Private Identity as a Service (PIDaaS): Q&A with Albert Marcè Valle of Ricoh Spain IT Services
Private Identity as a Service (PIDaaS) is designed to create and to field-test a secure mobile authentication system built on speaker and face recognition technologies.
The project is co-funded under the ICT Policy Support Programme, and involves several partners spanning Italy, Lithuania, Norway, Spain and the United Kingdom, including Ricoh Spain IT Services, CSI Piemonte, Bantec, Eurecat, University of Kent, E-bros, TicSalut and Hogskolen I Gjovik.
PIDaaS combines traditional biometric technologies and identity management platforms to create an innovative service in which biometric data serves as the main identifier. This biometric data is combined with other metadata relating to hardware, software and network to better ensure the accuracy of each authentication request.
Additionally, PIDaaS adds biometric template protection schemes (BTPS) to avoid the typical privacy and security risks associated with other authentication solutions.
BiometricUpdate.com recently had the opportunity to discuss the PIDaaS project, its main objectives, and what distinguishes it from other biometric authentication solutions, with Albert Marcè Valle, consultant trainee at Ricoh Spain IT Services.
What is the main purpose and key objections of PIDaaS?
Albert Marcè Valle: PIDaaS will enable the cloud paradigm to provide better services, designed around users, where each contact with government is useful and fulfills the user’s needs. The uptake of services supports policy outcomes, such as a leaner government, which includes improved efficiency and increased user satisfaction. These are the fundamentals of the PIDaaS project and are also the foundations of the Digital Agenda.
This project aims to provide security and easy-of-use identification management to the user. First, security will be provided by the inclusion of biometrics into the authentication process using mobile devices, along with other meta-data provided from the hardware and network. Second, privacy will be realized by the use of biometric template protection schemes (BTPS). Third, data management and user control will be assured using mobile BTPS, which will allow the users to take control over which service providers use her/his biometric reference templates (pseudo-bioidentities) and personal data, how long they can be used and the possibility of cancelling its use. Finally, privacy and security as well as the usability will be ensured by rigorous assessment based on real mobile application scenarios.
How does PIDaaS work?
PIDaaS is the result of the integration of three technologies, including BTPS, IdForMe and LMP. The platform consists of the PIDaaS mobile application, which allows the users to manage their identity, personal data and biometric templates and to be authenticated through speaker and face recognition. The management of data allows the users to authorize which action is performed in their name on any website and decide what information they allow to access to website, mobile apps, online purchasing, etc. The authentication process is based on the IdForMe platform, which allows people to do the authentication process using the speaker and face recognition verification technology.
Second, the PIDaaS backend provides a mobile gateway for the mobile application and service providers to access to the PIDaaS platform services. Through this gateway, service providers can ask for login authentication services, and users can manage their stored data. Third, the PIDaaS life management platform (LMP) is responsible for storing the information about PIDaaS users, service providers and for monitoring users’ activities within the PIDaaS platform. It is a mechanism for sharing personal data between the user and the services in a secure way.
Finally, the PIDaaS biometric template protection scheme (BTPS) is responsible for creating and verifying the biometrics templates of the users (so-called pseudo identities). This technology enables the creation of multiple pseudo-bioidentities from the same biometric trait, with the possibility of revoking, renewing and reissuing them. It also assures the privacy by allowing the use of biometric traits while avoiding the inherited risk of classic biometric solutions.
What are the main benefits of the solution?
Biometrics has been proven to be a highly secure alternative for authenticating electronic transactions, being both convenient and comfortable for the users. However, the use of
biometric on a large scale will bring greater potential of misusing biometric data, which may lead to serious privacy hazards (i.e. impersonation, profiling, cross-matching, etc.). In order to overcome this drawback, the biometric template protection schemes (BTPS) that PIDaaS use have been proposed as a promising solution.
BTPS are proactive technologies to protect privacy and ensure security at the same time. They are the best interpretation and straightforward implementation of the “privacy-by-design”
concept. They further enable security during the whole lifecycle of biometric related identities. Moreover, the use of BTPS will allow fulfilling the different personal data regulations, as only the biometric template (pseudo-bioidentities) is stored and transmitted, which is, by definition, unlinkable with raw biometric data. Thanks to these technologies, multiple renewable and revocable pseudo-bioidentities can be derived from a set of biometric samples.
These pseudo-bioidentities preserve the strong physiological-link with the user’s identity and provide irreversibility (it is computationally hard to reconstruct the original biometric sample from the biometric template), unlinkability (different pseudo-bioidentities derived from the same biometric samples cannot be linked between each-other, avoiding cross-matching), revocability, and renewability (solving the drawback of cancelling the few biometrics traits that a user has). These qualities will increase the confidence in biometric technologies, especially in Europe, where privacy concerns are an essential part of our democratic culture.
The combination of biometrics pseudo-bioidentities provided by BTPS with the use of smartphones as a second security channel for online transaction and a strong identity management service will highly increase both the security and privacy of individuals. PIDaaS aims to give the individuals the control over his/her different biometric pseudo-bioidentities and
personal data, which can finally overcome the obstacles that biometric systems have faced regarding user’s privacy and identity management.
What are some key applications of PIDaaS?
The aim of the PIDaaS project is to create an identity management service, including the identity assurance service based on different factors in order to determine the level of
authentication certainty and to provide to the end users the control of whom and how can use their information can be utilized besides the authentication itself. It will rely on biometric traits as one of the most important factor for the identity assurance, including other meta-data to increase the level of certainty. PIDaaS aims to add biometric template protection schemes (BTPS) to this framework, which allows the use of biometric traits while avoiding the inherited risk of classic biometric solutions. In this way, the PIDaaS framework will clearly differentiate from other existing biometric authentication systems (like IdForMe or IdentityX).
Provided that biometric authentication methods are sufficiently resistant against presentation attacks, biometrics authentication through mobile devices (i.e. smartphones or tablets) will fill the need for strong authentication that both clients and service providers have. From the end-user’s point of view, biometrics solves the risk of impersonations and reduces the complexity of the authentication process, as the use of user/password combination will be eluded. From the service provider’s point of view, biometrics solves the risk of fraud and provides the best way to allow clients to access sensitive data (highly interesting especially in e-health and e-citizen services).
When will PIDaaS being piloting the technology?
We will begin three pilots with 200 users expected to be participating in the first pilot in February 2016.