Today’s post is about a topic that’s close to my heart. And my credit report.
As you may have heard, personal information belonging to millions of federal employees and others was stolen from the Office of Personnel Management and the Interior Department. That was bad.
But this week, it’s come out that it’s not just personally identifiable information (PII) that’s been stolen, but fingerprints as well.
This brings up one of the major problems with using biometric identification as an authentication mechanism. Passwords can be changed. Credit cards can be replaced. In extreme cases, you may even be able to get a new social security number. But biometrics are, by definition, a part of you. You can’t just go out and change your voice print or get a new set of fingerprints.
I understand why the keepers of really important data use biometrics. “Something you are” is one of the fundamental authentication mechanisms. (The other two are “something you know” — like a password — and “something you have” — like a keycard.) And two-factor authentication is a must for any really important data.
But if your data is so important that you literally “want a piece of me” to allow me to work with it, then have the decency to protect it at least that well. Unfortunately, the federal government has a history of failing to protect the data in its charge.
The OPM director has resigned over this incident. It will be easy to say that the problem will be solved under a new director. Perhaps the next person to accept the responsibility of this office will in fact do better. But until those in charge value their employees’ personal data and their citizens’ trust more than their positions of power, we will continue to see incidents like this in the government.