By Emmanuel Ventadour, Gemalto
Biometric technology can be found more and more in a large variety of ID applications, ranging from national ID documents, to travel documents and electronic healthcare cards. This article aims to give a short overview of the benefits of biometrics as well as provide some appropriate case studies.
The fight against document fraud and identity theft requires the implementation of new technological solutions. Biometrics has quickly established itself as the most pertinent technology for identifying individuals in a fast and reliable way through the use of unique biological characteristics.
Hitherto reserved for sensitive fields such as the security of military sites, biometrics is today being drawn on by many programs, and applications for the general public are now seeing rapid development. These applications are predominantly introduced by national authorities, as the capture and management of a population’s fingerprints call for a tightly regulated legal and technical framework. Biometrics provides irrefutable evidence of the link between the document and its holder.
In the health sector and for public services, it is a key contributor to social justice. As IDs enable individual citizens to exercise their rights and responsibilities, document theft and fraud are sources of social injustice: the community may inadvertently allocate resources to an ill-intentioned individual feigning another person’s identity, thus depriving the genuine citizen of that to which he or she is legally entitled. The new Gabon eHealth initiative, detailed below, is a good example. In this program, fingerprints are used to confirm the identity of the bearer of the card before he or she is given access to healthcare.
Biometrics is also a key enabler for trust, as ID documents including biometrics are perceived as secure and convenient tools to make sure the holder (patient, citizen, voter, insurance beneficiary…) is who he or she claims to be. It can resolve the issue of cardholders not being able to remember their password. Biometrics is widespread in European and Middle East countries. Portugal’s approach to biometrics is of interest and will also be described.
In the travel sector, the electronic passport – particularly with the second generation, which stores two fingerprints in addition to a passport photo – speeds up border crossing through the use of scanners, which use the principle of recognition by comparison of the face and/or fingerprints. These new biometric e-passports are now being used in many countries.
Gabon health program
Even before the program started, it was clear to everyone in Gabon that every available resource should be used to keep the health cover program from becoming a center of attention for the citizens of neighboring countries, and to ensure that the generosity of the program would not lead to its collapse through the fraudulent use of rights.
Hence beneficiaries must be individually identified so that access to care can be reserved for them. It has been decided that the identification of insured parties will be nominative with the implementation of a Gabonese individual health insurance number.
The smart health insurance card also contains civil data, a photograph of the holder and two fingerprints. It is used in hospitals, pharmacies and clinics, to check social security rights whilst protecting the confidentiality of personal data. Checks are performed using terminals with fingerprint sensors. The card stores the fingerprint information and matches it in the device without the need to rely on a connected device, an external server, or a database.
The Portuguese approach to biometrics
Since 2007, Portugal’s new credit card format national eID card has replaced five pre-existing cards. It features several characteristics of the citizen’s identity, including civil and tax identification, social security number, health card and voter card, in a single unifying format.
The highly secure “Citizen Card” also enables a Portuguese person to communicate with government administrations in a simple, fast and secure way through the use of a certified, digital signature.
This card is biometric and contains the holder’s fingerprints. Once the fingerprints have been captured and stored on the card, the captured data is destroyed, as the Portuguese constitution prohibits the use of a single central file for all domains.
The card supports biometric identification through the use of fingerprinting. It uses the “Match on Card” method, which involves making the fingerprint comparison on the card rather than on the reader (the more conventional method to date). It is an attractive option when the project needs to provide for situations where the identity document will be checked in a non-secured or only partially secured environment (particularly the verification terminals). Because the data never leaves the card, interception of data during transfer to a reader is impossible. This solution requires the appropriate biometric matching algorithm to be packaged within the card, in contrast to the more conventional approach of storing fingerprints on the card and transferring them to the terminal for comparison.
Portugal’s history as a former dictatorship and a young democracy (1974), and the population’s attachment to public liberties and human rights, put the choice into perspective.
The first biometric e-passport in Africa
As of December 15, 2009, Morocco is the first country in Africa to deliver biometric e-passports. These secure documents significantly enhance travelers’ security by adopting ICAO’s highest standard, Extended Access Control (EAC). Morocco’s new ePassport is the first outside the European Union to feature the EAC mechanism, which allows the use of biometric data such as fingerprints.
Citizens already in possession of an eID card need not have their fingerprints taken, as these centrally stored data can be transferred to the individual’s ePassport. The contactless chip also stores descriptive data, a digitized passport photo and two fingerprints.
In addition, many countries have set up biometric infrastructures to control migration flows to and from their territories. Fingerprint scanners and cameras installed at border posts and consulates capture certain types of information that help identify nationals entering and leaving the country in a more precise and reliable way. The same applies to visa applications and renewals.
Data acquisition requires reliable equipment to ensure optimum capture of photos and fingerprints, essential for precision during comparison and verification.
AFIS databases (Automated Fingerprint Identification System), often linked to a civil register database, ensure the identity and uniqueness of the citizen in relation to the rest of the population in a reliable, fast and automated way. They can combine fingerprints, a photo and an iris scan for greater reliability.
Two levels of verification for fingerprints
- 1 to 1, i.e. confirms that the credential belongs to the individual presenting it. The process verifies that the holder is who he or she claims to be. 1 to 1 verification is a very practical and cost-effective process for day-to-day use as it requires inexpensive devices and limited infrastructure. It also creates a climate of trust for holders, as they control what they perceive as a “biometry in my pocket” application. It is also a great solution for protecting privacy, as in Portugal, where biometric databases are not allowed to be created. No connectivity between verification devices in the field and a central site is required.
- 1 to Many, i.e. verifies if the individual exists within a known population. This guards against a citizen registering in a system under multiple identities. It is a useful function in the fight against identity theft. It requires a permanent link between verification devices and the centralized database, which is generally the case for airports and for most medium and large towns. Where connectivity is lacking, the comparison with the whole database may be deferred, for instance to the point when a citizen’s request for an identification document or a passport is processed. A validation process can be configured so that a request is automatically blocked and flagged if the fingerprints are found more than once in the database.
Unlocking card applications
PIN codes are usually used for secure authentication. An alternative solution is based on something we are instead of something we know. This kind of authentication relies on biometric verification. With a good biometric, we can replace the PIN code we know by something we are (fingerprints, for example). In that case, instead of or in addition to storing a number for the PIN, the card will store the reference template of the biometric that will be used for the verification. A PIN-code-like process for smart cards using biometrics opens up a wide range of new opportunities.
Biometrics is already well implemented in secure electronic documents and many applications are now in use for even greater citizen convenience. It has clearly succeeded in demonstrating that security and privacy can be enhanced without infringing upon new rules on data protection and civil liberties and with a high level of citizen acceptance.
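The sketch below is an added example, not code from the article or from any card vendor. It models the “Match on Card” 1 to 1 check used as a PIN-style unlock, alongside the 1 to Many duplicate check at enrolment. The similarity score, threshold, retry limit and all names are assumptions made for illustration.

```python
# Added illustration: toy model, not a real fingerprint matcher or card API.
THRESHOLD = 0.75  # assumed decision threshold for the toy score
MAX_TRIES = 3     # assumed retry limit, as for a PIN

# Constructed sample templates: sets of (x, y) feature points.
ALICE = frozenset({(10, 12), (40, 8), (22, 31), (5, 44), (37, 29)})
ALICE_RESCAN = ALICE - {(37, 29)}  # same finger, one point missed
BOB = frozenset({(3, 3), (18, 27), (33, 9), (41, 41), (12, 36)})


def similarity(a, b):
    """Toy score: share of feature points two templates have in common."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class MatchOnCard:
    """1:1 check. The reference stays inside; only yes/no comes out."""

    def __init__(self, reference):
        self._reference = reference
        self.tries_left = MAX_TRIES

    def verify(self, probe):
        if self.tries_left == 0:
            raise PermissionError("biometric verification blocked")
        if similarity(self._reference, probe) >= THRESHOLD:
            self.tries_left = MAX_TRIES  # success resets the counter
            return True
        self.tries_left -= 1
        return False


def enrol(database, applicant_id, template):
    """1:N check. Returns ids of matching records; enrols only if none."""
    hits = [rid for rid, ref in database.items()
            if similarity(ref, template) >= THRESHOLD]
    if not hits:
        database[applicant_id] = template
    return hits  # non-empty list: request blocked and flagged for review


if __name__ == "__main__":
    card = MatchOnCard(ALICE)
    print(card.verify(ALICE_RESCAN), card.verify(BOB), card.tries_left)
    registry = {}
    print(enrol(registry, "A-001", ALICE), enrol(registry, "A-002", ALICE_RESCAN))
```

The 1 to 1 path needs nothing but the card and the probe, while the 1 to Many path has to scan every stored record, which is why only the latter depends on a link to a central database.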