Thursday, 02 September 2010

The security model for biometrics

I just came across an article that talks about how the use of biometric data for identification can cause a security problem. Here's what this article said:

When biometrics get down to the local gym, however, serious questions must be raised. Your biometric identifiers are immutable and, once stored on a computer, impossible to take back. So if the 24-Hour Fitness database gets hacked and some enterprising Black Hat team of computer experts makes off with this sensitive information, many people could forever lose control of this permanent identification marker. Of course, you could scrape off your fingerprints and replace them with new ones. (This is probably possible). But that's getting a little too close to Total Recall for my taste.

This seems to miss the point of biometrics. Biometric data isn't secret, and the security model of biometric identification systems doesn't assume that it is. Instead, a biometric system needs to ensure that the data it captures is fresh rather than stored. The author of this article seems to have missed this subtlety.
