What Happened to My Biometric?

Thursday, November 18, 2010

Guy Huntington


Over the past two years, there has been a significant increase in the use of biometrics for authentication.

Biometrics are increasingly used to purchase groceries, to gain access to physical premises, to pass through passport control and to log on to computers.

There are some dangers with this trend and that's what this blog discusses.

First of all, a biometric is no secret. It's a piece of who you are. Therefore, the use of biometrics to authenticate an identity poses risk to the identity if their biometric is stolen.

What are you going to do if your digital finger scans or prints are stolen?

Relying solely on a biometric for authentication is therefore not recommended, especially in instances where the identity is in one physical place and is digitally logging on to access something that is held elsewhere.

There is also the issue of privacy. Let's say that the enterprise you work for uses a fingerscan to grant access to certain areas of its facilities. You leave the enterprise.

What current legal requirements are there on the enterprise to remove the digital fingerscan registration from their databases? In most countries currently... none.

What happens to the identity when the database is broken into in the future and the data is compromised? Will the identity even be notified that the database has been compromised? In most cases currently, no.

I think that technology is moving far faster than our current state, national and international laws.

Identities need to know that when they give up a portion of who they are to authenticate, the identity data will not be misused, and that when they terminate, or tell a commercial user (like a grocery store checkout) to desist from using their biometric, the data will be deleted.

Cross-posted from Authentication World

John Trader

Guy - appreciate you writing this article and bringing attention to biometric technology. However, your logic is not correct and you do not portray the true science behind biometric technology accurately.

Anyone who works in the biometric industry can attest to the fact that there is never an image of a user's fingerprint stored. The truth of the matter is that biometric enrollment templates stored on a server are not actually an image of the fingerprint at all. They are a mathematical representation of the data points that a biometric algorithm extracts from the scanned fingerprint. The algorithm then uses the template to positively identify a user during subsequent fingerprint scans. No image of the fingerprint is ever stored or transmitted across a network. In addition, the algorithm is “one way” which means that the template that is extracted is nearly impossible to be used to recreate the original fingerprint image. In other words, it is nearly impossible to reverse engineer the data that is sent to positively identify a user and successfully “steal” their biometric identity.

With that said, where is the fear of identity theft? Privacy? What exactly would a hacker/criminal do with someone's fingerprint image in the unlikely event that they were to achieve the herculean effort needed to recreate it?

It is exactly these types of articles that you and others in the media publish that propel misconceptions about biometric technology and essentially falsify the truth about the science which in turn plants unfounded and false fear in consumers. It's very disappointing and those that work in the industry and constantly fight to spread the TRUTH about the technology are always dismayed when they read blog posts like yours.

I hope that in a future post you will perhaps correct your opinions and give a true depiction of the science behind biometric technology.