Maksim Kabakou - Fotolia

Security Think Tank: Biometrics have key role in multi-factor security

How can organisations move to biometric authentication of users without running the risk of exposing sensitive biometric information?

In offering an additional method of authentication, biometrics provide an extra factor of security. This represents a significant opportunity for organisations to reduce their reliance on traditional passwords and their inherent flaws, not least of which is that users write them down.

However, although biometrics accordingly offer an attractive proposition, there are limitations.

First, biometrics may not be secret. For example, fingerprint authentication is the most popular biometric method, yet people’s fingerprints are everywhere. 

Second, biometric data is personally sensitive, and the handling of this data represents a significant risk in itself.

When looking at the privacy of biometric data, it is important to understand how it tends to be used. A scan will take specific data points and record them in a format that is appropriate for that supplier. The data should then be encrypted so that if it is subsequently compromised and decrypted it is likely to be of limited use.  

More dangerous is when more identification information than necessary is taken – full fingerprints, full iris scans, complete voice analysis, etc. If this information is compromised, then a much larger data set may be leaked, which could be used to defeat other authentication schemes reliant on that particular biometric attribute.

Risk delegation

One way to manage this risk is to transfer it to the user. Many modern smartphones have fingerprint recognition capabilities and it is possible to set up a trust relationship to allow these devices to authenticate the user for corporate networks and systems.

In a BYOD scenario the device on which the biometric data is stored belongs to the user and remains their responsibility. This could be a practical way of tapping into the power of biometrics without the organisation taking on the responsibility of physically storing biometric data. Similarly, issuing the user with a biometric authentication device that they retain possession of may be an alternative to BYOD reliance.

Storing biometric data

Regardless of the device used, a key issue centres round how the biometric data is stored.

For biometrics, as with fingerprint recognition for laptops/phones, it is assumed that the data is held within the device itself, which means that only the user’s data would be compromised if a hack occurred. However, if data is backed up or held centrally, then potentially all of the user’s information would be stored centrally. 

This leads to a significant difference in the risk impact, requiring additional security controls to be considered. Such controls include high-powered encryption protocols for the biometric data, restrictions on access to the central store, further firewalls or gating of access to that central repository, and regular housekeeping and purging of data that is no longer required.

The limitations

In summary, biometrics are good as an additional security factor, but have limitations, particularly around what data is collected and how it is stored. This should not deter companies from using biometrics, but they must ensure there are adequate safeguards, including knowing exactly what data suppliers’ products take and how they use it.

If deployed well, biometrics have a significant role to play, but the focus should be on a multifactor security environment where biometrics provide an additional validation to help prove identity rather than act as a single source for all.

Richard Hunt is managing director of Turnkey Consulting.

Read more on Identity and access management products