D3.2: A study on PKI and biometrics
There are three different concepts to establish a link between a physical person and their digital identity: something the person knows, such as a secret phrase, password or PIN code; something the person carries with her, such as a token like a passport; and something that the person is, i.e. a biometric feature.
Figure 4‑: There are three different concepts (called factors) used to establish a link between a physical person and their digital identity
These three concepts are used alone or in combination to qualify the strength of user identity verification: from 1-factor systems to 3-factor systems, which are considered the most secure but are also the most expensive and complex to deploy and operate. Below are some examples of user identity verification systems with increasing strength:

1 factor:
  - Password
  - An object (half of a dollar bill, as seen in movies)
  - A passport
  - A fingerprint reader

2 factors:
  - Credit card + password: ATM bank machines
  - Scratch list + password: most online e-banking sites
  - An object + password: spy movies

3 factors:
  - A biometric system + token + password
Notably, 3-factor systems all incorporate biometrics to provide the “something you are” factor. Biometric recognition, or more simply biometrics, refers to the automatic recognition of individuals based on their physiological and/or behavioural characteristics. Examples of such characteristics will be examined in detail in section . Essentially, biometrics allows a system to establish or confirm an individual’s identity based on who s/he is, rather than what s/he remembers, such as a PIN code, or what s/he possesses, for example a passport. As such, biometrics offers advantages over traditional authentication systems, which cannot discriminate between a bona fide user and an impostor who fraudulently obtains the access identifier, for example a password or swipe card.
Biometrics represents a special factor in the authentication process. Unlike a secret, a biometric feature is tightly bound to a physical person. Traditional methods of restricting access to secure systems have been passwords and ID cards; however, these can easily be guessed and stolen respectively, and have thus proven to be unreliable. Biometrics, on the other hand, cannot be stolen, borrowed, or forgotten, and forging one is usually complex. Typically, forging a biometric credential requires at least some contact with the legitimate owner of the credential and the physical presence of the impostor. Conversely, a person cannot easily deny that she carries a certain biometric characteristic. This opens the unique possibility of authenticating an uncooperative person, or even of proving to an impostor his true identity (negative authentication).
All biometric systems consist of an enrolment phase and a production phase during which the biometric data are actually used. During the enrolment phase, one or more biometric samples are taken from an individual, e.g., image(s) of a fingerprint, of the face or a voice sample. From these samples, biometric data are extracted, a biometric template is created from the data and the biometric template (a so-called reference template) is stored for later use. In the ‘production’ phase, the individual submits his/her biometric characteristics to the biometric system, and the system compares the biometric characteristics of the applicant with the earlier submitted sample or reference template. If the match succeeds, the system will ‘accept’ the individual. If not, the individual will be rejected. One should take into account that the current biometric technologies calculate the match with only a degree of certainty, since the presented biometric characteristics will almost always vary from the image or the template of the enrolment, i.e., the match will never be 100%.
The functionalities of biometrics are verification and identification. Verification is a one-to-one process (1:1) of comparing a submitted biometric sample against the biometric reference template of a single enrolee. The reference template could be stored on an individual storage medium, such as a smart card, or in a database, or both. Identification is a one-to-many comparison process (1:N), recognising an individual by distinguishing him/her from other persons whose biometric data are also stored. For an identification system, it is not possible to store the reference templates solely on an individual storage medium. Authentication is also a one-to-one process (1:1) whereby the submitted characteristics are compared to a specific biometric template which could contain the identity information of the individual, in order to authenticate the identity claim.
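The enrolment, verification (1:1) and identification (1:N) flow described above, as an added example that is not part of the original study. It assumes a constructed 256-bit binary template compared by fraction of differing bits against a threshold of 0.30; the template format, noise level, threshold and all names are illustrative assumptions, not taken from any real biometric system.

```python
import random

BITS, THRESHOLD = 256, 0.30   # constructed template length, accepted distance (assumptions)

def distance(a, b):
    """Fraction of bits that differ between two templates."""
    return bin(a ^ b).count("1") / BITS

def capture(feature, rng, noise=0.10):
    """Simulated sensor reading: each bit flips with probability `noise`."""
    flips = sum(1 << i for i in range(BITS) if rng.random() < noise)
    return feature ^ flips

class BiometricSystem:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.references = {}            # identity -> reference template

    def enrol(self, identity, samples):
        """Enrolment: build the reference template by per-bit majority vote."""
        votes = (2 * sum((s >> i) & 1 for s in samples) > len(samples) for i in range(BITS))
        self.references[identity] = sum(1 << i for i, v in enumerate(votes) if v)

    def verify(self, claimed, sample):
        """Verification (1:1): compare against the claimed identity only."""
        ref = self.references.get(claimed)
        if ref is None:
            return False, None          # unknown claim is rejected, not searched
        d = distance(ref, sample)
        return d <= self.threshold, d

    def identify(self, sample):
        """Identification (1:N): closest reference, accepted only within threshold."""
        if not self.references:
            return None, None
        d, name = min((distance(r, sample), n) for n, r in self.references.items())
        return (name if d <= self.threshold else None), d

def demo(seed=7):
    rng = random.Random(seed)           # constructed population, not real data
    people = {n: rng.getrandbits(BITS) for n in ("alice", "bob", "carol")}
    system = BiometricSystem()
    for name, feature in people.items():
        system.enrol(name, [capture(feature, rng) for _ in range(3)])
    probe = capture(people["alice"], rng)
    stranger = capture(rng.getrandbits(BITS), rng)
    return {"genuine": system.verify("alice", probe),
            "impostor": system.verify("bob", probe),
            "identified": system.identify(probe), "unknown": system.identify(stranger)}
```

The genuine probe is accepted with a non-zero distance, which is the "never 100%" match the text describes: acceptance is a threshold decision, and moving the threshold trades false rejects against false accepts.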
As well as the business and privacy aspects, the technicalities of the biometric methods will be described in more detail below.
Denis Royer | 17 / 40 |