
Security Think Tank: Research biometrics thoroughly before deploying

How can organisations move to biometric authentication of users without running the risk of exposing sensitive biometric information?

A year or three ago, using biometric authentication as a general, run-of-the-mill authentication mechanism was the stuff of dreams. It was reserved for access to the most sensitive areas or systems.

But now a number of smartphone makers offer fingerprint access to their devices as standard. The technology has moved into the mainstream and is likely to come to a building or datacentre near you soon.

Unlike a password or a one-time password device, a biometric factor cannot be changed: an index fingerprint is an index fingerprint. That makes the storage, handling and processing of biometric data critically important. The acceptable risk of compromising that biometric data must be much lower than the risk acceptable for a password.

However, as Tsutomu Matsumoto, who taught mathematics and cryptography at Japan’s Yokohama National University, showed back in 2002, it is fairly easy to defeat a fingerprint reader.

Since then, technologies have improved by being able to detect whether the fingerprint is attached to a living human being, for example. But is the fingerprint technology used in a smartphone suitable for protecting a building or access to corporate IT resources? It’s a risk decision that should not be taken lightly.

There are many biometric security systems available including fingerprint, voice, facial recognition, retinal scans, hand geometry and DNA. They all have their pluses and minuses.

For example, if someone has a cold or sore throat, that will cause a problem for voice recognition; an accident could damage the finger a person uses for biometrics; and retinal scanning has low user acceptability and can generate a large volume of data.

A biometric factor is a sensitive piece of personal information. It needs to be stored, handled and processed to a much higher level of security than a password.

Strong encryption should be used, for example, both for storage and for transmission between the reader/input unit and the processing unit, and both the reader/input unit and the processing unit need very good physical security to prevent tampering.


Remember that because a biometric is personal information, it is covered by the EU's General Data Protection Regulation (GDPR).

A biometric used on its own is still only a single authentication factor. So while it might be acceptable as a replacement for passwords in normal, non-sensitive areas of work, or for access to a non-sensitive building or building space, a case can be made for a second factor wherever sensitive information is accessed.

At the time of writing, fingerprint biometrics is the favoured technology.

Again, it’s a question of understanding the risks associated with the technology and what it’s being used to control access to. Before taking any decisions, make sure you do the research.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
