Prioritizing the Security of Biometric Authentication

The man responsible for the idea that a complicated password guarantees effective security admitted in a recent interview that he was wrong. Invalidating his eight-page guide on how to creatively secure passwords in 2003, Bill Burr attributed his mistake to research that mostly came from a white paper written in the 1980s.

Burr shouldn’t be too hard on himself because knowledge-based passwords, regardless of the complexity, seem close to becoming obscure anyway as biometric authentication shows increasing patronage among industries and governments across the globe. The market growth for biometric devices is the result of several factors: the integration of biometric authentication in smartphones, adoption of biometric system by government facilities, and the rising use of biometric technology in financial institutes and critical sectors, among others.

Based on its growing popularity, it's safe to assume that biometric authentication is here to stay. However, its prevalence also comes with rising concerns about the technology's level of security, and the possible implications that can stem from it if compromised.

Biometric systems can be compromised

The Chaos Computer Club (CCC) showed multiple times that fingerprint-based authentication devices could be bypassed. In 2013, the Europe-based association of hackers bypassed the iPhone 5S biometric feature (TouchID) by lifting a high-quality print. They did it again early this year when they bypassed Samsung’s iris-based biometric authentication feature.

At a cybersecurity conference in 2016, security and computer vision specialists from the University of North Carolina defeated facial recognition systems using a system that utilizes digital 3-D facial models displayed with mobile virtual reality technology. Instead of using the photos of the researchers for the test models, images of the volunteers were collected from search engines, professional photos, and public assets on social networks like Facebook, LinkedIn, and Google+.

The past few years have also seen large-scale breaches and leaks on databases that also stored biometric data.

The United States Office of Personnel Management (OPM), which serves as a human resources department for the U.S. federal government, suffered a major data breach and leaked 5.6 million fingerprint data in 2015. A year later in the Philippines, a hacker group compromised Commission on Elections’ (Comelec) database, leaking data of 55 million registered voters that include PIIs, and in some cases, passport details and text markers of fingerprints.

What happens when biometric data is stolen?

Raw biometric samples must first be converted into digital form before a computer can read them. If biometric authentication is device-based, the digital biometric data is stored on the device itself. If it is server-based, the digital biometric data is stored in a central repository or database, which means it is no different than any other data moving from one point to another. But does that mean it is also vulnerable to similar threats? The question brings up a bigger issue because if biometric data falls into the wrong hands, it cannot expire or be changed, unlike passwords. Biometric data is an unchangeable credential because it involves unique biological input. Moreover, recording another copy of a person’s biometric data (e.g., another set of fingerprints to replace the compromised ones) is not as convenient as changing a compromised password, because the person has to be physically in the same location where the recording takes place.

There is currently no evidence that criminals can use digital biometric samples for something other than to steal it and keep it hidden. However, federal agencies have looked into creating a working group to see how cybercriminals can use biometric data such as fingerprints.

In theory, templates of biometric data can be replaced with an impostor’s template, and physically spoofed using the original template. A stolen template can also be sent to the matching module to gain unauthorized access to the system, and if not properly secured, they can be used to cross-match across different databases to track a user without consent. Although these scenarios remain theoretical, the increasing reports of compromised biometric authentication and data should caution users, vendors, enterprises, and governments about the security risks to their biometric systems.

Mitigations and Solutions

The protection of biometric authentication starts with securing its most important component—the biometric data. How it is protected depends heavily on where it is stored. If it is stored on a drive, full drive encryption or file-by-file encryption must be done. If the biometric data is stored in a database, the entire database must be encrypted, but value-by-value encryption can also be implemented.

Here are other tips on how to secure biometric systems:

  • Encrypt biometric data during transmission to or from the back end servers. End-to-end encryption must always be implemented.
  • Implement live detection on the sensing device to prevent fake biometrics from tricking sensors (e.g., by making the sensing interactive with a challenge-response scheme).
  • Restrict administrative access to servers through proper assignment of groups and roles.
  • Turn off any unnecessary services on the database servers.
  • Secure a user’s privacy by avoiding cross-matching capabilities. A stolen fingerprint template can be used to search a criminal database or cross-link to a user’s health record.
  • Acquire diverse biometric solutions, such as one that requires a multi-factor authentication that combines biometric data, a smartphone, and GPS location to make it harder for criminals to crack the system's security.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.