Stages of biometric authentication (1:1) or identification (1:N)
Biometric systems typically follow well-defined patterns in their operation for most use cases. For example, we can distinguish the stages of evidence or sample capture, account creation and identity validation, registration of the biometric sample associated with an account, and subsequently either the authentication operation (in which it is verified that a new sample belongs to an already registered and known account/identity) or identification (in which it is determined whether that sample belongs to any of the subjects registered in the system, and to which one). Finally, this entire process usually concludes with a final phase known as decision-making, in which the desired action is taken on the basis of the result. This section details each of these stages, as well as how the VCSP fits into them.
Biometric sample capture
The initial stage within any biometric flow should be the capture of the biometric sample (also typically known as ‘evidence’) from which the biometric template or ‘credential’ will be generated. Customers must provide a valid sample in one of the supported formats for image and audio files. Veridas offers capture guidance and, for some use cases, software components such as SDKs for different platforms to facilitate this task.
Enrollment
Before any enrollment stage, it is necessary to implement a preliminary step called identity proofing to verify the user’s association with their real-world identity. This is typically achieved by asking the user for basic personal information such as name, address, and other identification details, or by other identification methods.
VCSP does not implement any identity proofing mechanism, so including proper identity proofing mechanisms before sending any data to the VCSP is the responsibility of the customer or relying party.
After the Biometric Capture stage, the captured sample is sent to the VCSP in the Enrollment stage. VCSP creates an Account for the subject and generates a Credential that contains the biometric template extracted from the given sample that is bound to the subject’s Account.
Each Account is uniquely identified by a subject_id identifier, which can be provided by the customer or automatically generated by VCSP during enrollment. Providing this subject_id enables data anonymization, ensuring that no link exists between the actual subject and the processed/stored biometric samples or credentials. Common examples of subject_id are typically based on a personal ID number, phone number, passport number, insurance number, etc., which can be hashed for security before being given to the service. However, this subject_id is flexible and can be tailored to the specific consumer use case and business logic.
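The paragraph above suggests deriving subject_id from a hashed personal identifier. The following example is added here and is not Veridas code; the pepper value, the function names and the phone-number prefix are all constructed for illustration. It shows why a plain, unkeyed hash of a low-entropy identifier (a phone number, a national ID number) can be re-derived by anyone who can enumerate the input space, and contrasts it with a keyed hash (HMAC with a customer-held pepper) and with an opaque random identifier whose mapping the customer keeps in its own systems:

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed pepper for this example. In a real deployment the relying party
# generates it, stores it in its own KMS/HSM and never shares it with the
# biometric service, so the service cannot re-link subject_id to a person.
PEPPER = bytes.fromhex(
    "3b6f2a1d9c8e4f50a1b2c3d4e5f60718293a4b5c6d7e8f9011223344556677aa"
)


def normalize(identifier: str) -> str:
    """Canonicalise the raw identifier so the same person always maps to the
    same subject_id regardless of spacing or Unicode form."""
    return "".join(unicodedata.normalize("NFKC", identifier).split()).upper()


def unkeyed_subject_id(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Deterministic, but anyone who can guess
    the input can recompute it, so it does not unlink the subject."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def keyed_subject_id(identifier: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 with a customer-held pepper: still deterministic for the
    customer, but cannot be recomputed without the key."""
    return hmac.new(pepper, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def random_subject_id() -> str:
    """Opaque random identifier. The customer keeps the identifier-to-person
    mapping in its own database; nothing about the person is derivable."""
    return secrets.token_hex(16)


def recover_from_unkeyed(target: str, prefix: str, digits: int):
    """Risk illustration: a phone or ID number space is small enough to walk.
    Returns the identifier whose unkeyed hash equals `target`, or None."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if unkeyed_subject_id(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    phone = "+34 600 001 234"  # constructed sample input
    weak = unkeyed_subject_id(phone)
    print("unkeyed :", weak, "-> recovered:", recover_from_unkeyed(weak, "+3460000", 4))
    print("keyed   :", keyed_subject_id(phone))
    print("random  :", random_subject_id())
```

The keyed and random variants satisfy the page's goal (no link between the stored credential and the real subject from the service's point of view) only as long as the pepper or the mapping table stays with the customer; the unkeyed variant is reversible whenever the identifier space is enumerable.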
The enrollment stage is pivotal, as it establishes the baseline for the subject's biometric characteristics against which all future verifications will be compared. It is crucial to ensure the accuracy of the user's identity at this point. The enrollment stage sets the groundwork for a secure and efficient biometric authentication system.
The following story pictures the enrollment of an individual into a call center service using their voice.
One-to-one Authentication
Once a subject has been enrolled (a biometric credential and an account have been created in the VCSP), they are eligible for an authentication process. To do that, a new biometric sample capture step must be performed, so the sample can be sent to VCSP along with its subject_id. VCSP will look for the subject’s Account and will compare the biometric template generated during the Enrollment stage with the new biometric sample provided. As a result of this comparison, a response will be sent to the customer that allows the customer to make an acceptance/rejection decision.
The result of an Authentication process may determine whether the access attempt is authentic (it is not a presentation attack or a deepfake), and whether the new sample and the enrolled credential belong to the same person (thereby validating the user's identity).
The authentication stage occurs every time the user’s identity needs to be validated.
Following the previous call center scenario, the next picture depicts how the authentication interaction could look:
Group credentials
Once subjects have been enrolled in the system, VCSP allows credentials to be organized in groups for use in subsequent identification processes.
Before doing so, the group itself needs to be created. Upon creation, customers can specify a name, a description and an expiration date that determines the end of life of the group. The group resource will be removed after this date, but the credentials (and accounts) will remain in the system, as they can be used by other groups simultaneously.
After creating a group, it can be filled either with an explicit list of credentials or by applying tags, so that only those credentials that match all specified tags are included.
One-to-many comparison
Once a group has been created and populated with credentials, it is possible to perform 1:N identifications or searches with it. To do this, the biometric sample capture step must be repeated for the individual to be identified, and the request sent to the service along with the identifier of the group in question. Optionally, tags can also be added to the search operation, so that only those credentials that belong to the group and also carry all the given tags are taken into account. Naturally, the provided sample must match the type of sample for which the group was defined; otherwise the service will return an error. As a result, the system will return a list of candidates ordered from highest to lowest similarity.
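To make the group and identification semantics described in the last two sections concrete, here is a small local model, added as an example and not part of the VCSP API or its data schema. Everything in it is constructed: the credential store, the tag names, the two-dimensional "templates" (a toy stand-in for real biometric templates, compared with cosine similarity), and the function names. It exercises the behaviours the text states: filling a group by explicit list or by "all tags match", narrowing a search with extra tags, rejecting a sample whose type does not match the group, returning candidates best-first, and expiring the group resource while leaving credentials in place:

```python
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Credential:
    """A credential bound to an account (constructed model, not VCSP's schema)."""
    credential_id: str
    subject_id: str
    sample_type: str        # e.g. "voice" or "face"
    template: tuple         # toy embedding standing in for the biometric template
    tags: frozenset = frozenset()


@dataclass
class Group:
    name: str
    sample_type: str
    expires_at: str         # ISO date; compares lexicographically
    credential_ids: set = field(default_factory=set)


# Constructed credential store: three voice credentials and one face credential.
CREDENTIALS = {c.credential_id: c for c in [
    Credential("c-alice", "alice", "voice", (1.0, 0.0), frozenset({"premium", "madrid"})),
    Credential("c-bob", "bob", "voice", (0.0, 1.0), frozenset({"premium"})),
    Credential("c-carol", "carol", "voice", (0.7, 0.7), frozenset({"madrid"})),
    Credential("c-dave", "dave", "face", (0.9, 0.1), frozenset({"premium", "madrid"})),
]}


def fill_group_by_list(group, credentials, credential_ids):
    """Populate a group from an explicit list. A credential may sit in many groups."""
    for cid in credential_ids:
        cred = credentials[cid]
        if cred.sample_type != group.sample_type:
            raise ValueError(f"{cid} is a {cred.sample_type} credential; group is {group.sample_type}")
        group.credential_ids.add(cid)


def fill_group_by_tags(group, credentials, tags):
    """Populate with credentials that carry ALL the given tags (and the group's sample type)."""
    wanted = set(tags)
    for cred in credentials.values():
        if cred.sample_type == group.sample_type and wanted <= cred.tags:
            group.credential_ids.add(cred.credential_id)


def cosine(a, b):
    """Toy similarity between two templates, in [-1, 1]."""
    return sum(x * y for x, y in zip(a, b)) / (math.hypot(*a) * math.hypot(*b))


def identify(group, credentials, sample_type, sample, tags=None):
    """1:N search: (subject_id, similarity) candidates, highest similarity first.
    Extra tags narrow the search to group members that carry all of them."""
    if sample_type != group.sample_type:
        raise ValueError(f"group {group.name} expects {group.sample_type} samples, got {sample_type}")
    wanted = set(tags or ())
    candidates = [
        (credentials[cid].subject_id, round(cosine(credentials[cid].template, sample), 4))
        for cid in group.credential_ids
        if wanted <= credentials[cid].tags
    ]
    return sorted(candidates, key=lambda c: c[1], reverse=True)


def purge_expired_groups(groups, today):
    """Drop group resources past their expiry date; credentials and accounts stay."""
    expired = sorted(name for name, g in groups.items() if g.expires_at < today)
    for name in expired:
        del groups[name]
    return expired


def build_demo_groups():
    """Two constructed groups: one filled by list, one filled by tag."""
    all_voice = Group("all-voice", "voice", "2099-01-01")
    fill_group_by_list(all_voice, CREDENTIALS, ["c-alice", "c-bob", "c-carol"])
    premium = Group("premium", "voice", "2020-01-01")
    fill_group_by_tags(premium, CREDENTIALS, ["premium"])
    return {"all-voice": all_voice, "premium": premium}


if __name__ == "__main__":
    groups = build_demo_groups()
    probe = (0.9, 0.1)  # constructed new voice sample
    print(identify(groups["all-voice"], CREDENTIALS, "voice", probe))
    print(identify(groups["all-voice"], CREDENTIALS, "voice", probe, tags=["madrid"]))
    print("expired:", purge_expired_groups(groups, "2024-06-01"), "still stored:", sorted(CREDENTIALS))
```

The ranked list is only the input to the decision-making phase; whether the top candidate is accepted, and with what margin over the runner-up, remains the customer's policy.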