characteristic against the stored template within the sensor.
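As an added illustration of the flow just described (not Ping Identity’s code, nor any real sensor’s implementation), the following Python sketch enrolls a constructed sample, keeps only a quantised template sealed under a randomly generated device key, and performs the match on the device. The sample values, the feature extraction, the distance threshold and the HMAC-based sealing are all assumptions made for the example; a real device would seal the file with its platform keystore rather than this toy cipher.

```python
"""Toy model of on-device biometric template handling (added example,
not Ping Identity code and not any real sensor's implementation).

Assumptions, all constructed for the example:
  * a "sample" is a list of 8 floating-point sensor readings;
  * the template is a quantised integer vector derived from the
    sample, so the raw readings are not retained;
  * the template file is sealed with an HMAC-SHA256 counter-mode
    keystream plus an HMAC tag, a stand-in for the platform AEAD
    (a real device uses its keystore, typically AES-GCM under a
    hardware-bound key).  Do not reuse this toy cipher elsewhere.
"""
import hashlib
import hmac
import json
import secrets
import struct

FEATURE_LEN = 8   # constructed: readings per sample
NONCE_LEN = 16
TAG_LEN = 32      # HMAC-SHA256 output size

# Constructed samples: one enrolment, one later genuine presentation
# with sensor noise, and one presentation by a different person.
ENROLL_SAMPLE = [0.10, 0.20, 0.40, 0.60, 0.70, 0.80, 0.30, 0.60]
GENUINE_SAMPLE = [0.16, 0.20, 0.40, 0.58, 0.70, 0.80, 0.30, 0.60]
IMPOSTOR_SAMPLE = [0.90, 0.80, 0.10, 0.20, 0.30, 0.10, 0.90, 0.10]


def extract_template(sample):
    """Reduce a raw sample to a compact template.  Quantising to
    integers is lossy, so the exact readings cannot be recovered."""
    if len(sample) != FEATURE_LEN:
        raise ValueError("unexpected sample size")
    return [int(round(x * 10)) for x in sample]


def _subkeys(key):
    """Derive separate encryption and MAC keys from the device key."""
    enc = hmac.new(key, b"template-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"template-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">I", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Check the tag before decrypting: a wrong key or any changed
    byte in the file is rejected instead of yielding garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("template file tampered with or wrong key")
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class DeviceStore:
    """The device side: a randomly generated key and the sealed
    template file.  Sample, template and key never leave the device;
    matching happens here."""

    def __init__(self):
        self.key = secrets.token_bytes(32)   # generated once per device
        self.template_file = None

    def enroll(self, sample):
        template = extract_template(sample)
        self.template_file = seal(self.key, json.dumps(template).encode())
        # the raw sample is dropped here; only the sealed file persists

    def verify(self, live_sample, max_distance=4):
        """Compare the live presentation with the stored template;
        max_distance is the constructed decision threshold."""
        stored = json.loads(open_sealed(self.key, self.template_file))
        live = extract_template(live_sample)
        distance = sum(abs(a - b) for a, b in zip(stored, live))
        return distance <= max_distance


if __name__ == "__main__":
    store = DeviceStore()
    store.enroll(ENROLL_SAMPLE)
    print("genuine accepted:", store.verify(GENUINE_SAMPLE))
    print("impostor accepted:", store.verify(IMPOSTOR_SAMPLE))
```

The point to take from the sketch is the data flow: the image never persists, the template file is unreadable without the device’s key, and a modified template file fails the integrity check before any comparison is attempted.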


Biometric data is usually stored securely using one of these methods:

  • On a device
  • On a portable token
  • On a control board
  • On a biometric database server
  • On both a server and a device
  • Split across multiple pieces of hardware

What Are the Risks When Storing Biometric Data?

How secure is your stored biometric data? That depends on how secure the means of storing it is.


All of the storage methods detailed above use encryption to protect biometric data, but anything that is encrypted can be decrypted. In the end, encrypted data of any type is only as secure and trustworthy as the people who have access to it.


Biometric data storage on a device is more secure than storage in a database. Database storage can be convenient and cost effective. However, with large numbers of biometric templates for users, databases can be an attractive hacking target, and if they are successfully hacked, a large volume of data becomes vulnerable. Encryption helps, but exercising control over who has access to data and how they use it is the key to risk reduction.


In extremely rare instances, comparing an unauthorized user’s trait to an authorized user’s biometric template can result in an unwarranted verification. The rate at which this happens, the false accept rate (FAR), is considered one of the most important statistics by which the security of a biometric algorithm is measured. In contrast, the rate at which a biometric trait is rejected and fails to verify an authorized user is known as the false reject rate (FRR). Acceptable FAR rates are typically one or two in 100,000, while acceptable FRR rates are less than five or ten percent of attempts.
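A worked example of how FAR and FRR are computed and traded off against each other, added here with constructed scores (not Ping Identity code or measured data): the matcher is assumed to emit a 0 to 100 similarity score per attempt and to accept at or above a threshold. The lists are far too small to estimate a FAR of one in 100,000; a rate that small can only be measured over on the order of 10^5 or more impostor attempts.

```python
"""False accept / false reject rates on a constructed score set.
Added illustration; the score lists are made up, not measured.

Assumption: the matcher emits a similarity score 0..100 for each
attempt and accepts when score >= threshold.
"""

# Constructed scores: genuine attempts (the enrolled person) and
# impostor attempts (someone else presenting to the same template).
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 68, 93, 87]
IMPOSTOR_SCORES = [12, 35, 22, 48, 61, 30, 18, 55, 27, 40, 73, 9]


def far_frr(genuine, impostor, threshold):
    """FAR: fraction of impostor attempts wrongly accepted.
    FRR: fraction of genuine attempts wrongly rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def threshold_for_far(genuine, impostor, max_far, candidates=range(0, 101)):
    """Lowest threshold whose FAR is within the target, together with
    the FRR that threshold costs.  Raising the threshold can only
    lower FAR and raise FRR, which is the trade-off a deployment tunes."""
    for t in candidates:
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR target")


def tradeoff_table(genuine, impostor, thresholds=(50, 60, 70, 80, 90)):
    """(threshold, FAR, FRR) rows giving a quick view of the curve."""
    return [(t, *far_frr(genuine, impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, far, frr in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}: FAR {far:.3f}  FRR {frr:.3f}")
    print("lowest threshold with FAR <= 10%:",
          threshold_for_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.1))
```

On these constructed lists a threshold of 62 is the first that keeps FAR at one accepted impostor in twelve with no genuine rejections, while driving FAR to zero (threshold 74) starts rejecting one genuine attempt in ten; the same shape appears on real data, only with far larger attempt counts behind each rate.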


Another concern is the risk to privacy, as biometric data is likely to bring targeted advertising to the physical world, where in-store cameras collaborate with social media companies to identify you and display in-store ads to you specifically. Fortunately, some government bodies are aware of current trends, and laws are being created to control the way biometric data is used. The General Data Protection Regulation (GDPR) addresses these concerns in Europe, and a growing number of states are enacting or considering Biometric Information Privacy Laws (BIPAs).

Protecting Your Biometric Information

As biometrics use becomes more common, your personal traits are likely to be stored in a growing number of places. It is important for users to stay vigilant about biometric security. Here are some things to consider when providing your biometric information.

  • Don’t provide a piece of biometric information without carefully considering the need to do so, investigating the security in place, and determining the track record of any entity asking you to provide it.
  • Don’t hesitate to ask questions and express concerns.
  • If you are uncomfortable providing your information to a device, a service, a product, or an organization, don’t give them any of your information, biometric or otherwise.

In all situations, remember that your identifying information, including biometric data, is exactly that: yours. Depending on where you live, laws and regulations are in place to protect you and your data and to require security standards and reporting requirements by any entity that requests and collects user data.


Other steps are to follow the familiar, basic security and privacy recommendations that were widespread before most users even knew biometrics was a thing. Use strong passwords and change them periodically. Keep your device software current so that you get the latest updates and patches, which often address security flaws. Pay particular attention to your operating system and internet security software.

Using Biometrics in Your Organization

Unlike passwords, which can be changed, or ID cards, which can be replaced, each person’s biometric data is immutable. Thus, if this data is compromised, the repercussions are serious. Breaches of biometric data can’t be fixed by changing login credentials and account settings. If your biometric data is compromised, it is compromised forever. Thus, using the right tools to keep biometric data secure is imperative.


Does your organization want to use biometrics to provide a secure and seamless login experience to your customers and employees? Ping provides some of the largest organizations in the world with biometric authentication capabilities while protecting user privacy. To find out more about our passwordless options, including biometrics, please visit www.pingidentity.com/en/passwordless.html.
