Biometric Service Provider (BSP) : John "Jack" Callahan Veridium

Download as pdf or txt
Download as pdf or txt
You are on page 1of 20

Biometric Service Provider

(BSP)
John “Jack” Callahan
Veridium
Source: Google
KBA,
Biometrics, etc.

Experian,
FBI, etc.

Passport,
Driver’s license

Figure 4-1 (annotated) The Identity Proofing User Journey [source: NIST 800-63-3A]
Biometric ≠ Password

• Typically combined with liveness


• “IAL3: Physical presence is required for
identity proofing. Identifying attributes must
be verified by an authorized and trained CSP
representative”

• aka Presentation Attack Detection (PAD)


• NIST 800-63-3B Section 5.2.3
• “Testing of presentation attack resistance
SHALL be in accordance with Clause 12 of
ISO/IEC 30107-3. The PAD decision MAY be
made either locally on the claimant’s device or
by a central verifier.”
• “PAD is being considered as a mandatory
requirement in future editions of this
guideline”

• PAD can be performed remotely


• IAL2 introduces the need for either remote or
physically-present identity proofing. [NIST
800-63-3A Section 2.2]
Biometric Credentials

Biometric
Verifiable
Credentials

Issuer Holder Verifier

Blockchain provenance Blockchain provenance


& integrity information & integrity verification

6
A Range of Biometric Use Cases
• Device unlocking
• Authentication
• Identification
• Identity Proofing
• Identity Verification
• Deduplication (on enrollment)
• Fraud prevention (on enrollment)
Initial & Candidate Biometric Vectors

IBV CBV
Match?

Registration Presentation
Some Simple Best Practices
• Protect biometric data …
• at collection (sensor safeguards)
• at rest (special hardware, TPM/TEE, database encryption)
• in transit (encrypted communications)
• during match (volatile memory protections)
• Never log biometric data!
• Candidate Biometric Vector is ephemeral
Pocket Pattern BSP Pattern
Where is IBV & CBV matched?
Mobile Server

Pocket Pattern
1:1 1:N
Mobile Authentication Authentication
Where is IBV persisted?

Device Unlocking Deduplication

BSP Pattern
1:1 1:N
Server Authentication Authentication
Identity Verification Identity Proofing
Identity Proofing
INTERPOL • Know Your Customer (KYC)
• Anti-Money Laundering (AML)
• Required by most countries for banking

Issuer Holder Verifier

Biometric
Verifiable
Credentials

12
BOPS,
ABIS,
MOSIP
Aadhaar

Issuer Holder Verifier

Biometric
Verifiable
Credentials

13
BOPS, BOPS,
ABIS, ABIS,
MOSIP MOSIP
Aadhaar Aadhaar

Issuer Holder Verifier

Biometric
Verifiable
Credentials

14
BOPS,
ABIS,
MOSIP
Aadhaar

Issuer Holder Verifier

Biometric
Verifiable
Credentials

15
BOPS, BOPS,
ABIS, ABIS,
MOSIP MOSIP,
Aadhaar Aadhaar
BSP BSP

Issuer Holder Verifier

Biometric
Verifiable
Credentials

16
Biometric Service Provider (BSP)
• A protocol?
• Should define biometric verifiable credential schema(s)
• Biometric modality agnostic
• Accommodate Biometric shards
• Integrate with Ursa crypto
• Integrate with service endpoint model
• Allows Issuers, Verifiers, and Holder wallets & agents to invoke services like:
• Registration
• Matching
• Deduplication
• Verification
• Provides new services
• Fuzzy matching
• Shard management (for DKMS)
• Holder-specific biometric matching “machine” (using ZK-STARKs)
• Compatible with trust relationships
• Supports DID connections/Trust relationships (Holder ⟷ BSP ⟷ Verifier)
Agent/self-hosted?
BOPS, BOPS,
ABIS, ABIS,
MOSIP MOSIP,
Aadhaar Aadhaar
BSP BSP

Issuer Holder Verifier

Biometric
Verifiable
Credentials

18
Interpol,
FBI,
UK Border

BSP

Issuer Holder Verifier

Issuer-
generated,

BSP
Holder-
specific
ZK-STARK

19
Next Steps
• Feedback
• Draft RFC aligned with
• Distributed Key Management RFC
• Credential Fraud RFC (Threat model, Patterns & Anti-Patterns)
• BSP threat model?
• Prototype implementation(s)
• Relation to
• IEEE 2410 (BOPS)
• FIDO and new FIDO IDV

You might also like