September 10, 2023

Anonybit Team

How Is Biometric Data Stored? Keeping Biometric Secure

Are you interested in using biometric authentication techniques but are afraid of a data breach? Understanding how to optimize the storage of biometric data can be a complicated endeavor. This article can provide valuable insights into understanding biometric data security and storage methods, helping you determine which is best for your enterprise.

Anonybit’s solution, a privacy-enhancing identity management platform, can be a valuable tool for preventing data breaches and account takeover fraud using decentralized biometrics. Our core technology enhances biometric data security and allows you to determine which modality is best for your enterprise and use case.

What Is Biometric Data?

Biometrics are measures or assessments of user traits unique to each individual. They can be based on physical features, such as your fingerprint, or behaviors, such as how you hold your phone. Biometric characteristics used for identity confirmation are:

  • Unique
  • Permanent (something that users consistently have access to over time)
  • Measurable

As a result, biometrics is one of the most effective user authentication methods. Biometrics are also highly reliable because, unlike a user ID/password combination, these unique characteristics cannot be lost, forgotten, or stolen.

Common Biometric Data Sets

  • Fingerprint templates
  • Iris templates
  • Voice prints
  • Face recognition 
  • Hand geometry maps
  • Vein recognition templates
  • Behavioral biometric profiles

How Is Biometric Data Collected?

Storing, processing, and using biometric data for authentication are done in stages.

  • The first stage is capturing a person’s biometric identifier (also known as enrolling the person). 
  • Once this data has been captured, it is analyzed and converted into a biometric template. This is a binary mathematical representation of the original biometric identifier (like a fingerprint, for example). 

Enhanced Security and User Experience for Passwordless Authentication

At Anonybit, our decentralized biometrics system design helps companies prevent data breaches and account takeover fraud. With a decentralized biometrics solution, companies can enable passwordless login, wire verification, step-up authentication, and help desk authentication. We are on a mission to protect companies from data breaches, account takeovers, and synthetic identity fraud.

To achieve this goal, we offer security solutions such as:

  • Secure storage of biometrics and PII data
  • Support for the entire user lifecycle
  • 1:1 biometric authentication and 1:N biometric matching to prevent duplicates, synthetics and blocklisted identities 

Anonybit eliminates the tradeoffs between privacy and security. Prevent data breaches, enable strong authentication to eliminate account takeovers, and enhance the user experience across the enterprise using Anonybit. 

Book a free demo today to learn more about our integrated identity management platform.

How Is Biometric Data Stored?

On-device storage

Biometric data can be stored on an end user’s device. This is most common on smartphones with fingerprint sensors such as Touch ID, where Apple’s Secure Enclave holds the data. A chip that holds the data separately from the device’s network can be used for on-device storage. Many new biometric bank cards have been tested using this system in the last few years.

When storing the data on the device, the organization implementing the biometric verification process doesn’t have control over it. This is considered a privacy-enhancing feature as opposed to storing the data on a server centrally. Still, it can open up security risks as it is not known who is behind the device, only that the device has granted access to a pre-registered person. 

Portable token

Biometrics stored on portable tokens—security cards or USB drives, for example—work in much the same way as on-device biometric storage. Biometric information is stored on a single device, which must be presented during authentication for verification purposes. Biometric tokens are more costly to implement than the alternative because they require both the token and a separate biometric scanner. They are also very cumbersome to manage, as users may forget their token and a backup authentication process needs to be implemented. Often this backup process is a series of knowledge questions or a PIN code, which negates the whole biometric implementation.

Database server

At times, local device storage is not feasible. Large corporations that use biometric authentication to grant special user access and permissions prefer biometric database storage instead of local device access. A biometric database server is one of the more common methods of biometric data storage as it enables a single source of truth for the enterprise and can support many use cases; however, this approach is more susceptible to cyber threats, data breaches, and insider threats.

Distributed data storage

Distributed data storage is another method; it breaks biometric data down into components and stores them across multiple servers. The most common way to achieve this is with multiparty computation, which ensures that the components are never brought back together again, even for matching, and allows for significant resiliency and redundancy.
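A minimal sketch of the idea in this section, added here as an illustration and not Anonybit's or any other vendor's protocol: a quantized template is split into additive secret shares, each server computes a partial match score from its own share, and only those partial scores are combined. The modulus, feature values and function names are constructed for the example; the probe is visible to every server here, which a full multiparty computation protocol would also hide.

```python
import secrets

P = 2**61 - 1  # prime modulus for share arithmetic (constructed parameter)

def share(value, n):
    """Split an integer into n additive shares that sum to value mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % P)
    return parts

def enroll(template, n):
    """Return one record per server: a share of each feature and of ||t||^2."""
    feature_shares = [share(x, n) for x in template]
    norm_shares = share(sum(x * x for x in template), n)
    return [{"t": [fs[i] for fs in feature_shares], "norm": norm_shares[i]}
            for i in range(n)]

def partial_score(record, probe):
    """Runs on ONE server: its share of ||t||^2 - 2<t, q>, from its own record only."""
    dot = sum(t_i * q_i for t_i, q_i in zip(record["t"], probe))
    return (record["norm"] - 2 * dot) % P

def squared_distance(partials, probe):
    """Combiner: adds partial scores and ||q||^2; it never sees a template share."""
    # The true distance is non-negative and far below P, so the residue is exact.
    return (sum(partials) + sum(q * q for q in probe)) % P

def match(records, probe, threshold):
    """Accept when the squared Euclidean distance is within the threshold."""
    partials = [partial_score(r, probe) for r in records]
    return squared_distance(partials, probe) <= threshold

# Constructed 8-feature quantized template and two constructed probes.
TEMPLATE = [12, 200, 45, 90, 17, 130, 66, 240]
SAME_USER = [14, 198, 44, 93, 15, 131, 70, 238]
OTHER_USER = [90, 20, 150, 33, 210, 8, 175, 60]

if __name__ == "__main__":
    servers = enroll(TEMPLATE, 3)
    print(match(servers, SAME_USER, 100), match(servers, OTHER_USER, 100))
```

Each server's record is uniformly random on its own, so a breach of any single server yields no information about the template.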

How We Store Biometric Data At Anonybit

At Anonybit, the storage and computation (matching) functions are intelligently distributed across a multi-party cloud environment, with each party having exclusive control over their data. Each component of the decentralized identity system is encrypted with its own cryptographic key, providing a robust defense against any unauthorized access, even from insider threats.

Fragmented and Encrypted

When it comes to storing biometric data at Anonybit, the approach is rather unique. Upon capture, Anonybit breaks up the biometric data into anonymized bits distributed throughout a decentralized network. The original biometric image is discarded, and the anonymized bits are never reassembled, even for matching. This way, Anonybit ensures that the biometric data remains secure and private at all times.

Device Agnostic Identity

Anonybit works across devices and applications to maintain a truly decentralized identity. Anonybit can anchor the biometric as the root of trust in a device migration scenario by returning an authentication response without any original biometric data components. This eliminates the need for less secure authenticators while enhancing user privacy and security.

Privacy-Preserving Onboarding and Device Binding

Anonybit can securely ingest biometrics from the onboarding process and link them to the device-binding process without compromising user privacy. This seamless integration of biometric data across various processes ensures a smooth and secure user experience while maintaining the highest data privacy standards.

Securing Cryptographic Assets

The same infrastructure at Anonybit can also secure cryptographic assets, such as FIDO credentials, during transit and storage. Cryptographic assets can be shared and distributed over a decentralized network, and only after a user authenticates biometrically do the assets get released onto the user’s new device. This added layer of security ensures that cryptographic assets are protected at all times, further enhancing the system’s overall security.

How Secure Is Your Stored Biometric Data?

Security is a top priority when it comes to biometric data. The way biometric data is stored plays a crucial role in enhancing security. When you create a biometric template from an image, the biometric data is typically not stored as the original image. Instead, a proprietary, mathematical representation of the biometric selfie, known as the template, is created. The template is unique to the solution provider and cannot be interpreted or read without the vendor’s secret algorithm to decode it.

Historically, this meant that even if someone got access to the biometric template, it could not be reverse engineered without access to the algorithm. Today, the danger is not necessarily limited to reverse engineering; having access to biometric templates opens up new attack vectors like injection attacks and other forms of identity theft. As biometrics get implemented for greater security and as a passwordless form of authentication, how to protect the templates is critical. 

Common Misconceptions About Biometric Data & Authentication

Biometric Data is Easily Replicable

Contrary to popular belief, biometric data—whether it’s a fingerprint, face scan, or iris image—is not easily replicable. Biometric systems don’t store images of your biometric markers. Instead, they create a digital template representing these features, and most systems at minimum encrypt these templates for added security. Even with the latest genAI tools, there are countermeasures and technologies that can detect deep fakes. 

Biometric Data Can Be Stolen Like Any Other Password

Biometric data is unique because, unlike passwords, it cannot be stolen in the traditional sense. If your password is compromised, you can change it; if your biometric template is stolen, it is not your actual face or fingerprint that is stolen. That being said, if biometric data is not properly secured, attackers may be able to use it in injection attacks and other forms of identity theft, and it will be harder to refute the actual identity.

Biometric Systems are 100% Accurate and Can’t Make Mistakes

No system is flawless, and biometrics are no exception. Although advancements in machine learning and AI have made biometric systems exceptionally accurate, there can still be false matches and rejections. These can be due to various reasons, such as poor image quality or variability in how biometrics look due to environmental factors or the individual’s state. Refer to NIST benchmarks for algorithms that have undergone extensive testing.

Biometric Information Cannot Be Anonymized

Biometric data can and should be anonymized when stored or processed; this is no different from any other personal data. By sharding the biometric data into anonymized bits that cannot be reassembled, biometrics can be stored and used safely to support many different use cases. Anonymizing the biometric data also helps to minimize insider threats.

Biometric Systems are Too Expensive and Complex for Widespread Use

With the proliferation of biometric systems across various industries, their cost and complexity are rapidly decreasing. Technology is becoming more accessible and easier to integrate, and many service providers offer scalable and affordable solutions that can fit into existing tech stacks. From unlocking smartphones to authenticating financial transactions, biometrics increasingly make everyday life more secure and convenient.

What Laws Regulate The Storage And Usage Of Biometric Data?

Various laws and regulations have been enacted globally to protect biometric data, including the General Data Protection Regulation (GDPR) in the European Union, which sets stringent requirements for the processing of biometric data.

In Illinois, the Biometric Information Privacy Act (BIPA) is among the most comprehensive laws in the United States. It requires informed consent for the collection and storage of biometric data and establishes standards for its protection. Other regions may have less stringent or more sector-specific regulations, reflecting the growing recognition of the need to protect this sensitive information.

What Are The Risks That Come With Storing Biometric Data?

How secure is your stored biometric data? That depends on how secure the means of storing it is. All the storage methods detailed above use encryption to protect biometric data, but anything encrypted can be decrypted. In the end, encrypted data of any type is only as secure and trustworthy as those with access to it.

Centralized Storage Risks

Biometric data stored on a device is more secure than data stored in a database. A database can be convenient and cost-effective, but it is an attractive hacking target because it contains biometric templates for large numbers of users, and if it is successfully hacked, a large volume of data becomes vulnerable. Encryption helps, but exercising control over who has access to data and how they use it is the key to risk reduction. The ideal implementation is to shard biometric data and distribute the pieces into a multiparty cloud environment where the matching happens.

False Accept Rates (FAR) and False Reject Rates (FRR)

In rare instances, comparing an unauthorized user’s trait to an authorized user’s biometric template can result in an unwarranted verification. The rate at which this happens (the false accept rate) is considered one of the most important statistics by which the security of a biometric algorithm is measured. 

In contrast, the rate at which a biometric trait is rejected and fails to properly verify an authorized user is known as the false reject rate (FRR). Acceptable false accept rates are typically one or two in 100,000, while acceptable false reject rates are less than five or ten percent of attempts.
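How the two rates trade off at a decision threshold, as an added example that is not from the original article. The similarity scores, the accept-if-score-is-at-or-above-threshold convention and the function names are assumptions made for illustration.

```python
import math

# Constructed similarity scores in [0, 1]; not real benchmark data.
GENUINE = [0.91, 0.88, 0.95, 0.67, 0.82, 0.79, 0.93, 0.58, 0.86, 0.90]   # same person
IMPOSTOR = [0.12, 0.33, 0.41, 0.27, 0.62, 0.19, 0.48, 0.71, 0.25, 0.36]  # different people

def far_frr(genuine, impostor, threshold):
    """Return (FAR, FRR) when a comparison is accepted if score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)

def lowest_threshold_for_far(genuine, impostor, max_far):
    """Lowest observed score usable as a threshold with FAR <= max_far.

    FAR never increases as the threshold rises, so the first candidate that
    meets the target also gives the smallest FRR achievable at that target.
    """
    candidates = sorted(set(genuine) | set(impostor)) + [float("inf")]
    for t in candidates:
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr

def impostor_trials_needed(target_far, confidence=0.95):
    """Impostor comparisons, all rejected, needed to support FAR <= target_far.

    Solves (1 - target_far)^n <= 1 - confidence for n, i.e. the number of
    trials after which zero false accepts would be unlikely if the true FAR
    were any higher than the target.
    """
    return math.ceil(math.log(1 - confidence) / math.log(1 - target_far))

if __name__ == "__main__":
    for t in (0.6, 0.7, 0.75):
        print(t, far_frr(GENUINE, IMPOSTOR, t))
    print(lowest_threshold_for_far(GENUINE, IMPOSTOR, 0.0))
    print(impostor_trials_needed(1e-5))
```

For a target of one in 100,000, `impostor_trials_needed(1e-5)` comes to roughly 300,000 error-free impostor comparisons, which is why a FAR claim needs a test set far larger than the denominator it quotes.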

Privacy Concerns and Regulations

Another concern is the risk to privacy arising from how biometric data is stored, managed, and used. For example, one concern is that biometric data is likely to bring targeted advertising to the physical world, where in-store cameras collaborate with social media companies to identify you and display in-store ads to you specifically.

Fortunately, government bodies are aware of current trends, and laws are being created to control biometric data use. The General Data Protection Regulation (GDPR) addresses these concerns in Europe, and many U.S. states are enacting or considering biometric information privacy laws, the most prominent of which is BIPA in Illinois.

Book A Free Demo To Learn More About Our Integrated Identity Management Platform

At Anonybit, we help companies prevent data breaches and account takeover fraud with our decentralized biometrics technology. With our decentralized biometrics framework, companies can enable passwordless login, wire verification, step-up authentication, help desk authentication, and more. 

Comprehensive Security Solutions for Companies

We aim to protect companies from data breaches, account takeovers, and rising synthetic identity fraud as they face privacy regulations and digital transformation. To achieve this goal, we offer security solutions such as:

  • Secure storage of biometrics and PII data
  • Support for the entire user lifecycle
  • 1:1 authentication and 1:N matching for lookups and deduplication

Balancing Privacy and Security with Anonybit’s Integrated Platform

Anonybit eliminates the tradeoffs between privacy and security. Prevent data breaches, reduce account takeover fraud, and enhance the user experience across the enterprise using Anonybit. Book a free demo today to learn more about our integrated identity management platform.
