Biometrics are lauded as among the most secure and accurate methods of verifying identities, but they are not foolproof. Fingerprint recognition systems have been fooled by Gummi Bears and I expect that dozens of people are toiling away in basements trying to figure out how to trick other forms of biometric identification.
Another threat to biometrics is the security of the database against which physical characteristics are compared. If you crack that database, you'll have all the data points you need to present to defeat the system. The Detroit News is reporting today on research being carried out by IBM to improve the security of those databases. It involves using an algorithm to distort the image collected, which is then compared to a database of similarly distorted images. This way, the database does not contain "cleartext" data that aligns with the actual data to be collected. If the system is compromised, a new distortion algorithm is introduced and the old data is supposedly useless. I'd think that coupling this with a one-way hash of the data would also be a good idea, but what do I know?
- Read the Detroit News article here: Researchers say distorting biometric images enhances security, privacy.
- See pre- and post-distorted images from the IBM research project here: IBM ECVG - Cancelable Biometrics.
- See the IBM technical research paper here (pdf).
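
The enroll, match, and re-issue cycle described above, as an added sketch that is not IBM's algorithm or code from the article. It assumes the biometric has already been reduced to a fixed-length feature vector, and it uses a key-seeded random projection as a stand-in for the distortion; the vectors, key names, and threshold are constructed for the demonstration.

```python
import math
import random

DIM_IN, DIM_OUT = 64, 32   # projecting to fewer dimensions discards information
THRESHOLD = 2.0            # constructed match threshold for this toy data


def distort(features, key):
    """Apply a key-seeded random projection (a stand-in for the distortion)."""
    rng = random.Random(key)  # same key -> same projection matrix
    scale = 1.0 / math.sqrt(DIM_OUT)
    return [
        scale * sum(rng.gauss(0.0, 1.0) * f for f in features)
        for _ in range(DIM_OUT)
    ]


def matches(template, probe):
    """Compare two distorted vectors; the undistorted data is never needed."""
    return math.dist(template, probe) < THRESHOLD


def sample_reading(true_features, rng, noise=0.05):
    """A fresh sensor reading: the same trait plus capture noise."""
    return [f + rng.gauss(0.0, noise) for f in true_features]


def demo():
    rng = random.Random(2024)  # constructed data, not real biometrics
    alice = [rng.uniform(-1, 1) for _ in range(DIM_IN)]
    mallory = [rng.uniform(-1, 1) for _ in range(DIM_IN)]
    # Enrollment: only the distorted template goes into the database.
    db_v1 = distort(sample_reading(alice, rng), "distortion-v1")
    results = {
        "genuine_v1": matches(db_v1, distort(sample_reading(alice, rng), "distortion-v1")),
        "impostor_v1": matches(db_v1, distort(sample_reading(mallory, rng), "distortion-v1")),
    }
    # Database compromised: re-enroll the same person under a new distortion.
    db_v2 = distort(sample_reading(alice, rng), "distortion-v2")
    results["genuine_v2"] = matches(db_v2, distort(sample_reading(alice, rng), "distortion-v2"))
    # The template taken from the old database no longer matches the new record.
    results["stolen_v1_vs_v2"] = matches(db_v2, db_v1)
    return results


if __name__ == "__main__":
    print(demo())
```

Matching tolerates sensor noise because the projection roughly preserves distances between readings; the distortion key has to be stored apart from the template database for re-issuing to mean anything.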