Will OPM hack affect DOD's use of fingerprints for authentication?

The theft of 1.1 million fingerprints raises a host of questions.

Photo: Army biometrics fingerprint

The Pentagon has been expanding its use of fingerprints and other biometrics as a secondary form of authentication, especially as it makes use of more mobile devices and looks for ways to authenticate personnel into the network without having to use Common Access Cards. But will the revelation that the hack of Office of Personnel Management databases included the theft of about 1.1 million fingerprints change those plans?

As the OPM hack shows, fingerprints are something of a double-edged sword as a security device. They’re unique to the individual and they don’t change, so they provide a persistent, reliable way to confirm someone’s identity. But if they’re stolen, well, they’re unique to the individual and they don’t change, so they raise the potential for identity theft and a range of espionage-related uses.

The stolen fingerprints were part of in-depth background-check files rather than a dedicated biometric ID database, but once taken they could conceivably be used for biometric spoofing.

In the wake of the hack, security experts have speculated on how the fingerprints—stolen along with other personal information on more than 22 million current, former and prospective Defense Department personnel and contractors, most likely by the Chinese—could be used. At this point, it’s largely speculation because, as several security experts told the National Journal, the theft of this degree (and amount) of sensitive information is unprecedented.

In addition to using fingerprints and other stolen information (Social Security numbers, family, employment and health histories, and a lot of other information) for identity theft or blackmail, security experts have said the fingerprints could be used for, say, identifying U.S. personnel working under an assumed identity overseas, or allowing a foreign agent to pose as someone with a U.S. security clearance.

Does this mean that fingerprints are besmirched as an identity tool, or is the real problem with the security of the databases holding that information?

Despite their usefulness, biometrics have never been hack-proof. When German Interior Minister Wolfgang Schäuble pushed for greater use of biometrics in 2008, for instance, a group called the Chaos Computer Club lifted his fingerprint from a water glass after a speech and reproduced it 4,000 times.

In 2014, at a hackers convention hosted by that same Chaos Computer Club, Jan Krissler, a well-known biometrics research hacker known as Starbug, demonstrated how he reverse-engineered the fingerprints of Germany’s defense minister, Ursula von der Leyen, using only high-resolution photos, including one issued by her press office and one he took from about three meters away, according to a report in the Guardian.

And while iris scans and facial recognition may be more difficult to spoof, they’re not foolproof either.

The biggest knock on fingerprints and other biometrics is what makes them appealing—their unchanging nature. Victims of hacks can get new credit cards or even new Social Security numbers. And, of course, they can change their passwords. But a biometric is forever.

DOD's plans have called for using biometrics as a secondary authentication tool, so, from an authentication standpoint, users who have strong passwords and change them regularly have a measure of protection. But the fallout from the OPM hack and the extent of personal information taken will take a while to determine—perhaps a very long time. As former CIA Director Michael Hayden pointed out, that personal information will stay with the victims until they “age off,” that is, for the rest of their lives.

Meanwhile, DOD has to provide protections for the affected personnel, try to shore up its security and accept the fact that, in the information age, attacks such as these will be business as usual. Hayden also said that, as CIA director, he would have done the same thing, saying the OPM hack does not reflect shame on the Chinese but embarrassment on the United States.

As for a second authentication factor for building access and mobile devices, derived credentials—software tokens containing the information included on CACs—might at the moment look like a more attractive option.