Private ID as a service leverages smartphone-enabled biometrics
The PIDaaS project is co-funded under the ICT Policy Support Programme of the European Union as part of the Competitiveness and Innovation Framework Programme (CIP) and is scheduled to run until December 2016.
It shares some similarities with the terminated TAS3 project (Trusted Architecture for Securely Shared Services) co-funded by the European Union some years ago, in the sense that identity management would be user-centric, enabling smartphone users to authenticate themselves to access different services online without giving out their ID credentials (i.e. biometric data) and without having to enrol with every new service they use.
Indeed, while every new online service typically wants to collect unique user data upon registration (and we have all been accustomed to creating avatars through multiple emails), users may be reticent to let just any new service online exploit irrevocable biometric samples which are strongly linked with their identity. Creating avatars is a form of ID management, but how much guessing is there left in biometrics?
The PIDaaS project focuses precisely on the preservation of biometric data during the authentication process, adding biometric template protection schemes (BTPS) so users can create multiple pseudo-bio-identities from the same biometric trait, with the possibility of revoking, renewing and reissuing them. This prevents users from having to go through multiple enrolment processes, with the uneasy feeling that their biometric data is getting dispersed and growing out of control in the cloud.
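An added illustration (not PIDaaS code; the page does not say which BTPS the project uses) of how one trait can yield several revocable pseudo-identities, using a token-seeded random projection in the style of BioHashing. The feature vectors, tokens, template length and threshold are constructed assumptions.

```python
import random

BITS = 256        # template length in bits (constructed value)
THRESHOLD = 0.20  # max fraction of differing bits accepted as a match (assumed)

def protect(features, token):
    """Keep only the signs of BITS token-seeded random projections of the features."""
    rng = random.Random(token)  # token: per-service secret that can be revoked
    return [1 if sum(rng.gauss(0.0, 1.0) * f for f in features) >= 0 else 0
            for _ in range(BITS)]

def distance(a, b):
    """Fraction of bits that differ between two protected templates."""
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(sample, token, enrolled):
    """Transform a fresh capture with the same token and compare in the protected domain."""
    return distance(protect(sample, token), enrolled) <= THRESHOLD

def demo():
    # Constructed data: random vectors stand in for face/voice feature vectors.
    rng = random.Random("constructed-sample-data")
    alice = [rng.gauss(0, 1) for _ in range(64)]
    alice_again = [f + rng.gauss(0, 0.05) for f in alice]  # new capture, sensor noise
    mallory = [rng.gauss(0, 1) for _ in range(64)]         # different person

    shop = protect(alice, "token-shop-v1")      # pseudo-identity for one service
    health = protect(alice, "token-health-v1")  # pseudo-identity for another
    reissued = protect(alice, "token-shop-v2")  # after revoking token-shop-v1

    return {
        "genuine": verify(alice_again, "token-shop-v1", shop),
        "impostor": verify(mallory, "token-shop-v1", shop),
        "cross_service_distance": distance(shop, health),
        "old_template_after_reissue": verify(alice_again, "token-shop-v2", shop),
        "reissued": verify(alice_again, "token-shop-v2", reissued),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A cross-service distance near 0.5 means the two templates cannot be linked by direct comparison, and the old template stops matching once the token is replaced. This sketch is not a vetted scheme: its protection weakens if a token leaks together with its template.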
As well as a biometric template protection scheme, the PIDaaS platform also relies on voice and face recognition verification technology as used in the IdForMe authentication application, a backend, and a Life Management Platform (LMP).
The PIDaaS Mobile application allows users to manage their identity, personal data and biometric templates (digital references of characteristics that have been extracted from a biometric sample) and to be authenticated through speaker and face recognition. This user-centric ID management lets users authorize which actions are performed in their name on any website and decide what information websites, mobile apps, online purchasing services, etc. are allowed to access.
A preliminary mockup PIDaaS App has been developed for the project partners to work with.
The PIDaaS Backend provides mobile application and service providers with a gateway to the PIDaaS platform services, through which they request login authentication services.
And for what is probably the most critical enrolment part (which would probably only be performed by a governmental entity once and for all), the PIDaaS Life Management Platform is responsible for storing the information about PIDaaS users and service providers and for monitoring the users’ activities within the PIDaaS platform. It stores the biometric templates (verification data) and offers a mechanism for sharing personal data between the user and the services in a secure way while providing users control over those templates and their personal data.
While biometric data would be the main factor of authentication, it would be paired with other metadata (relating to hardware, software and network) to better ensure the certainty of each authentication request.
The PIDaaS project will soon be at a pilot stage, with several trials due to start mid-February next year to evaluate use cases in several environments such as e-Commerce, e-Health and e-Citizenship.
The PIDaaS solution will be integrated on the platform of one of the biggest e-shops in Finland, the company F9 Distribution OY, to be used by real customers. In Spain, the Catalan health system TICSalut will carry out a pilot test to enable users to interact online with the health department, its agencies and providers (hospitals, health centres, etc.).
The e-Citizen pilot will be performed in Italy, where PIDaaS will be integrated into a service for viewing personal data within human resources procedures. The employees belonging to an administration or company will be able to access their personal records (such as payroll, holidays, time off work, etc.) and view them.
Now who would host the LMP database, the most critical part of this whole identification service? Surely consumers would not be comfortable with their biometric data in the hands of a private company.
"Initially, the database of the LMP will be hosted by Catalonian technology centre Eurecat (https://eurecatmobileforum.com/en/); then it may be hosted in the cloud", explained Pau Bellorbi, manager of the project at co-founding partner Ricoh IT Services.
"Note that users will only store in the LMP a few pieces of personal information such as name, address or e-mail, and management information. All the other sensitive information would be stored in the source servers. For instance, all your health information could be stored in servers of the Catalan Health System and the LMP would only store policies to allow third parties to access that information. We think that the storage of biometric templates, other kinds of credentials, authorization and management policies, etc. would not have to compromise the privacy of users".
How would you define the amount of information that a company could ask a user to transfer through the LMP? Isn’t there a risk for users with little concern or knowledge about privacy to give by mistake full access to their data to all the companies connected to the LMP?
"Obviously, data that each service provider shares with/through the LMP should be defined in advance and with an associated privacy agreement. For instance, health insurance companies do not need access to the users’ financial transactions. But human errors are very difficult to foresee and control", added Bellorbi.
At this stage, the partners are not settled on whether the PIDaaS platform would become open-source or not. PIDaaS is a project co-founded under the ICT Policy Support Programme by the following partners: CSI Piemonte, Bantec, Eurecat, Ricoh, University of Kent, E-bros, TicSalut and Hogskolen I Gjovik.
More info about PIDaaS at www.pidaas.eu