Monthly Archives: December 2020

Exploring Facial Biometrics. What is it?

Contributions made by members of the DIACC’s Outreach Expert Committee

In 2017 Apple unveiled a new biometric sensor in its flagship iPhone X, and the media couldn’t stop talking about “Face ID.” Fast-forward three years: Face authentication has been well received by users, and face scans are now employed to unlock Google’s Pixel smartphones, as well as devices from many other top-tier manufacturers. And now, Governments and enterprises worldwide are looking to facial biometrics to address their need for trustworthy remote identity verification during and after the global pandemic. And it makes sense, we interact with other humans by seeing, being seen, speaking, and listening, so naturally, our interactions with technology will also evolve toward our most selected for modalities.

In some countries, remote face verification is already being used to prove user identity for many important applications. From remote citizenship verification to pension payments to accessing government services, the face modality can provide a secure way for users to prove their identity without the need to appear in person at a specific location. This tailored biometric technology enables unsupervised users to prove who they are remotely with the devices they already own. 

This blog post defines the most common types of facial biometrics and explores the role that face verification and authentication will play in the future of digital identity, in addition to setting the stage for more in-depth posts on topics such as how user data and privacy are managed, the impact of COVID-19 on face verification, new advancements that enable unsupervised remote access and account creation, Liveness Detection, as well as the more technical aspects of this evolving biometric technology.

There are three common uses for facial matching technology:

  1. Verification answers the question, is this person legally who they claim to be? For example, where a business has a need to confirm your existence, a KYC (Know Your Customer) file can simplify the process to identify you by matching your selfie against the photo which is loaded on your passport chip or to the source ID photo stored in a government database. A digital photo of a user-provided ID Document can also be matched against, but since it is not verified with the issuer of the legal identity and high-quality fake IDs do exist, it provides a lower level of assurance and results in added controls used by companies to compensate for this.
  2. Authentication leverages the ability to match one’s previously enrolled biometric data to log into a device, a website, or application. Face Authentication offers the balance of security and user convenience long sought by consumers.
  3. Recognition seeks to match face data from an unknown individual and make their identity known by finding a match in a database of known faces. This has been known to be used in some countries by law enforcement and border patrol where the person may have limited or no awareness that the face scanning is taking place and have not provided their consent.

Regarding the three uses outlined above, the verification process is of high priority to the public and private sectors alike. Verification through facial biometrics is an approved method of the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), enabling Canadians to open a bank account without physically visiting a branch. Additionally, in July 2020, the British Columbia Government launched their Send Video feature within the mobile BC Services Card to meet the increased demand for alternative ways to verify a person’s identity in order to activate a mobile BC Services Card and, in turn, making it easier for provincial residents to access online government services during the COVID-19 pandemic and in the future. In these instances, the individual is aware and has consented for their identity to be verified for a product (i.e., account opening) or service (e.g., applying for a driver’s license, services card, or passport).

Verification also addresses the justified concerns regarding privacy. A GAO’s report, The International Biometrics + Identity Association’s (IBIA)Principles for Biometric Data Security and Privacy, states that technological constraints around some facial biometric technologies drive a need for all commercial and civil government applications, organizations to protect biometric data retained by using biometric one-way template transformation. New practices will likely require a liveness detection layer as well, especially when the biometric data is captured in an unsupervised environment. In addition, the IBIA’s Best Practices state that it is good practice to maintain a separation between biometric and associated non-biometric personal information.

The impact of large data breaches is both a significant privacy intrusion and direct financial impact to society in covering the losses due to crime and controls to prevent it. Facial Biometrics can dramatically reduce the criminal demand for data when used for both verification and authentication as a replacement of Knowledge Based Authentication (KBA) by limiting the ability of this information to be used for account takeovers and identity theft. It also has a beneficial side effects by reducing the need for customers to provide unrelated personal information. Knowledge questions such as requesting your mother’s maiden name to open a bank account is a direct contrast against the privacy principle of only collecting the information needed for the relevant purpose. With no reasonable expectation that Data Breach frequency will decrease in the future until wide-scale Knowledge Based Authentication has been replaced, biometrics have begun to bridge the confidence gap, while reducing the added friction.

Policymakers, privacy advocates, and regulators understand that new technologies are being added to existing facial biometric matching to render leaked personal data useless and ensure that any leaked biometric data is both isolated and encrypted to reduce the impacts on individuals from an identity fraud perspective. Liveness detection technology, for example, prevents malicious users from reusing biometric data by requiring a 1st generation capture of new data every time for verification of an individual. It is also common practice not to store face images in databases unencrypted; instead, photos are converted into data in a string of numeric values commonly referred to as a biometric template. 

Face matching and Liveness Detection are powerful technologies that, when combined, enable privacy-preserving biometric use cases like replacing easily guessed or compromised passwords and health-preserving social-distancing use cases like remotely opening a bank account. Many are starting to agree that these security and usability benefits are a tremendous improvement over the previous generation of authentication methods.  

In short, for the purposes of allowing a user to positively identify themselves from their own device, only face verification and face authentication are employed. Face verification creates trust, while face authentication maintains it. Both functions are covered in the Pan-Canadian Trust Framework™ that is intended to support a robust digital identity, trust ecosystem that will allow all Canadians to do more online, in a safer, more secure, and confident way. 

Making Sense of Digital Wallets

Guidelines for Design

Recent advances in the state of the art of digital identity systems are putting the user back in control of their information and their privacy. An important building block of this advancement is the digital wallet for users. This document proposes what a trusted digital wallet should aim to do. Without it, software developers are left to guess, the marketplace offering will be fragmented, and ultimately will result in delaying the adoption of user-centric digital identity solution.

Download the paper.

Making-Sense-of-Digital-Wallets_VF

Help Define and Design the Future of Canada’s Levels of Assurance with DIACC

Online transactions, interactions, and service delivery are no longer aspirational end-states. In the wake of COVID-19, digital has become the default for many Canadians and industries. Making that default work long-term means earning and maintaining trust for people and platforms. Levels of assurance (LOAs) create a clear roadmap for developing that confidence, both for teams offering and people accessing services. Learn more about LOAs in our recent post to understand why they matter to Canadians, where we’re at and where we go from here.

“Making sure we have a common way to evaluate and measure the integrity of that data is central to a common bar of acceptance,” DIACC President Joni Brennan explained. To get a better understanding of how LOAs are a core factor in the future and success of digital platforms, we spoke with Joni and George Watt, Partner, Strategy and Lean Innovation Practice at Becker-Carroll. George has extensive experience leading and developing innovation and security with global enterprises.

Why are Levels of Assurance so important right now? 

George Watt: The pandemic accelerated the pace of digital transformation to breakneck speed. Governments have responded with impressive resolve to deliver new digital services safely. The private sector faced similar challenges with lockdowns and restrictions, new customer needs and opportunities to better serve their customers. For some, these transformations are imperative just to remain viable.

These organizations, both public and private, need to be able to safely transact digitally with their customers, and to interact with one- another. They need to be certain the entities they’re dealing with are who they claim to be with a level of confidence commensurate with risk inherent in each transaction. 

Levels of Assurance are about specific agreements between participants in an ecosystem that enable them to understand the level of confidence they can place in those transactions.

When it’s done well it becomes an unambiguous contract that makes it safe for people to transact digitally. 

Joni Brennan: The LOA conversation is important because it is a piece of the conversation that focuses on the verification of information that would be part of a transaction is authentic. The technical conversation is an important part of the puzzle… but making sure we have good data that can be relied upon and have assurance around that data is ultimately critical. 

For example, if I were a bank, I want to know data is good no matter where it came from. 

LOAs are an important piece of the puzzle for making transactions possible. 

What’s a use case where Canadians interact with LOAs? 

George Watt: When citizens interact with these LOA schemes they aren’t aware it’s happening – but they are aware of its impact. Signing into social media is a low risk example that many people do every day – but those service providers don’t truly know who their customers are. Any of the other services Canadians access with those social media digital credentials would also be considered low level of assurance because nothing is done to ensure the account holder is who they claim to be. 

Online banking is a high risk example. Compromise of that information could be devastating and could lead to bankruptcy or worse. That’s why the Canadian banking industry has a very high LOA standard that helps ensure customers are who they say they are, and helps customers protect themselves. 

The consumer doesn’t see these LOAs in explicit ways but sees their impact implicitly. For example, you don’t need to visit Facebook HQ to get an account – it has a low level of assurance – but you do need to visit your financial institution or go through a more rigorous process to prove who you are to get a bank account. They require a higher level of confidence that they know who you are. 

Joni Brennan: The ability to access city plans and interface on a decision like [changing traffic flow to create active streets] would be a lower risk interaction. Learning that there will be some barriers set up for bicycles would be low risk for other citizens or the municipal government. 
Accessing your pension or tax refund would be an example with higher risk. Something that we haven’t solved yet (but relates to digital ID) is access to digital medical records. Ideally, it will be in a way that the patient can access their own records and make those records transferable or portable between doctors, between patients and across different devices. Access to health records in a ubiquitous way is high risk. It’s something we don’t have today that identity and LOA would help with.

What’s the biggest advantage of a strong LOA scheme? 

Joni Brennan: Part of the ‘why’ behind why we’re talking about this is because we have different LOA schemes in Canada today. Those different schemes have created room for challenges and adoption delays, across different regions and different stakeholders. Different parties might be using the same assurance number – but the way they’re calculating it isn’t consistent, leading to variable outcomes. 

A level of consistency and transparency in terms of assurance – that relates to individual capability in a transaction – makes acceptance and confidence in an interaction clearer and helps the economy as a whole. It’s important for banks, governments, telecommunications providers, and users. Strength in a common acceptance and transparency would help and that’s what we’re missing right now in Canada. 

George Watt: It’s important that we develop a common understanding of these risks and establish a shared vocabulary that ensures we all evaluate risks the same way. Strong LOA schemes will enable positive economic and social impact through more robust delivery of services across domains. 
If we don’t understand those risks collectively, we either won’t deliver the services necessary to live up to our potential — or we will deliver them without understanding the risks, which could be even worse and potentially set us back. Trust is speed. A strong scheme means faster delivery of more robust and trustworthy services. Participation in these digital ecosystems will drive better seamless services for all Canadians.

Why is DIACC advocating for stronger and consistent LOAs?

Joni Brennan: We need commonality in terms of how information is verified. For that measure of assurance of information, we need a common scheme that works across the different schemes that exist in Canada today. It will create visibility and a common approach so that no matter the industry, teams can work from the same starting point for validation and verification of information. That is so important, whether it’s health or AI or smart cities. 

The current scheme and current state of the art doesn’t provide the level of dynamism required in a hyperconnected ecosystem. The current ‘1 through 4’ scheme applied on top of a complicated transaction involving many partners with different capabilities – that singular number is actually insufficient. It’s much better to have transparency, visibility, and a ‘score card’, if you will, that measures assurance that is verified. That’s the kind of dynamism and transparency we need in a hyperconnected ecosystem, that provides scalability in an LOA scheme. 
George Watt: What we had was good – but it needs to evolve to keep up with what we’re dealing with now. We need to solve tomorrow’s challenges today, not yesterday’s problems. A more modern approach to LOAs is necessary to make that happen.

What will be the biggest factor for success? 

George Watt: Bringing the public and private sector together and bridging the many international standards groups… I think the defining factor for success will be collaboration. There are lots of smart people who’ve been thinking about this. More importantly this assurance scheme will work best when private and public sector, NGO and standards orgs work together to create a more trustworthy, more robust ecosystem that allows Canada to live up to its potential. Collaboration will be key. 

Joni Brennan: Collaboration will also represent a diversity of stakeholder needs and values – which is important to ensure the way forward is as inclusive as it can be. Success requires communication and education around the why – why we’re doing this work, the value, as well as how this work will be adopted. 

As George said, for people participating in a transaction these LOAs are meant to be invisible. They’re not always the most exciting or technical part of the work – but they provide that layer of integrity underneath the technology and user experience. To succeed, we’ll need education and communication.

George Watt: Diversity is the rocket fuel of innovation. Working with DIACC, I’ve always been impressed by the diversity of membership and those who participate. It’s a diverse group of smart people who are willing to come together to work on important and complex problems.

Bring your voice to the DIACC and share your perspective on how we can solve these pressing, complex challenges. Together, through our Five Year Strategy, we’re aiming to identify key policy and regulatory enablers and barriers to digital identity growth, including creating a unified approach to LOAs. Join us and subscribe for more on LOAs in Canada.

Spotlight on FaceTec

1.What is the mission and vision of FaceTec?

FaceTec’s mission is to end identity theft and protect privacy by ensuring access to important accounts and information is only available to their legal owners. FaceTec’s state-of-the-art biometric cybersecurity AI has been specifically designed to enable widespread, secure, unsupervised identity verification and user authentication from any modern smart device or PC with a webcam. 

2. Why is trustworthy digital identity critical for existing and emerging markets?

Strong, reliable, digital identity verification empowers individuals by allowing full access and control over current accounts, and protects them when they open new accounts. Trusted digital identity is also critical for enterprise, allowing them to ensure the customers they interact with are legally who they purport to be. By fostering trust on both sides of any remote interaction, FaceTec lowers friction while increasing value. Beyond quantifiable economic benefits, effective user authentication offers noneconomic value to individuals through social and political inclusion, rights protection, and enhanced transparency. The certainty trustworthy digital identity provides is a benefit to individuals, organizations, and society as a whole, and drives higher overall social and economic utility.

3. How will digital identity transform the Canadian and global economy? How does FaceTec address challenges associated with this transformation?

The adoption of a trustworthy remote digital identity verification program will pay quick and lasting dividends in Canada’s social, economic, and political activities. Natural communications barriers – within and outside of Canada – including vast distances, changing weather, and topographical challenges, will be minimized, fostering simplified, trusted interactions regardless of the environmental circumstances.

FaceTec’s technologies were created from inception to promote inclusion and provide the same advantages to anyone with digital access, regardless of their physical, economic, or social status.

4. What role does Canada have to play as a leader in this space?

Canada’s international reputation for thoughtful, rational decision-making will lend significant credibility to the adoption of strong digital identification programs. With a very diverse and large population, Canada will prove to be a beacon for other large-scale digital ID projects that society as a whole will benefit from.

5. Why did FaceTec join the DIACC?

The DIACC’s goals and approaches to solving a major social and economic problem are aligned with FaceTec’s. Leveraging the DIACC’s comprehensive relationship network and FaceTec’s first-hand technology and market experience, will ensure the development of a much more effective and inclusive solution.

6. What else should we know about FaceTec?

A pioneer and global leader in biometric cybersecurity dedicated to privacy, security, and transparency, FaceTec has provided the most accurate remote authentication technology to hundreds-of-millions of users on six continents. FaceTec patented 3D FaceScan UI, battle-tested 3D Liveness Detection, and 3D Face Matching AI anchors identity and enables true passwordless authentication from all modern smart devices and webcam-enabled systems. FaceTec’s small-footprint (3.9mb) device SDKs and neural-network-powered server SDK comprise a complete, feature-rich authentication platform that allows customers’ user data to stay encrypted behind their own firewalls. Easy to integrate into any app or web page, hundreds of organizations now provide exceptionally secure new account onboarding and ongoing access to high-value accounts in financial and government institutions, telecoms, ecommerce, blockchain, social networks, and more.

Spotlight on Acuant

1.What is the mission and vision of Acuant?

Acuant’s mission is to power trust. We do this by enabling trusted transactions that are privacy minded, putting consumers in control of their data and minimizing risk. We are mindful that a mission must be founded upon a set of core values and business principles. For Acuant this means that we take a customer centric approach that defines our purpose, guides our products and harnesses the innovation and enthusiasm of our people. Our vision is that identity is the new currency and it should belong to the individual who may choose when and how to share their personally identifying information or PII. This must be balanced with the fact that the need for strong, customer-friendly identity proofing solutions has never been greater. As PII is continuously jeopardized, Acuant serves to find a way to create trusted transactions that puts individuals at ease and in control, while simultaneously allowing businesses to address their appropriate level of risk. We see ourselves as a global player on the good side of managing identity to aid in reducing human trafficking, combatting commercial fraud and safeguarding our borders

2. Why is trustworthy digital identity critical for existing and emerging markets?

Acuant believes that digital identity will unlock both the Canadian and global markets by providing two critical ingredients:  1) an individual’s personal control over their own identity and how it is used; 2) the ability for a commercial or government to trust the transaction even when the person is not present.

3. How will digital identity transform the Canadian and global economy? How does Acuant address challenges associated with this transformation?

Acuant has been and remains committed to the proper and protected use of identity in powering transactions from boarding crossings to payments. Our Trusted Identity Platform provides identity verification, regulatory compliance and digital identity solutions leveraging AI and human assisted machine learning to deliver tools and technologies necessary for this transformation.  These omnichannel solutions provide seamless customer experiences when it comes to verifying identity, fighting fraud and establishing trust across the physical and digital world. The result is accurate risk decisioning, allowing businesses to move faster and deliver the best user experience across all channels.

4. What role does Canada have to play as a leader in this space?

We believe that Canada provides a wonderful canvas for the design and implementation of a digital identity ecosystem.  It has a robust economy, a diverse population who embrace choice, control and convenience, principles in privacy and democratic regulation and a long history of working hard to collaborate with international standards and enabling interoperability.

5. Why did Acuant join the DIACC?

Acuant joined DIACC because we believe in and want to participate in the creation of a Pan-Canadian trust framework that we envision being woven together with like frameworks from around the world.  Acuant has a long history of working with government  and commercial entities in fighting the good fight against fraud, terrorism, human trafficking, anti-money laundering with the utmost respect for privacy and  an individual’s control over their identity (which, as we state,  we view as the new currency).  We have also had a long tradition of working in Canada.

6. What else should we know about Acuant?

At Acuant we build great products and we stand behind those products. We have been in the industry for over 20 years, processing more than 4 million transactions each month in over 200 countries and territories and have created more than 400 million trusted digital identities with our patented eDNA™ technology. Our Trusted Identity Platform offers automated identity verification, regulatory compliance (AML/KYC) and digital identity solutions for the most secure environments (government services, border crossings, healthcare, banking) to consumer lifestyle apps and everything in between. We offer omnichannel deployment that allows seamless customer experiences for all to fight fraud and establish trust from any location in seconds.