Biometric data has long been a controversial approach to data security. However, it is also a popular one. Survey data indicates that 86 percent of organizations will utilize some form of biometric authentication technology by 2020. This number points to an increasing trend from the 62% of companies who were using biometric authentication technology in 2018. With a recent data breach circulating in headlines, a renewed conversation about biometric data security has been spurred. How secure is biometric data and should we be using it? Let’s take a look at the conditions surrounding the data breach and some implications of using biometric data.
The Suprema Data Breach
First of all, the Suprema data breach involved much more than simply biometric data security. Reports reference usernames, passwords, access logs and personally identifiable information (PII). The unprotected nature of this data was further exacerbated by the fact that an alarming amount of it was unencrypted. This allowed security researchers to access plain-text usernames and passwords and even alter or add new users. While it was beneficial that researchers found the breach rather than a malicious hacker, the realization that so much data was left vulnerable was a harsh wake-up call.
What are the Types of Biometric Data?
The most common forms of biometric identification are fingerprint authentication and facial recognition. Other forms include scanning the iris or retina of the eye, voice recognition and DNA matching—used in legal investigations, for example. A separate form of biometrics involves behavioral authentication, such as identifying the way people walk, type or sign their name. The Biometrics Institute lists and describes the different forms of biometrics as part of their mission to promote “the responsible and ethical use of biometrics and biometric analysis.”
Why is Biometric Data Particularly Vulnerable?
Biometric data breaches are particularly concerning due to the nature of the data. While biometric data is unique to the user, it cannot be changed like a username or password. Log-ins using biometric data are becoming more common. Eventually, this can leave users more vulnerable to identity theft and data breaches due to the centralizing nature of this approach. While it is recommended to vary your passwords across accounts, this is a problem with biometrics, as it is not possible to change your biometric data.
What are Biometrics Used For?
Fingerprint scanning and facial recognition software are becoming more popular for smartphones and other device log-ins. Ease of use is one of the largest benefits. Why take the time to type in a password if you can simply pick up your phone and start using it? It’s like the benefit of not having a password while still having a password. And, sure, friends or kids can wave your phone at your face or try to borrow the use of your thumb. However, this may be a welcome alternative to waiting for the time to pass after too many failed log-in attempts.
Biometric data can also be used to access facilities. Part of the Suprema data breach involved access logs and security clearances. When you pair access to facility logs with the ability to manipulate user information, the breach begins to sound like the plot of a sci-fi movie. Think of the ability to add your own biometric data and create a new account. Rather than stealing someone else’s fingerprint, you could just use your own. The breach could have moved from the online space into actual facilities around the world.
As the use of biometric data becomes more popular, we may start to see it branch out to other forms. The BBC shared a video recently about a debit card that has a fingerprint scanner built-in. While a self-contained biometric verification system is an interesting spin, the cost-benefit analysis of implementation and use still remains to be seen.
A Closer Look at Fingerprint Authentication
As the most common form of biometric data, fingerprints deserve a closer look. Unfortunately, fingerprints can be copied which could render this specific type of biometric data permanently compromised. Your data doesn’t even need to be stolen. When you pair 3-D printed molds with police databases, your biometric data can be subject to the law. In other instances, you can be legally required to grant access to your device if you have a fingerprint logged—no copy required. We also leave our fingerprints all over the place throughout our day. If someone wants to make the effort to copy and replicate, they can gain access to any location or device where you’ve registered your fingerprint.
For day-to-day use, there are times when the reader acts finicky and won’t read your fingerprint anyway. But what happens if you lose or damage your fingertips? There are cases where this can happen but they are not common. For minor injuries, the damage will not be deep enough or permanent to the point where the fingertip and print would not repair itself. Kasey Wertheim, a fingerprint expert, notes that there are certain professions that can wear down your fingerprints. Prints can also become more difficult to read as we age. However, any damage that permanently alters your fingerprints can serve as a new identifying factor.
Thankfully, devices that allow fingerprint access also require an additional password to set up this feature, so you will always have that alternative as a back-up.
Is Biometric Data Completely Vulnerable?
After examining the implications of using biometric data, some issues and concerns remain. Is biometric security really secure? The answer depends on the context. In order for this to be an effective security measure, the data needs to be encrypted in a way that the original data is not accessible. One form that this takes is called a hash. A hash translates the data into a different value and that value becomes what is stored. When someone goes to log-in, for instance, their password attempt can also be converted and matched against the stored hash. This keeps the original password from being reverse-engineered; Any data breach that may occur will only lead to the hashed values and will not reveal the original passwords.
What made the Suprema data breach so concerning was that the passwords and other biometric data were not stored in this format. So the problem was not that biometric data is completely vulnerable; this type of verification just requires security measures that are necessary for the storage of any important data. However, it is still important to remember that biometric data can be rendered permanently compromised.
How 7T Approaches Data Security
At 7T, security is one of our top priorities. SSL encryption ensures that data is protected during transfer while multi-factor authentication verifies that users are truly who they say they are. Our team also has experience working with blockchain, which utilizes cryptographic hashes for maximum security.
We offer a STAX framework with 4096-bit SSL encryption, combined with our Brigade messaging and security platform to provide you with military-grade security features and geofencing capabilities. We know that security is an integral part of the development of any mobile app or piece of custom software—not a last-minute addition. To discuss your mobile app or custom software development project, reach out to our team today.