Deciphering the Decentralized Biometrics Landscape
10 min read
Tags:
Decentralized Biometrics
Share:
Blog
A storm is brewing in the identity industry. It is being caused by a trifecta of factors – consumer desire for more control over their personal data, never ending data breaches and lack of trust in our institutions’ ability to secure and protect our personal identities. Other trends are also coalescing – relentless rise of digital interactions, emergence of Web3, NFTs and cryptocurrencies, and the use of blockchain technology in general to store and host digital credentials. Together, they are driving unprecedented growth and acceptance of biometrics as the irrefutable link between a person and their identity. The question is not whether, but how, to deploy biometrics in the larger context of identity management.
We’ve put together the table below to align stakeholders on the different definitions and methodologies that can be considered, particularly as relates to decentralized identity and decentralized biometrics. It is by no means exhaustive, rather, it is meant to create an anchor on the most important terms that are critical for system design that enhances overall security and protects personal privacy.
Feel free to contact us with any suggested additions or edits.
Term
Description
Anonybit Relationship
Concepts and Frameworks
Multi-party Computing (MPC)
MPC is a technology that gives different parties to a relationship the ability to compute data and arrive at a mutually desired result without requiring parties to the transaction to divulge their private data. MPC also uses complex encryption to distribute computation between multiple parties or network nodes.
Anonybit’s core architecture uses MPC to enable decentralized storage and processing of personal data, including biometrics and other digital assets.
Zero-Knowledge Proof
Zero-knowledge proof, also known as zero-knowledge authentication, is a cryptographic authentication protocol in which one party (the prover) can prove to another party (the verifier) that a given statement is true without conveying any additional information apart from the fact that the statement is indeed true.
Zero-knowledge proofs are used by Anonybit to provide biometric authentication responses without recompiling or revealing the original biometric data set.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual. There are various levels of personal information sensitivity within PII. Biometrics is a form of PII, along with name, email address, device ID, location and other elements that are used to identify a person.
There is an increasing call to protect PII in the digital world because of the possible fraud associated with compromising a person’s personal information. Anonybit’s framework is designed to store all kinds of PII in a decentralized manner.
Distributed Ledger (Blockchain)
A distributed ledger is a peer-to-peer network that doesn’t have a central administrator or central database. This design is intended to increase network security and remove corruption by replacing a single point of failure with a distributed network of devices that work together to verify the accuracy of data. Distributed ledgers are usually associated with blockchain technology but blockchain is just one use of distributed ledgers. Distributed ledgers are very powerful to exchange trusted information between unrelated parties while maintaining its integrity, and possibly anonymity.
Anonybit does not use distributed ledger or blockchain technology due to limitations around data processing, the need to be able to delete per privacy regulation, and performance issues. Rather, Anonybit’s patent-pending infrastructure relies on proprietary derivatives of MPC and Zero Knowledge Proofs to achieve the decentralized storage and processing capabilities.
Digital Wallet
A digital wallet (or e-wallet) is a software-based system that securely stores users’ payment information, passwords and other identity information, as well as cryptographic assets, health information, and more. By using a digital wallet, users can complete purchases easily and quickly with near-field communications (NFC) technology, present digital credentials, and share their information at their own discretion. Digital wallets are used by the payments industry, cryptocurrency industry, self-sovereign identity frameworks, and many more.
Anonybit provides a secure infrastructure for digital wallets and makes them accessible across devices. Anonybit also allows for the storage of the wallet’s contents in its decentralized digital asset vault and leverages biometric authentication to protect the assets, ensuring that only the right person is invoking them. This reduces the risks of wallet takeovers by attackers using stolen credentials (e.g. usernames and passwords).
Decentralized identity
Self-Sovereign Identity (SSI)
Decentralized identity, often used interchangeably with “self-sovereign identity” (SSI), is an alternative to centralized and federated identity infrastructures. With SSI, credentials are managed in a digital wallet and are verified using a public key that is anchored on a distributed ledger. The SSI may be generated from an issuer’s database (e.g., government, university, health institution, social media account, etc.), but does not actually contain any personal information. The SSI can be used to interact with third parties at the sole discretion of the individual. Personal data therefore does not need to be transferred as individuals interact, however, the issuer’s database may still be centralized.
Anonybit secures the digital wallet where the SSI assets are stored. This ensures that the SSI is invoked only by the authorized person and enables cross-device access to the wallet’s framework. This is important if an individual gets a new device or is using a shared device.
Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
Decentralized Identifiers and Verifiable Credentials make up Self-Sovereign Identity. The DIDs are holders for the digitized credentials themselves. When the VCs are generated by the issuing party, they are signed with a public key that is stored on the blockchain. When someone wants to verify the authenticity/validity of the credential, they can check the blockchain to see who issued it without having to contact the issuing party.
Anonybit allows the issuer to associate a biometric to the DID for use in downstream applications, ensuring that the correct person is invoking it and allowing for easy reissuance if the person gets a new device.
Decentralized biometrics
Decentralized biometrics is the process of splitting biometric data into pieces and storing/distributing them over different computers or nodes. Most decentralized biometric schemes require that the pieces come back together again for matching, which create performance and security problems. As a result, the alternative has been to use device-based biometrics which ensure no central repository of the biometric data, but as noted elsewhere in this document and on the blog, this method is easily circumvented. New breakthroughs
allow both the storage and the processing of the data to be done in a distributed way, eliminating the tradeoffs and problems seen with centralized and device-based biometric approaches.
Anonybit leverages multi-party computing and zero-knowledge proofs in a proprietary manner to deliver fully decentralized biometrics and support both privacy and security.
Identity Management
Identity Verification
Identity verification (IdV) is an approach for verifying and authenticating the physical identity of individuals onboarding to a digital application. IdV is sometimes used for step up verification as well. It uses knowledge-based user attributes and document verification to confirm that a person enrolling a service is who they say they are in the physical world. Part of the process involves matching the photograph on the identity document to a live selfie. IdV is typically used for onboarding digital applications and for KYC and AML compliance.
Anonybit integrates with the identity verification flow to enhance overall identity assurance levels downstream. The biometric data that is captured during the onboarding process is sent to Anonybit for sharding and distribution throughout the peer-to-peer network and this same enrollment data is used for subsequent authentication and account recovery in all future interactions with the service.
Passwordless Authentication
Passwordless authentication is a method that allows a person to gain access to an application or network without the use of a password or other knowledge elements (pin code, personal questions) . In many cases, passwordless authentication methods rely on a biometric signature that is tied to a cryptographic signature which gets sent to the authenticating service. Almost always, the biometric signature comes from a local template that is stored on a user’s device (PC, smartphone or external security token). Except in very specific cases, the authenticating service does not manage the user’s device or the biometric identity, and the fallback in case of account recovery or other failure is typically a password or other knowledge-based authenticator.
Anonybit provides turnkey passwordless authentication via cloud-based decentralized biometrics. Because Anonybit is cloud-based, there is no device dependency and the solution can be linked to the onboarding process for added security in downstream applications including account recovery.
Online Account Recovery
One of the biggest challenges for providers of online services is allowing a secure and accurate account recovery process. The need for account recovery is driven by users losing access to their original credentials (“forgot my password”), and must account for risks of fraudulent online attacks, lost or stolen passwords, lost or stolen devices, or compromise from insider threats.
Anonybit addresses the online account recovery by giving providers a biometric trust-anchor with the user, to which they can tie any access to the service. By providing cross-device biometric authentication that is connected to identity proofing and fraud resistant, account lock-out and losses are securely prevented.
Zero Trust Security
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network perimeter; networks can be local, in the cloud, or a combination of hybrid with resources anywhere as well as workers in any location
Anonybit provides accurate, secure, and private biometric authentication for access to digital applications. This authentication process can be invoked at any time within an application or central authentication facility such as single-sign-on (SSO).
Multi Factor Authentication (MFA)
Multi Factor Authentication (MFA) is a method of user verification that utilizes two or more unrelated authentication modalities that includes something the user knows (password, pin, knowledge), something the user owns (device, token, cryptographic key), and something the user is (physical biometric traits such as face, iris, fingerprint, voice, etc., as well as behavioral biometric). It is possible to combine passwordless authentication methods with other authentication methods to make up MFA.
Anonybit uses multiple biometric authentication modalities within its framework, which are combined with device binding to create decentralized, passwordless MFA.
Federated Identity Management
Federated Identity Management is an arrangement between multiple organizations or online services that enables their users to use the same identification data (digital identity) to access across their networks. These partners are also known as trust domains. A trust domain can be an organization, a business unit, a smaller subsidiary of a larger organization, etc. and are trusted by a similar organization called the Relying Party.
Anonybit can serve as a common anchor of trust across organizational trust-domains by ensuring users are authenticating at the same high level of assurance. The high assurance level is achieved by incorporating the Anonybit authenticator into the federated authentication flow. Through that, the trusting organization receives a consistent level of assurance across all its federated partners against a consistent, biometrically proven trust anchor. With the ability to securely manage identities with the Anonybit network, the architecture can support Federated Identity Management by protecting the user’s personal information across multiple trust domains.
Term
Description
Anonybit Relationship
Concepts and Frameworks
Multi-party Computing (MPC)
MPC is a technology that gives different parties to a relationship the ability to compute data and arrive at a mutually desired result without requiring parties to the transaction to divulge their private data. MPC also uses complex encryption to distribute computation between multiple parties or network nodes.
Anonybit’s core architecture uses MPC to enable decentralized storage and processing of personal data, including biometrics and other digital assets.
Zero-Knowledge Proof
Zero-knowledge proof, also known as zero-knowledge authentication, is a cryptographic authentication protocol in which one party (the prover) can prove to another party (the verifier) that a given statement is true without conveying any additional information apart from the fact that the statement is indeed true.
Zero-knowledge proofs are used by Anonybit to provide biometric authentication responses without recompiling or revealing the original biometric data set.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual. There are various levels of personal information sensitivity within PII. Biometrics is a form of PII, along with name, email address, device ID, location and other elements that are used to identify a person.
There is an increasing call to protect PII in the digital world because of the possible fraud associated with compromising a person’s personal information. Anonybit’s framework is designed to store all kinds of PII in a decentralized manner.
Distributed Ledger (Blockchain)
A distributed ledger is a peer-to-peer network that doesn’t have a central administrator or central database. This design is intended to increase network security and remove corruption by replacing a single point of failure with a distributed network of devices that work together to verify the accuracy of data. Distributed ledgers are usually associated with blockchain technology but blockchain is just one use of distributed ledgers. Distributed ledgers are very powerful to exchange trusted information between unrelated parties while maintaining its integrity, and possibly anonymity.
Anonybit does not use distributed ledger or blockchain technology due to limitations around data processing, the need to be able to delete per privacy regulation, and performance issues. Rather, Anonybit’s patent-pending infrastructure relies on proprietary derivatives of MPC and Zero Knowledge Proofs to achieve the decentralized storage and processing capabilities.
Digital Wallet
A digital wallet (or e-wallet) is a software-based system that securely stores users’ payment information, passwords and other identity information, as well as cryptographic assets, health information, and more. By using a digital wallet, users can complete purchases easily and quickly with near-field communications (NFC) technology, present digital credentials, and share their information at their own discretion. Digital wallets are used by the payments industry, cryptocurrency industry, self-sovereign identity frameworks, and many more.
Anonybit provides a secure infrastructure for digital wallets and makes them accessible across devices. Anonybit also allows for the storage of the wallet’s contents in its decentralized digital asset vault and leverages biometric authentication to protect the assets, ensuring that only the right person is invoking them. This reduces the risks of wallet takeovers by attackers using stolen credentials (e.g. usernames and passwords).
Decentralized identity
Self-Sovereign Identity (SSI)
Decentralized identity, often used interchangeably with “self-sovereign identity” (SSI), is an alternative to centralized and federated identity infrastructures. With SSI, credentials are managed in a digital wallet and are verified using a public key that is anchored on a distributed ledger. The SSI may be generated from an issuer’s database (e.g., government, university, health institution, social media account, etc.), but does not actually contain any personal information. The SSI can be used to interact with third parties at the sole discretion of the individual. Personal data therefore does not need to be transferred as individuals interact, however, the issuer’s database may still be centralized.
Anonybit secures the digital wallet where the SSI assets are stored. This ensures that the SSI is invoked only by the authorized person and enables cross-device access to the wallet’s framework. This is important if an individual gets a new device or is using a shared device.
Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs)
Decentralized Identifiers and Verifiable Credentials make up Self-Sovereign Identity. The DIDs are holders for the digitized credentials themselves. When the VCs are generated by the issuing party, they are signed with a public key that is stored on the blockchain. When someone wants to verify the authenticity/validity of the credential, they can check the blockchain to see who issued it without having to contact the issuing party.
Anonybit allows the issuer to associate a biometric to the DID for use in downstream applications, ensuring that the correct person is invoking it and allowing for easy reissuance if the person gets a new device.
Decentralized biometrics
Decentralized biometrics is the process of splitting biometric data into pieces and storing/distributing them over different computers or nodes. Most decentralized biometric schemes require that the pieces come back together again for matching, which create performance and security problems. As a result, the alternative has been to use device-based biometrics which ensure no central repository of the biometric data, but as noted elsewhere in this document and on the blog, this method is easily circumvented. New breakthroughs
allow both the storage and the processing of the data to be done in a distributed way, eliminating the tradeoffs and problems seen with centralized and device-based biometric approaches.
Anonybit leverages multi-party computing and zero-knowledge proofs in a proprietary manner to deliver fully decentralized biometrics and support both privacy and security.
Identity Management
Identity Verification
Identity verification (IdV) is an approach for verifying and authenticating the physical identity of individuals onboarding to a digital application. IdV is sometimes used for step up verification as well. It uses knowledge-based user attributes and document verification to confirm that a person enrolling a service is who they say they are in the physical world. Part of the process involves matching the photograph on the identity document to a live selfie. IdV is typically used for onboarding digital applications and for KYC and AML compliance.
Anonybit integrates with the identity verification flow to enhance overall identity assurance levels downstream. The biometric data that is captured during the onboarding process is sent to Anonybit for sharding and distribution throughout the peer-to-peer network and this same enrollment data is used for subsequent authentication and account recovery in all future interactions with the service.
Passwordless Authentication
Passwordless authentication is a method that allows a person to gain access to an application or network without the use of a password or other knowledge elements (pin code, personal questions) . In many cases, passwordless authentication methods rely on a biometric signature that is tied to a cryptographic signature which gets sent to the authenticating service. Almost always, the biometric signature comes from a local template that is stored on a user’s device (PC, smartphone or external security token). Except in very specific cases, the authenticating service does not manage the user’s device or the biometric identity, and the fallback in case of account recovery or other failure is typically a password or other knowledge-based authenticator.
Anonybit provides turnkey passwordless authentication via cloud-based decentralized biometrics. Because Anonybit is cloud-based, there is no device dependency and the solution can be linked to the onboarding process for added security in downstream applications including account recovery.
Online Account Recovery
One of the biggest challenges for providers of online services is allowing a secure and accurate account recovery process. The need for account recovery is driven by users losing access to their original credentials (“forgot my password”), and must account for risks of fraudulent online attacks, lost or stolen passwords, lost or stolen devices, or compromise from insider threats.
Anonybit addresses the online account recovery by giving providers a biometric trust-anchor with the user, to which they can tie any access to the service. By providing cross-device biometric authentication that is connected to identity proofing and fraud resistant, account lock-out and losses are securely prevented.
Zero Trust Security
Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data. Zero Trust assumes that there is no traditional network perimeter; networks can be local, in the cloud, or a combination of hybrid with resources anywhere as well as workers in any location
Anonybit provides accurate, secure, and private biometric authentication for access to digital applications. This authentication process can be invoked at any time within an application or central authentication facility such as single-sign-on (SSO).
Multi Factor Authentication (MFA)
Multi Factor Authentication (MFA) is a method of user verification that utilizes two or more unrelated authentication modalities that includes something the user knows (password, pin, knowledge), something the user owns (device, token, cryptographic key), and something the user is (physical biometric traits such as face, iris, fingerprint, voice, etc., as well as behavioral biometric). It is possible to combine passwordless authentication methods with other authentication methods to make up MFA.
Anonybit uses multiple biometric authentication modalities within its framework, which are combined with device binding to create decentralized, passwordless MFA.
Federated Identity Management
Federated Identity Management is an arrangement between multiple organizations or online services that enables their users to use the same identification data (digital identity) to access across their networks. These partners are also known as trust domains. A trust domain can be an organization, a business unit, a smaller subsidiary of a larger organization, etc. and are trusted by a similar organization called the Relying Party.
Anonybit can serve as a common anchor of trust across organizational trust-domains by ensuring users are authenticating at the same high level of assurance. The high assurance level is achieved by incorporating the Anonybit authenticator into the federated authentication flow. Through that, the trusting organization receives a consistent level of assurance across all its federated partners against a consistent, biometrically proven trust anchor. With the ability to securely manage identities with the Anonybit network, the architecture can support Federated Identity Management by protecting the user’s personal information across multiple trust domains.
