Recent data breach highlights need for biometric best practice
Jason Tooley | August 16, 2019
Reported cyberattacks doubled in the first half of 2019, and companies are increasingly looking for ways to reduce their exposure. One approach is to move to a passwordless environment, so that neither employee nor customer passwords can be stolen, phished or reused by threat actors. As recent security incidents have shown, passwords on their own no longer adequately protect a firm's data.
Authentication has evolved from proving what you know, such as a password, to proving what you are, using a fingerprint or retina scan for verification. Microsoft, for example, is championing passwordless authentication by replacing passwords with biometrics for employee access this year, and it expects other companies to follow suit within six years.
However, biometrics must be deployed in a deliberate and secure way, or they increase the risk of a cyberattack instead of reducing it. This week, security researchers discovered a trove of unsecured biometric data, including more than 1 million fingerprint records and facial recognition data, sitting in a publicly accessible database. Whether attackers reached the data before it was secured is unclear.
The researchers found the data on Suprema's BioStar 2, a security platform that lists the Metropolitan Police among its clients. They described the exposure of biometric data as particularly disturbing: “Facial recognition and fingerprint information cannot be changed. Once they are stolen, it cannot be undone.”
As companies adopt biometrics for passwordless authentication, this breach underlines the importance of storing all biometric information securely: encrypted, and distributed rather than pooled in one place. Instead of saving a person's actual fingerprint image, which can be copied and replayed for malicious purposes, companies should store only a protected binary template. A plain template is not automatically safe, since many template formats can be inverted to reconstruct a usable biometric; the stored form must be designed so that the original biometric cannot be recovered from it.
Whatever its form, this sensitive information should not be held in a single centralised database. Veridium's platform has the built-in capability to fragment biometric data and distribute the fragments across multiple locations, further reducing the risk that a single compromise exposes it.
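The two points above, storing a protected template rather than the biometric itself and fragmenting what is stored across several locations, can be shown concretely. The following is an added example written for this article, not code from Veridium, Suprema or the researchers: a fuzzy commitment (the Juels-Wattenberg construction) over a constructed 255-bit binary template using a toy repetition code, followed by n-of-n XOR splitting of the stored helper data. The function names (`enroll`, `verify`, `fragment`, `reassemble`) and all parameters are assumptions of the example. Encryption at rest, which the article also calls for, is orthogonal and omitted here.

```python
"""Protected template + fragmented storage (added illustration, not vendor code).

Enrolment commits a random key to a binary biometric template: the stored
helper data is codeword(key) XOR template, plus a hash of the key.  A later
scan that differs from the enrolled template in a few bits still decodes to
the same key; the raw template itself is never stored.  The helper is then
split into n XOR shares so that no single store holds anything meaningful.
"""
import hashlib
import secrets

TEMPLATE_BITS = 255                   # constructed toy template length
REP = 5                               # repetition code: each key bit stored REP times
KEY_BITS = TEMPLATE_BITS // REP       # 51 committed key bits (toy size)
MAX_FLIPS_PER_BLOCK = (REP - 1) // 2  # majority vote tolerates 2 bad bits per block
# Caveat: the helper leaks TEMPLATE_BITS - KEY_BITS bits about the template
# (the codeword carries only KEY_BITS of entropy), so the feature extractor
# must deliver templates with more entropy than that.  Real deployments use a
# proper error-correcting code and much longer keys; these are toy parameters.


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    """Pack 0/1 ints into bytes, MSB first, zero-padded at the front."""
    return int("".join(map(str, bits)), 2).to_bytes((len(bits) + 7) // 8, "big")


def encode(key):
    """Repetition-code encoder: KEY_BITS -> TEMPLATE_BITS."""
    return [bit for bit in key for _ in range(REP)]


def decode(codeword):
    """Majority vote per REP-bit block; corrects up to MAX_FLIPS_PER_BLOCK errors each."""
    return [int(2 * sum(codeword[i:i + REP]) > REP) for i in range(0, len(codeword), REP)]


def key_hash(key):
    return hashlib.sha256(bits_to_bytes(key)).hexdigest()


def enroll(template):
    """Build the record to store.  No template bit appears in it directly."""
    key = [secrets.randbits(1) for _ in range(KEY_BITS)]
    return {"helper": xor_bits(encode(key), template), "key_hash": key_hash(key)}


def verify(record, probe):
    """Unmask with the fresh (noisy) probe, decode, and compare key hashes."""
    recovered = decode(xor_bits(record["helper"], probe))
    return secrets.compare_digest(key_hash(recovered), record["key_hash"])


def fragment(helper, n):
    """n-of-n XOR sharing: n-1 random shares plus one that XORs back to the helper.
    Each share on its own is uniformly random, so one breached store learns nothing."""
    shares = [[secrets.randbits(1) for _ in helper] for _ in range(n - 1)]
    last = helper
    for share in shares:
        last = xor_bits(last, share)
    return shares + [last]


def reassemble(shares):
    out = shares[0]
    for share in shares[1:]:
        out = xor_bits(out, share)
    return out


def flip_bits(bits, positions):
    """Simulate sensor noise by flipping the given template positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo():
    enrolled = [secrets.randbits(1) for _ in range(TEMPLATE_BITS)]  # constructed template
    record = enroll(enrolled)
    shares = fragment(record["helper"], 3)  # held by three separate stores
    rebuilt = {"helper": reassemble(shares), "key_hash": record["key_hash"]}
    genuine = flip_bits(enrolled, [0, 7, 63, 128, 254])  # re-scan noise, <=2 flips per block
    impostor = [secrets.randbits(1) for _ in range(TEMPLATE_BITS)]
    return {
        "genuine_accepted": verify(rebuilt, genuine),
        "impostor_accepted": verify(rebuilt, impostor),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, `demo()` accepts the noisy re-scan and rejects the random impostor after the helper has been reassembled from its three shares. Two design points carry over to real systems: the verifier never needs the enrolled template, only the helper and the key hash, and the distributed shares are only useful when the stores are under independent control, since an attacker who reaches all of them rebuilds the helper exactly as `reassemble` does.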
As consumers and employees increasingly turn to biometrics as a secure form of authentication, companies must ensure that their back-end storage is reliable and properly secured. Only then can the move to a passwordless society gather full momentum.