The “Anti-Pattern” of Server-Side Biometric Secrets

The Guardian and Forbes reported that researchers traced a massive leakage of 28 Million biometric and personal records to a company whose products are used worldwide for physical access control to a UK based company. The leak included centrally stored fingerprint, facial recognition, photos, unencrypted usernames and passwords, logs of facility access, security levels and clearance and personal details of staff and comprised over 23 gigabytes of data. The breach reinforces the problem with server-side biometrics and adds to a series of such prior breaches such as the OPM data breach that leaked the biometrics and personal information of US Govt. employees.

This leak points to an “anti-pattern” that security professionals and corporations should understand clearly. A pattern is an idea of how to solve a problem within a class of problems, that repeats itself. An anti-pattern is an idea of how not to solve it because implementing that idea would result in bad design.

The old proverb goes, “Why did Willie Sutton rob banks?….because the money was there!” Biometrics that are transported and aggregated centrally on the server for storage and matching are the worst kind of anti-pattern. They create stores of secrets on the server-side that are attractive for hackers to breach. The possibility of a scalable attack is large, the economic returns are very attractive, and remediation is very complicated.

By contrast, biometrics that work only on your personal device and are never shared, stored or matched on the server are an effective and secure pattern. By distributing the sensitive information and protecting it with extraordinary security, there is no central repository to attack. In other words, Willie Sutton would be out of business as a bank robber and instead be reduced to trying to pick pockets – not a scalable endeavor.

Apple, Samsung and others have proven that by distributing and localizing biometrics to a personal device that is in your control and by placing extraordinary controls around the biometric capture and matching, you can use biometrics as an effective secure pattern. In this case, the data is distributed, and you can at best try a targeted attack on individuals, one at a time – even that is so difficult that the economic incentives are not attractive.

Nok Nok Labs believes deeply in the idea that for privacy, security and the prevention of catastrophic failures like the breach above, corporations should only use the client-side-only biometric pattern as implemented by reputable vendors. We believe this so deeply that we incorporated this as a basic design principle in the creation of the FIDO protocols at the FIDO Alliance that we founded in 2013. The protocols created a more resilient distributed security pattern and are backed today by industry leaders such as Google, Microsoft, Intel, ARM, Samsung, Lenovo, VISA, MasterCard and others who have joined the alliance.

The FIDO protocols represent a good pattern to solve the problem of server-side secret aggregation. Users can leverage a method of authentication that is natural and convenient such as the client-side-store-and-match biometrics on a personal device including a phone or a physical token such as a USB or Bluetooth dongle. The standard ensures that there are no aggregations of secrets (as would be the case with passwords) and is designed to mitigate scalable attacks of all kinds such as phishing, interception by Man-in-the-Middle or compromises of a central repository of passwords. Developers get a simplified interface to implement this, and operators can rely on a single backend infrastructure regardless of device, method of authentication or security requirements. In other words, the standard ensures simplicity for the user, developer and operator.

It’s a well-kept secret that FIDO is already deployed widely and used daily by nearly a billion users at major brands such as Intuit, Bank of America, T-Mobile, Cigna, Google and Microsoft in the US and across Asia at DOCOMO, Softbank, Yahoo! Japan, and some of the largest banks in the region. It is expected to be deployed by most forward-thinking brands by 2020.