Privacy preserving biometrics for strong ID proofing possible, Mobai researcher contends
Strong biometric identity verification standards and privacy regulations in Europe are at odds, but the situation is resolvable, according to a presentation for the European Association for Biometrics.
The EAB Lunch Talk was presented by Dr. Erik Guoqiang Li of Mobai, who is also an adjunct research fellow at NTNU.
‘User-Centric Biometrics – Securing Privacy & Compliance in Adopting Identity Proofing and Verified Credentials Use Cases’ explores a user-centric architecture for biometric facial authentication.
Norway’s BankID uses one-time passwords and physical tokens to preserve user privacy, based on verification with a passport. Subsequently, remote ID proofing is carried out with the BankID app, which can be used to access government and private-sector services or sign documents digitally.
The digital ID is issued by the bank, and is intended to work with or without a user-specific key held on a device like a smartphone.
Facial recognition is a good option for remote ID proofing, Li says, but must be carried out in accordance with eIDAS, and therefore its supporting standard from ETSI. Presentation attack detection is required, image manipulation detection is recommended and face morphing detection may also be involved under the standard. Mobai expects morphing detection to be added to the requirements in the future.
He points out some ambiguity in the requirements, which seem to suggest assessment at both the algorithm level, with a reference to the NIST FRVT, and the system level, with references to false acceptance rate (FAR) and false rejection rate (FRR). Norway’s BITS standard imposes an additional accuracy requirement at the algorithm level.
Li discussed Mobai’s efforts to eliminate bias from its face biometric systems, which focussed on the camera. Calibrating cameras, or applying post-processing where calibration is not available, shows promise in reducing a major, if not the main, source of additional errors for people with darker skin.
The PAD requirements refer to attack presentation classification error rate (APCER) thresholds and bona fide presentation classification error rate (BPCER) performance. Academic studies poorly reflect the state of the art in this area, however, Li points out, as they set the APCER threshold too high for the security needs of real-world applications. Mobai sees a BPCER of below 15 percent at an APCER as the state of the art in face verification today.
Li then shared Mobai’s work on deepfake attack detection and face morphing detection (MAD), and the company’s involvement in the European Commission-funded iMARS project. Mobai has developed an approach to MAD based on measuring feature differentials.
A typical identity proofing architecture was compared with the requirements, revealing a tension between the assurance the standards require, which includes processing images in environments outside the end-user’s control, and the concerns of regulators and users over centralized biometric data storage. This tension, he says, is currently unresolved.
BankID fraud has resulted. Weak binding has even allowed drug addicts to trade their BankIDs when they run out of money.
Banks in Norway are required to store passport photos to comply with AML regulations, but do not use them in identity verification out of fear of GDPR.
Mobai has therefore worked on a way for them to use face biometrics for authentication in a way that maintains compliance with privacy regulations. A key must be combined with the face template to deliver unlinkability, irreversibility, and renewability as required by the regulation.
What key will fit?
Li moved on to Mobai’s approach to key generation.
The backend authentication server generates the user-specific key, which along with the service’s public key is used to encrypt the reference biometric template, he explains.
The encrypted template can then be safely sent to a database server, and the user given both the public and private keys. This creates a strong binding necessary for onboarding without compromising user privacy, according to Li. The user maintains full control throughout the authentication process.
A similar system can also work without a user-specific key tied to a device, such as when a user switches to a different device. In this case, the user sends the encrypted template to the database server, which makes the authentication decision and passes it to the service provider in encrypted form. The service provider uses a private service key to decrypt the authentication decision.
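To make the three properties named above concrete, here is an added illustration (not Mobai’s scheme, which the talk did not specify) of a keyed, cancelable template in the biohash style: a user-specific key and a service identifier seed a random projection of a face feature vector, and only the signs are kept. The feature vectors, keys and service identifiers are constructed for the demo; comparison happens in the protected domain, never on raw features.

```python
import hashlib
import hmac
import random

DIM = 64     # length of the constructed face feature vector
BITS = 256   # length of the protected binary template

def protect(features, user_key, service_id):
    """Keyed random projection: the user key and service id seed the projection,
    and only the sign of each projection is kept, so the features cannot be
    recovered from the template (irreversibility)."""
    seed = hmac.new(user_key, service_id, hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    template = []
    for _ in range(BITS):
        row = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
        template.append(1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0)
    return template

def hamming(a, b):
    """Fraction of differing bits; about 0.5 for unrelated templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(protected_ref, probe_features, user_key, service_id, threshold=0.2):
    """Compare in the protected domain: the probe is transformed with the same key."""
    return hamming(protected_ref, protect(probe_features, user_key, service_id)) <= threshold

def demo():
    """Constructed feature vectors standing in for face embeddings (not real data)."""
    rng = random.Random(2024)
    alice = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    alice_probe = [f + rng.gauss(0.0, 0.1) for f in alice]   # same face, capture noise
    bob = [rng.gauss(0.0, 1.0) for _ in range(DIM)]          # a different person
    key1, key2 = b"user-key-1", b"user-key-2"                # hypothetical per-user keys
    bank, insurer = b"service:bank", b"service:insurer"      # hypothetical service ids
    ref = protect(alice, key1, bank)
    return {
        "genuine": verify(ref, alice_probe, key1, bank),
        "impostor": verify(ref, bob, key1, bank),
        # unlinkability: the same face enrolled at two services is not correlatable
        "cross_service": hamming(ref, protect(alice, key1, insurer)),
        # renewability: a new key yields a fresh template and the old key stops matching
        "renewed": verify(protect(alice, key2, bank), alice_probe, key1, bank),
    }

if __name__ == "__main__":
    print(demo())
```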
Verifiable credentials and face biometrics can be combined by the creation of protected templates, which can be sent to an issuer by the holder to be embedded within the VC. Biometric comparison takes place with a protected probe template in the encrypted domain.