Biometrics
Some consider biometrics as intrusive and as a violation of privacy. While you read, pay attention to how biometric systems authenticate and to the three main threats against biometric systems. What are these three threats and what are the cryptographic and non-cryptographic countermeasures?
3. Main Threats against Privacy-Preserving Biometric Authentication Systems
Attacks against privacy-preserving biometric authentication systems aim at learning information about the user's biometric trait or identity. What we describe in this section are attack strategies and goals connected to security and privacy issues that
have severe impact in users' lives, especially considering the irrevocability of biometrics templates. For a detailed description of the adversarial model, we refer the reader to, for example,. Below, we list the four main threats that afflict privacy-preserving
biometric authentication systems.
(1) Biometric Sample Recovery. In this case, the goal of the adversary is to determine a fresh biometric template
which is accepted by the authentication server. The consequences of a successful
attack are similar to the reference recovery attack, apart from the fact that the produced matching template may differ from the user's real one, and so the adversary can recover less information regarding the user's private information
(e.g., physical characteristics and DNA).
(2) Biometric Reference Recovery. A nonauthorised party (usually called the adversary) succeeds in recovering the (plaintext) reference biometric template
. This is the most harmful threat since by recovering the reference
template the adversary may gain unauthorised access to any system that uses as a reference template and also collect sensitive information about the user's physical characteristics and health.
(3) User's Traceability. An unauthorised party (e.g., the adversary) is able to trace a user's authentication attempts over different applications. Consequences of a successful traceability attack are cross–matching, profiling, and tracking of individuals.
(4) User's Distinguishability. The adversary recovers the link between a biometric template, or , and a user identity 
. Compromising this relation may lead to the disclosure of more sensitive information and
often breaks the anonymity of the system.
(1) Biometric Sample Recovery. In this case, the goal of the adversary is to determine a fresh biometric template
which is accepted by the authentication server. The consequences of a successful
attack are similar to the reference recovery attack, apart from the fact that the produced matching template may differ from the user's real one, and so the adversary can recover less information regarding the user's private information
(e.g., physical characteristics and DNA).(2) Biometric Reference Recovery. A nonauthorised party (usually called the adversary) succeeds in recovering the (plaintext) reference biometric template
. This is the most harmful threat since by recovering the reference
template the adversary may gain unauthorised access to any system that uses as a reference template and also collect sensitive information about the user's physical characteristics and health.(3) User's Traceability. An unauthorised party (e.g., the adversary) is able to trace a user's authentication attempts over different applications. Consequences of a successful traceability attack are cross–matching, profiling, and tracking of individuals.
(4) User's Distinguishability. The adversary recovers the link between a biometric template
, or , and a user identity . Compromising this relation may lead to the disclosure of more sensitive information and
often breaks the anonymity of the system.