We introduced decentralized identity and verifiable credentials in a previous blog, where we discussed how it is taking shape across industrial and government initiatives like the Digital Identity for all Europeans proposal by the EU Commission.

In this blog, we will look at the integration of verifiable credentials with biometric matching (biometrics) to enable Identity Proofing with a high level of assurance.

Identity proofing and levels of assurance
When using a government digital service for the first time, citizens need to go through a process known as Identity Proofing, to prove who they are. A few governments have set standards on what a citizen needs to provide to prove their identity. For example:

• The US NIST published 800-63-3 Digital Identity Guidelines with three Levels of Assurance
• The UK Government has published Good Practice Guide (GPG) 45 which established four levels of confidence

Frameworks like the above require a match between the citizen’s paperwork and fresh biometric data to attain higher levels of assurance (LOA). For example, the NIST framework requires two distinct factors of authentication, from which biometrics can be one. This applies to both identity proofing and authentication of returning users, so that they do not have to go through identity proofing every time they use a service.

However, biometrics carry an inherent risk to privacy; unlike passwords, biometrics cannot be changed if stolen. To minimize the risk to biometric data, biometric services allow processing but avoid data storage in the system.

Biometrics can be used with decentralized identity
Biometrics go hand in hand with decentralized identity: We can collect biometric data and match it against data in the shared verifiable credential. For example, the photograph of a passport’s owner, taken from their digital passport verifiable credential, can be matched with a fresh photograph of the person, taken at the spot by the biometric service. Although data will have to be transferred to a cloud service for processing, it will not be stored there permanently. This would provide the required LOA for identity proofing and authentication while using a minimum set of data in the most privacy-preserving manner possible.

How it works
Here is how it may work, but please note that not all security features are illustrated.

• When a citizen visits an e-Government service (e.g., tax return website) for the first time, and shares a verifiable credential supporting biometric matching (e.g., a passport), the service will ask consent to do biometric registration and matching.
• If they agree, they will be redirected to a biometric matching service which will also get the photograph from their passport (from the verifiable credential shared previously).
• The service will ask the citizen to take a picture of themselves, using their mobile phone or laptop camera.
• Then it will compare the passport photograph with the freshly taken photograph to see if they match. If they do match, it will create a verifiable credential with the biometric profile of the user and send it back to the user for storage – the service will not store neither of the photographs.
• In the end, it will notify the digital service that the user passed biometric matching.

Subsequent requests for biometric matching are even easier, just compare a fresh selfie against the biometric profile in the verifiable credential, which only needs to be set up once, and then can be used with a multitude of different services. The biometric profile would therefore be usable in not only e-government but industry services as well.

The catalyst of success
The success of decentralized identity will depend upon wide adoption and how fast it will reach the tipping point towards a mature global ecosystem. Biometrics accelerate this adoption by enabling government-related use cases, which in turn tend to be used by large numbers of people and in numerous public and private sector services. Biometrics is therefore the catalyst to popularizing decentralized identity and can be used while preserving security and privacy.

Visit this page to get started with your own decentralized identity journey or learn more about how we can help your organization.