But now here is a concept that I hadn’t really considered before…and probably why I should stay away from digital security conferences and reading related documents…the hacking of fingerprint databases. Passwords, credit cards and even identities can be fixed or changed or re-issued. But fingerprints are for a lifetime. You can’t change those. You can remove them…ouch. But you can’t get new ones. And guess what? Fingerprint authentication as a security measure is growing…it’s not just on “Get Smart” or “Mission: Impossible” anymore. It’s on your laptop and your smartphone and your tablet.
The good news is – the usage right now is small and it’s on your personal device. It’s being authenticated on your device, not across the internet. The bad news is – usage is growing and devices can be hacked. And there are uses that are part of cyber security:
- Mobile devices
- Building security
What does this mean to project managers and IT professionals? I’m not sure because it had not struck me till now. But while I was attending the annual Black Hat conference in Las Vegas, there was a briefing about it titled “Fingerprints on Mobile Devices: Abusing and Leaking” by Yulong Zhang & Tao Wei. I guess you might say it opened my eyes a bit. Not to the usage, but to the potential long-term security threat if a fingerprint database is breached. This wouldn’t be like Equifax or Target or Wells Fargo getting their account number databases hacked. This would be a bigger issue. My fingerprints are on file for previous FBI security clearances as well as adoption background checks and gaming/hospitality sheriff cards. No, sorry…nothing exciting like a felony in there…I’m pretty clean (which is why I could get the FBI security clearance and adopt and work in the gaming/hospitality industry). I guess I’m simply not all that exciting…
Now, rest assured…someone stealing a database from your bank or government agency that has your fingerprint in it probably isn’t going to harm you too much – if at all. At least not now because what would they do with it? Frame you in a big art theft jewelry heist? That only happens in something like a James Bond movie right now. But as the uses for fingerprint authentication grow – and I’m not sure what those would be…use your imagination - it could cause problems for the general using public.
Summary / call for feedback
As we think of this in terms of projects and IT security, we will need to be aware of the potential for this type of hack if fingerprint security is part of our project solution access or login measure. If not, don’t worry. But the future changes. When I was a COBOL developer in the 80’s no one was concerned about two-digit year codes and what that might mean when the clocks turned from 1999 to 2000. And we were only 15 years away from that near disaster at the time. Talk about being short-sighted for some measly disk space!
How about our readers? What’s your take on this? Have you worked a project where ID access / authentication was fingerprint-based? If you haven’t yet, and you manage projects much longer with any type of security tied to them, you’re going to run across fingerprint authentication sooner or later.