Biometric Service Provider (BSP) : John "Jack" Callahan Veridium
Biometric Service Provider (BSP) : John "Jack" Callahan Veridium
Biometric Service Provider (BSP) : John "Jack" Callahan Veridium
(BSP)
John “Jack” Callahan
Veridium
Source: Google
KBA,
Biometrics, etc.
Experian,
FBI, etc.
Passport,
Driver’s license
Figure 4-1 (annotated) The Identity Proofing User Journey [source: NIST 800-63-3A]
Biometric ≠ Password
Biometric
Verifiable
Credentials
6
A Range of Biometric Use Cases
• Device unlocking
• Authentication
• Identification
• Identity Proofing
• Identity Verification
• Deduplication (on enrollment)
• Fraud prevention (on enrollment)
Initial & Candidate Biometric Vectors
IBV CBV
Match?
Registration Presentation
Some Simple Best Practices
• Protect biometric data …
• at collection (sensor safeguards)
• at rest (special hardware, TPM/TEE, database encryption)
• in transit (encrypted communications)
• during match (volatile memory protections)
• Never log biometric data!
• Candidate Biometric Vector is ephemeral
Pocket Pattern BSP Pattern
Where is IBV & CBV matched?
Mobile Server
Pocket Pattern
1:1 1:N
Mobile Authentication Authentication
Where is IBV persisted?
BSP Pattern
1:1 1:N
Server Authentication Authentication
Identity Verification Identity Proofing
Identity Proofing
INTERPOL • Know Your Customer (KYC)
• Anti-Money Laundering (AML)
• Required by most countries for banking
Biometric
Verifiable
Credentials
12
BOPS,
ABIS,
MOSIP
Aadhaar
Biometric
Verifiable
Credentials
13
BOPS, BOPS,
ABIS, ABIS,
MOSIP MOSIP
Aadhaar Aadhaar
Biometric
Verifiable
Credentials
14
BOPS,
ABIS,
MOSIP
Aadhaar
Biometric
Verifiable
Credentials
15
BOPS, BOPS,
ABIS, ABIS,
MOSIP MOSIP,
Aadhaar Aadhaar
BSP BSP
Biometric
Verifiable
Credentials
16
Biometric Service Provider (BSP)
• A protocol?
• Should define biometric verifiable credential schema(s)
• Biometric modality agnostic
• Accommodate Biometric shards
• Integrate with Ursa crypto
• Integrate with service endpoint model
• Allows Issuers, Verifiers, and Holder wallets & agents to invoke services like:
• Registration
• Matching
• Deduplication
• Verification
• Provides new services
• Fuzzy matching
• Shard management (for DKMS)
• Holder-specific biometric matching “machine” (using ZK-STARKs)
• Compatible with trust relationships
• Supports DID connections/Trust relationships (Holder ⟷ BSP ⟷ Verifier)
Agent/self-hosted?
BOPS, BOPS,
ABIS, ABIS,
MOSIP MOSIP,
Aadhaar Aadhaar
BSP BSP
Biometric
Verifiable
Credentials
18
Interpol,
FBI,
UK Border
BSP
Issuer-
generated,
BSP
Holder-
specific
ZK-STARK
19
Next Steps
• Feedback
• Draft RFC aligned with
• Distributed Key Management RFC
• Credential Fraud RFC (Threat model, Patterns & Anti-Patterns)
• BSP threat model?
• Prototype implementation(s)
• Relation to
• IEEE 2410 (BOPS)
• FIDO and new FIDO IDV