When Biometrics Fail

Digital fingerprintAuthentication is most certainly a challenge. With the introduction of Apple’s iPhone 5s and its built-in fingerprint reader, there has been more talk about biometric authentication. Even though these methods may gain popularity, I think one particular concern should be raised.

While I think there can be very secure implementations of biometric authentication, my concern is what happens to the ecosystem when one service is implemented poorly. Today, we still see many poor implementations of password based authentication. In some cases, unsalted password hashes are leaked into nefarious communities. In the worst cases, clear text passwords are leaked.

So what could a failed biometric implementation leak? I think the answer to this question is the typical “it depends”. In some cases, some type of hashed or unhashed digital fingerprint or region data could be leaked. In other cases the digitization of data could happen closer to the service. In those cases something looking much more like an image could be leaked.

When this is leaked into the wild, there may be some ability to reconstruct something that resembles the original element used for authentication. Additionally, there may be ways to replay the digital artifacts through authentication controls employed by other services.

Unlike other forms of authentication, biometrics cannot be changed (or at least changed very easily). Therefore once a biometric element is compromised, it can no longer be trusted. In essence, using biometrics for authentication requires every single installation to be securely implemented from end to end.

No related content found.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in Other. Bookmark the permalink.