
A new approach for the secure storage of fingerprint data is under development. Today it is becoming more and more common to use biometric information for secure logins. Whether we store fingerprints on our mobile phone chip, in passports, when logging in to online banking, with our server host or in the cloud, security is always a concern.

Bian Yang of the Center for Cyber and Information Security (CCIS), which is hosted at NTNU in Gjøvik, Norway, is studying how to ensure that personal data cannot be accessed by unauthorized individuals.

According to, Yang and his colleagues have developed a secure approach for storing fingerprints. Their patent has now been bought by the firm Crossmatch, which provides fingerprinting security for border crossings into the United States.

“To enter the United States, you have to get all ten fingers fingerprinted. Storing such a vast number of fingerprints clearly involves a major security risk. It would be catastrophic if these were leaked, and linked to individuals,” says Yang.

“A person’s biometrics can’t be changed the way PINs or passwords can. Biometric identifiers are our individual physiological characteristics, unique traits that make us who we are,” says Yang.

Since we have ten fingers, we might think that we only have ten identification possibilities, but that isn’t necessarily so. The method that Yang has developed enables an infinite number of digital bits of information to be generated from the same fingerprint. These can be used as passwords in different places.

The information bits are as unique as your fingerprint, but they have the advantage that you can log in without the direct use of a sensitive and very personal fingerprint. This approach thus allows the same secure identification with biometric information in a protected form.

Yang’s method prevents someone from acquiring and misusing your fingerprint. This is important as the use of cloud services increases. With cloud storage, the responsibility for making the storage secure is handed off to a third party – cloud service providers. The technology is more vulnerable than we might think.

Yang explains that security can be increased by protecting the whole fingerprint and extracting only bits of information to use for identification. This method can be compared to using different passwords for different logins. Every time you log in somewhere, information from your fingerprint is generated.

“We ensure that these bits of information can’t be linked to one another or back to the original fingerprint. This is important in preventing someone from stealing or misusing your fingerprint data. Protecting the information before sending it to the cloud and using it in protected form will be important in the future,” said Yang.

A new EU regulation for data protection will go into effect in 2018. The General Data Protection Regulation will enhance privacy and provide a more unified privacy policy across national borders. Previously, different national laws have not been in sync with each other, which has created problems for global companies such as Google, Facebook, and LinkedIn. “We’ve done our research with a view to finding new, joint solutions in the EU, so that it will be possible to implement the new law once it comes into force a year-and-a-half from now,” said Yang.