How much security does your data need?
The knee-jerk response (and the one your CISO would love the most) is, “All of it.” Maybe in a perfect world, where money is no object, that’s true, but here in the real world cost must be balanced out by several other factors – including how important it is and what legal liabilities might be attached to it.
For example, there’s no reason to put your list of the 50 best Adele songs under Fort Knox-level protection. But at the other end, your company’s newly patented method of widget making should have security that makes the nation’s chief gold depository look like a mall on Black Friday.
Biometric authentication is less expensive and more secure than tokens and passwords and requires storing data like fingerprint and iris templates, which can’t be reset like a lost password. That’s why an effective biometric authentication platform must provide security in ways that reflect your organization’s risk tolerance and legal requirements.
These are the three different ways biometric data can be stored. Which one best fits your needs?
On Device
One of the more popular methods for storing biometric data is to do it on the end user’s device. Until recently, this strategy worked solely on mobile devices, where native fingerprint sensors were the primary method used for biometric authentication, though recent developments with Windows 10 and Windows Hello have added personal computers to the mix. This lets the end user retain control over their data and simplifies compliance with data privacy regulations like the GDPR, putting the responsibility for security in the hands of the individual. iPhones and Android devices utilize a secure hardware storage mechanism that makes this a convenient and cost-effective strategy as well. However, for some businesses, it isn’t always an ideal one.
When biometric data is stored solely on the device it also means that the authentication mechanism happens on-device as well. This means that the organization has no control over the process. For financial services organizations and those dealing with highly-sensitive data access, this may be a bit too rigid for their security requirements.
On a Server
Businesses requiring more direct control over the authentication process may consider performing matching and storing data on a centralized server.
However, there are some flaws with this model as well. Should that central repository be compromised, all of the end users’ biometric data could be leaked at once, much like what happened in the United States Office of Personnel Management (OPM) breach in 2015. This might not be the best solution for businesses looking for tight security.
There is a way to make storing data on a server more secure, by using a distributed data model as described below. This method would work for companies looking to maintain complete control over the data and willing to accept the risks and liabilities associated with storing end users’ biometric data themselves.
Distributed Data: A Secure Storage Solution
The third option for storing biometric data is a distributed data model, which stores the biometrics on both server and device for a more secure solution.
Using visual cryptography, biometric data is broken up into files of miscellaneous noise upon enrollment, with those files stored in separate places, such as on the server and the secure storage area on the end user’s phone. This makes it harder for biometric data to be compromised during a hack and still offers organizations control over the authentication process, logging, and auditing.
Thus the distributed model is able to offer security and privacy equally, minimizing risk for businesses and their end users without sacrificing usability or scalability.
