Last week Israel’s Interior Ministry announced that it will be testing the sharing of a fingerprint biometric database with the U.S. in an exercise to become part of the U.S. visa waiver program. While there is still some way to go, especially given the privacy commitments, what is being undertaken between the Israeli government and its citizens to create the database is another signal towards the revolution in the federation of biometric data.

Identity federation has been controversial subject since inception. This includes the extension of credit profiles to credit bureaus who were already aggregating sensitive customer information, through to attempts by various types of organizations to leverage their customers’ personally identifiable information (PII) for a wide range of Identification and Verification (ID&V) and fraud solutions, most notably “social sign-on” via the likes of Facebook, Google etc. There have been a few regional initiatives as well, such as India’s UIDAI, UK’s GOV.UK Verify, DigID Netherlands and public-private partnerships such as SecureKey Concierge in Canada.

The wide-reaching implications of regulations such as the General Data Protection Regulation (GDPR) as well as the second Payment Services Directive (PSD2), presently being drafted, signals extremely onerous technical, operational and reporting obligations for companies holding PII, as well as heavy fines for breach. This has resulted in a somewhat different attitude towards customer data which is now being viewed as “toxic” by some of the same organizations who previously had a stranglehold over this information. While not immediately evident, biometrics’ ability to support secure ID&V without the sharing of biographic data goes a long way towards fulfilling many of the key regulatory requirements.

At Risk: Federation Creates Honeypot for Criminals
Federation does however carry the risk of attack, as has been seen by the number of large scale breaches across digital giants and credit bureaus. All aggregators of PII have either already been hacked, or stand the risk of cyber-attack. This is to be expected as data centralization creates a honeypot for cybercriminals who sometimes lack a profit motive, but rather enjoy “celebrity status” in the identity underworld. Nonetheless, stolen identities can be good business due the sheer scale at which data can stolen, and then sold in bulk.

These fears are also driving ever escalating consumer concerns relating to PII. The concept of Identity Relationship Management (‘IRM’) is also gaining traction, where consumers are wanting to store their identity, very much like paper-based ID&V, and provide it selectively to companies without the risk of a central repository. The Sovrin Foundation is leading such an initiative through the creation of the Self Sovereign Identity (SSI).

Distributed architectures, such as that for mobile devices from the FIDO Alliance, provides a mechanism by storing the data on end-devices, and sharing encryption keys in a hybrid form.

The blockchain, originally developed for Bitcoin and a growing number of crypto-currencies, is interestingly also referred to as the “trust machine,” and resonates well with ID&V challenges, especially as the sharing of any personal information is based on trust. More generically referred to as “shared-ledger” or “distributed-ledger” technologies (DLT), these “trust mechanisms” simultaneously address the regulatory and technical requirements, while providing continually improving ID&V confidence, at scale; and the promise is that this will be done forever! While it is too early to confirm this, the signals are that a combination of blockchain platforms, together with SSI-type schemes, are the way of the future.

Categories: Intelligent Authentication, Articles