Compromised biometric data poses
unique risks
To understand the sensitivity of biometric
data and why it should be a part of your
conversations, consider the potential risk. You
are a person. Typically, you have one single
identity. One could argue that, even if you
are a spy or have a criminal alias, you still
only have one identity since, regardless of
your aliases or the names you impersonate,
you only have one set of biometric data.
You cannot change your fingerprints, voice,
face, eyes, EKG or even veins in your arm.

“Your most private and sensitive data, your DNA, is now in the hands of a third party.”

When Information Technology uses biometric
data for either authorisation or authentication
(and yes, they are different), it needs to
compare the results with a stored profile of
your biometric data. The storage is electronic.
While extraordinary safeguards can be
placed on the storage and encryption of
biometric data, at some point it needs to be
reassembled (at least in parts) to compare
to assessed input. If the storage is flawed
by design, has vulnerabilities, or the host
system is misconfigured, we have a potential
exposure of the most sensitive biometric data.

However, the biggest problem with biometric
data is not the storage or authentication
technology used, rather it is the static nature
of biometric data itself. If a password is
compromised, you can change it, putting a
stop to password re-use attacks that rely on
the compromised password.

However, if biometric data is compromised,
you cannot change it. Your eyes, face or
fingerprints are permanently linked to your
identity (excluding bio-hacking which is a
topic for another day). Any future hacks that
solely rely on compromised biometric data
can be an easy target for threat actors.

Biometrics alone should never be used to
authenticate or authorise action or commit
a transaction. Biometrics should be paired
with a password or, better yet, a two-factor
or multi-factor authentication solution for a
higher degree of confidence.
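
The point above about the stored profile having to be reassembled for comparison can be seen in a short added example (not from the original article). A password can be checked against a salted hash, but two readings of the same finger never match bit for bit, so the matcher needs the template itself. The 64-bit templates, the Hamming-distance matcher and the threshold are constructed assumptions, not any vendor's scheme.

```python
import hashlib
import hmac
import os

# Constructed sample data: a 64-bit value stands in for extracted biometric features.
ENROLLED_TEMPLATE = 0x9F3A6C21D4E8B75A
# A later reading of the same person: sensor noise flips three bits.
FRESH_READING = ENROLLED_TEMPLATE ^ ((1 << 3) | (1 << 20) | (1 << 47))
IMPOSTOR_READING = 0x13C5A7E9024B6D8F
MATCH_THRESHOLD = 8  # assumed: maximum differing bits still accepted as a match


def salted_hash(secret: bytes, salt: bytes) -> bytes:
    """One-way, salted digest: the usual way to store a password verifier."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)


def verify_by_hash(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """Exact-match check; the original secret is never needed again."""
    return hmac.compare_digest(salted_hash(candidate, salt), stored)


def hamming_distance(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


def verify_by_distance(reading: int, template: int) -> bool:
    """Fuzzy match: requires the template itself in comparable form."""
    return hamming_distance(reading, template) <= MATCH_THRESHOLD


def demo() -> dict:
    salt = os.urandom(16)
    pw_stored = salted_hash(b"correct horse", salt)
    bio_stored = salted_hash(ENROLLED_TEMPLATE.to_bytes(8, "big"), salt)
    return {
        # Passwords: hashing at rest works because input is exact.
        "password_ok": verify_by_hash(b"correct horse", salt, pw_stored),
        # Biometrics: hashing at rest fails because a genuine reading is noisy.
        "fresh_reading_hash_match": verify_by_hash(
            FRESH_READING.to_bytes(8, "big"), salt, bio_stored),
        # So the matcher must work on the template, which is what can leak.
        "fresh_reading_distance_match": verify_by_distance(FRESH_READING, ENROLLED_TEMPLATE),
        "impostor_distance_match": verify_by_distance(IMPOSTOR_READING, ENROLLED_TEMPLATE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
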
Assessing how your biometric data is
being used and accessed
Some vendors emphasise security for
biometric data (Apple Secure Enclave),
while others treat biometric data with little
regard for its safety. If you think my latter claim is
www.intelligentcio.com