Tackling biometric breaches, the decentralized dilemma

A recent discovery by vpnMentor revealed a worst case scenario for biometrics: a large cache of biometric data being exposed to the rest of the world. In this case web-based biometric security smart lock platform, BioStar 2, was breached.

This breach surfaces a common flaw that many of the established providers of biometric authentication have built into their system. Many biometric providers store biometrics in a large centralized database. To avoid a biometric dystopia, adoption of mechanisms and schemes that reduce the risk of biometric breaches is paramount, with decentralized biometric databases being top of the list.

Biometrics are risky by nature

Biometrics are both permanent and unique. These attributes make biometrics very useful for authentication. They are also the prime contributors to biometric risk.

Nefarious individuals and organizations which obtain biometric data can sell it forever. This is a very different scenario from passwords which lose their value over time. Breaches are discovered and users change their passwords. Despite this, user credentials are very valuable assets. According to an NBC News report in March of 2018, passwords for online bank accounts sell for an average of 160.15 USD. This is why centralized credential stores with millions of credential records are such prized targets.

Biometrics are also prone to cryptographic attack over their lifetime. Even the strongest encryption algorithm used today to store biometrics will likely be crackable in twenty years. For biometrics, this is a serious problem.

Mitigating biometric risk

The best possible mitigation against the risks posed by a centralized biometric store breach is not to have a centralized store at all. Pushing the data to the edge and utilizing decentralized biometrics removes the need for a massive repository of credentials.

Fortunately, a trusted method for storing and validating decentralized biometrics has been around for years. Many smartphones, tablets and laptops have very secure decentralized data storage for biometrics and very accurate biometric validation mechanisms. The WebAuthn working group at the World Wide Web Consortium, a.k.a. W3C, has developed an authentication protocol for utilizing biometrics on those devices in a secure and reliable manner. It even has support in the most popular browsers. Furthermore, adding the Client to Authenticator Protocol (CTAP) to communicate with trusted devices providing biometrics is the basis of the decentralized protocol FIDO2.

Establishing a trust threshold

How well you can trust a device will be dependent on the implementation. For example, with a bring your own device, or BYOD, strategy, it’s not possible to be absolutely certain who is providing a biometric being authenticated. It could be anyone the user allowed access to their device via a biometric.

That level of trust is acceptable for the majority of use cases. For the remainder of use cases, adding factors of knowledge or possession can assure that authentication by any person other than the user was intentional. For example, a second form of authentication like a locally stored and verified PIN or seeing if a person is wearing a paired smart watch. If biometrics is absolutely required to be tied to the user, issuing users a managed device in which the identity of the biometrics on the device can be restricted will meet that need.

The future is now

Tech giants are bought in on distributed biometrics protocols WebAuthn and FIDO2. In fact, decentralized biometrics solutions based on these protocols are available at a number of big name tech companies. By moving to decentralized biometrics solutions, companies are not buying into a false sense of security provided with centralized biometrics. Centralized biometrics stores are not more secure. They are not more reliable. They may be more familiar. That doesn’t make them better. The risk is too high to have a mainframe vs. client server vs. web type of conversation about biometric authentication.

As regulators and customer demand start driving the conversation around biometric authentication, make sure they are driving you towards a brighter future.