
Security Think Tank: Proceed with caution on biometric authentication

How can organisations move to biometric authentication of users without running the risk of exposing sensitive biometric information?

Organisations often combine several authentication factors to deliver stronger access control. Biometric authentication can add an important layer of defence in depth in front of mission-critical systems or sensitive information.

Biometric authentication is convenient for the user, and a well-implemented biometric can be difficult for an attacker to replicate.

However, it is not a complete answer to security. Consider this: what happens if the system holding the biometric data is compromised? Passwords can be reset – fingerprints cannot, so a stolen biometric template is a permanent loss for the individual concerned.

Biometric data is personal data and must therefore be protected at least as carefully as any other personally identifiable information an organisation holds about its employees or customers.

Organisations should be careful not to overlook the basics: this information, along with the systems and equipment on which it resides, should be protected, monitored and subject to regular integrity checking, so that tampering with stored templates is detected rather than assumed not to have happened.
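One concrete form the "regular integrity checking" above can take, as an added example that is not from the article or the ISF: a signed manifest over a template store. It assumes a hypothetical layout in which each enrolled user's template is a file ending in `.tpl` under one directory, and that the HMAC key lives somewhere the store's administrators cannot reach (an HSM or KMS); both are assumptions made for the example, not anything the article specifies. The sample templates are random bytes constructed in a temporary directory so the script runs offline.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Assumed layout for this example: one "<user>.tpl" file per enrolled user.
# The manifest records a SHA-256 of every template and is authenticated with
# an HMAC so that an attacker who can rewrite templates cannot simply rewrite
# the manifest to match (the key is assumed to be held outside the store).


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable serialisation so the MAC does not depend on dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(store: Path, key: bytes) -> dict:
    entries = {p.name: sha256_file(p) for p in sorted(store.glob("*.tpl"))}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def verify_store(store: Path, manifest: dict, key: bytes) -> list[str]:
    """Return a list of findings; an empty list means the store matches the manifest."""
    findings: list[str] = []
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # The manifest itself is untrustworthy, so its entries cannot be used.
        findings.append("manifest MAC mismatch: manifest itself may have been altered")
        return findings
    present = {p.name for p in store.glob("*.tpl")}
    for name, digest in manifest["entries"].items():
        if name not in present:
            findings.append(f"missing: {name}")
        elif sha256_file(store / name) != digest:
            findings.append(f"modified: {name}")
    for name in sorted(present - manifest["entries"].keys()):
        # A template the manifest never saw: possible unauthorised enrolment.
        findings.append(f"unexpected: {name}")
    return findings


def demo() -> dict:
    """Build a constructed store, then show what a clean, a tampered and a forged-manifest check report."""
    key = os.urandom(32)  # stand-in for a key fetched from an HSM/KMS
    with tempfile.TemporaryDirectory() as d:
        store = Path(d)
        for user in ("alice", "bob", "carol"):  # constructed sample templates
            (store / f"{user}.tpl").write_bytes(os.urandom(512))
        manifest = build_manifest(store, key)
        clean = verify_store(store, manifest, key)

        # Simulated compromise: substitute one template, delete one, enrol one.
        (store / "bob.tpl").write_bytes(b"attacker-substituted template")
        (store / "carol.tpl").unlink()
        (store / "mallory.tpl").write_bytes(os.urandom(512))
        tampered = verify_store(store, manifest, key)

        # Attacker also edits the manifest entries but cannot recompute the MAC.
        forged = {"entries": dict(manifest["entries"]), "mac": manifest["mac"]}
        forged["entries"]["mallory.tpl"] = sha256_file(store / "mallory.tpl")
        forged_result = verify_store(store, forged, key)
    return {"clean": clean, "tampered": tampered, "forged_manifest": forged_result}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result or "OK")
```

Run the check from a host that is separate from the store and on a schedule, and feed non-empty findings into the incident process. The value of the MAC depends entirely on the key being unavailable to whoever can write to the template directory; if the key sits beside the templates, the manifest only detects accidents, not attackers.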

Incident management plans should cover the loss or compromise of biometric data, and the organisation's security policy should cover the use of biometric authentication, giving users clear rules, guidance and advice.

Organisations should consider obtaining regular (possibly annual) authorisation by employees to continue holding and using their biometric data.

Biometric authentication systems have been known to fail, through sensor faults, injuries or false rejections, so a backup capability is required – for example, a one-time password (OTP) sent to a registered mobile phone. Bear in mind that the fallback then becomes part of the attack surface: it must be designed and monitored with the same rigour as the biometric path, or an attacker will simply choose the weaker route.


Targeted use of biometric authentication is on the rise – voice recognition for telephone banking and fingerprint recognition for smartphones are now commonplace in the consumer world.

The movie industry is often keen to show us seemingly far-fetched examples of villains circumventing biometric authentication to conduct industrial espionage or steal national secrets. However, many of today's biometric authentication mechanisms include liveness detection, such as checking for a pulse or, when scanning the eye, waiting for the subject to blink.

Adoption of biometric authentication will continue to increase, but it must be considered in light of the potential pitfalls.

Maxine Holt is principal analyst at the Information Security Forum (ISF).
