Security at the centre: why biometrics is key to supporting digital ID programmes
For many governments, the Holy Grail is to enable citizens to access a plethora of services using digital ID. For that to happen, they must first ensure that the person behind the screen is who they say they are. Enter biometrics
The increasing preference in a post-pandemic world for us to access services from the comfort of our own homes, combined with the advancement of smartphone technology in our pockets, is seeing governments turn to biometric identities to ensure that all manner of e-services can be accessed both conveniently and securely.
Authentifying people from their visual characteristics – their faces, irises or fingerprints – is becoming the gateway of choice for administrations around the globe, with biometric information embedded into passports, driving licences and national identity cards. Through government use of biometrics, citizens in some countries can access a wide range of public services via a single portal, and remotely perform tasks such as signing legal documents.
As Gregory Kuhlmey, partnership and innovation director for digital identity at biometric specialist IDEMIA’s Paris office, explains: “We cannot accelerate the use of digital services without ensuring the right level of security; and biometrics are a key enabler to know that the person behind the screen is the person it’s supposed to be.”
Biometric information, such as facial recognition, can be used to set up a secure account that the citizen can subsequently access using different kinds of authentication factors such as passwords or pins. Alternatively, an administration might ask for biometric authentication every time the citizen logs in.
But how can governments be confident that this is enabled in a secure, accurate and unbiased way? And how can they reassure their citizens that such sensitive personal information can be kept safe, and used only for the purposes it was intended?
Kuhlmey explains how the technology works in terms of ensuring a citizen’s authenticity. “If governments are using facial recognition to set up an account, initially they need a trusted reference picture, so that they know what the person they are expecting to see behind the screen looks like.
“This reference picture can come from the central registry or it may come from an identity document, like a passport. Once you have this trusted reference portrait, you then need to take a picture of the person that is behind the computer. You need to make sure that it’s an actual person.”
It is preferable, he says, for smartphones to be used for this purpose rather than laptops as they benefit from better cameras. Sophisticated algorithms lower the risk of the system being duped by impersonation or masked faces and provide accurate and unbiased authentication.
When it comes to a biometric system’s performance capabilities, there are a number of independent bodies that can provide governments with assurances through rigorous testing of the various options on the market. The most notable of these is NIST (The National Institute of Standards and Technology) which is part of the U.S. Department of Commerce. In June, the IDEMIA facial recognition algorithm 1:N came top among 75 tested systems and 281 entrants in NIST’s latest facial recognition verification test, which measures against accuracy, speed, storage and memory criteria.
More recently NIST has included indicators by which you can see how biased an algorithm is. IDEMIA passed this test with distinction.
Citizens’ security concerns
The type of biometric system selected and how it is rolled out and adopted by governments will to a great extent depend on that society’s culture and appetite for the technology.
“Some countries are deeply worried about biometrics, which hinders the deployment,” says Kuhlmey. “Others recognise that biometrics brings security and convenience. We work with governments to ascertain what that interest is and build the system around that.
“For example, the national context may allow a government to build a national database of biometric data as happened in India.”
As a result, IDEMIA was able to build a national ID programme in close partnership with the Indian government which 95% of the population – 1.3 billion people – use to process over 200 million payment transactions every month.
In countries where citizens would feel uncomfortable with a central database, one alternative is to store sensitive information in a smart card or a mobile phone, and give the user more control.
Kuhlmey explains that in this scenario a trusted system of matching authentication is still needed. The central server would not hold a database of the entire population; instead, it is sent the trusted reference portrait from the smart card or mobile phone together with the person’s ‘selfie’ only when required. Once this information has been processed, it is discarded and will not leave a trace.
Citizens’ security concerns are understandable. Last month, an Argentine government database containing ID card data of all its citizens was hacked. Amongst the information reputedly stolen was biometric data in the form of photos, plus home addresses, birth dates, and social security numbers.
However, security protocols continue to advance. In the last few years a number of cryptographic approaches have been developed. For example, data can now not only be stored centrally but also be processed centrally whilst remaining encrypted all the time. Therefore, anything leaked cannot be used, explains Kuhlmey.
Another concern is how biometric information is used. Citizens are unlikely to trust the system if they provide facial recognition to access their drivers’ licences if this is then used to identify them, say, taking part in a protest or demonstration.
“Clearly, this is to do with the ethical use of these biometrics,” Kuhlmey says. “To have trust in the system, you need to assure citizens that there’s not going to be such misuse, for example where biometric data may be used in a criminal justice setting and would basically mean that every citizen is a suspect. For that you need to have an authority that regulates the use and oversees how different government agencies are using the biometric data.”
Kuhlmey concludes: “There is a great deal of potential to deploy biometrics because it offers a great source of confidence and convenience when done in an ethical, secure way. It needs to be regulated, and the regulators need to understand that the technology is not something people should be afraid of.”
Virtual drivers’ licences in the United States
In the US, IDEMIA has been working with a number of states to provide driving licences on mobile phones by using biometric authentication. One such collaboration is with the Oklahoma Department of Public Safety and other agencies in the state to develop a digital ID app called Mobile ID.
For provenance, the digital ID is issued from the department’s identity ‘system of record’. Based on this record, the Mobile ID app creates a virtual version of the physical driver’s licence on the individual’s smartphone. Data can be shared with law enforcement undertaking roadside stops through use of a verifier app. The virtual drivers’ licences also allow Oklahoma residents to secure access to online services provided by both the public and private sector.
Arizona, Delaware, and Mississippi are also states where IDEMIA Mobile drivers’ licenses are currently deployed.
About Partner Content
This content is brought to you by a Global Government Forum, Knowledge Partner.
Related Posts
