The Myth of Biometrics Enhanced Security - part 2 - Security Park
(28/02/2009)


Biometric standards can be obtained only if the common information is unconcealed. That, in and of itself, creates system-wide vulnerability, and thereby renders the system insecure. At present, each biometric scanner vendor generates its own encryption method. Raw biometric data is critical data. It should not be exposed or stored in public space. As difficult as it might be to create a secure standard for identical encryption paths, it is seemingly not possible to create standards for non-identical encryption paths. Overcoming the encryption matching hurdle is the see-saw that creates the security blind spots because the template can be tapped during the authentication process.

Traceable biometric authentication systems extract features from scanned biometric elements and pattern-match them against an enrolled template. Theoretically, a system cannot authenticate strangers to its data store. The other side of that theory is exactly where the hackers look. The inability to “recognize” strangers is an opportunity to breach the authentication barrier. If a biometric authentication system has a blind spot, it can then be taken advantage of and used to clone or rob ID. It also means that when the real ID owner tries to use their legitimate ID, they might find that they have been revoked from the system without understanding why. An electronic chip that contains identity elements is only one of the many threats facing traceable biometric authentication systems.

Template leakage is an even bigger problem because once that information has been obtained, the ability to prevent illegitimate copies and “fake originals” of legitimate IDs is gone unless the template is changed. Any change to the template requires changing ALL associated IDs, just as is the case when a “master key” is lost. The only solution is to change the key and distribute new keys to all who use it. Can one possibly imagine if such an instance were to occur with Driver’s Licenses? Now try to imagine if it were to happen with Passports. Unfathomable! At least with keys, the ability to change the template or lock is not ideal, but possible. That is not the case with biometrics as biometric elements are with the individual for life. Dear security decision maker, how can you sleep at night?

People want to be able to draw a circle around their personal information, and do not want parts of their body electronically stored in databases. Our system of government tells us that we are entitled to control all that falls inside this circle; we ought to be able to regulate how, to whom, and for what reasons the information within this circle is disseminated. Some people object to biometrics for cultural or religious reasons. Others imagine a world in which cameras identify and track them as they walk down the street, following their activities and buying patterns without their consent. They wonder whether companies will sell biometric data of their body parts the way they sell email addresses and phone numbers. People may also wonder whether a huge database will exist somewhere that contains vital information about everyone in the world, and whether that information would be safe there.

Cloneable, traceable or collectable biometric systems could be designed to have the capability to store and catalog information about everyone in the world. The violation of privacy created by the collection of biometric data creates a prophylactic paradox; the bigger the privacy violation, the farther it moves from its intended goal.

How then can the power of biometric authentication be made useful without bumping up against these numerous serious challenges?

Innovya's Traceless Biometrics approach, using non-unique remedies and a Real Time Reactive Authentication process, solves all such cloneable, deflectable and privacy challenges. The Traceless Biometric workflow uses the time-tested photo ID concept, wherein you match a picture to a person, no different than in any typical biometric authentication process. In a very simplistic way, just as in a mirror reflection, anyone can “authenticate” a stranger’s reflection without the need to compare the reflection against any other source of stored information. It does so, however, in a manner that is, as its name suggests, traceless, without storing any biometric data anywhere.

Innovya’s Traceless Biometric Authentication process consists of a comparison of only a portion of predetermined biometric elements against the users’ associated access device, wherein the “instructions” for which such portions and their mathematical modifiers are stored on the access device, somewhat similar, in an oversimplified sense, to the PIN on an ATM card. Unlike the ATM card, however, the system will not authenticate unless that specific user is the one seeking authentication because positive identification is derived from biometric elements on the user’s person, and therefore becomes useless without the user. Should the access device be hacked exposing the numerical string derived in the Traceless Biometric Authentication process, an alternative Traceless Biometric Authentication element can easily be programmed and reissued to the user.

Therein lies the essence of Innovya’s novel approach. Innovya has overcome the major challenge of creating a secure and efficient authentication solution that is stronger and less disturbing than electronically cloning human intrinsic characteristics on databases or electronic chips by eliminating them from the equation altogether. Additionally, because only a portion of the total biometric data is used in the process, should that data be compromised, the ability to recreate the biometric element from which it was derived is simply impossible.

Today, most systems are designed to work specifically in the place where they are located, like office buildings or hospitals. The information in one system isn't necessarily compatible with the other’s, although several organizations are trying to standardize biometric data. Once identical information is stored outside of governmental boundaries, the potential of using it commercially is huge, especially by hostile governments that might be willing to pay a lot for these otherwise indiscoverable information elements. Above all the advantages and disadvantages of this technology, we will unintentionally be creating ripples in the field of security and privacy.

Adopting traceless guidelines by using real-time reactive authentication process methods for current biometric authentication systems will result in an efficient and unobtrusive authentication solution, while treating personal privacy as the critical issue that it is. Biometric scanning, not storage, as is necessary for the limited purpose of authenticating a user should suffice. Authentication systems should dismiss all biometric information or traces thereof from the scanning devices immediately after the authentication process, and mustn't use any external storage systems. Innovya has developed the solution to all of these challenges.

Although there are severe restrictions on collecting, creating, lodging, maintaining, using, or disseminating records of identifiable personal data, there are no legal restrictions on the processing of biometric authentication systems. Biometric authentication processes must be recognized for the risk that they pose, and must therefore be carried out only in ways that are Traceless and Anonymous.

Opinion piece submitted by Michael (Micha) Shafir and David J. Weiss — Innovya Traceless Biometric System
