How the Wise Implementation of Biometrics Will Improve Mobile Identity Programs
With the current global pandemic, there has never been more focus on the use of mobile technology to deliver identity credentials to a remote audience. Social interactions are restricted, and there is a great need for citizens to be able to prove their identity online, over the phone or even at a distance. In this blog post, I take a look at how biometrics can help in delivering and securing such mobile identity programs.
Adding Mobile Identity to an Identity Program Can Be a Challenge
The difficulty of introducing mobile identity to an existing government identity program lies in the ability to create a credential that has equivalent or superior value when compared to the physical credential: same or higher security, same or higher convenience. Most importantly, the added mobile identity must be usable in real life.
The typical lifecycle for an identity credential begins with enrollment in and creation of a trusted identity in the database of the issuing authority. Next, the credential (identity) must be delivered to the individual citizen (issuance). Finally, the citizen puts the credential into circulation by using it when it is necessary for identification.
Two criteria must be met to add mobility to the identity credential:
- Authenticity — Confirmation that the data is genuine. This is easily achieved with the same PKI mechanism that is used in electronic identity.
- Verification — Validation that the credential belongs to the person presenting it. This is easily achieved by having the verification entity proceed with a face match between the picture that is present in the credential and the live face of the presenter of the credential.
It’s commonly understood that applying biometric security to mobile applications will deliver additional security. However, there is a balance to be found between customer experience and security. Not enough security, and you achieve a good user experience without a sufficient level of assurance and with significant risk. Too much security, and you compromise user experience to the extent that it prevents wide-scale acceptance. So how can a government use biometrics to enhance both security and citizen adoption?
An Existing Database Can Be Used to Validate Biometrics
In most cases, government-issued programs start with a great advantage: there is already an existing database of securely enrolled data which can be used to validate any biometrics that are captured remotely. A one-to-one (1:1) face match can be employed, which avoids the risk and complexity of matching against many images. In this case, it is rather easy to fine-tune your false acceptance rate (FAR) and false reject rate (FRR) to have both high security and a good user experience. For a 1:1 face match, all you need to compare is the face on the trusted image in the credential and that of the presenter.
Matching the ID Holder to the Right Person Through a Remote Application Process in the App
There is value to going one step further and ensuring that the issuing authority that is provisioning the mobile credential is doing so to the “right” mobile device. In this context, “right” means that the identity holder is the person operating the device. The best way to achieve that confidence is by implementing a remote application process in the mobile app itself. This remote application process will make use of biometrics to secure and automate the process while maintaining an enjoyable user experience.
Typically, this remote application process involves capturing an existing physical document, such as a passport or driver license, either through taking a photograph or reading the electronic chip. This is then followed by taking a selfie and entering other biographical data. A biometric match can be made between the photograph in the document and the selfie, but the real security comes from comparing the selfie with the picture already held in the issuer’s database.
Now the issuing authority has the exact reference of the record in the issuer database as well as the live face of the requestor, a strong and trustable factor. The additional biographic information can represent a shared secret between the identity holder and the issuing authority, plus the issuer also has information about the specific device. The biometric evaluation process can then start, which will check a number of parameters according to the specific policy of that issuing authority.
Once this evaluation process has been completed, an automated adjudication mechanism can be initiated that will accept or reject requests, or send them on to secondary evaluation for manual adjudication when necessary. With this type of remote application process, the issuing authority has the flexibility to set its own policies as well as achieve the highest level of security and convenience.
Once the adjudication is done, the requested mobile credential can be provisioned automatically into the “right” device. In this case, the “right” device is the one where the initial application came from, the one where the “right” identity holder took the selfie.
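The FAR/FRR tuning of a 1:1 match and the accept / reject / manual-review adjudication described above, as an added example that is not the author's or HID's code. The similarity scores, the function names and the adjudication policy are constructed assumptions; a real issuer would derive thresholds from its own evaluation data and policy.

```python
# Constructed similarity scores in [0, 1]; illustrative, not real biometric data.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.84, 0.97, 0.73, 0.90, 0.86, 0.93]
IMPOSTOR = [0.12, 0.35, 0.41, 0.28, 0.55, 0.19, 0.62, 0.30, 0.47, 0.76]


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR = impostors accepted / impostors; FRR = genuine rejected / genuine."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def lowest_threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest observed score usable as a threshold with FAR <= max_far.

    FAR only falls as the threshold rises, so the lowest qualifying
    threshold is also the one with the smallest FRR for that FAR budget.
    """
    for t in sorted(set(genuine) | set(impostor)):
        if far_frr(t, genuine, impostor)[0] <= max_far:
            return t
    return float("inf")  # no observed score meets the budget: accept nothing


def adjudicate(db_score, doc_score, biographic_ok, accept_at, review_at):
    """Hypothetical issuer policy: accept, reject, or refer to a human.

    db_score  - selfie vs. the image already in the issuer database
    doc_score - selfie vs. the photo on the captured physical document
    """
    if not biographic_ok or db_score < review_at:
        return "reject"
    if db_score >= accept_at and doc_score >= review_at:
        return "accept"
    return "manual_review"  # borderline database match or weak document match


if __name__ == "__main__":
    accept_at = lowest_threshold_for_far(0.0)   # strict band for auto-accept
    review_at = lowest_threshold_for_far(0.2)   # looser band feeds manual review
    print("accept_at", accept_at, far_frr(accept_at))
    print("review_at", review_at, far_frr(review_at))
    for case in [(0.91, 0.85, True), (0.70, 0.85, True), (0.40, 0.90, True)]:
        print(case, adjudicate(*case, accept_at, review_at))
```

The database comparison gates the decision while the document comparison can only downgrade an accept to manual review, mirroring the point that the comparison against the issuer's record carries the real security.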
Biometrics are Useful for Unsupervised Events
There is one last value that biometrics bring to mobile identity: ensuring that the presenter is the holder, especially in case of unsupervised events like online verification. In this scenario, the mobile identity app checks that the face of the operator of the device matches with the picture in the mobile identity credential before authorizing any sharing. The verification process applies the same mechanism as above — a local match on the device unlocks the mobile identity and allows it to be used online or with a reading machine.
In conclusion, the use of biometrics is critical to achieving the benefits of mobile identity. The technology is ready to offer a well-balanced mobile identity that will have the right level of security with the right level of user experience and ensure large acceptance.
Jean-Baptiste Milan is the leading developer of HID Global's mobile identity solution HID goID™. He has over 12 years of experience developing and implementing electronic identity projects around the globe. One of his biggest successes is the implementation of the first national ID on a mobile phone in Argentina. Jean-Baptiste is active across many standardization groups, including ISO, where he contributes to the writing of the coming mobile driving license standard.