Protecting Biometrics at Rest, an Essential Tutorial

Biometric authentication is fast and convenient. Touch your phone and it is unlocked. Look through an iris scanner and enter a secure room. Speak into your phone for hands-free authentication. Governments, law enforcement, airports, and corporations use it. However, is biometric authentication that simple? Not really when you consider the policy issues, privacy concerns, and complexity of biometric data protection.

A survey released by Spiceworks reports that 62 percent of companies already use biometric authentication, and another 24 percent plan to deploy it within two years. Why? It provides a reasonable level of confidence that those seeking network access are who they say they are with little to no user friction.

Biometric identifiers can be subject to fraud, attacks, and misuse at rest and in transit during data collection, processing, storage, and access. Plus, there are more obvious usability issues. You can reissue a password but cannot regenerate somebody's fingerprint (or you actually can, with biometric tokenization; read more below).

Biometric Authentication Pros and Cons

In information security, there are no absolutes. Anything can be compromised, given the right level of focus, workload, and time. Despite the risks, biometric authentication holds excellent promise. Here are some pros and cons of the methods used today and into the future:

  • Fingerprints: 57 percent of companies in the Spiceworks survey used fingerprints. However, casting or 3D-printed molds can fool the system. False negatives and false positives are not unusual.
  • Face recognition: 14 percent of companies surveyed use face recognition, but pictures and mannequin heads can fool scanners.
  • Voice recognition: This method is popular, but it can fail if a voice changes with illness or fatigue, there is ambient noise, or fraudulent voice recordings are used.
  • Behavioral and contextual methods: Behavioral metrics analyze how users interact with devices (keystroke patterns, finger pressure). Contextual identifiers analyze where and when devices are used (time of day, the device used). Privacy and disclosure issues abound with these nearly invisible methods.

Primary Considerations for Biometric Authentication

Authentication must balance security, convenience, and privacy for data at rest and in transit. One primary consideration is whether to approach biometric authentication from a centralized or decentralized perspective.

With decentralization, any one device is better protected. Users enroll using their own device, and there is no central biometric template storage. The approach scales poorly, however, and it is inconvenient for users, who must enroll separately on each device. Roaming (the ability to use multiple devices, some of which the user has not enrolled on) is significantly inhibited.

With centralized enrollment and template storage, a user only has to enroll once to generate a single biometric representation for use on multiple devices and both physical entry and digital access. The potential downside is that a breach of biometric templates could look a lot like a breach of a password database. Or could it?

Biometric Safeguards to Look For in a Vendor

When evaluating biometric authentication providers, look for vendors that offer a wide variety of options for maximizing security, including:

  1. Third-Party Cloud Solutions: A high-quality provider delivers encryption strength, secure servers, and fewer internal threats. The cloud makes sophisticated solutions available to smaller organizations.
  2. Biometric Tokenization: A stored biometric template is replaced with a non-sensitive equivalent that is randomized and lacks extrinsic meaning. Tokenization ensures secure enrollment and significantly reduces the risk of data theft and misuse. In effect, a stolen database of biometric tokens is worthless in the hands of an attacker: there is no way to reverse engineer the original template from a token, and no way to perform a hash-like comparison against other stolen biometric templates. Biometric tokenization helps make the case for centralized enrollment.
  3. MFA (multi-factor authentication): Using multiple authenticators leads to earlier detection and escalation of warning signs. Biometric authentication should supplement other methods, at least until the technology becomes more reliable.
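To make the tokenization point concrete, here is an added illustration (not HID's implementation, and not code from the original post) of one common tokenization design: the widely replicated user directory holds only random tokens, while the token-to-template mapping lives in a separately protected vault that also performs matching. The class names, the exact-match stand-in for a vendor's fuzzy biometric matcher, and the sample templates are all constructed for the example.

```python
import secrets

# Constructed sample templates: opaque bytes standing in for a vendor's
# biometric template encoding (not real fingerprint data).
ALICE_TEMPLATE = b"\x11" * 32
BOB_TEMPLATE = b"\x22" * 32


class TokenVault:
    """Assumed tokenization design (not a specific vendor's): the only
    token-to-template mapping, kept behind its own security boundary."""

    def __init__(self) -> None:
        self._store: dict[str, bytes] = {}

    def tokenize(self, template: bytes) -> str:
        # 128 bits from the OS CSPRNG: independent of the template, so there is
        # nothing to reverse and nothing to correlate with other tokens.
        token = secrets.token_hex(16)
        self._store[token] = template
        return token

    def match(self, token: str, probe: bytes) -> bool:
        # Matching happens inside the vault; the template never leaves it.
        # Exact comparison stands in for a vendor's fuzzy biometric matcher.
        template = self._store.get(token)
        return template is not None and secrets.compare_digest(template, probe)


class AuthDirectory:
    """The widely replicated user directory stores tokens only."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self._tokens: dict[str, str] = {}

    def enroll(self, user: str, template: bytes) -> str:
        self._tokens[user] = self._vault.tokenize(template)
        return self._tokens[user]

    def authenticate(self, user: str, probe: bytes) -> bool:
        token = self._tokens.get(user)
        return token is not None and self._vault.match(token, probe)


def tokens_reveal_nothing(directory: AuthDirectory, template: bytes) -> bool:
    """Enrolling the same template twice yields unrelated tokens, so a stolen
    directory cannot be correlated the way a hashed credential store can."""
    t1 = directory.enroll("user-a", template)
    t2 = directory.enroll("user-b", template)
    return t1 != t2 and template.hex() not in t1 + t2
```

A breach of the directory alone yields 32-character random strings with no path back to a template, which is the property the text contrasts with a breached password database.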

With a vendor that offers MFA, data centralization, cloud solutions, tokenization, and a reputation for quality, your organization can have secure authentication with the ease of biometrics.


Jeff Carpenter is Director of Cloud Authentication at HID Global. In his 15+ years in cybersecurity, Jeff has held positions with several top tier cybersecurity and technology companies including Crossmatch and RSA, a Dell Technologies company. He holds both a Certified Information Systems Security Professional (CISSP) and a Certified Cloud Security Professional (CCSP) designation.