Protecting Biometric Data

One of the big challenges of biometric authentication is that once an attacker has stolen your raw biometric data, it is hard for any access control system that relies on your biometric data to trust that the “applicant” using your biometric data to authenticate is really you. Outside of radical, Al Capone-style surgery, you cannot easily change your fingerprints, hand geometry or retina veins.

Biometrics get stolen all the time. The biggest biometric heist is the June 2015 fingerprint heist (https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach) from the U.S. government. Anyone who had applied for a U.S. government security clearance prior to that date, and who had provided their fingerprints as required during the application process, had their fingerprint records end up in the possession of a foreign government. This included me. This included my wife, who had received a government security clearance decades ago when she worked in a shipyard just after high school. It included anyone who worked for our intelligence agencies, including spies under deep cover. It is far from the only time biometric data has been compromised. Here are some other instances:

- https://www.vpnmentor.com/blog/report-biostar2-leak/
- https://www.fastcompany.com/1790444/dark-side-biometrics-9-million-israelis-hacked-info-hits-web

Biometric theft came up again in the news recently when a law firm announced that a ransomware attack exfiltrating data could have taken biometric data: https://www.biometricupdate.com/202107/potential-biometric-data-exposure-from-ransomware-incident-prompts-law-firm-notification.

The potential theft of biometric data is a big deal. There are many databases around the world with hundreds of millions of fingerprints and, now, DNA data. The larger the database, the greater the number of people who have access to it. Each of the big biometric databases promises great security around those systems, but let’s be real, they are probably compromised by unauthorized parties right now. There are likely unauthorized people and groups who have and are siphoning off biometric data right now. I have no proof of this, but it is just playing the odds. You cannot have tens of thousands of people distributed across countries with access to these databases, as is the case with these databases, and not have unauthorized access and theft. I would love to be wrong, but I am probably not wrong.

But biometric data can be protected from unauthorized viewing, even if stolen. How?

The Solution

By transforming the raw biometric data into some other form that only makes sense to the system it is stored in. In some cases, that means simple encryption, but really the better protection is transforming the data into some unique representation of the raw data that only works in one system.

You can liken it to a salted password hash. A salted password takes the original plaintext password (let’s liken this to a raw collected fingerprint), adds a random value to it (i.e., the salt), then cryptographically hashes the result into the final stored, salted, hashed result. If an attacker steals the hash, the result is harder to reverse back to the plaintext password. It may not be impossible, especially if the attacker also steals the salt, which must be stored or calculated somewhere in the original system, but it makes it harder to do. And any time we can complicate an attacker’s work effort without unduly burdening the access control and authentication system, we should do it.

Here is another example, this time using biometric fingerprint data. Scanned-in fingerprints may be stored as the raw fingerprint images, but are often stored as something more akin to star constellations. Most fingerprint biometric systems put a “dot” on every fingerprint swirl peak and valley change to create a bunch of dots that are in a particular place. The spacing and geometry of the dots becomes the stored “fingerprint”. Authenticating a newly submitted fingerprint is simply a matter of comparing the submitted set of dots to the stored set of dots, and figuring out if the one “map” matches the stored map. Different fingerprinting systems will require a certain number of matched points (e.g., four points, five points, etc.) to confirm a fingerprint. The more points that are required, the more accurate the fingerprint authentication system. More required points also, unfortunately, create more false negatives (or what the biometric industry calls Type I errors).

Note: Your phone’s fingerprint scanner is not that accurate.

Now, storing either the raw fingerprints or the “star constellation” representations is just begging hackers to steal them. Instead, biometric fingerprint vendors should transform those representations into something else to make them just a little harder to use outside the system. One example is to map the fingerprint constellations onto a grid, numbered across the columns and lettered across the rows. Thus, each point of the constellation becomes something like A2, B13, C1, D30, etc. A fingerprint vendor can store the coordinates instead of the constellation or the fingerprint. Or, even better, hash the coordinates, or hash them, salt the result and then hash again. That would allow the fingerprint biometric vendor to quickly compare any newly submitted fingerprints against the transformed stored fingerprint data, but make the data, if stolen, either worthless or at least less valuable. Either way, an attacker stealing the data would not have people’s raw fingerprints, which would otherwise create authentication risks for the rest of that person’s life.
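The following is an added illustration of the two ideas above (the salted-hash analogy and the grid-coordinate transform of a minutiae “constellation”); it is not code from the original article or from any biometric vendor. The minutiae coordinates, the 10-pixel grid, the per-system key and the five-point match threshold are all constructed assumptions chosen to keep the example self-contained. Each minutia is quantized to a grid label such as N5, and the label is then replaced by an HMAC computed under a secret held only by this system, together with a random per-user salt, so the stored record never contains the raw points or the plain labels. Matching is a count of protected tokens the probe shares with the stored record.

```python
import hashlib
import hmac
import secrets
import string

CELL = 10                      # assumed grid cell size in pixels
ROWS = string.ascii_uppercase  # a 256x256 scan gives rows A..Z and columns 0..25

# Constructed sample minutiae (x, y) pixel coordinates; not real fingerprint data.
ENROLLED_MINUTIAE = [(12, 40), (55, 130), (61, 137), (140, 22),
                     (200, 250), (250, 90), (230, 180)]

# Assumed per-system secret. In a deployment this lives in an HSM or key vault,
# never in the same table as the templates; without it the tokens are meaningless.
SYSTEM_KEY = secrets.token_bytes(32)


def to_grid_cells(points, cell=CELL):
    """Quantize minutiae into grid labels such as 'E1' (letter = row, number = column)."""
    cells = set()
    for x, y in points:
        row, col = y // cell, x // cell
        if row >= len(ROWS):
            raise ValueError(f"point {(x, y)} falls outside the {len(ROWS)}-row grid")
        cells.add(f"{ROWS[row]}{col}")
    return cells


def protect(cells, salt, key=SYSTEM_KEY):
    """Replace each grid label with HMAC-SHA256(key, salt || label); plain labels are not kept."""
    return {hmac.new(key, salt + label.encode(), hashlib.sha256).hexdigest()
            for label in cells}


def enroll(points):
    """Build the stored record: a fresh per-user salt plus the protected token set."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "tokens": protect(to_grid_cells(points), salt)}


def matched_points(record, probe_points):
    """Number of probe minutiae whose protected token appears in the stored record."""
    probe_tokens = protect(to_grid_cells(probe_points), record["salt"])
    return len(record["tokens"] & probe_tokens)


def verify(record, probe_points, threshold=5):
    """Accept when at least `threshold` points match (assumed five-point rule)."""
    return matched_points(record, probe_points) >= threshold


if __name__ == "__main__":
    record = enroll(ENROLLED_MINUTIAE)
    # Same finger, rescanned with a few pixels of jitter that stays inside each cell.
    rescan = [(14, 42), (57, 131), (63, 139), (141, 20), (202, 252), (251, 91), (231, 183)]
    print("rescan matched", matched_points(record, rescan), "->", verify(record, rescan))
    other_finger = [(30, 30), (100, 100), (150, 150), (200, 200), (240, 240)]
    print("other finger matched", matched_points(record, other_finger), "->", verify(record, other_finger))
```

Two design points worth noting. The grid labels come from a tiny space (26 rows by 26 columns here), so an unkeyed hash of a label could be brute-forced almost instantly; it is the per-system key in the HMAC that makes a stolen record worthless elsewhere, while the per-user salt keeps the same finger from producing linkable tokens across records. Rigid quantization also means a minutia that lands near a cell edge can flip cells between scans, which is one source of the false rejections the article mentions; production matchers use more tolerant comparison than this exact-cell lookup.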

There are biometric vendors that already do this and many more that do not. Favor biometric vendors that go to great lengths to protect your raw biometric data.

Every biometric vendor should be taking defensive steps to ensure that biometric data stolen from their database is worthless to an attacker. If you have a biometric solution, ask your biometric vendor whether they do something to protect and transform the collected biometric data. Encryption and access control are a start. That should be the bare minimum. But ask if they transform the data so that if it is stolen, it is worthless outside the system. Do not let your biometrics be stolen and usable to an attacker forever.

More articles by Roger Grimes