Because biometrics can't be reduced to a single hash (a number generated from a string of text), providers that store biometric information must rely on the security of their encryption keys for safekeeping of data that can't be revoked.
This concern forms the basis of the argument for housing that data locally, rather than trusting it to the cloud. Man-on-the-side attacks, in which fraudsters plant malware to scrape data as it's passed from the mobile device to the cloud, are eliminated as a possibility if the data is never transferred off the phone.
Intercede, a secure authentication credentials provider that's recently moved into developing secure identity on smartphones, is one of players arguing in favor of local storage. When biometrics are stored locally, "the matching is being done within a trusted app environment; then other rich apps can't sniff the data," said Chris Edwards, chief technology officer at Intercede.
This is especially important for storing fingerprints since providers can't reduce a fingerprint to a single, consistent value because of the flexibility of skin, said Edwards. "It's just an approximation."
For example, Apple Pay relies on multiple images to determine whether the fingerprint trying to access an iPhone 6 is a match.
The iterations that the FIDO Alliance is working on, building third-party authenticators that store information in a secured area on the device, can be delivered using Intercede's MyTAM service. Intercede launched the service in February for Android developers to create apps that launch in the Trusted Execution Environment (TEE), which Trustonic delivers for Intercede. TEEs are separate spaces in a mobile device that can be secured away from the main processor and memory space on the device.
"This is really useful when you're worried about getting Trojans on your phone and particularly important when thinking about entering passwords," Edwards said.
Seven to eight application developers have begun using Intercede's MyTAM service, including Ledger and Rivetz, both which are hardware security providers for Bitcoin services.
The main argument for storing biometrics in the cloud is being able to use those credentials seamlessly over multiple devices and so that merchants could share information between each other to stop fraud from spreading.
While government agencies have stored biometric information about citizens in the cloud for some time, Edwards said the government puts a lot of money and time into protecting these private cloud systems.
Regulators around the world are becoming particularly focused on the risks of cloud storage because of the rising number of data breaches over the past couple years.
Many cloud opponents also worry about the revocability of biometric information. Unlike PIN codes, fingerprints and eyeballs can't be changed or replaced.
"If you think about the financial services sector, if there's a loss because of a security breach you know what it's going to cost you; it's quantifiable," said Edwards. "But, however, if that system is protecting personal information, like health care or biometric data you don't know the real value of that data."
Providers that house irreversible data need to be better protected than banks, he said.
But Dave Birch, director at U.K.-based Consult Hyperion, said it's hard to say one method is better than the other for all situations, specifically when differentiating between authentication and identification.
A voice biometric template could be stored in the cloud, Birch said, as long as it's used for authentication and not to identify the person. For example, if a bank required the customer to speak their account number for access that biometric template shouldn't be kept in the cloud. But what's more likely is that a bank will ask customers to say the date or another unique passphrase to access their account. This allows the bank to use that voice match across multiple devices, and in this way, even if a fraudster gets the biometric they are unable to really do anything with it, he said.
Biometric matching services have started deploying liveness tests, making it harder for a fraudster to use a copied face or fingerprint. For example, facial recognition technology sometimes uses flashing lights to detect slight movements. And instead of using a static fingerprint, some providers are instead reading finger vein scans to be able to detect blood flow. But at the same time, fraudsters are testing ways to get around these methods.
The matching algorithms are the "special sauce," Birch said. Birch is a bit more optimistic than Edwards about business' ability to reduce a biometric to a single hash for matching and secure it effectively in the future.