Biometric authentication is a brilliant solution to the problem of passwords and usernames for identity access management that replicates one of the worst features of password management. Now, that feature threatens to create havoc across the world’s biometric identity systems. We discuss how Verifiable Credentials can solve the problem.
By Sam Curren
The value of biometrics in authentication
You can’t forget your face; it’s always with you, making it a powerful way to manage identity access. But, realistically (which is to say, outside Mission Impossible movies), you can’t reset your face if its digital copy gets stolen. Unfortunately, that’s just the risk we’ve created by storing biometric data for verification in centralized databases.
The good news is that you don’t have to scrap your existing biometric authentication systems.
Biometrics are fast, cool, unforgettable (in the password sense), and easy to use. We want you to use them; we just want to be sure that your end users don’t pay the price.
How biometrics work
Traditional biometric systems are very simple. There are two pieces that work together: enrollment and verification.
Enrollment is where your biometric data is collected. It usually takes a few scans of your face or finger so that the system can gather several samples and compute a template that allows for some variation. This template is then stored in a database, to be retrieved and compared against what you present when you try to access the system.
When a biometric is collected at an access point through a scan, it is compared to the stored biometric template. Most systems are not looking for an exact match; instead, they compare key points in the template, such as the position of the swirls and loops in your fingerprint. The combination of the variation in individual biometrics and the selection of key biometric points allows for accurate identification given random variations during scanning — such as a finger not quite aligned in the same way as when the template scan was conducted.
Databases are the downfall of biometrics (and really any user data you’re trying to keep secure)
The problem facing biometric systems is the same one that has plagued logins and passwords since their inception: the system relies on a centralized database to function, and storing all of this biometric data in one place makes it an attractive target for a data breach.
This turns a security problem into an existential risk for biometric databases because, unlike passwords and logins, which can be quickly changed after a breach, people’s biometrics are largely unchangeable and remain compromised indefinitely. Once a database has been breached and the information is out there, it becomes easy for bad actors to generate false positives that will work on any other system tied to the user’s biometrics.
Solving the problem (bring your own biometrics)
When biometrics were first introduced there wasn’t really a good way around the database problem. Since then, we have developed Verifiable Credentials, which offer a tamper-evident, decentralized way for people to hold their information and biometrics themselves on their mobile devices.
The process looks largely the same: your system captures a person’s biometric and creates a template in the same way as before; but instead of saving that template in a database, it is issued to the person (or their guardian) inside a Verifiable Credential.
Because the template is digitally signed, it cannot be altered without detection. And because Verifiable Credentials use cryptography to prove who issued them, you can be certain the template was issued by your systems or by another source you trust.
This means that when a person presents themselves for a biometric check, they also present the biometric template from their Verifiable Credential. The verifying party simply compares the two to see if they match, without needing to store any biometric data.
And because there is no personal information stored, there are a ton of benefits: easier data privacy compliance, lower liability, no possibility of mass compromise, and more privacy, security, and control for the end user. Most importantly, you keep all the benefits of biometric authentication.
To learn more about Verifiable Credentials and Biometrics you can watch the recent Meetup Indicio hosted on biometric authentication, or reach out to our team of experts.