!!! Overview [1]
[{$pagename}] are in addition to the normal [Security Considerations] for [Security] and [Authentication].

[Credential Management] of [Biometric data] is in general not mature. There are few standards, and none of them are as robust as [Password Management].



The following operations are difficult to perform with [Biometric data]:
* [Credential Revocation] and [Credential Suspension] are perhaps impossible. Some vendors may be able to support them by adding a [Salt] to the data.
* [Credential Reset] - An Administrator can not put in a "temporary" [Biometric Template] that the user replaces later.

!! [Our Position|ContactUs] on [{$pagename}]
For a variety of reasons, we can only see limited use of [biometrics] for [authentication].

These include the following:
* [Biometric] [False Match Rates] ([FMR]) and [False Non-Match Rates] ([FNMR]) do not provide [confidence|Level Of Assurance] in the [authentication] of the subscriber by themselves. In addition, [FMR] and [FNMR] do not account for [Spoofing Attacks]. (from [NIST.SP.800-63B])
* [Biometric Comparison] matching is probabilistic, whereas the other [Authentication Factors] are deterministic. (from [NIST.SP.800-63B]) [3]
* [Biometric Authentication] protection schemes provide a method for revoking [Biometric] [credentials] that is comparable to other [Authentication Factors] (e.g., [PKI] certificates and passwords). However, the availability of such solutions is limited, and standards for testing these methods are under development. (from [NIST.SP.800-63B])
* [Biometric] characteristics do not constitute __secrets__. They can be obtained online or by taking a picture of someone with a camera phone (e.g., facial images) with or without their knowledge, lifted from objects someone touches (e.g., latent fingerprints), or captured with high resolution images (e.g., iris patterns). While [Presentation Attack Detection] ([PAD]) technologies such as liveness detection can mitigate the [risk] of these types of [attacks|Attacker], additional [trust] in the [Biometric Scanner|Biometric Sensor] is required to ensure that [PAD] is operating properly in accordance with the needs of the [Credential Service Provider] and the [Relying Party]. (from [NIST.SP.800-63B])
* Requires a hardware device for [Biometric Enrollment] and a [Biometric Sensor], and these devices must be [Secure by design] and use a [Secure connection].
* If you are using vendor "A"'s product and you change to vendor "B"'s product, you need to re-register every [Biometric Template].
* __Not__ usable for [Internet] facing [application]s, as the SAME vendor is required for [Biometric Enrollment] and the [Biometric Scanner|Biometric Sensor].
* [Biometric data] lack __[Credential Revocation]__ properties. If a [token], [Certificate] or a [password] is lost or stolen, it can be __cancelled__ and replaced by a newer version. (Some vendors use [Cancelable Biometrics] [4][5])
* [Biometric data] is [bio-political tattooing]
* [Biometric data] and Aging - Some [Biometric data] may require re-[Biometric Enrollment] or cause a higher [False Non-Match Rates] due to aging.
* [Biometric data] and injury or disease - Some [Biometric data] may require re-[Biometric Enrollment] or cause a higher [False Non-Match Rates] due to injury or disease (cataracts affect [Retinal recognition]).
* [Biometric data] equipment has an added cost for the [Biometric Enrollment] and [Biometric Scanner|Biometric Sensor] devices and for their security and maintenance.
* The ''typical'' [{$pagename}] is a [Biometric Enrollment] sample of the physical [Biometric data] and not the full physical [Biometric data].
* The ''typical'' [{$pagename}] [Biometric Enrollment] sample differs depending on the vendor implementation that captures the [Biometric data]. Changing products may require performing [Biometric Enrollment] again for all [Biometric Tokens].
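The probabilistic nature of [Biometric Comparison] noted above, shown with an added example (not from this page or from any vendor's product) over constructed similarity scores. The score distributions, the threshold sweep and the 0.1% FMR target are assumptions chosen for illustration.

```python
"""Added example: why a biometric factor is probabilistic and a password is not.

A matcher returns a similarity score and a threshold turns it into
accept/reject.  The False Match Rate (FMR) is the share of impostor comparisons
accepted; the False Non-Match Rate (FNMR) is the share of genuine comparisons
rejected.  Moving the threshold trades one rate for the other, so neither rate
alone says how much assurance the factor provides (NIST SP 800-63B).
"""
import hmac
import random


def fmr_fnmr(genuine, impostor, threshold):
    """Return (FMR, FNMR) for one accept threshold on similarity scores."""
    false_matches = sum(1 for s in impostor if s >= threshold)
    false_non_matches = sum(1 for s in genuine if s < threshold)
    return false_matches / len(impostor), false_non_matches / len(genuine)


def constructed_scores(seed=1, n=10_000):
    """Constructed (hypothetical) score distributions, clamped to [0, 1]."""
    rng = random.Random(seed)
    clamp = lambda x: min(1.0, max(0.0, x))
    genuine = [clamp(rng.gauss(0.80, 0.08)) for _ in range(n)]   # same person
    impostor = [clamp(rng.gauss(0.45, 0.10)) for _ in range(n)]  # different person
    return genuine, impostor


def threshold_for_fmr(genuine, impostor, target_fmr):
    """Lowest threshold (step 0.001) whose FMR does not exceed target_fmr.

    Operators usually fix an FMR policy and accept whatever FNMR results.
    """
    for t in (i / 1000 for i in range(0, 1001)):
        if fmr_fnmr(genuine, impostor, t)[0] <= target_fmr:
            return t
    return 1.0


def password_compare(stored, presented):
    """Deterministic: the identical secret is always accepted, anything else never."""
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    g, i = constructed_scores()
    for t in (0.5, 0.6, 0.7):
        fmr, fnmr = fmr_fnmr(g, i, t)
        print(f"threshold={t:.2f}  FMR={fmr:.4f}  FNMR={fnmr:.4f}")
    t = threshold_for_fmr(g, i, 0.001)
    print(f"threshold for FMR<=0.1%: {t:.3f}  -> FNMR={fmr_fnmr(g, i, t)[1]:.4f}")
```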

!! [Biometric data] [Storage|Data At Rest]
We have tremendous challenges with poor [Storage|Data At Rest] of [Passwords]. [Passwords] are stolen from [websites] every second. Now you want to ask people to [Trust] [websites] to store their [Biometric data]?

The U.S. Office of Personnel Management data breach is a prime example. Last year’s breach resulted in nearly 6 million federal employees’ [fingerprint|Fingerprint recognition] data being compromised. Those affected by this breach could feel the effects for years to come.[6]


!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Biometrics|Wikipedia:Biometrics|target='_blank'] - based on information obtained 2017-03-30
* [#2] - [Measuring Strength of Authentication|http://www.nist.gov/nstic/NSTIC-strength-authentication-discussion-draft.pdf|target='_blank'] - based on information obtained 2015-12-17
* [#3] - [A fuzzy vault scheme|http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=1023680|target='_blank'] - based on information obtained 2015-12-17
* [#4] - [ISO 24745 -Biometric Template Protection|http://biometrics.nist.gov/cs_links/ibpc2010/workII/4buschB_IBPC-ISO-24745-100305-2p.pdf|target='_blank'] - based on information obtained 2015-12-17
* [#5] - [Revocable Biometrics|https://pomcor.com/documents/RevocableBiometrics.pdf|target='_blank'] - based on information obtained 2016-05-04
* [#6] - [The Promise And Challenges Of Biometrics|https://www.forbes.com/sites/forbestechcouncil/2016/12/22/the-promise-and-challenges-of-biometrics/|target='_blank'] - based on information obtained 2016-05-04