Biometrics come to verifiable credentials with Applied Recognition and Sovrin Foundation
The Sovrin Foundation is best known in the digital identity community for the MainNet Hyperledger Indy identity ledger, which it operates as a public utility. The non-profit organization with a vision of digital “identity for all” has partnered with several other organizations, including Applied Recognition, to develop a digital identity wallet that includes biometrics with verifiable credentials.
The wallet is intended to support self-sovereign identity (SSI), like all Sovrin projects.
“What Sovrin and others in this SSI community are trying to bring back to the world is user control of their identity documents and identity data,” explains Sovrin Executive Director Chris Raczkowski to Biometric Update in an interview.
Self-sovereign does not mean ownership, he says; it means user control, like a passport, which is not technically owned by the individual. The concept is being buoyed by interest in digital wallets holding increasingly sensitive information, including health data.
As interest in digital wallets has increased, it is also increasing interest in biometrics to secure them, according to Applied Recognition Executive Vice President of Business Development Carrie Bois.
“We’ve been seeing some activity, certainly with government, where biometrics clearly are one of the elements they want to introduce, so we’re seeing some traction,” she says.
Biometrics provide the secure binding of the individual to the credential they are presenting, while Sovrin’s use of blockchain-based verifiable credentials ensures privacy.
“All private information is, we say, ‘off-chain,’” Raczkowski explains. “It’s held in somebody’s perfect wallet, it’s issued by an issuing authority to an individual’s, or even a company’s secure wallet. Nothing is on the ledger.”
Biometrics are somewhat new in the verifiable credentials space, Raczkowski says, so while neither technology is itself new, bringing them together, and doing so in a highly secure way, is novel.
The market has reached the stage of growing understanding of how to secure credentials and wallets, Bois adds.
“People rely on biometric controls by the manufacturer as a method of securing what’s in the mobile device,” she points out. “That’s fine if there’s biometric control to actually access the device, but how do you really authenticate the credential?”
The Sovrin Foundation is looking at the wallet alignment in terms of interoperability, but also in terms of embedding a layer of protection into the solution. Verifiers need to know there is a way to ensure a person has not unlocked their phone and then handed it to their friend.
Consumers, meanwhile, are rapidly becoming aware of digitizing credentials, Bois says.
“And now, the average consumer is getting completely engaged to understand what this means, and getting more familiar, if from more of a peripheral perspective. As are companies,” Bois adds. She also notes that it is typical of an emerging technology that certain, more forward-looking sectors lead the way in adoption.
Privacy-preserving new world
The goal, Bois says, stands in stark contrast to the industry’s past as a boutique industry.
Governments, particularly those in Canada and Europe, are increasingly behind the idea, according to Raczkowski, perhaps in part due to their familiarity with the well-established underlying technologies.
“What we’re doing is bringing it together so we have the privacy-respecting verifiable credentials, with biometrics that by themselves people are at great risk of losing their biometric identities if it’s not done in this privacy-protecting way,” Raczkowski summarizes.
The biometric comes in as part of credential issuance and verification processes for confidence in all aspects for the verifying party. The consumer gets the ability to use their biometrics, with a lower risk of data loss because of the decentralized architecture and the use of verifiable credentials.
Making wallet available, with support from companies like Applied Rec supplying biometrics that people can use for free, therefore extends Sovrin’s mission of supporting SSI. The companies generous enough to donate their technology to the wallet get commercial upside from next steps of service for banks and other organizations leveraging the open-source wallet, Raczkowski says.
“For us, that’s why they would pick up the phone,” Bois explains. “They know that it’s an easy solution. And with disparate systems right now, especially in financial services where you have, certainly, leading edge solutions but you also have legacy systems, this allows the systems to kind of come together and introduce a transformational technology that has all the security you need.”
Fintechs are a potentially interesting commercial use case for biometrics for KYC and AML checks, and Sovrin intends to add other biometric modalities to the wallet over time.
Bois notes that some governments are interested in using the wallet with biometrics, and that governments are currently looking for ways to implement a level of interoperability with privacy-preserving credentials that the Sovrin wallet already provides. Applied Recognition is seeing interest in a range of different applications of the wallet, for unique challenges requiring different features. Many customers are not sure what exactly they need, making it important for Applied Recognition to anticipate those needs to help guide them.
“It’s very hard from a business perspective, unless you’re in the sphere, to anticipate what I’m going to need or try to mitigate,” Bois observes. “You have to be a pretty large organization with substantial resources to be able to manage this.”
This is typical of leading-edge solutions, she says. “Sometimes clients are not even aware of what they should be asking for, or how that will impact some of the conversations in terms of compliance, regulatory, security and other pieces of it.”
This is particularly the case because some of what is on market is technology to deal with a specific challenge within a process, rather than a suite of solutions. To help their customers understand what they are looking for, Bois suggests biometrics providers have to come together beyond the industry associations and lobbying they have engaged in in the past.
Applied Rec has become a thought leader in the industry after 15 years experience, according to Bois, and is trying to push industry in the right direction.
Potential breakthrough opportunity
Raczkowski acknowledges that there is a large contingent that believes combination of verifiable credentials and decentralized identifiers is like a killer app for privacy-respecting secure identity management.
The Foundation considers the Sovrin Wallet as an intended part of a larger ecosystem.
“We expect the commercial companies out there and governments to be able to leverage this and then make verifiable credentials and DIDs the killer app for our personal identity needs.”
The wallet, like Sovrin’s identity utility, is being made available for white-labeled implementation and use. He compares its ambition for identity to the role of Linux in running the internet.
At this point, Applied Recognition is talking to a European organization working on supply chain and credential related to COVID, among others.
“Their success is all of our success,” Bois points out. That is the case even for future use cases that Sovrin and Applied Recognition might never be aware of, as users adapt and implement the Wallet for their own use.
“We’ve already got good momentum and a good reputation out there with the ledger. All over the world people are using it,” Raczkowski says. “IATA’s using it for their Travel Pass, governments are using it for POCs as well as initial credentials for health professionals et cetera. But if you ask anybody out there using those services, they’ll never know who Sovrin is. And that’s fine, because they don’t know who ICAO and these other organizations are either. But that’s I think a symptom of things working well.”
At the same time, there is important educational work to be done, Bois says, which will help reduce anxieties in the market. A solution is here that addresses those concerns, and allows people to embed biometrics into credentials and wallets for convenient security.
For companies that want to pursue that direction with their own products and solutions, she says, the time is right to start that dialogue.
“It may actually be more convenient and better to use a group like Applied Recognition because of their experience, but that’s a consumer choice,” Raczkowski emphasizes. “It is not a requirement in the open-source world.”
Bois agrees. “Companies are coming together to bundle solutions. The competitive landscape is changing. Partnerships are certainly out there in the digital identity space, but this one is kind of unique, and we’re happy to have conversations with people on what it means and how it can help their own business.”