Security Encyclopedia

Biometric Encryption

Biometric encryption, also called biometric cryptography or biometric tokenization, refers to an authentication or access-control system that combines an inherence factor (something the user is) with public-key cryptography. The aim is to keep the convenience of authenticating by fingerprint, face, iris, voice, palm and so on, while removing the risk of treating the biometric itself as a shared secret: the service never holds a copy of the biometric, only a public key, so there is nothing on the server side that an attacker could steal and replay as the user's factor.

When a service chooses biometrics as the factor users must present, it must decide where the biometric template is stored and where matching happens. Biometric cryptography uses a decentralized model (FIDO UAF is the standard example) in which the template stays on the end user's device, which already has a biometric sensor and a matcher. At enrollment the device generates a key pair and registers only the public key with the service. To authenticate, the user matches their biometric against the template held on the device; a successful local match unlocks the private key, which signs a one-time challenge issued by the service, and the service verifies that signature with the public key it stored at enrollment. Only the signed challenge crosses the wire, so biometric data is never transmitted and never stored server-side.
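The exchange just described, as an added example that is not part of this entry or of the FIDO UAF specification: a device-side Authenticator that keeps a template and an Ed25519 private key, and a Server that stores only public keys and single-use challenges. Everything in it is a simplification chosen for illustration. The type and function names, the "uaf-auth:" message prefix and the SHA-256-equality matcher (standing in for a real, fuzzy, threshold-based biometric matcher) are assumptions; real UAF additionally binds the app/facet ID, carries an attestation at registration and a signature counter, and keeps the key in secure hardware. What the code makes checkable is that a wrong finger never unlocks the key, that the bytes on the wire contain no template, and that a captured assertion cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device: the template and the private
// key are created here and never leave (in production: secure hardware, OS matcher).
type Authenticator struct {
	template [32]byte // hypothetical template: SHA-256 of the enrolled sample; real matchers are fuzzy
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey // the only thing the service ever learns about this device
}

// Enroll captures the biometric locally and mints a fresh key pair.
func Enroll(sample []byte) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{template: sha256.Sum256(sample), priv: priv, Pub: pub}, nil
}

// Assertion is the entire message that crosses the wire: no biometric data in it.
type Assertion struct {
	UserID    string
	Challenge []byte
	Signature []byte
}

func signedMessage(userID string, challenge []byte) []byte {
	return append([]byte("uaf-auth:"+userID+":"), challenge...) // hypothetical domain prefix
}

// Authenticate matches locally; only on success does the private key sign the
// challenge. A failed match returns no assertion at all.
func (a *Authenticator) Authenticate(userID string, challenge, sample []byte) (*Assertion, error) {
	if sha256.Sum256(sample) != a.template {
		return nil, errors.New("local biometric match failed: key stays locked")
	}
	sig := ed25519.Sign(a.priv, signedMessage(userID, challenge))
	return &Assertion{UserID: userID, Challenge: challenge, Signature: sig}, nil
}

// LeaksTemplate reports whether the template bytes appear anywhere on the wire.
func (a *Authenticator) LeaksTemplate(as *Assertion) bool {
	wire := append(append([]byte(as.UserID), as.Challenge...), as.Signature...)
	return bytes.Contains(wire, a.template[:])
}

// Server stores public keys and live one-time challenges, nothing biometric.
type Server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (s *Server) Register(userID string, pub ed25519.PublicKey) { s.keys[userID] = pub }

// IssueChallenge returns 32 random bytes the device must sign; each is valid once.
func (s *Server) IssueChallenge(userID string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[userID] = c
	return c, nil
}

// Verify consumes the live challenge (so a captured assertion cannot be replayed) and then checks the signature.
func (s *Server) Verify(as *Assertion) error {
	pub, known := s.keys[as.UserID]
	live, ok := s.challenges[as.UserID]
	if !known || !ok || !bytes.Equal(live, as.Challenge) {
		return errors.New("unknown user, or challenge missing, stale, or already used")
	}
	delete(s.challenges, as.UserID)
	if !ed25519.Verify(pub, signedMessage(as.UserID, as.Challenge), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	enrolled := []byte("constructed-fingerprint-sample") // constructed stand-in for sensor output
	dev, _ := Enroll(enrolled)
	srv := NewServer()
	srv.Register("alice", dev.Pub)
	ch, _ := srv.IssueChallenge("alice")
	_, wrong := dev.Authenticate("alice", ch, []byte("wrong-finger"))
	as, _ := dev.Authenticate("alice", ch, enrolled)
	fmt.Println(wrong, "| leaks:", dev.LeaksTemplate(as), "| verify:", srv.Verify(as), "| replay:", srv.Verify(as))
}
```

Verify deliberately deletes the challenge before checking the signature, so a failed attempt also burns the challenge rather than leaving it available for a second try.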

Biometric cryptography lets the service provider avoid the risks of a central biometric store altogether. Unlike a password, a biometric cannot be rotated once it has leaked. The most glaring example of a biometrics breach to date is the 2015 breach of the US Office of Personnel Management, in which fingerprint records for roughly 5.6 million people were stolen alongside the background-investigation records of some 21.5 million people, containing a great deal of other personally identifiable information (PII).

Example:

“My company is going true passwordless — they’re going the whole way with using biometrics instead of passwords altogether. But the whole system is being migrated and architected as FIDO UAF. It uses biometric cryptography to ensure verification is local, on-device, so the user biometrics are never enrolled, stored, or otherwise shared with us.”