D3.10: Biometrics in identity management
A token (possession) or a secret (knowledge), as traditional factors for authentication, have a common problem: is the user the legitimate user, or has the token been stolen and is it being used by an unauthorised person? To secure the binding between a token and an authorised user, knowledge as an additional factor of authentication (e.g. in the SecurID systems by RSA Inc.) or a facial image (photo, e.g. in paper based travel documents) can be added.
In this context biometrics can be used instead of or in addition to knowledge or printed photos on ID documents to secure the binding between a physical person and a token. This could be applied not only to Type I government controlled ID models, but also to the Type II access model, the Type III mixed model and the Type IV b convenience model.
At that point, however, one should ask which functionality of biometrics should be deployed in order to meet the proportionality criterion. In most cases security can already be improved considerably by applying the verification mode of biometrics in combination with a token. Biometrics will then be used for verification purposes. This is especially valid for the biometric Type II access model for securing access to online systems (see above, section ), even if the biometrics in that model are used in an environment where there is no supervision (e.g., web access at home for financial services). Using biometrics for identification purposes, that is, deploying the biometric in combination with a token for a 1:N comparison locally in a Type II model, does not add much to the security of that application, while the central storage of the biometric that the 1:N check requires carries considerable risks for the person involved (such as the loss of control over the use of the biometrics - see also above). The use of biometrics in combination with a token for identification could for that reason be considered disproportionate. This problem becomes void if one assumes that the biometric is stored in a secured token, which cannot be easily counterfeited or hacked.
Decisions of DPAs in some countries seem to follow that approach. On 27th April 2006 the DPA in France issued a ‘single authorisation’ decision which allows the use of fingerprints to the extent that the fingerprint of employees is verified against the template stored on the card for access control, without central storage.
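
The two modes contrasted above, as an added example that is not part of the FIDIS deliverable: a 1:1 verification against a template held only on the token, next to a 1:N identification that needs every template in a central store. Assumptions: templates are toy byte strings compared by Hamming distance, the token's integrity is protected by an HMAC under a hypothetical issuer key, and all names, keys and values are constructed.

```python
import hashlib
import hmac

THRESHOLD = 2  # max differing bits still accepted as a match (constructed value)

def distance(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length toy templates."""
    if len(a) != len(b):
        raise ValueError("templates must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def _tag(issuer_key: bytes, holder: str, template: bytes) -> bytes:
    # Integrity tag binding the template to the holder (assumed scheme: HMAC-SHA256).
    return hmac.new(issuer_key, holder.encode() + b"\x00" + template, hashlib.sha256).digest()

def issue_token(issuer_key: bytes, holder: str, template: bytes) -> dict:
    """Enrolment: the template is written to the token only, with an integrity tag."""
    return {"holder": holder, "template": template, "tag": _tag(issuer_key, holder, template)}

def verify(issuer_key: bytes, token: dict, sample: bytes) -> bool:
    """Verification mode (1:1): match the live sample against the token's own template."""
    expected = _tag(issuer_key, token["holder"], token["template"])
    if not hmac.compare_digest(expected, token["tag"]):
        return False  # counterfeit or altered token
    return distance(token["template"], sample) <= THRESHOLD

def identify(central_db: dict, sample: bytes) -> list:
    """Identification mode (1:N): needs every enrolled template in one central store."""
    return [who for who, tpl in central_db.items() if distance(tpl, sample) <= THRESHOLD]

# Constructed sample data: 32-bit toy templates, not real biometric encodings.
ISSUER_KEY = b"constructed-demo-key"
ALICE_ENROLLED = bytes.fromhex("a5c33c5a")
ALICE_LIVE = bytes.fromhex("a5c33c5b")   # same person, one bit of sensor noise
BOB_LIVE = bytes.fromhex("5a3cc3a5")     # a different person
alice_token = issue_token(ISSUER_KEY, "alice", ALICE_ENROLLED)

if __name__ == "__main__":
    print(verify(ISSUER_KEY, alice_token, ALICE_LIVE))  # legitimate holder
    print(verify(ISSUER_KEY, alice_token, BOB_LIVE))    # stolen token, other person
    forged = dict(alice_token, template=BOB_LIVE)       # template swapped, tag not updated
    print(verify(ISSUER_KEY, forged, BOB_LIVE))
    print(identify({"alice": ALICE_ENROLLED, "bob": BOB_LIVE}, ALICE_LIVE))
```

The `verify` path never touches a template database, so a compromise of the relying system exposes no stored biometrics; `identify` cannot run without one.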