Recording and storing millions of fingerprints is a high-risk operation. Scientists are constantly searching for new and better security solutions to protect your information.
More and more people are leaving their fingerprints behind – in passports, when logging in to online banking or their mobile phones. Have you thought about where your fingerprint information is stored and who has access to it? Whether we store fingerprints on our mobile phone chip, with our server host or in the cloud, security is always a concern.
Bian Yang of the Center for Cyber and Information Security (CCIS), which is hosted at NTNU in Gjøvik, is studying how to ensure that personal data cannot be accessed by unauthorized individuals.
Yang and his colleagues have developed a secure approach for storing fingerprints. Their patent has now been bought by the firm Crossmatch, which provides fingerprinting security for border crossings into the United States.
“To enter the US, you have to get all ten fingers fingerprinted. Storing such a vast number of fingerprints clearly involves a major security risk. It would be catastrophic if these were leaked, and linked to individuals,” says Yang.
- You might also like: Researcher’s heart problems uncover security gap
Infinite fingerprint identifiers
Fingerprints, your face, ears, iris, gait, the way you type – all are unique to just you. These characteristics are called biometric information and are well suited to identify people.
“A person’s biometrics can’t be changed the way PINs or passwords can. Biometric identifiers are our individual physiological characteristics, unique traits that make us who we are,” says Yang.
Today it is becoming more and more common to use biometric information for secure logins. Since we have ten fingers, you might think that you only have ten identification possibilities, but that isn’t necessarily so. The method that Yang has developed enables an infinite number of digital bits of information to be generated from the same fingerprint. These can be used as passwords in different places.
The information bits are as unique as your fingerprint, but they have the advantage that you can log in without the direct use of a sensitive and very personal fingerprint. This approach thus allows can the same secure identification with biometric information in a protected form.
- You might also like: Stolen identity
Technology is more vulnerable than we think
Yang’s method prevents someone from acquiring and misusing your fingerprint. This is important as the use of cloud services increases.
Cloud storage offers many advantages. It doesn’t take up space on your computer’s hard drive and is simple to use, but at the same time it means that responsibility for making the storage secure is handed off to a third party. We send sensitive information to servers in unknown locations and choose to rely on cloud service providers. The technology is more vulnerable than we might think. We may gain ease and affordability at the cost of security.
Making it impossible to find the original
Yang explains that security can be increased by protecting your whole fingerprint, and only bits of information are extracted and used for identification. This method can be compared to using different passwords for different logins. Every time you log in somewhere, information from your fingerprint is generated.
“We ensure that these bits of information can’t be linked to one another or back to the original fingerprint. This is important in preventing someone from stealing or misusing your fingerprint data. Protecting the information before sending it to the cloud and using it in protected form will be important in the future,” said Yang.
Always some risk
“We’ve done our research with a view to finding new, joint solutions in the EU, so that it will be possible to implement the new law once it comes into force a year-and-a-half from now,” said Yang.
Since there will always be security risks, researchers must do what they can to minimize the risks and possible consequences of a breach.
“We’re doing this primarily because it’s important to protect users. Often people don’t think of the need for security until something has gone wrong. We’re doing research to prevent anything from happening,” says Yang.