What makes a good biometric identity management solution?

What does it mean to have a good biometric identity management solution – and how do you build one that is both private and secure? Daltrey’s own Chief Technology and Security Officer, Dr Julien Bringer, dives into this critical topic through the lens of UX versus security, and the relevance of blockchain in biometrics.

 

How would you define a biometric identity management solution?

When we talk about biometric identity management solutions, it’s not just about incorporating biometrics within an existing identity management solution. It’s really about having the ‘global picture’ – having an identity and authentication capability – based on biometrics.

Biometric identity management is about registering someone’s biometrics, then issuing credentials to provide proof of that person’s identity. The credentials would rely on that person’s biometrics every time, in order to have trusted authentication. This then allows for all the access management aspects related to that identity.

 

Breaking down biometrics into layers, what would those layers look like in a good biometric identity solution?

First, a biometric system is not completely different from other security systems. You have to consider multiple layers in order to complement and have them back each other up. It’s a way to ensure that there is protection in depth, and you have to consider everything – from the system infrastructure layers through to the network application layers, to the communication layers and monitoring layers.

There is some specificity that needs to be considered – for example, you will integrate a set of specific biometric algorithms, you will run those biometric algorithms and embed them within some specific biometric components, including verification components to do the comparison between one biometric and another.

Then you have the layers corresponding to where those components are executed and what they entail in terms of hardware and software aspects. In general, these are captured by the notion of endpoint security. And then you have the layer of sending the biometrics – communicating the outcome of the different comparisons or different checks that you are doing during the workflow.

But you have to take into consideration that you are manipulating or communicating sensitive data, so you want there to be end-to-end security to protect the biometrics in transit, at rest or wherever they may be.

And then you still have to monitor the remote management of your system, and obviously the identity and authentication management around your system. It’s kind of a cycle. You are using biometrics to secure further biometrics. But there’s also a need to manage the roles, so you need to be very careful. You don’t want to develop a strong biometric identity management solution with a weak password that can be taken over.

Those layers are there to limit the number and the size of holes. As with other security systems, there is no 100% safe solution. The question for biometric systems is about the user experience – so how many layers are there, and how much are you aware of the risks on each layer in order to strengthen the overall system?

 

Let’s discuss how blockchain relates to biometrics. It’s not just for Bitcoin or all the other random coins – there is a real opportunity for biometrics and blockchain and identity and the world that we live in. So break it down for us: what is the place for blockchain and biometrics as you see it?

If you think about biometrics as an authentication factor, that’s the only one that can really make the link between a real, physically present person and a digital representation of the person. If you think about blockchain, one of the main issues is about where the keys (which are needed to sign a transaction) are managed within the system.

Biometrics is a useful tool to authenticate someone and release the access and the right to execute; to use the keys and sign a transaction within a blockchain. But more than that, when we talk about blockchain and biometrics, it’s necessary that you mix it with biometric identity management solutions.

So there’s been a lot developed in the last decade about the concept of identity management based on blockchain in order to more easily bring different identity providers, attribute providers and service providers into the same system. A lot of work has gone into being able to interoperate more easily within that system, and to build trust based on the blockchain network. This enables everyone to not only transact, but also to know and trust what’s happened in the past.

You can leverage biometrics in order to check whether an identity is legitimate before it is issued. Biometrics can also be used to link the user with that identity. Depending on the level of ID assurance required, you can also leverage an ID document to check that the identity has been vetted (by a country, for instance). After the proofing and issuing of credentials, you can then leverage biometrics as an authentication factor to authorise access to the credential itself in order to use the blockchain system.

 

So the blockchain system is really used to store the identity attributes which have been vetted during a proofing process and the authentication of the biometric itself as a way to link those identity attributes as an authentication method. Is that correct?

That’s correct. And depending on the kind of blockchain system and how it’s deployed and managed – whether it’s public or private – then you may end up storing the attributes directly within the blockchain.

If it’s public, you will only store, for instance, encrypted attributes or the signature of those attributes, while the attributes themselves would be stored elsewhere. The signature within the blockchain will enable you to verify that the attributes have been checked and that their integrity has been preserved.

 
