Biometrics are only as secure as how they're stored


I’m not familiar with the system, but would it not have made more sense to have it running on site for most installations, with a secure backup being made every day? It’s not like the web interface can’t be hosted on a local network - get rid of the most obvious point of failure.



Or you know, not use biometrics as security measure, at least not a primary one in any use case that is critical (though one wonders why you’d implement it just for the ‘fun’ of it).

The underlying problem is that people can’t fundamentally change their biometrics, therefore when this data is leaked (and it’s almost inevitable it will), or more likely a weakness in the sensors used is exploited, then it’s basically rendered useless.

I’ve always thought it a bit strange that countries like to collect all sorts of biometric data on their citizens but then chastise corporations for collecting data on consumers. “Do as we say, not as we do” and all that.



I’d make the argument that using it as a way to enter a building isn’t critical, as long as accessing IT once inside requires actual logins.

Just funny that a company whose business is security is so bad with security.



But having physical access to a machine makes logins largely irrelevant? Well, assuming there’s no security personnel and they have the time to mess with the machine. Or did you mean as a means to accessing the server room itself?



Server room itself. Users’ accounts with no root access aren’t as big of an issue, until you get into sending malware in emails/chat software.



This has come up because the information is held on remote servers, allowing it to be held off premises.

The whole system is a complete failure at every level when you read into it. Bad system security, bad security around storing passwords, fingerprints, etc. and bad practices on how that information should be managed.

Actually using biometrics isn't the problem. This company is a problem because their systems are utterly useless.

I prefer biometrics to be kept on device, and never leave that device.



Well, I get the point that their implementation was a farce. And I’m not saying a key, keycard, or whatever kind of security device is better (in fact the electronic versions tend to be complete garbage). I just meant that now that the data is out there the biometric devices are largely useless. You can rekey a lock or change a password but short of drastic measures one can not change their fingerprint, face, etc.


This is true, and unfortunately we’ve seen multiple breaches like this that have rendered a lot of biometrics for many people largely useless. I think this is partially down to incompetence and the lack of understanding of new technology. Eventually we won't see anything like this again, and all things like biometrics will be basically on-device within secure enclaves. But we're not there yet.



I guess I’m just a bit pessimistic on this point. Even when there is plenty of known good practice for securing websites you still see people fail at it. When personal data breaches are everywhere nowadays I am skeptical biometric data will share the same fate.



Well, I mean, the internet is also new technology. The fact that basically anyone can do it also means there will also be problems.

What I have noticed is that stupidly heavy fines help companies implement these solutions properly. The contract that people had with this company should have included the equivalent of an incompetence clause with heavy penalties.



Well, fines do work as a future deterrent (unless you're a Google), but they don’t really help put the genie back in the lamp.

Oh, well. There’s no such thing as absolute security anyways. Can only lower your risk and hope for the best. Well that and have a plan for the worst case scenario.



In Europe Google would be fined 2% of their annual global turnover.

So Google for example would be fined, if I got it right, $2.7 billion for a GDPR breach.

It's always about balance, but I think it's fair to say this particular incident is a complete failure on every level; there simply wasn’t any security, at all.



Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system

How do you see “web-based”, “biometric”, and “security” in the same sentence and not immediately run for the hills?

As a side note, one thing I perpetually cannot understand is why articles like this stress “Much of the usernames and passwords were not encrypted”. Encryption is completely irrelevant here! Passwords should never be encrypted; they need to be hashed, with a salt!

For non-password data, encryption itself is still quite meaningless, unless you understand how the decryption key is stored. An encrypted database is quite meaningless if the password is stored right alongside it. Theoretically, it can be worse than plain text as there is the potential that people might be more careless about what data they store there because they were assured that “it’s encrypted”.
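The two points made in this post, salted hashing for passwords and the uselessness of "encryption" whose key sits next to the data, side by side as an added example (not code from the thread or from the Biostar 2 product). It uses only the Python standard library; the PBKDF2 iteration count and the record format are assumptions chosen for illustration, and the "encryption" is a stand-in XOR keystream labelled as such, because the point is that anyone who copies the database also copies the key, not the strength of the cipher.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a per-user random salt.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn per call, so the same password stored twice
    yields two different records and precomputed tables are useless.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    There is no way to recover the password from the record; the only
    operation available is 'does this candidate match'.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# --- the anti-pattern: "encrypted", with the key stored in the same table ---

def _keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for a real cipher (constructed for this example); any cipher
    behaves the same way once the key is stored beside the ciphertext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_with_key_alongside(password: str) -> dict:
    """Store ciphertext and key in the same record, as a careless schema might."""
    key = secrets.token_bytes(16)
    return {"ciphertext": _keystream_xor(password.encode("utf-8"), key).hex(),
            "key": key.hex()}


def recover_from_encrypted_record(record: dict) -> str:
    """Whoever holds the record holds the key, so decryption is a one-liner.
    This is why 'it's encrypted' says nothing without the key-management story."""
    key = bytes.fromhex(record["key"])
    return _keystream_xor(bytes.fromhex(record["ciphertext"]), key).decode("utf-8")


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print("hashed record:", stored)
    print("verify right password:", verify_password("correct horse battery staple", stored))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", stored))

    enc = encrypt_with_key_alongside("hunter2")
    print("'encrypted' record:", enc)
    print("recovered by anyone with the dump:", recover_from_encrypted_record(enc))
```

The contrast worth noticing is in what each record lets a thief do: the hashed record only answers yes/no to a candidate password, and does so slowly by design; the "encrypted" record hands back the plaintext as soon as the accompanying key is read.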



For end user equipment, I totally agree, but for a building, would it really make sense to have each door scanner have its own registry of fingerprints/iris scans?

From what I understand, the Apple TouchID model is that fingerprint data never leaves the Secure Enclave, and never enters it except through an authenticated Home button (FaceID might be more precarious, since the camera is multipurpose, unlike the dedicated fingerprint reader). To pull off something similar for a building security system, you would need to have users scan their biometrics into each door terminal separately.

I suppose you could treat entire buildings as a single distributed system, but then you start to eat away at the advantages of a TouchID/Secure Enclave-style model.

Admittedly, I am comparing this to my imagined ideal of how a TouchID system would work; for all I know, the fingerprint sensor hardware → Secure Enclave connexion is really insecure, and could easily be tapped or spoofed.



In the building scenario I suppose the ideal method would probably be an HSM-like device for biometrics on a more isolated network. Certainly not on the internet. But I think part of the problem is the lack of understanding of how vulnerable biometrics can be.



Because it’s easier to say that than explaining the intricacies of hashing and salting to someone drinking their morning coffee haha



Then explain what hashing is in a footnote? Educate the average citizen so they themselves demand change.