If someone steals your fingerprint, “cancelable biometrics” software from IBM can issue a new one.
Your fingerprints are yours and yours alone, and that makes them a useful tool for confirming the identity of people doing things like conducting secure banking transactions or passing through corporate security checkpoints.
Trouble is, it’s theoretically possible for a hacker to break into the software of, say, an employer, steal a copy of your stored fingerprint, and later use it to gain entrance.
So researchers at IBM have come up with “cancelable biometrics”: if someone steals your fingerprint, you’re just issued a new one, like a replacement credit card number.
The IBM algorithm takes biometric data and runs it through one of an infinite number of “transform” programs. The features of a fingerprint, for example, might get squeezed or twisted. A bank could take a fingerprint scan when it enrolls a customer, run the print through the algorithm, and then use only the transformed biometric data for future verification.
If that data is stolen, the bank simply cancels the transformed biometric and issues a new transformation. And since different transformations can be used in different contexts – one at a bank, one at an employer – cross-matching becomes nearly impossible, protecting the privacy of the user.
Finally, the software makes sure that the original image can’t be reconstituted from the transformed versions. IBM hopes to offer the software package as a commercial product within three years.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today