What is a biometric template? Is it secure?

A biometric sample is the data that is obtained by a biometric system’s capture device. This biometric sample is collected during enrollment and it is the first time when an individual uses the biometric system. This data could be an image (or multiple images) of the shape of the individual’s hand to his finger, iris or retina, or a recording of his voice. This data then becomes a master-profile from which the unique features of the individual’s hand, finger, iris or voice are extracted, analysed and then converted into a mathematical file. These mathematical files come to be known as the biometric templates and not the images or the voice recording that were originally captured and stored.

So, a biometric template is a digital representation of the unique features that have been extracted from a biometric sample and is stored in a biometric database. These templates are then used in the biometric authentication and identification process.

Biometric systems are preferred to other traditional access control methods due to a variety of factors. These factors include universality, uniqueness, permanence, reliability and so forth. However, biometric systems are not full-proof and have their vulnerabilities. To avoid any possible security breaches, we need to understand how a biometric system works, the vulnerabilities at each stage and identify possible solutions.

The biometric sensor scans the user’s biometric data. The second block performs some pre-processing, if required to enhance the quality of the captured biometric trait. The third module is very important as the salient features need to be extracted in the most optimal manner from the scanned biometric data. From this, the template is created which can be a vector of numbers or an image with particular properties and stored in the templates database. This is known as the enrollment phase where the biometric trait is captured and stored in the templates database.

The template database may contain a millions records and could be geographically distributed. Maintaining the security of the templates database is crucial if the biometric system is to be robust.

In verification or authentication mode, the biometric system performs a one-to-one comparison of the captured biometric trait with the specific template stored in the biometric database to ascertain the correct individual. If the biometric sample matches with the template, it means the individual is the person who they claim to be. A common use of the verification mode is positive recognition which prevents multiple persons from using the same identity.

In identification mode, the biometric system performs a one-to-many comparison against a biometric database in order to establish the identity of an unknown individual. Identification mode can be used either for positive recognition or negative recognition. In positive recognition, the user need not provide any information about the template to be used. In negative recognition, the system establishes whether the person is who he/she denies to be.

Maintaining the security of the biometric templates is of utmost importance as any attack on the biometric templates can lead to a failure of the biometric system.

So what happens if a user’s biometric template gets stolen or hacked into? From a general standpoint, the hacker cannot do much with a series of zeroes and ones or a probability curve. It’s not straightforward as stealing a user’s credit card.

Also, biometric device vendors use one-way encoding of biometric data in their devices. This means the template cannot be used to reconstruct the original biometric pattern.

Biometric templates are more secure than other traditional authentication systems, such as the token –based and knowledge-based systems. However, at a deeper technical level, biometric templates, just like any other technology, are also prone to failures and hacking.

1. A template can be replaced by an impostor’s template.
2. A physical spoof can be created from the original template.
3. The stolen template can be relayed to the matching module to gain unauthorized access to the system.
4. If not properly secured, biometric templates can be used by adversaries to cross-match across different databases to covertly track a person without their consent.

The major challenge in designing a biometric protection scheme is that it should be able to handle intrauser variability in the acquired biometric identifiers.

A robust biometric template protection scheme which is capable of handling intrauser variability should ideally have the following four properties.

A stolen fingerprint template from a bank’s database can be used to search a criminal database or cross-link to a user’s health records. To stop such unauthorized access, secure biometric templates should not allow cross-matching across databases. Hence user’s privacy is protected.

If a biometric template gets compromised, it should be straightforward to revoke the template and generate a new one based on the same biometric trait.

The biometric template protection scheme should use one-way encoding for the biometric data thus making it computationally difficult to reconstruct the biometric pattern from a stolen template. This will also prevent a hacker from creating a physical spoof of the biometric trait.

The performance of the biometric system should not get degraded due to the biometric template protection scheme.

Let us look at the different biometric template protection techniques to prevent adversary attacks on biometric templates. The diagram given below shows the different categories of Biometric Template Protection schemes.

Biometric template protection schemes are broadly classified into two categories – Feature Transformation Approach and Biometric Cryptosystem

In the feature transformation approach, the acquired biometric template is transformed using a transformation function and only the transformed template is stored in the database. The same transformation function will also be used to transform the query and then will be matched against the transformed template in the database. The parameters of the transformation function are usually derived from a random key or password.

The feature transformation approach is further sub-divided into two categories, depending on the characteristics of the transformation function – Bio-hashing or salting and Noninvertible transform. In salting, the transformation function is invertible which means the original template can be restored if one can gain access to the key and the transformed template. Hence, the security of the salting scheme is dependent on the key or password.

On the other hand, noninvertible transformation as the name suggests is not invertible. It is a one-way function which makes it computationally difficult to invert a transformed template to the original template even if the key is known.

In this template protection scheme, helper data is stored. Helper data is some public information about the biometric template and does not reveal any significant information about the stored template. Biometric cryptosystems are also known as helper data protection methods. The helper data is required to extract a cryptographic key from the query biometric template and then matching is performed indirectly by verifying the validity of the extracted cryptographic key. Error coding techniques will be typically used to handle the intrauser variations.

Depending on how the helper data is obtained, biometric cryptosystems are further classified into two categories: key binding and key generation systems. In key binding biometric cryptosystem, the helper data is obtained by binding a key with the biometric template. It is difficult to obtain either the key or the original template using only the helper data. Hence, security of stored templates is maintained. In a key generation biometric cryptosystem, the helper data is derived only from the biometric template and the key is generated from the helper data and the query biometric features.

When one or more template protection approaches are used, it is known as hybrid template protection scheme.

Let us look at each of the template protection schemes in further detail and their advantages that make biometric templates extremely secure and robust.

In salting or biohashing, the features from a biometric template are transformed using a transformation function defined by a cryptographic key or password. This key or password is specified by the user. This key needs to be securely stored and remembered by the user for future authentication. This additional requirement of remembering the key increases the entropy of the biometric template and makes it difficult for the hacker to reconstruct the original template.

The advantage to using a key results in lower false acceptance rates. Also, since the key is user-specific multiple templates can be generated for the same user by using different keys. If a template gets stolen, a new template can be generated easily by using a different user-specific key and the compromised template can be revoked.

In noninvertible transform, a one-way function is used to secure the biometric template. This one-way function is easy to compute but very hard to invert. The parameters of the transformation function are defined by a key and it must be present at the time of authentication. With this approach, the hacker cannot recover the original template even if he has the stolen key and the transformed template because it is computationally difficult.

The noninvertible transform protection scheme provides better security as compared to the salting approach, since the original template cannot be recovered even when the key is compromised. Diversity and revocability can be achieved by using application-specific and user-specific transformations respectively.

Noninvertible transformation functions leave the biometric template in the original space even after the transformation. In this approach, intrauser variations are handled by applying the same biometric matcher on the transformed features as on the original feature set. Templates that lie in the same feature space even after the application of a transformation function are referred to as cancellable templates. Three noninvertible transformation functions can be used to generate cancellable fingerprint templates – Cartesian, poplar and functional. These functions can be used to transform fingerprint minutiae data such that a minutiae matcher can still be applied to the transformed minutiae. In Cartesian transformation, the fingerprint image is projected as a rectangular grid and each cell is shifted to a new position in the grid corresponding to the translations set by the key. The poplar transformation is similar to Cartesian transformation except that the image is now tessellated into a number of shells and each shell is divided into sectors. These sectors can be varying in size and restrictions are placed on the translation vector generated from the key so that the radial distance of the transformed sector is not very different than the radial distance of the original position.

In all the three transforms, it is quite possible that two or more minutiae can map to the same point in the transformed domain. In the Cartesian transformation, two or more cells can be mapped onto a single cell. The upside to this is even if an adversary knows the key and hence the transformation between cells, he still cannot figure out the original cell to which a minutia belongs. So the transform becomes noninvertible and deters hackers.

In this template protection scheme, the biometric template is secured by binding it with a cryptographic key. This is then stored as a single entity in the templates database as helper data. This helper data is usually a combination of an error correcting code and the biometric template. This helper data does not reveal much information about the key or the template and it is computationally infeasible to decode the key or the biometric template without knowing the user’s biometric data.

The advantage of this approach is that it is tolerant to intrauser variations in biometric data.

In this approach, the cryptographic key is derived directly from the biometric data. There are two key generation techniques – secure sketches and fuzzy extractors. The secure sketch is helper data that provides some information about the biometric template which is sufficient enough to exactly reconstruct the template when presented with a query that is close to the template. The fuzzy extractor generates a cryptographic key from the biometric features. The idea of directly generating cryptographic key from biometrics seems a very appealing template protection technique and can also be very useful in cryptographic applications.

We have discussed different biometric template protection schemes in detail and explained the robustness of these techniques. Usually, hackers target biometric templates when attacking a biometric system. Securing biometric templates is critically important to the success of a biometric system and the approaches discussed above are excellent template protection schemes. This template protection schemes make it extremely difficult for hackers to afflict the biometric templates.