A few days ago, the National Cryptologic Centre (CCN) published CCN-TEC 103, ‘Secure biometric technologies for access control’, which provides an updated view on the role of biometrics in access control, both physical and digital.
This document highlights the advantages of modern biometric technologies from an information security perspective, clarifying recent misunderstandings about their implementation and their compatibility with regulations such as the General Data Protection Regulation (GDPR), the National Security Scheme (NSS) and the European Regulation on Artificial Intelligence (AI Act).
In this article, we analyse the conclusions of CCN-TEC 103 that are most relevant, and have the greatest short-term impact, for implementing biometric identity verification solutions. First, let’s review the role of biometrics.
The National Security Scheme (NSS) and biometric authentication
The ENS (Esquema Nacional de Seguridad, the Spanish name of the NSS) is a Spanish regulatory framework developed by the CCN that establishes the principles and requirements for guaranteeing the protection of information in the public and private spheres.
Its main objective is to create a secure environment that promotes trust in technology. Within this context, the ENS considers biometrics one of the three possible authentication factors.
A biometric feature is an inherent factor, which makes it the only explicit guarantee of real identity as opposed to possession (something you have, such as a token) or knowledge (something you know, such as a password) factors. Non-inherent factors are based on assumptions, trusting that the person who knows or possesses something is who they say they are. However, to ensure a higher degree of security, it is essential to have a factor that explicitly assures identity. This is where biometrics play a crucial role, offering a clear method of validating the user’s identity.
Furthermore, advanced technologies such as Presentation Attack Detection (PAD) can identify impersonation attempts with high accuracy, enhancing the security of the biometric engine. Combining the three authentication factors allows highly robust identity verification systems to be built.
Physical access control, hierarchy and biometrics
In the physical domain, CCN-TEC 103 places particular emphasis on access control to spaces, and it revises the traditional ranking of manual and automatic processes by their degree of security. For a manual check to be equivalent to a biometric one, a person must validate the authenticity of the identity document (a task comparable to presentation attack detection) and confirm that the face on the document matches the bearer.
This dual process, carried out manually, requires considerable effort. Recent advances in facial biometric modelling driven by deep learning, however, have achieved higher accuracy rates than human operators, who make mistakes due to factors such as fatigue, cognitive bias or the limits of visual memory. Even so, a certain mistrust of biometric technologies persists in terms of information security, inherited from the technical limitations of previous generations.
From the limited anthropometric approach to deep learning security
Biometric systems prior to deep learning relied on anthropometric measurements: a mesh of facial points was extracted, and the distances between them were calculated to model features. This approach had several limitations: it required controlled environments, stored easily interpretable information, and generated interoperable and irrevocable vectors. These shortcomings slowed its adoption in critical processes.
All that changed with the advent of deep learning. Deep learning architectures generate feature vectors that do not contain directly interpretable information: during training, the network learns to extract biometric features from example data, producing robust, irreversible and non-interoperable biometric vectors.
New generation biometric templates (RBRs)
All these conditions are listed in ISO 24745, the standard on biometric information protection, which establishes the principles that should govern the new generation of biometric templates: Renewable Biometric References (RBRs).
To meet all the security requirements listed above, it is necessary to go a step further and add extra security measures to those provided by deep learning models. Some studies have managed, with limited success, to carry out white-box and black-box attacks that reconstruct the original features from deep-learning templates. Although such an operation would be extremely difficult in a real-life scenario, technical solutions are needed to give users of biometric systems security and confidence.
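The three RBR properties above (renewable, irreversible, non-interoperable/unlinkable) are easiest to see on a concrete cancelable-template scheme. The following is an added illustration in the style of BioHashing (key-seeded random projection followed by sign binarisation); it is not code from CCN-TEC 103 or from Mobbeel, and the feature vectors, the `token-v1`/`token-v2` keys and the 0.25 decision threshold are constructed for the demo.

```python
"""Cancelable biometric templates (BioHashing-style random projection).

Added illustration, not code from CCN-TEC 103 or Mobbeel. Assumptions:
the raw feature vector is a list of floats from some face model (here
constructed with a seeded PRNG), and the user-specific token/key is a
string the verifier can revoke and reissue.
"""
import hashlib
import random

DIM = 64      # dimensionality of the (constructed) raw feature vector
BITS = 256    # length of the protected template in bits


def random_projection(key: str, dim: int = DIM, bits: int = BITS):
    """Derive a key-specific Gaussian projection matrix from the token.

    The matrix is regenerated from the key on each use and never stored,
    so revoking the key makes every template derived from it worthless.
    """
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]


def protect(features, key: str):
    """Project the raw vector with the key-specific matrix and keep only signs.

    The sign step discards magnitudes, so the bit string does not reveal the
    feature vector; a new key yields an unrelated bit string for the same
    person (renewable, and unlinkable across keys).
    """
    matrix = random_projection(key, len(features), BITS)
    return [1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
            for row in matrix]


def hamming_distance(a, b) -> float:
    """Normalised Hamming distance between two protected templates (0..1)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def verify(stored, probe_features, key: str, threshold: float = 0.25) -> bool:
    """Match a fresh sample against the stored template under the same key."""
    return hamming_distance(stored, protect(probe_features, key)) < threshold


# --- constructed sample data (stand-ins for real face embeddings) ----------
def sample_features(seed: int, noise: float = 0.0):
    rng = random.Random(seed)
    base = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    if noise:
        jitter = random.Random(seed + 1000)  # another capture of the same person
        return [x + jitter.gauss(0.0, noise) for x in base]
    return base


ENROLLED = sample_features(seed=1)
SAME_PERSON = sample_features(seed=1, noise=0.1)
OTHER_PERSON = sample_features(seed=2)


def demo():
    """Distances for a genuine probe, an impostor, and the same person
    under a renewed key (the old template must not match the new one)."""
    stored = protect(ENROLLED, "token-v1")
    return {
        "genuine": hamming_distance(stored, protect(SAME_PERSON, "token-v1")),
        "impostor": hamming_distance(stored, protect(OTHER_PERSON, "token-v1")),
        "revoked_key": hamming_distance(stored, protect(ENROLLED, "token-v2")),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:12s} distance = {d:.3f}")
```

Running it shows a genuine distance of a few percent, while both the impostor and the same person under a new key sit near 0.5, which is what "renewable" and "non-interoperable" mean in practice: a leaked template is cancelled by issuing a new token, and templates from different keys or systems cannot be cross-matched. Real schemes additionally keep the token secret from the storage side, since the binarised template alone is the only thing that should ever be stored.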
Innovations in data protection: crypto biometrics and encryption
At Mobbeel, we have long been researching and applying advanced technologies to protect biometric information. One example is crypto biometrics, which makes it possible to encrypt vectors with customised cryptographic keys and perform indirect comparisons without decrypting the original information. This has interesting applications in contexts such as finance, where, for example, an encrypted biometric together with the hash of a transaction can be used to jointly validate a bank transaction and the identity of the person carrying out the transaction.
In other cases, such as the secure storage of biometric data, homomorphic encryption allows verifications to be performed without the need to decrypt the information while preserving its security at all times.
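The two paragraphs above describe comparing encrypted biometric vectors without ever decrypting them. As an added example that is not Mobbeel's product code, the following uses the additively homomorphic Paillier cryptosystem (a specific scheme chosen here for illustration; the article does not say which scheme Mobbeel uses) so that a matching server holding only ciphertexts can compute a similarity score, while only the key holder can open that score. The primes, the 64-dimension vectors, the 127 quantisation scale and the 0.6 threshold are constructed for the demo; the primes are far too small for real use.

```python
"""Matching an encrypted biometric template without decrypting it.

Added illustration, not Mobbeel's code. Uses Paillier (additively
homomorphic) with two hard-coded small primes so it runs offline; a real
deployment would use a 2048-bit or larger modulus. Assumed role split:
the key holder (e.g. the user's device or an HSM) enrols E(template);
the matching server stores only ciphertexts, scores a plaintext probe
against them homomorphically, and returns a single ciphertext that only
the key holder can decrypt. Note that in this simple scheme the probe
itself is in the clear at the server; only the stored reference is protected.
"""
import math
import random

# Two known primes (toy size); n = p*q is the Paillier modulus.
P = 1_000_000_007
Q = 998_244_353
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1)
MU = pow(LAMBDA, -1, N)                                 # lambda^-1 mod n
DIM = 64           # constructed embedding size
SCALE = 127        # quantisation scale for the normalised features

_rng = random.SystemRandom()


def encrypt(m: int) -> int:
    """Paillier encryption with g = n+1: c = (1 + m*n) * r^n mod n^2.
    Negative m is encoded as m mod n."""
    r = _rng.randrange(1, N)
    return (1 + (m % N) * N) % N2 * pow(r, N, N2) % N2


def decrypt(c: int) -> int:
    """Recover m, mapping residues above n/2 back to negative integers."""
    u = pow(c, LAMBDA, N2)
    m = ((u - 1) // N) * MU % N
    return m - N if m > N // 2 else m


def add(c1: int, c2: int) -> int:
    """E(a) * E(b) = E(a + b): addition on ciphertexts."""
    return c1 * c2 % N2


def scale(c: int, k: int) -> int:
    """E(a)^k = E(k * a): multiplication of a ciphertext by a known integer."""
    return pow(c, k % N, N2)


def quantise(vec):
    """L2-normalise and round to integers so the inner product is a scaled cosine."""
    norm = math.sqrt(sum(x * x for x in vec))
    return [round(x / norm * SCALE) for x in vec]


def enrol(template):
    """Key holder: encrypt each quantised feature; the server stores this list."""
    return [encrypt(t) for t in quantise(template)]


def server_score(enc_template, probe):
    """Matching server (holds no key): E(sum t_i * s_i) from E(t_i) and plaintext s_i."""
    acc = encrypt(0)
    for c_t, s in zip(enc_template, quantise(probe)):
        acc = add(acc, scale(c_t, s))
    return acc


def key_holder_decides(enc_score, threshold: float = 0.6):
    """Key holder: decrypt only the aggregate score and apply the threshold."""
    cosine = decrypt(enc_score) / (SCALE * SCALE)
    return cosine, cosine >= threshold


# Constructed sample feature vectors standing in for face embeddings
def sample(seed: int, noise: float = 0.0):
    rng = random.Random(seed)
    v = [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    jit = random.Random(seed + 500)  # a second capture of the same person
    return [x + jit.gauss(0.0, noise) for x in v] if noise else v


ENROLLED = sample(7)
GENUINE = sample(7, noise=0.2)
IMPOSTOR = sample(8)


def demo():
    """Score a genuine and an impostor probe against the encrypted reference."""
    stored = enrol(ENROLLED)
    return {
        "genuine": key_holder_decides(server_score(stored, GENUINE)),
        "impostor": key_holder_decides(server_score(stored, IMPOSTOR)),
    }


if __name__ == "__main__":
    for name, (cosine, accepted) in demo().items():
        print(f"{name:9s} cosine = {cosine:+.3f}  accepted = {accepted}")
```

The point to take from the design is the separation of duties: a breach of the matching server yields Paillier ciphertexts and nothing that can be inverted into a face, and each fresh encryption is randomised, so two enrolments of the same person are not linkable by ciphertext equality. The cost is that the server can only do additions and scalings, which is enough for an inner product or cosine score but not for non-linear matchers; schemes such as fully homomorphic encryption lift that limit at a much higher computational price.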
Risk levels and biometrics in the European AI Regulation
Finally, questions have been raised about the role of biometrics in the European AI Regulation. This regulation, which is still under development, classifies uses according to their risk, from prohibited to minimal risk. While some marginal uses of biometrics fall into high-risk categories, the systems developed by Mobbeel are classified at low or no-risk levels. This is because they are not indiscriminate, require active user acceptance and do not store information that can be reused for other purposes. In this way, CCN-TEC 103 endorses that solutions such as those marketed by Mobbeel are fully operational and fall under the umbrella of the uses authorised by the AI Act.
To sum up…
- The popularisation of remote digital services has made it essential to develop identity verification systems that allow users to be authenticated securely and simply.
- Biometrics is a key method for building robust authentication models, as it provides a necessary inherency factor.
- Recent advances in AI have overcome some of the limitations of previous-generation biometric technologies, making it possible to verify users’ identities with secure and non-invasive methods.
At Mobbeel, we continue to lead the industry with more than 15 years of experience. We anticipate challenges and offer innovative solutions that meet the highest standards of security and privacy as understood in CCN-TEC 103.
I am Head of Mobbeel’s Innovation Department and I work together with the rest of the team in the research and development of biometric and identity verification technologies for the continuous improvement of our products.