Biometrics is the measurement of life based on unique individual traits. Biometric information is digitized by converting biometric data (the ridges on a fingerprint, for example) into biometric templates using special mathematical formulas.
Digitizing biometric data is of great advantage in today’s technology-driven world. Digital biometric templates improve security, speed accessibility, and confirm identity better than any other authentication tool used today, but they are not without risk or concern. Of note is the perceived vulnerability of biometric information because it represents actual people – not accounts or faceless entities – making biometric data breaches especially concerning.
Theoretically, biometric data should always be securely stored to prevent identity theft and other malicious attacks. So just how secure is biometric data after it’s been captured and stored? Today we’ll discuss how biometric data is stored and accessed to determine which biometric storage method is most secure and advantageous to its users.
How is biometric data collected?
Though the specific way in which biometric data is collected varies greatly (a signature on a piece of paper is vastly different than an iris scan, for example), the overall collection, or enrollment, process is pretty standard. First, the data is captured using special technology or even a little ink and paper. Next, it is converted into a mathematical file called a biometric template.
To be clear, a biometric template is not an exact copy of the biometric data but rather a converted file representing unique numerical data points of the data. Hence, digital biometric data is more secure than an exact copy.
After a biometric template is created, it’s stored for later retrieval. When retrieved, it is compared against a fresh scan to either confirm or deny a match based on the same algorithmic pattern used to initially capture and convert the information.
Storage and security of biometric data
Biometric captures themselves are not the primary security focus. Yes, actual fingerprints can be stolen 007-style, but the process is so involved that it’s hardly a threat to average consumers. The real issue regarding biometric data security relates to the location of stored biometric templates.
Whereas some storage systems are relatively secure, others may pose a threat to a large number of users. Here, we discuss the security of each biometric storage system.
Biometric templates are often stored on local devices, as is the case with most fingerprint readers on mobile devices. This type of biometric storage is especially secure because it does not store any sensitive data on servers with large databases. Only the device itself can be hacked, which, in the rare case that an attack succeeds, causes damage at a very small scale. If locally stored biometric data does get hacked, the device’s internal storage should be deleted (remotely if need be) as soon as possible.
At times, local device storage is not feasible. Large corporations who use biometric authentication to grant special user access and permissions, for example, might prefer biometric database storage as opposed to local device access only. This allows companies to grant user-specific access in multiple locations and also tracks behavior to help flag suspicious activity. Examples of suspicious activity might include users who access secured areas at odd hours of the day or those who interact with the information in unexpected patterns.
Biometric database servers are also more cost-effective than other storage options but come with a higher security risk. Because servers house multiple templates (often thousands or even hundreds of thousands), their susceptibility to hackers is also high. Should information be compromised, a large number of people (and their irreplaceable biometric information) will be at risk of malicious behavior. Though encryption significantly improves biometric security, determining who has access to the encrypted data (and how they use it) is the real crux of the issue.
Biometrics stored on portable tokens (security cards or USB drives, for example) work in much the same way that on-device biometric storage does. Biometric information is stored on a single device, and that device must be presented during authentication for verification purposes. Biometric tokens tend to be a bit more costly to implement than the alternative because they require both the token and a separate biometric scanner, though the added step also adds another line of security.
Distributed data storage
Another method of double-backed biometric template storage is called distributed data storage. This method stores biometrics on both a local device and a server, both of which must be accessed concurrently for authentication. Because of the split nature of this biometric storage method, biometrics that utilize distributed data storage are nearly impossible to hack and therefore highly secure.
Biometrics and blockchain data storage
For optimum security, personally identifiable information (like biometric templates) should be encrypted and stored off the blockchain, in off-chain storage systems. Encrypted biometric templates can further be protected by splitting the information into “shares” and storing each individual “share” in a separate location. For example, one part, or “share,” of a person’s biometric template can be stored on the individual’s mobile device and the other on a server or blockchain.
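The share-splitting idea above, which is also the device-plus-server arrangement of distributed data storage, as an added example that is not code from the original article: a 2-of-2 XOR split of an already-encrypted template, so that neither the device nor the server holds anything usable on its own. The function names, the checksum and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for an already-encrypted template (64 opaque bytes).
SAMPLE_ENCRYPTED_TEMPLATE = hashlib.sha512(b"constructed sample ciphertext").digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_template(encrypted_template: bytes):
    """Return (device_share, server_share, checksum) for a 2-of-2 split.

    device_share is fresh randomness, so each share on its own is
    indistinguishable from random bytes and says nothing about the template.
    """
    if not encrypted_template:
        raise ValueError("nothing to split")
    device_share = secrets.token_bytes(len(encrypted_template))
    server_share = _xor(encrypted_template, device_share)
    # Checksum of the ciphertext (never of a raw template): it detects a
    # corrupted share or a share that belongs to a different enrollment.
    checksum = hashlib.sha256(encrypted_template).digest()
    return device_share, server_share, checksum


def combine_shares(device_share: bytes, server_share: bytes, checksum: bytes) -> bytes:
    """Rebuild the encrypted template; both shares must be present and intact."""
    if len(device_share) != len(server_share):
        raise ValueError("share lengths differ")
    candidate = _xor(device_share, server_share)
    if not hmac.compare_digest(hashlib.sha256(candidate).digest(), checksum):
        raise ValueError("shares do not reconstruct the enrolled template")
    return candidate


def demo() -> bool:
    device, server, checksum = split_template(SAMPLE_ENCRYPTED_TEMPLATE)
    return combine_shares(device, server, checksum) == SAMPLE_ENCRYPTED_TEMPLATE


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The result of `combine_shares` is still ciphertext; decryption and matching happen afterwards, with a key that is stored with neither share.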
Biometric data can also be stored via blockchain though not without special consideration. Specifically, biometric data itself is not blockchain compatible (you don’t want the entire scope of the internet to have access to your biometric profile, after all), but encrypted, segregated bits of biometric data certainly are.
Blockchain is a form of decentralized data storage. The concept of blockchain comes from the notion that publicly stored blockchain data cannot be manipulated without altering other data sets along the “chain”. For example, if the exact same data set is accessible throughout the entire digital sphere, alterations to the data should be easily traceable. This makes it extremely difficult for hackers to succeed in an attack, thus increasing data security through a decentralized approach.
Tokenized biometric data
Biometric data security is at the forefront of biometrics discussions and concerns. Yes, individuals must be careful of who they share their biometric data with but the real burden falls on biometrics companies who are entrusted with such valuable information. Before any company or organization acquires biometric information from users, their biometric software should be tested for accuracy and security.
To remedy this concern, many biometrics companies are opting for tokenized biometric data rather than encrypted data. Unlike encryption that uses a special mathematical formula to alter data in a standardized manner, tokenized biometric data uses “tokens” or randomized alphanumeric characters to hold the place of sensitive data. Because they are completely random, tokens cannot be decrypted. Instead, the token itself is either encrypted or destroyed after a single use.
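A sketch of the tokenization described above, added here as an example and not taken from the original article or any vendor's product: a vault issues a random alphanumeric token in place of the template and destroys it on first use. `TokenVault`, `issue`, `redeem`, the 32-character length and the expiry window are hypothetical choices for illustration.

```python
import hashlib
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits
SAMPLE_TEMPLATE = b"constructed-template-bytes"  # constructed sample, not real data


class TokenVault:
    """Maps random single-use tokens to stored template blobs."""

    def __init__(self, ttl_seconds: float = 60.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}  # sha256(token) -> (expires_at, template_blob)

    @staticmethod
    def _key(token: str) -> bytes:
        # Only a hash of the token is indexed, so a dump of the index
        # does not hand out usable tokens.
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, template_blob: bytes) -> str:
        # The token comes from a CSPRNG and is never derived from the data,
        # so no key or formula turns it back into the template.
        token = "".join(secrets.choice(ALPHABET) for _ in range(32))
        self._entries[self._key(token)] = (self._clock() + self._ttl, template_blob)
        return token

    def redeem(self, token: str):
        """Return the template once, then destroy the token. None if invalid."""
        entry = self._entries.pop(self._key(token), None)  # pop enforces single use
        if entry is None:
            return None
        expires_at, template_blob = entry
        return template_blob if self._clock() <= expires_at else None


def demo():
    vault = TokenVault()
    token = vault.issue(SAMPLE_TEMPLATE)
    first = vault.redeem(token)   # the stored template
    second = vault.redeem(token)  # None: the token was destroyed on first use
    return first, second


if __name__ == "__main__":
    print(demo())
```

The vault itself still holds the templates, so it needs the same protection as any other template store; the token only keeps the sensitive data out of every system that handles the token.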
We’ve discussed many different ways biometric data is stored but one thing remains constant among them all: they rely on encryption to protect user data. However, anything encrypted can be decrypted or returned to its original form. By its own design, encrypted data can be reversed using the same algorithm used to alter it in the first place. In other words, no matter how advanced the mathematical formula, encrypted data is only as secure as those who have access to it.