Biometric recognition refers to the automated recognition of individuals based on their physical, biological or behavioural characteristics. Since biometric characteristics cannot be lost or forgotten, biometric authentication solutions are in general prefered over their password or physical token counterparts. Biometric solutions are more convenient and quicker to use, but are not exempt from vulnerabilities. If not well protected, they may actually be vulnerable to impersonation attacks and privacy leakage. Biometric data serves as a long-term and unique personal identifier, hence categorized as a highly sensitive personal data, falling under the scope of the General Data Protection Regulation (GDPR).

As biometric-based technologies are deployed at a larger scale, biometric databases and devices become natural targets in cyber attacks. These cyberattacks have the potential to be harmful on the long term if they lead to the theft of biometric data. Furthermore, the biometric identifiers of individuals should be transmitted to service providers in a form that prevents cross-matching across databases. Privacy is a fundamental right which is now enforced through the GDPR. Our project PRIVABIO will contribute to both the security of biometric solutions and the technical enforcement of this fundamental right.

Faced with the mentioned vulnerabilities and requirements, the community has proposed primitives dedicated to biometrics, so called biometric template protection schemes (BTP), as well as privacy-preserving biometric recognition protocols. With the popularity of mobile smart devices, some security standards such as FIDO and BOPS have also emerged. The vast majority of these mechanisms and protocols, including the standards, are not systematically accompanied by formal security analyses. In this project, we will conduct a thorough analysis of existing solutions. By developing a better understanding of their security, we will define suitable security models and propose tailored primitives and protocols.

The goal of the PRIVABIO project is to mitigate security and privacy problems in the use of biometrics, by offering low-cost protocols with security guarantees proportional to the high sensitivity of these personal data. PRIVABIO is divided into the following 4 axis:

1. Evaluate the security of biometric template protection (BTP) schemes and biometric protocols.

2. Provide more secure BTP schemes without degrading recognition accuracy, and without compromising their usability on resource-constrained devices.

3. Identify cryptographic mechanisms of interest for privacy aspects.

4. Integrate biometric and cryptographic mechanisms into multi-factor authentication protocols as well as into identification protocols, by providing formal security guarantees.

Identifier: ANR-20-CE39-0005
Starting date: 2021-02-01
End date: 2025-01-31