How is biometric data stored?

You probably use biometrics data every day without realising that it’s your unique genetic makeup that is enabling you to access your phone, clock-in for work, or authorise a financial payment. If you are a smartphone user – and there are an estimated 2.87 billion of these worldwide – it’s likely that you use your fingerprint or face to access your device. But have you ever stopped to question who holds your biometric data and how?

 

What is biometric authentication?

Simply defined, biometric authentication is the use of unique characteristics of a person’s body or behaviour to verify identity. It can be used to control access to technology, buildings or services. The types of characteristics that can be used for identification can be broadly categorised into physical characteristics including fingerprints, eye scans and face recognition, and behavioural characteristics including voice recognition, keystroke patterns and engagement patterns. Biometric identification systems work on either a recognition or authentication basis. Fingerprint scanner authentication is the most popular method, although facial and voice recognition is becoming more common in certain sectors such as crime prevention and travel.

Biometric technology offers a very high level of detection and security. This is because a fingerprint, iris scan or voice cannot easily be duplicated or falsified. Using a biometric means of authentication is less time consuming, dependable (you can’t forget your finger), user-friendly and requires almost no training. Biometrics can be used to automate processes such as recording employee hours, which are prone to falsification and error.

When it comes to fingerprints, skin falls into two types – smooth skin which covers most of the body and friction ridge skin. Friction ridge skin extends from the fingertips to the wrist and from the tips of the toes to the heel. Each area of friction ridge skin is unique to that person. So, fingerprints are undoubtedly and irrefutably unique to the individual. They are even unique to the finger, thumb or area of palm print of the person.

Can you fake it?

You may well ask, however, if it is possible to use the fingerprint of someone who is deceased, create a false face or imitate someone’s voice. The simple answer is no because biometric scanners, such as a fingerprint scanner, have liveness detection built into them. Liveness detection is any technique used to detect a spoof attempt by determining whether the source of a biometric sample is a live human being or a fake representation. This is accomplished through algorithms that analyse data collected from biometric sensors to determine whether the source is live or reproduced.

 

 

Capturing biometric fingerprint data

When storing, processing and using biometric data for authentication, the first stage is the capture of a person’s fingerprint. Once a piece of biometric data is captured it cannot be amended. Unlike a password, you can’t forget your fingerprint or voice. Once this data has been captured, it is then analysed and converted into a biometric template. This is a binary mathematical representation of the original fingerprint based on an analysis of the minutiae – usually endings and bifurcations of ridges. This template cannot be backwards engineered into a picture of a fingerprint.

Storing biometric data

A hardware-based recognition system is where the data is stored on a specific piece of hardware and works with the device to recognise the data, without storing the data on the device itself. This offers a fast response during user authentication as the biometric templates are stored locally and the recognition system does not require any external response.

A portable token system uses a fob or a smart card to store biometric data. This means that your fingerprint, once captured, is stored within the token. The benefits of storing biometric data on a portable token are that it doesn’t need to be transferred over a network for verification purposes, and so this reduces the risks that can come with network-related vulnerabilities. When using this method, the user will need to present their card or fob and then their biometric data as a two-step authentication process.

Biometric data can also be stored on an end user’s device. This is most common on smartphones that use touch ID fingerprint sensors, such as Apple’s iPhone. On-device storage can be used to store biometric data through a chip that holds the data separately to the device’s network. Many of the new biometric bank cards which have been trialled in the last few years work using this system. When storing the data on the authentication device itself, the organisation implementing the biometric verification process doesn’t have control over it.

A biometric server is another way to store data, although it is more susceptible to cyber-attack. As data is held on an external server it allows for multi-location verification. To reduce the risk of data being breached, it must be encrypted when being transferred over the network. The issue with encryption is deciding where encryption keys will be stored and who will be trusted with access. With the recent implementation of GDPR, there are increased responsibilities of managing and storing data with the potential for penalties should the data become compromised. One major flaw with this method is that should a hack take place, all of the user’s biometric data could be leaked at once. This happened to Equifax, British Airways and Uber.

Distributed data storage is a further method which stores the biometric templates on a server and a device. By storing the data this way, it makes it harder for a cybercriminal to access the data, as they would need to get into both points. This method offers security and privacy without sacrificing usability or scalability. However, it is really only suitable for companies looking to maintain complete control over the data and willing to accept the risks and liabilities associated with storing end-users’ biometric data themselves.

 

 

 

The Almas Solution

We take security very seriously at Almas. We design, test and build our own biometric fingerprint scanners and we are quite proud of them! Our biometric templates are stored in a binary format and encrypted within a database. Our Optima Box runs a Linux distribution called Fedora Heisenberg which has a MariaDB installed. MariaDB has a plugin for MySQL and is blocked by the firewall so that no other connections than the Optima Box can access data. Our system effectively has three levels of security preventing fingerprint data from being access by anything other than the biometric reader for the purposes of verification.

We never store pictures of fingerprints. That also includes images of scans taken with our facial access control readers designed to strengthen security in and around your site.

If you want to harness the power of biometric fingerprint technology within your business, contact us today for a consultation. We will advise you and help you every step of the way, including making sure that you are GDPR compliant. Give us a call on 0333 567 6677 (UK) or 01 68 333 68 (Ireland), or drop us an email at [email protected].