
D3.10: Biometrics in identity management


Biometrics in identity management and the authentication process: basic concepts and major distinctions

By way of introduction to chapter 3, some factors of the authentication process are recapitulated below. It is important to understand not only the basic concepts of the process but also the major distinctions in the functioning of a biometric system. In an authentication process, the authenticity of a claim of a person who seeks access to a place or a system is verified against previous information. This previous information may be given to that person, obtained about that person or obtained from that person. The verification of a claim can be done by various means, such as checking possession of a key or a token which has been handed over to that person, or checking knowledge of an access code (user identifier and password). In general, however, there are three possible factors to authenticate a claim or a person (see figure 1): possession of a credential object, knowledge of a secret and/or personal information, and an individual biometric feature in the form of a physiological or anatomical attribute or a distinctive behaviour.

A biometric factor is fit to be used for verification, but it is far more powerful as it enables the checking of (mostly) unique biological characteristics submitted by an individual against previous biometric reference data. A biometric comparison matches selected features extracted from sets of information based on unique human characteristics. In the process, a decision is made about the probability that the characteristics which are compared belong to the same person. In a verification process, the biometric system recognises and decides that the individual (based on the submitted characteristics) is the same person as the one he claims to be (based on the biometric characteristics previously submitted by that same person). Because biometrics can in principle not be handed out or forgotten, it is believed that biometric recognition will play an increasing role in authentication processes.


Figure 1: Biometric comparison is one of three possible factors to authenticate a person.

At the same time, the use of biometrics raises concerns. Biometrics mostly involve the use of physiological or behavioural characteristics (or a combination of both) which are unique for a specific human being. Biometric data, alone or in combination with other (personal) data, allow identification of a person. Biometrics can reveal directly or indirectly who a person is, even if information such as the name and the place where he/she lives is not stored with the biometric data. A facial image allows identification of a person. The use of a key or of an access code could in principle remain anonymous. A fingerprint image permits identification of the person in question through comparison with the fingerprint of a person who is present or with the fingerprints in a database. The use of a PIN does not necessarily identify a person. Therefore, biometrics are a very powerful tool, as the data also allow for the identification of human beings, sometimes even without their knowledge. Because of the identification capabilities, biometric information was initially mainly used for law enforcement purposes. This additional ‘quality’ of identification ability, which is inherent to many biometric characteristics (e.g., fingerprint, iris, voice, etc.), is however now also being investigated, with much enthusiasm, by governments for other purposes.

In the debate about the use of biometrics in identity management systems, the verification process of the authenticity of a claim has to be clearly distinguished from the identification process. Identification and verification are in fact two completely different processes and are also different functions performed by a biometric system. Biometric authentication by verification, in the sense of a process of establishing confidence in the truth of a claim (a claim is, for example, “I am entitled to enter these premises” and “this entrance card has been issued to me”), is a verification of one submitted item of information against one given item of information and does not necessarily involve identification of that person. Authentication in this meaning of a one to one (1:1) biometric verification could also be effectuated with non-identification techniques, such as the testing of knowledge belonging to that person (e.g., a PIN code attached to the card) or location of that person, or verification of the possession of a particular item issued to that person, such as a smart card with biometrics, and verification that the biometrics stored on that card stem from the submitted biometrics. In other words, the identification ability of biometrics does not in principle need to be used in a ‘simple’ authentication process. However, upon the collection and the use of biometric characteristics, depending on the design and the use of a central database, both functions of identification and of verification often co-exist, and the various schemes in which biometrics are used often do not clearly indicate which functionality is used. This is also indicated in the overview of models and types stated infra in section .

The identification ability of biometrics, including the fact that once unique human characteristics (such as fingerprints) are compromised (e.g., stolen) it is not possible for the individual concerned to adopt new human characteristics, brings on many concerns. In the context of discussions about the protection of privacy and biometrics, the risks of function creep and non-respect for the data minimisation principle (amongst other things) are often mentioned. We believe that these concerns relate principally to the identification functionality of biometrics, which go beyond the authentication purposes for which the biometrics might be used in a particular application.

Because in an authentication process it can also be verified that someone is the person he/she claims to be, the terms authentication, verification and identification and their meaning in the biometric comparison process are often used together or confused. This does not facilitate the debate about the deployment of biometrics. It is therefore very important to distinguish the two functionalities of the biometric comparison process in the discussions about its use and risks, and crucial that due attention is paid to terminology and vocabulary. We will see below that during the standardisation activities on biometric vocabulary, the term ‘authentication’, which is still often used as a synonym for verification, has become deprecated and that consensus grows that in discussions about the deployment of biometrics the term should be replaced by the term ‘verification’ (see infra, section ). We should therefore speak in general of a biometric comparison which can be used in a verification or identification mode.

In this context, it is also important to be clear about the notions of ‘identity’, ‘identification’ and ‘identifiability’. ‘Identity’ is in general often understood as referring to the identification details of a person, as registered at the time of birth by a civil servant in a population register (in civil law countries) and consisting of a set of information about that person such as name, date and place of birth, address, name of mother/father, etc. (‘civil identity’). ‘Identification’ and ‘identifiability’ would then be understood as the possibility to link a person through his biometric characteristics with this ‘civil identity’, as registered and known to the government. Private and commercial parties also know and use this ‘official’ information of persons in a variety of applications. It is primarily this meaning of identification that is considered a risk by most people in the discussion about biometrics. Practically speaking, this identification would require a database in which unique biometric characteristics are combined or linked with other identifying information about the ‘civil’ identity, such as name and address. Such a central register is exactly what several governments intend to establish, for example in the United Kingdom.

‘Identity’, however, could also be defined in other ways. In the context of identity management research, identity is sometimes defined as ‘any subset of attributes of an individual which identifies this individual within any set of individuals’. According to this definition and understanding, there is no such thing as “the identity” of one person, and one person may have several ‘identities’. ‘Identifiability’ is then ‘the state of being identifiable within a set of subjects (…)’. Taking into account this approach of identity, biometrics could also be used to identify an individual within a group of subjects, but without necessarily referring to the ‘civil identity’. The identification ability of biometrics will then only be used to identify an individual within a group (one to many (1:N) comparison), without other information such as name. This does, however, not solve all problems as this would still require a central storage of the biometric data (but without name or a direct link to a database with names). First of all, biometrics could be deployed as unique identifiers and therefore could be easily linked with other information databases using or containing the same biometric identifier. Secondly, even if the possibility of using the biometric data as a unique identifier would be overcome, the collection and storage of biometric data in a central database will always mean that there remains a risk that the biometric information is sooner or later linked to other identity information which could ultimately identify a person (e.g., manual comparison). It has already been recognised that the collection of biometric information in large-scale databases, sometimes with not only a central control but with a control by several parties/governments without appropriate agreements (multilateral control, see also the models described infra, section 3.3 and Annex 2), is a major fear and risk.
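The two comparison modes and the linkage risk described above can be made concrete with a toy matcher. This is an added example, not part of the FIDIS deliverable: templates are constructed random bit strings, and the template length, capture noise and decision threshold are assumptions chosen for illustration.

```python
import random

BITS = 256        # constructed template length (assumption)
NOISE = 0.05      # assumed fraction of bits that differ between two captures
THRESHOLD = 0.25  # assumed decision threshold on fractional Hamming distance

def capture(template, rng):
    """Simulate one sensor capture: the person's bits with a few flipped."""
    return [b ^ (rng.random() < NOISE) for b in template]

def distance(a, b):
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(probe, reference):
    """Verification (1:1): compare with the one reference tied to the claim."""
    return distance(probe, reference) <= THRESHOLD

def identify(probe, database):
    """Identification (1:N): search all stored references, return a record id."""
    best = min(database, key=lambda rid: distance(probe, database[rid]))
    return best if distance(probe, database[best]) <= THRESHOLD else None

def link(db_a, db_b):
    """Join two databases using the biometric itself as the identifier."""
    return {rid: identify(ref, db_b) for rid, ref in db_a.items()}

def demo(seed=7):
    rng = random.Random(seed)
    people = {n: [rng.randint(0, 1) for _ in range(BITS)]
              for n in ("alice", "bob", "carol")}
    # Central store without names, only record numbers.
    access_db = {f"rec-{i}": capture(t, rng)
                 for i, t in enumerate(people.values())}
    # Separate store, held by another controller, that does carry names.
    registry_db = {n: capture(t, rng) for n, t in people.items()}
    card = capture(people["bob"], rng)  # reference kept on Bob's card only
    return {
        "bob_with_own_card": verify(capture(people["bob"], rng), card),
        "carol_with_bobs_card": verify(capture(people["carol"], rng), card),
        "bob_in_access_db": identify(capture(people["bob"], rng), access_db),
        "records_linked_to_names": link(access_db, registry_db),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The card-based check needs no database at all, whereas the name-free central store is re-identified in full as soon as a second store with names is available for comparison.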

For that reason, identification and the storage of biometric characteristics in central databases are two concepts that are linked to each other and that, in respect for the rights and freedoms of individuals, need to be considered with utmost care. The deployment of biometrics, however, does not necessarily require that the identification functionality and central storage are used. This deliverable aims to, in addition to giving a description of the risks and the advantages of identity recognition through biometric comparison, clarify in which models identification or verification is used. The models which are described in section were developed because of an apparent need to have an overview of the use of biometrics in various applications. The models are developed on the basis of a review of some existing suggestions (by AFNOR and BioVision) to classify biometric systems and on the basis of newly suggested consistent classification criteria which are in our view relevant. These classification criteria are (1) the way control is exercised (central, divided or multilateral), (2) the controller (public or private entity) and (3) the purpose(s) (combating identity fraud, securing online or offline access, mixed purposes of public and private entities, convenience purposes and surveillance) of the applications. Such ‘grouping’ of biometric applications on the basis of applications which are often cited or reported around these criteria should facilitate a common understanding of the risks and advantages and simplify a discussion about the use of biometrics. Medical biometric applications, however, have not been taken into consideration when defining the models, as such applications are evolving very fast in the e-health domain and require specific attention and review.

 
