“BYOB — Bring Your Own Biometrics” will help you avoid the existential risks of storing biometrics or managing generative AI deepfakes — while retaining your biometric authentication systems.

By Trevor Butterworth

Biometric authentication has been rapidly and widely adopted as a powerful and simple solution to the seemingly intractable risk of identity fraud. At face value, it seems like the perfect solution to the friction of logins and passwords: your face is unique and you can’t forget it like you can a password. That’s why billions of dollars have been poured into biometric technology, especially for seamless payments.

The problem is not just that you can’t reset your face if its biometric equivalent is stolen; it’s that your biometrics are being stored in precisely the same way that has successfully allowed millions of logins and passwords to be stolen.

It’s like we’ve collectively decided that strapping a jet engine on a people carrier will make travel faster. Yeah, in theory. But do the risks really have to be spelled out?

And while you’re still processing that mental picture, let me introduce you to deepfake me. It wants you to pay “me” the money I loaned you.

The combination of centralized biometric storage and generative AI now haunts biometric authentication. Stolen biometrics are lifelong existential risks. The world is still reeling from the audacity of a deepfake “chief financial officer” requesting and receiving a $25 million payment from an employee.

Twenty-three percent of financial organizations surveyed by Regula “reported more than $1,000,000 in losses due to AI-generated fraud.” And, as Davey Winder reported in Forbes, “dedicated mobile app security protections such as anti-emulation, anti-virtual environments and anti-hooking mechanisms” cannot be depended on to provide protection.

It seems almost trivial to add that even if a system isn’t hacked or tricked, biometric technology isn’t perfect. False positives do happen, with serious legal and financial consequences if someone is misidentified.

Avoid the risks without abandoning your biometric systems

There is an elegant way around all these problems that allows everyone to keep their biometric systems: Decentralized identity and Verifiable Credentials. We call it “Bring Your Own Biometrics” — BYOB.

Developed by Indicio for air travel and border crossing, BYOB removes the need to store biometric data in order to verify a liveness check.

Here’s how it works:

1. During identity verification, a biometric template is created and issued as a Verifiable Credential. This means the biometric information is digitally signed in a way that makes it tamper proof.

2. This credential is issued to a person who stores it in a digital wallet on a mobile device, secured by multiple layers of authentication, including a PIN and biometric access.

3. The credential is unique and it can’t be shared or faked: it is bound to the person and their device. It can be linked to other digital credentials and biographical data, so that a person can tie multiple proofs of identity together.

4. When the person needs to verify their identity, they perform a liveness check and present their biometric credential at the same time.

5. The system compares the live biometric data to the signed biometric data in the credential. There’s no need to store the data for cross checking.

6. For virtual authentication, the person has to present their credential at the same time as they perform a liveness check, thereby adding a verification that generative AI can’t fake.

7. Because users hold and control their biometric data, BYOB also ensures compliance with strict data privacy laws, like those in the EU.
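The verifier-side check in steps 4 and 5, sketched as an added example; it is not Indicio's code and does not use a real Verifiable Credentials library. The function names, the Ed25519 issuer key, the four-element template vectors and the 0.95 threshold are all assumptions, and liveness detection and device binding are assumed to happen before `verifyPresentation` is called.

```javascript
// Added illustration, not Indicio's implementation. Names and data are constructed.
const crypto = require("node:crypto");

// Issuer (steps 1-2): sign the biometric template together with a holder id.
// A real credential would use a canonical serialization, not raw JSON.stringify.
function issueCredential(issuerPrivateKey, holderId, template) {
  const claims = { holderId, template };
  const payload = Buffer.from(JSON.stringify(claims));
  return { claims, signature: crypto.sign(null, payload, issuerPrivateKey).toString("base64") };
}

// Cosine similarity between two equal-length template vectors.
function similarity(a, b) {
  if (a.length !== b.length || a.length === 0) return 0;
  let dot = 0, na = 0, nb = 0;
  for (let i = 0; i < a.length; i++) {
    dot += a[i] * b[i];
    na += a[i] * a[i];
    nb += b[i] * b[i];
  }
  return na > 0 && nb > 0 ? dot / Math.sqrt(na * nb) : 0;
}

// Verifier (steps 4-5): reject anything the issuer did not sign, then compare the
// live capture with the signed template. Both templates are discarded afterwards.
function verifyPresentation(issuerPublicKey, credential, liveTemplate, threshold = 0.95) {
  const payload = Buffer.from(JSON.stringify(credential.claims));
  const sig = Buffer.from(credential.signature, "base64");
  if (!crypto.verify(null, payload, issuerPublicKey, sig)) {
    return { ok: false, reason: "bad-signature" };
  }
  const score = similarity(credential.claims.template, liveTemplate);
  return score >= threshold
    ? { ok: true, reason: "match" }
    : { ok: false, reason: "biometric-mismatch" };
}

// Constructed sample data: one enrolled holder, a live capture of the same person,
// a different person, and a credential whose template was swapped after signing.
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const credential = issueCredential(privateKey, "holder-001", [0.12, 0.80, 0.35, 0.44]);
const liveSame = [0.13, 0.79, 0.36, 0.43];
const liveOther = [0.90, 0.10, 0.05, 0.70];
const tampered = { claims: { ...credential.claims, template: liveOther }, signature: credential.signature };

console.log(verifyPresentation(publicKey, credential, liveSame).reason);
console.log(verifyPresentation(publicKey, credential, liveOther).reason);
console.log(verifyPresentation(publicKey, tampered, liveOther).reason);
```

The third case is the one that matters against a substituted template: a live capture that matches the swapped-in template still fails, because the signature check runs before any biometric comparison.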

Looking at biometric authentication for its 2024 Prism Project Report, Acuity Market Intelligence called Indicio’s solution “masterful.” By enabling people to hold their own biometric data in a way that can be cross checked against themselves, the problem of centralized storage disappears and the problem of deepfakes is bypassed. A Verifiable Credential provides a simple, cost-effective way to prove you’re not fake.

It’s also technology that’s designed to be easily layered into existing systems. With Indicio Proven, you can use Verifiable Credentials to manage all kinds of authentication, from single sign-on to biometric border crossing, and deploy in hours or (depending on complexity) weeks.

Contact Indicio to learn how airlines and governments are already using Indicio technology for seamless travel and border crossing and how you too can use Indicio Proven to implement BYOB.
