A presentation by Debajani Mohanty on SSI and biometrics.
Debajani Mohanty presented on the topic. The slides are available, as well as the questions and answers.
Vipin Bharathan: Why is the image stored instead of the template?
Debajani: Image is not stored, will remove from slide.
Can you explain a little more about deduplication? Is this deduplication of biometric templates themselves, in which case why? We already know that many biometrics need to be refreshed. Or is it deduplication vs individual unique identity? In this case how does this sit with fundamentals of SSI that you can have many different 'identities'? Or is it just data cleansing?
Africa and Thailand are the markets where iRespond is active.
iRespond are also issuing secure / smart paper versions of the digital ID for Birth Attestations; this real-world link makes a big difference to informed consent and utility in low-connectivity markets.
Debajani Mohanty: Only the primary issuer does the deduplication, usually a national government with physical checks and verification of addresses etc. The template is stored for record keeping; however, this introduces a central point of failure and attack.
Nicky: This is directly in contradiction to the principles of SSI. So one of the ideas for decentralization is to create a set of service providers, the choice of one of which will store the template. (Some of the issues here: we may need to look at the long-term viability of the service provider.)
Vipin: Template is stored for recovery purposes. Is there a situation where the template does not need to be stored at all? (If the hashing algorithm is foolproof, maybe.) But recovery may need re-proofing (or re-enrollment).
Email Response from Daniel Bachenheimer:
In some (many) biometric system implementations, images are preserved for a number of reasons including:
- De-duplication: if more than one candidate is returned during a de-duplication (or identification) operation, images are typically used by an adjudicator to reconcile the candidate list. Without biometric images, demographic data would typically be used for reconciliation which is sub-optimal as it opens an otherwise closed fraud vector.
- Feature Extraction Algorithm Updates: if a vendor's FE algorithm needs to be updated (or replaced by another vendor), original images are typically needed (required) to regenerate templates. Without the original images, re-enrollment will be required.
- Preserving biometric images does not come without consequences; obviously the most important of these is the fact that such a trove of very personal information needs to be closely guarded and secured. This exposes the repository and its caretaker to attack, as it is valuable data.
- What are the consequences of the leakage of such image data? Can such data be used in spoofing using altered edge devices? If not, how? (Can the device itself be authenticated before it can participate to authenticate the user, in preparation for user authorization? Are there references on this subject?)