Trust Stamp CSO argues for biometric binding with fuzzy tokens in EAB talk
Trust Stamp Chief Science Officer Dr. Norman Poh presented a system for biometric binding which gains privacy benefits from asymmetric key encryption and fuzzy tokens in a European Association for Biometrics (EAB) lunch talk.
The webinar focused on the context and technical details of moving ‘Towards building a resilient digital identity system with strong biometric binding.’
Poh described how Trust Stamp creates its Irreversibly Transformed Identity Token (IT2) by injecting a secret code into the biometric template, and how cryptographic keys are bound to users’ biometric templates. This approach allows the biometric sample to be revoked and avoids the risk of GDPR fines.
He also noted that the same method can be used to tokenize any kind of personally identifiable information (PII).
If the sample does need to be revoked, the credential can be recovered by re-enrolling the biometric and combining it with a new secret.
Any biometric data can be used, with error rates reduced by capturing more than one sample of the given biometric.
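The binding and revocation idea described above, sketched as an added example using a generic cancelable-template technique (secret-seeded random projection with sign quantisation). This is not Trust Stamp’s IT2 algorithm, which the article does not detail; the feature vectors, secrets, token length and match threshold are constructed assumptions.

```python
import random

TOKEN_BITS = 256  # length of the derived token (assumed for this sketch)

def derive_token(features, secret):
    """Project the feature vector onto secret-seeded random directions
    and keep only the sign of each projection (one bit per direction)."""
    rng = random.Random(secret)  # the secret determines every direction
    bits = []
    for _ in range(TOKEN_BITS):
        direction = [rng.gauss(0.0, 1.0) for _ in features]
        dot = sum(d * f for d, f in zip(direction, features))
        bits.append(1 if dot >= 0 else 0)
    return bits

def average(samples):
    """Fuse several captures of the same biometric to reduce noise."""
    return [sum(col) / len(samples) for col in zip(*samples)]

def distance(a, b):
    """Fraction of differing bits (normalised Hamming distance)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def matches(token, enrolled, threshold=0.25):
    return distance(token, enrolled) <= threshold

def capture(template, noise, rng):
    """Constructed stand-in for a sensor: the true template plus noise."""
    return [t + rng.gauss(0.0, noise) for t in template]

def demo():
    rng = random.Random(7)  # constructed sample data, not real biometrics
    alice = [rng.gauss(0.0, 1.0) for _ in range(64)]
    mallory = [rng.gauss(0.0, 1.0) for _ in range(64)]
    secret_v1, secret_v2 = b"constructed-secret-1", b"constructed-secret-2"

    enrolled = derive_token(average([capture(alice, 0.05, rng) for _ in range(3)]), secret_v1)
    probe = derive_token(capture(alice, 0.05, rng), secret_v1)
    impostor = derive_token(capture(mallory, 0.05, rng), secret_v1)
    # Revocation: discard secret_v1 and re-enrol the same person with a new secret.
    reissued = derive_token(average([capture(alice, 0.05, rng) for _ in range(3)]), secret_v2)
    return {
        "genuine": distance(probe, enrolled),
        "impostor": distance(impostor, enrolled),
        "old_vs_reissued": distance(enrolled, reissued),
        "genuine_accepts": matches(probe, enrolled),
    }

if __name__ == "__main__":
    print(demo())
```

A fresh capture from the enrolled person lands within the threshold, while both a different person and the same person’s token under a new secret differ in roughly half their bits, so a leaked old token does not match the reissued one.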
Poh cited the frightening risk of the Taliban using biometric data to find victims among Afghanistan’s population as an example of where a system with an application-specific key could prevent the misuse of biometrics that are stored on a device, rather than in the cloud where the data can be deleted remotely. Revoking the application-specific key severs the link between the template and the token derived from it.
An alternative approach is being used with COVID-19 vaccination certificates, many of which are not bound to the individual with biometrics. This eliminates the risk of biometric data theft through the credential, but has also contributed to the proliferation of counterfeits and forgeries, Poh says. While rudimentary document fraud can be discovered in various ways, Poh points out that legitimate-seeming credentials issued illegitimately by inside actors, such as healthcare workers, present a challenging problem.
Similar problems are presented by synthetic identity fraud and other attacks against financial services that are not protected with digital ID bound to biometrics.
Poh outlined the eKYC process, and how biometrics can be used to match individuals to established identities, such as those presented by government-issued ID documents. He also shared some of the gains Trust Stamp’s clients have realized, both in preventing fraud and in unblocking legitimate users.
He compared the binding methods of the FIDO protocol with those of Trust Stamp, and discussed additional security considerations. He also outlined the technical details of the verification processes and the level of assurance they provide.
The device where the software runs is also important, Poh says, as it acts as a second authentication factor, including in offline environments.
EAB’s next virtual lunch talk will be held on September 21, and will address ‘deciphering and generating faces.’