
Biometric Security and Control Blog


The 7 Deadly Sins of “secure” fingerprint authentication systems


We have noticed that a majority of corporations experiencing data breaches and workplace identity theft share similar weaknesses in their overall privacy fabric. Some are turning to fingerprint biometrics as a means of "tightening up" access to secured data. However, many fingerprint authentication systems sold in the commercial market are actually convenience-based rather than security-based, often leaving gaping security holes that open new avenues of attack. Here we expose the "Seven Deadly Sins" of so-called "secure" fingerprint biometric systems and clarify the features needed to assure both the security and the convenience of a fingerprint solution. Check to see which of the following features are provided in the biometric system you are evaluating or planning to implement:

  1. Trusted Enrollment - does the biometric system allow for self-enrollment? This may seem convenient, but how does the organization know whose fingers were actually enrolled? The solution should require attended enrollment by a trusted operator, who uses his own biometric identifier to authorize the enrollment of any given individual. Without this key feature, there can be no absolute trust or confidence as to whom the credential belongs.
  2. Prevention of multiple identities - does the biometric system allow the same finger(s) to be enrolled under different UserIDs? If so, any given biometric identifier could be associated with more than one UserID, which can lead to impersonation and potential fraudulent activity. Be sure the solution can prevent more than one enrollment of any given finger and that it provides a means of resolving any such attempts in a way consistent with your corporate policies.
  3. Device Interoperability - does the biometric system allow for true or partial device interoperability? If not, you may be tied to a single hardware vendor, which can be dangerous when pricing, availability, and eventual obsolescence become issues. Look for solutions that provide "true" device interoperability, meaning that enrollments can be performed on one device and authentications can be performed on the same device or on devices from different manufacturers. This will future-proof your investment and enable a wider range of users to benefit from the technology.
  4. Elimination of Passwords - does the biometric system support a means of eliminating passwords for access to sensitive applications? Many systems simply release stored passwords upon a biometric match, which often leaves the application vulnerable to circumvention of the biometric system. In some cases, eliminating the password may not be possible until the application is rewritten to natively support the biometric system. In such cases, check whether a potentially corrupt administrator has the capability of changing the User's password without the User being aware of it. The User's awareness that his password is no longer working is a first line of defense for knowing whether the password was changed without the User's knowledge or consent, which could equate to impersonation and fraud. Look for solutions that provide an effective defense against such password manipulation.
  5. Exception alternative - does the biometric system provide an alternate means of strong authentication in the event an image capture device is lost, stolen, out of order, or otherwise unavailable? Few providers of biometric solutions have even considered this or stepped up to the plate to deal with this scenario, which has often stifled adoption. Look for innovative systems that can leverage the biometric system with alternate credentials in such cases. Some vendors classify this as an "Exception Mode".
  6. Duress handling - does the biometric system provide a means of identifying an authentication request being performed under duress? Because there are multiple fingerprints per user, certain ones can be designated for duress functionality if desired. This may not necessarily be a feature to be widely deployed, but rather one for certain individuals who have access to extremely sensitive data and are concerned about possible duress situations that may force them to access the data against their free will. Look for systems that can support a duress feature and limit its use to certain Users, so as to make those Users accountable for any false alarms.
  7. Accurate matching - does the biometric system use advanced matching processes to ensure adequate accuracy? If the goal is to eliminate the need to specify a UserID during an authentication, then the system will need to support 1-to-many matching. Only a few systems have 1-to-many matching that exceeds the accuracy of the standard FBI AFIS technology used by law enforcement and civil ID programs. Be sure to validate the vendor's claims against credible, independent third-party reviews.

So, it comes down to this: look before you leap, and make sure that the biometric system you decide to use offers positive answers on all seven of the deadly sins listed above. Otherwise, you may be deluding yourself into thinking that you have secured your most valuable assets.

Can Biometrics Be Used to Thwart Identity Fraud?


Identity fraud is a crime that costs all of us. As measures to mitigate identity fraud have increased in recent years, so too has the sophistication of the fraudulent acts. People dedicated to committing fraud had the upper hand for some time, but technology is now catching up to these predators.

The Case to Utilize Fingerprint Biometrics:

Fingerprint biometrics are a leading digital technology for digital identity authentication. Those in a point of service setting who use fingerprint biometrics do so by scanning a customer's ID into a system and instructing the customer to use a keypad to match their fingerprint against the stored fingerprint identity. Fingerprint biometrics can increase the chances that the person in front of you presenting an ID is that ID's true identity. The result is the ability to capture and link fingerprints to a single ID record, which increases fraud prevention and helps ensure fraudsters cannot use multiple identities.

The Case to Implement Biometric Verification:

Those in a point of service setting pay for fraud twice: once from the initial act of fraud and a second time through increases in the cost of goods, services, and even insurance rates. Biometric verification can help resolve the problem of ID fraud and assure the point of service person that the customer presented is the actual person represented on the ID. The benefit of biometric verification is that legitimate multiple IDs can be linked to a single person through one unique biometric fingerprint record. The additional benefit is that this unique biometric fingerprint cannot be used across multiple fraudulent IDs.

Security Elements Needed for Acceptance of Fingerprint Biometrics:

A sound fingerprint authentication system needs to have inherent protection against a number of types of common attacks and other compromised situations:

  1. The system should enforce trusted attended enrollment to establish a chain of trust as to whose fingers were enrolled for any given UserID. This cannot be accomplished by self-enrollment.
  2. The system should not allow any given fingerprint to be authenticated to identify more than a single User.
  3. The system should have a secure exception mode to support emergency access when no working device is available.
  4. The system should support a duress function for a limited subset of the User base.
  5. The system should adequately secure the biometric identifiers both at rest and in transit to prevent replay, man-in-the-middle and denial-of-service attacks.
  6. The system should be adaptable to a variety of authentication interfaces.
  7. The system should support interoperability of devices from multiple manufacturers.
  8. The system should allow for actual elimination of passwords, not just releasing them to an existing password-authentication mechanism.
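The following is an added illustration, not code from this blog or from any vendor's product, of how several of the criteria above (and the matching "deadly sins" in the first post) can be enforced in an enrollment and authentication service: attended enrollment authorized by a trusted operator's own finger, a one-finger-to-one-UserID index, duress fingers restricted to designated Users, and single-use challenges with a device-keyed MAC so a captured authentication message cannot be replayed. Fingerprint templates are stood in for by opaque byte strings and matched by exact hash, which is an assumption made only so the example runs offline; a real matcher compares minutiae with a tolerance. The `device_key`, the user names and the template bytes are all constructed for the demo.

```python
import hashlib
import hmac
import secrets


class PolicyError(Exception):
    """Raised when an enrollment or authentication request violates policy."""


def template_id(template: bytes) -> str:
    # Stand-in for fingerprint matching (assumption): key on a hash of the raw
    # template bytes. A real system matches minutiae with a tolerance instead.
    return hashlib.sha256(template).hexdigest()


class BiometricRegistry:
    def __init__(self, device_key: bytes):
        self.device_key = device_key      # key shared with the capture device (constructed)
        self.operators = set()            # template ids of trusted enrollment operators
        self.finger_index = {}            # template id -> (user_id, is_duress); one owner per finger
        self.users = {}                   # user_id -> set of template ids
        self.duress_enabled = set()       # users permitted to designate a duress finger
        self.pending_nonces = set()       # challenges issued but not yet consumed
        self.audit = []                   # (event, detail) pairs for review

    def add_operator(self, operator_finger: bytes) -> None:
        self.operators.add(template_id(operator_finger))

    def allow_duress(self, user_id: str) -> None:
        self.duress_enabled.add(user_id)

    def enroll(self, user_id: str, finger: bytes, operator_finger: bytes, duress: bool = False) -> None:
        # Criterion 1: enrollment must be attended and authorized by a trusted operator's own finger.
        if template_id(operator_finger) not in self.operators:
            self.audit.append(("enroll_rejected", "no trusted operator present"))
            raise PolicyError("attended enrollment by a trusted operator is required")
        tid = template_id(finger)
        owner = self.finger_index.get(tid)
        # Criterion 2: a finger may belong to only one UserID.
        if owner is not None and owner[0] != user_id:
            self.audit.append(("enroll_rejected", f"finger already bound to {owner[0]}"))
            raise PolicyError("finger is already enrolled under another UserID")
        # Criterion 4: duress fingers only for the designated subset of Users.
        if duress and user_id not in self.duress_enabled:
            raise PolicyError("duress finger not permitted for this User")
        self.finger_index[tid] = (user_id, duress)
        self.users.setdefault(user_id, set()).add(tid)
        self.audit.append(("enrolled", user_id))

    def challenge(self) -> str:
        # Criterion 5: a fresh single-use nonce per authentication attempt.
        nonce = secrets.token_hex(16)
        self.pending_nonces.add(nonce)
        return nonce

    def device_sign(self, nonce: str, finger: bytes) -> str:
        # What the capture device would compute over (nonce, template) with its key.
        return hmac.new(self.device_key, nonce.encode() + finger, hashlib.sha256).hexdigest()

    def authenticate(self, nonce: str, finger: bytes, tag: str) -> tuple:
        if nonce not in self.pending_nonces:
            self.audit.append(("auth_rejected", "unknown or reused nonce"))
            raise PolicyError("replayed or forged challenge")
        self.pending_nonces.discard(nonce)           # consume: the same message cannot be replayed
        if not hmac.compare_digest(tag, self.device_sign(nonce, finger)):
            self.audit.append(("auth_rejected", "bad message tag"))
            raise PolicyError("message integrity check failed")
        entry = self.finger_index.get(template_id(finger))   # 1-to-many: no UserID supplied
        if entry is None:
            return ("no_match", None)
        user_id, is_duress = entry
        outcome = "duress" if is_duress else "ok"
        self.audit.append((outcome, user_id))       # duress is logged, not shown to the presenter
        return (outcome, user_id)


def demo() -> dict:
    """Exercise the policy with constructed users and fingers; returns outcomes by scenario."""
    reg = BiometricRegistry(device_key=b"constructed-device-key")
    op = b"operator-right-index"                     # constructed operator template
    reg.add_operator(op)
    reg.allow_duress("alice")
    reg.enroll("alice", b"alice-right-index", op)
    reg.enroll("alice", b"alice-left-index", op, duress=True)
    results = {}
    try:                                             # same finger under a second UserID
        reg.enroll("bob", b"alice-right-index", op)
        results["duplicate_finger"] = "allowed"
    except PolicyError:
        results["duplicate_finger"] = "rejected"
    try:                                             # self-enrollment with no trusted operator
        reg.enroll("carol", b"carol-right-index", b"not-an-operator")
        results["self_enroll"] = "allowed"
    except PolicyError:
        results["self_enroll"] = "rejected"
    nonce = reg.challenge()
    tag = reg.device_sign(nonce, b"alice-right-index")
    results["normal"] = reg.authenticate(nonce, b"alice-right-index", tag)
    try:                                             # replay of the captured message
        reg.authenticate(nonce, b"alice-right-index", tag)
        results["replay"] = "allowed"
    except PolicyError:
        results["replay"] = "rejected"
    nonce2 = reg.challenge()
    results["duress"] = reg.authenticate(nonce2, b"alice-left-index", reg.device_sign(nonce2, b"alice-left-index"))
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The duress outcome is written to the audit trail and returned to the calling application, which decides how to respond; nothing about the result is visible at the capture device, which is what makes the designated finger useful to the User under pressure.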

Technologies and products do exist which enable secure biometric systems to be implemented that meet these criteria to significantly reduce identity fraud potential.
