In many authentication systems, input received from a user is matched against a template previously stored for that user. User templates are often stored in direct association with the respective user identifiers. For example, in one type of biometric authentication system with server-side template matching, a biometric reader associated with an endpoint computing device or other type of client device samples a biometric value from a user, such as a fingerprint, an iris image, or keystroke dynamics. The sample is transmitted to a server for comparison with the stored user template, and the authentication attempt succeeds if a biometric matching algorithm determines that the sample matches the template.
Maintaining the confidentiality of biometric data in such a system is important for preventing impersonation attacks. In the absence of strong hardware protections on the biometric reader and an authenticated channel to the server that stores the templates, there is no assurance that biometric samples are honestly presented by a user rather than injected or simulated by an attacker. That is, the integrity of the system hinges on the confidentiality of the stored templates.
Biometrics are particularly sensitive authentication secrets because they are often a scarce resource. In some cases, they are non-revocable. For example, a user can change the fingerprint he or she uses to authenticate at most nine times. The same biometric is also commonly used across many systems. Additionally, biometrics tend to comprise innately personal information. Consequently, their disclosure may be viewed as a breach of user privacy.
A server-side biometric authentication system of the type described above typically involves the aggregation of templates from many users in a single database. Given this aggregation and the special sensitivity of biometric templates, system compromise can have extensive repercussions. Similar problems arise with other types of user templates and other authentication systems.
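The following added example, which is not part of the original text, illustrates the server-side matching flow described above and why the stored templates are so sensitive. Biometric samples are noisy, so the server compares a fresh sample against the enrolled template with a tolerance (here a Hamming-distance threshold over a toy 64-bit feature vector) rather than testing for equality. The same example shows that a password-style salted hash of the template would reject every genuine but slightly noisy sample, which is why such servers typically hold templates in a matchable form and why their confidentiality matters. The template store, the bit-string representation, the threshold and the enrolled values are all constructed assumptions for illustration, not a real biometric algorithm.

```python
import hashlib
from dataclasses import dataclass, field

TEMPLATE_BITS = 64      # toy feature-vector width (assumption); real codes are much longer
MATCH_THRESHOLD = 8     # max Hamming distance accepted as a genuine match (assumption)


def hamming_distance(a: int, b: int) -> int:
    """Number of bit positions in which two feature vectors differ."""
    return bin(a ^ b).count("1")


def perturb(template: int, flip_positions) -> int:
    """Simulate sensor noise: a fresh sample from the same user differs from
    the enrolled template in a handful of bit positions."""
    sample = template
    for pos in flip_positions:
        sample ^= 1 << pos
    return sample


@dataclass
class TemplateStore:
    """Server-side store mapping user identifier -> enrolled template.

    The template is held in matchable form because the fuzzy comparison
    needs the template itself; a database read therefore exposes every
    enrolled user's biometric at once.
    """
    threshold: int = MATCH_THRESHOLD
    _templates: dict = field(default_factory=dict)

    def enroll(self, user_id: str, template: int) -> None:
        self._templates[user_id] = template & ((1 << TEMPLATE_BITS) - 1)

    def authenticate(self, user_id: str, sample: int) -> bool:
        """Accept the sample if it is within the tolerance of the stored template."""
        template = self._templates.get(user_id)
        if template is None:
            return False
        return hamming_distance(template, sample) <= self.threshold


def hashed_exact_match(template: int, sample: int) -> bool:
    """Password-style check: compare digests of the stored value and the sample.
    Any sensor noise at all makes this fail, so a biometric server cannot simply
    store a hash of the template the way a password server stores a hash."""
    def digest(value: int) -> bytes:
        return hashlib.sha256(value.to_bytes(TEMPLATE_BITS // 8, "big")).digest()
    return digest(template) == digest(sample)


# Constructed enrolled templates for two users (not real biometric data)
ALICE_TEMPLATE = 0x5A5AF00F1234ABCD
BOB_TEMPLATE = 0xA5A50FF04321DCBA


def demo() -> dict:
    """Run the four cases a defender cares about and return the outcomes."""
    store = TemplateStore()
    store.enroll("alice", ALICE_TEMPLATE)
    store.enroll("bob", BOB_TEMPLATE)
    noisy_alice = perturb(ALICE_TEMPLATE, [0, 17, 40])   # 3 bits of sensor noise
    return {
        "genuine_fuzzy": store.authenticate("alice", noisy_alice),     # True
        "impostor_fuzzy": store.authenticate("alice", BOB_TEMPLATE),   # False
        "unknown_user": store.authenticate("carol", noisy_alice),      # False
        "genuine_hashed": hashed_exact_match(ALICE_TEMPLATE, noisy_alice),  # False
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The contrast between `genuine_fuzzy` and `genuine_hashed` is the point: the tolerance that makes biometric matching usable is exactly what prevents the server from storing templates as one-way hashes, so the confidentiality of the template database has to be protected by other means.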