With Verifiable Credentials, biometric authentication can be used to convey a lot more useful information than what you look like.
By Trevor Butterworth
Biometric technology has long been marketed as the ultimate solution for easy, secure identity verification. A quick scan of a fingerprint, a facial recognition check, or even an iris scan — what could be more foolproof? But here’s the uncomfortable truth: Standalone biometrics aren’t as secure, private, or effective as they seem.
Sure, biometrics can tell you who someone is, but they can’t tell you anything about them. Biometrics without biographies are dumb — a missed opportunity. The real value of biometric authentication is when it is bound to a context: what an identifiable person is able to do (certifications, licenses, skills), what they have access to (accounts, buildings, systems), and what they own (assets, records, tickets).
This is where Verifiable Credentials supercharge biometrics.
Contain yourself
Verifiable Credentials allow people to hold information about themselves and share it in ways that are cryptographically verifiable. A Verifiable Credential is like a sealed digital container for data. You always know where the container originated (viz., the issuer of the credential), you can easily verify that the contents of the container haven’t been tampered with (all the data is digitally signed), and you can prove that the container was issued to you.
One of the most important sets of data you can put in a Verifiable Credential is your biometric data. We talk about this in “Bring Your Own Biometrics.”
Briefly, this means that you can support a liveness check with an authenticated copy of your biometrics. It means the party verifying your likeness doesn’t have to store your biometric data to cross-check it (a privacy and security boon), and it provides an easy pass for avoiding deepfakes. A call center can get you to submit an authenticated biometric instead of relying on increasingly fraud-prone voice recognition technology.
Now that you can really, truly, verify that you are identical to your biometrics, you can leverage that power to share and verify other useful information.
Digital Passport Credentials show the way
A physical passport combines an image with data. Someone looks at you, swipes the passport, and reads the associated information. Behind the scenes, the source of the passport — the office that issued it — is cryptographically verified.
A physical passport is the most powerful form of identification we have. It is designed to be extremely hard to fake. Hence, we trust this combination of biometrics and data. We may even infer that the person showing a passport and the person named in the other identity-related information they present are one and the same.
Verifiable Credentials replicate this and make it more secure. In short, the biometric image electronically embedded in the passport chip is compared by software with your live image when a digital passport credential is created. The origin of the physical passport is cryptographically checked, and the electronic data is seamlessly transferred into the passport credential.
We now have a digital equivalent of a physical passport. We’ve talked about how this is revolutionizing travel and border crossing, but the point here is to see how the passport credential is much more useful than just a biometric. It binds an authenticated biometric to useful information about who we are.
This principle can be extended in two ways.
Just add authenticated biometrics to any data
First, we can cryptographically prove that the person issued a Digital Passport Credential was also issued all their other credentials. In other words, we can combine a high-assurance, high-trust Digital Passport Credential with what, if it were presented on its own, might be a low-assurance, low-trust credential. Essentially, every other digital credential can leverage the assurance baked into a Digital Passport Credential.
But we can also add authenticated biometrics to any kind of person-related credential. So, for example, an employee credential could be issued with a biometric template during onboarding, along with the employee data. The employee data can then be used to configure governance rules for least-privilege access to systems, while the biometric template provides assurance of identity.
Or the template could be issued separately and then requested, as a security double check, when an employee uses their (biometric-less) employee credential: they have to present two independently, cryptographically verifiable credentials for access.
A health credential allowing access to systems or providing consent to data can be combined with authenticated biometrics.
Almost any kind of information can be bound to an authenticated biometric.
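The employee double check described above can be sketched from the verifier's side. This is an added example, not Indicio's code or any credential library's API: the issuer names, keys, field names and functions are all hypothetical, HMAC stands in for the issuer's public-key signature, and the plain `holder` field is a simplification of the cryptographic holder binding.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for the issuer's digital signature so the
# sketch runs on the standard library; real credentials carry public-key
# signatures, so the verifier never holds an issuer's signing secret.
ISSUER_KEYS = {"hr.example": b"hr-demo-key", "biometrics.example": b"bio-demo-key"}

def _payload(cred):
    # Canonical bytes of everything except the proof itself.
    body = {k: v for k, v in cred.items() if k != "proof"}
    return json.dumps(body, sort_keys=True).encode()

def issue(issuer, ctype, holder, claims):
    cred = {"issuer": issuer, "type": ctype, "holder": holder, "claims": claims}
    cred["proof"] = hmac.new(ISSUER_KEYS[issuer], _payload(cred), hashlib.sha256).hexdigest()
    return cred

def verify(cred):
    """True only for a known issuer and contents unchanged since issuance."""
    key = ISSUER_KEYS.get(cred.get("issuer"))
    if key is None:
        return False
    expected = hmac.new(key, _payload(cred), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), str(cred.get("proof", "")).encode())

def authorize(employee, biometric, live_match, resource):
    """Decide access from two credentials; returns (allowed, reason).

    live_match is the result of comparing a live capture with the template in
    the biometric credential, done by a matcher outside this sketch.
    """
    if not (verify(employee) and verify(biometric)):
        return False, "credential failed verification"
    if (employee["type"], biometric["type"]) != ("Employee", "BiometricTemplate"):
        return False, "unexpected credential type"
    if employee["holder"] != biometric["holder"]:
        return False, "credentials issued to different holders"
    if not live_match:
        return False, "live capture does not match issued template"
    if resource not in employee["claims"].get("access", []):
        return False, "resource not granted"  # least privilege: deny by default
    return True, "ok"

# Constructed sample credentials for one holder.
EMP = issue("hr.example", "Employee", "holder-123", {"role": "nurse", "access": ["ward-records"]})
BIO = issue("biometrics.example", "BiometricTemplate", "holder-123", {"template": "constructed-template"})
```

The checks run in order of cost and trust: nothing in either credential is read for policy until both proofs verify, and access is denied unless the requested resource is explicitly listed.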
Supercharge your biometrics with Indicio Proven
Indicio is the global leader in authenticated biometrics thanks to its work developing Digital Passport Credentials for seamless border crossing.
To learn how you can use this same technology at any scale to add value to your biometric authentication systems (and benefit from better security), contact us here.