Overview [1]#

Biometric Data Challenges are additional to the normal Security Considerations for Security and Authentication

Credential Management of Biometric data is in general not mature. There are few standards and none of them are as robust as Password Management

Biometric data is difficult to perform:

• Credential Revocation and Credential Suspension is perhaps impossible? Some vendors may be able to by adding a Salt to the data
• Credential Reset - An Administrator can not put in "temporary" Biometric Template that you can replace later.

Our Position on Biometric Data Challenges#

For a variety of reasons, we can only see limited use of biometrics for authentication.

These include the following:

• Biometric False Match Rates (FMR) and False Non-Match Rates (FNMR) do not provide confidence in the authentication of the subscriber by themselves. In addition, FMR and FNMR do not account for Spoofing Attacks. (from NIST.SP.800-63B)
• Biometric Comparison matching is probabilistic, whereas the other Authentication Factors are deterministic. (from NIST.SP.800-63B) [3]
• Biometric Authentication protection schemes provide a method for revoking Biometric credentials that are comparable to other Authentication Factors (e.g., PKI certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development. (from NIST.SP.800-63B)
• Biometric characteristics do not constitute secrets. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from through objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While Presentation Attack Detection (PAD) technologies such as liveness detection can mitigate the risk of these types of attacks, additional trust in the Biometric Scanner is required to ensure that PAD is operating properly in accordance with the needs of the Credential Service Provider and the Relying Party. (from NIST.SP.800-63B)
• Requires a Hardware device for Biometric Enrollment and for Biometric Sensor and these devices must be Secure by design and use a Secure connection
• If you are using vendor "A"'s product and you change to vendor "B's" product, you need to re-register all Biometric Template
• Not usable for Internet facing application as the SAME vendor is required for Biometric Enrollment and Biometric Scanner.
• Biometric data lack Credential Revocation properties. If a token, Certificate or a password is lost or stolen, it can be cancelled and replaced by a newer version. (Some vendor use Cancelable Biometrics [4][5]
• Biometric data is bio-political tattooing
• Biometric data and Aging - Some Biometric data may require re-Biometric Enrollment or cause a higher False Non-Match Rates due to aging.
• Biometric data and injury or disease - Some Biometric data may require re-Biometric Enrollment or cause a higher False Non-Match Rates due injury or disease (Cataracts affect Retinal recognition)
• Biometric data equipment has an added cost for the Biometric Enrollment and Biometric Scanner and the security and maintenance.
• The typical Biometric Data Challenges is Biometric Enrollment sample of the physical Biometric data and not the full physical Biometric data.
• The typical Biometric Data Challenges is an Biometric Enrollment sample is different depending on the vendor implementation that captures the Biometric data. Changing products even products may require performing Biometric Enrollment for all Biometric Tokens

Biometric data Storage#

We have tremendous challenges with poor Storage of Passwords. Passwords are stolen from websites every second. Now you want to ask people Trust websites to store their Biometric data?

The U.S. Office of Personnel Management data breach is a prime example. Last year’s breach resulted in nearly 6 million federal employees’ fingerprint data being compromised. Those affected by this breach could feel the effects for years to come.[6]

More Information#

There might be more information for this subject on one of the following:

• Biometric
• Biometric Authentication
• Biometric Template
• Presentation Attack Detection
• What To Do About Passwords

---

• [#1] - Biometrics - based on information obtained 2017-03-30
• [#2] - Measuring Strength of Authentication - based on information obtained 2015-12-17
• [#3] - A fuzzy vault scheme - based on information obtained 2015-12-17
• [#4] - ISO 24745 -Biometric Template Protection - based on information obtained 2015-12-17
• [#5] - Revocable Biometrics - based on information obtained 2016-05-04
• [#6] - The Promise And Challenges Of Biometrics - based on information obtained 2016-05-04