Open Letter to the Finance Committee: Biometrics
This note points out the weaknesses inherent in biometrics and the pitfalls in using them. It recommends procedural safeguards that should be adopted by the UID in order to make the use of biometrics more secure and inclusive.
Biometrics are not centrally stored and are used only for identification
Biometrics, as our first letter notes,1 are better suited for identification, and are inappropriate for authentication. Therefore, the central server need not store biometric information, and need only store the public key of each citizen's digital signature.2 Biometrics on a smart card for authentication will allow service providers to determine if the card is being carried by the right person. This configuration of biometrics has many positives:
- Cost effective
- More secure
- Places the control of biometric information in the hands of the data subject
Use encrypted data, rather than live data
The UID scheme has stated that biometrics will be encrypted, but has not provided further details.3 It is recommended that:
- Biometrics should be encrypted whenever they are used, stored and transferred;
- A biometric should be encrypted to such a degree that it is not possible to reconstruct the biometric data; and
- After an encrypted version of the biometric is made, the original biometric should be deleted.
To perform an identification check, the biometrics presented should be encrypted and then compared to the encrypted version stored on the card. If the card is stolen, the thief would not be able to harvest biometrics.
Security clearance for all associated entities and personnel
UID registrations and transactions will be handled by 'registrars', in other words personnel who work at organizations not directly under the control of the UIDAI. A clear process governing who can perform transactions, together with a proper audit system, is needed to prevent 'insider' attacks.
Clearly defined alternate identification factors
There are many situations in which a biometric cannot be accepted in a transaction, for example when the biometric changes, is misread, or is unreadable. The UID has recognized this possibility and has stated: “In case of authentication, the operator needs to find an alternate method of authentication if fingerprint verification fails. The operator/application would not know the cause of verification failure. A timeout will be implemented in service after five attempts.”4 The alternative identity factors that will be accepted need to be clearly defined and articulated.
Standards for acceptance of biometric as authentication factor
The UIDAI has proposed a whole range of authentication factors: pin, password, partial biometrics, full biometrics, mobile phone and combinations thereof.5 Some of these authentication factors may also be presented by the data subject over the Internet. As our previous letters have stated, some authentication factors are more secure than others. Therefore, the UIDAI should publish standards for acceptance of different authentication factors based on the security requirements of different types of transactions. Even if biometrics are used as an authentication standard, in our opinion they should only be used for trivial transactions without major financial or citizenship implications.
2 Distinguish and separate the authentication process from the identification process: Identification is a comparison of one set of biometric data against all sets of collected biometrics in one central database to verify the identity of the owner of the biometric data. Authentication is a comparison of a biometric against a stored template to validate the existence of that specific biometric.