TL;DR
- NIST publishes second draft of digital identity guidelines, invites comment
- Idemia, Mattr, SpruceID chosen to work on NIST mDL project
- Microsoft makes MFA mandatory for Azure sign-ins
- DHS selfie biometrics evaluation for remote IDV shows a range in performance
- Ant Group launches deepfake detection challenge
- W3C issues new technical draft for verifiable credentials standards
- New iOS APIs will allow NFC transactions outside Apple Wallet, Apple Pay
- Samsung offers $1M bounty for ethical hackers to crack Knox Vault
- Metalenz uses polarization information for secure face biometrics
- Pindrop introduces a voice deepfake detection tool
- Free face swap tool goes to number one on GitHub
- 2.5M Scots embrace MyAccount, Yoti digital ID
- Jordan accelerates digital transformation with iris biometrics
- Indian regulator considers biometric authentication for UPI payments
- Australia’s TEx digital verification system could be a ‘golden ticket’ for fraud, says industry
- First digital ID approved as legal voter identification in North Carolina
- Nigeria gains over $5M for digital ID ecosystem from currency devaluation
- Worldcoin bringing iris biometrics operation to Malaysia
Biometrics Market
The Biometric system market size is projected to grow from USD 36.6 billion in 2020 to USD 68.6 billion by 2025; it is estimated to grow at a CAGR of 13.4% during the forecast period. Increasing use of biometrics in consumer electronic devices for authentication and identification purposes, the growing need for surveillance and security with the heightened threat of terrorist attacks, and the surging adoption of biometric technology in automotive applications are the major factors propelling the growth of the biometric system market.
Research & Development
NIST publishes second draft of digital identity guidelines, invites comment
The National Institute of Standards and Technology (NIST) has released the second draft of its updated Digital Identity Guidelines (SP 800–63 Revision 4), which aims to enhance secure access to services while accommodating various identification methods. This revision follows extensive feedback from stakeholders and introduces significant updates, including expanded guidance on emerging technologies such as syncable authenticators (passkeys) and digital wallets. The guidelines also emphasize the importance of maintaining access for individuals using traditional identification methods, including in-person identity proofing. NIST has incorporated expert input to refine biometric verification practices, focusing on accuracy, privacy, and the availability of alternative options. The draft is open for public comment until October 7, 2024, and a webinar is scheduled for August 28, 2024, to discuss the updates.
Microsoft makes MFA mandatory for Azure sign-ins
In response to the escalating threat of cyberattacks, Microsoft has made multi-factor authentication (MFA) mandatory for Azure sign-ins. Through its Secure Future Initiative, the company states its focus on safeguarding digital identities and secrets, aiming to thwart unauthorized access to resources, even in the event of compromised credentials.
For businesses utilizing Microsoft Entra, Microsoft offers various options to enable MFA for users. These include Microsoft Authenticator, which facilitates sign-in approvals through biometrics, one-time passcodes, FIDO2 security keys, certificate-based authentication, passkeys, and SMS or voice approval.
According to Microsoft, the critical signing and platform keys will be protected using hardware security modules and confidential computing. These measures include automatically rotating the keys to prevent unauthorized access. Additionally, the company will enforce MFA methods that are resilient against phishing attacks to protect user accounts.
These mandatory security measures are designed to help businesses comply with various industry standards and regulations, such as the General Data Protection Regulation (GDPR) and the National Institute of Standards and Technology (NIST).
Microsoft’s internal survey revealed that multi-factor authentication can block over 99.2 percent of account compromise attacks. The company initially deployed MFA across its Entra ID tenants, including development, testing, demo, and production environments, with plans to extend this to all Azure customers.
MFA will be implemented in phases for Azure users. The initial phase, which begins in October 2024, will make MFA mandatory for accessing key administrative portals such as Azure Portal, Entra Admin Center, and Intune Admin Center.
Subsequently, the second phase will extend MFA requirements to additional Azure clients and tools, including Azure CLI and Azure PowerShell. Microsoft states that customers with complex environments will be given additional time to comply with the MFA requirements.
Ant Group launches deepfake detection challenge
The deepfake detection boom has taken a financial turn in China, with the announcement of the Global Multimedia Deepfake Detection Challenge 2024, a contest sponsored by the Inclusion Conference on the Bund and digital conglomerate Ant Group (of which Alibaba is majority owner).
A news release promises a total prize pool of 1,000,000 Chinese yuan (around US$137,000) to be won by entrants that can innovate, develop and test deepfake detection models that are more accurate and effective in a series of real-world scenarios. Registration closed on July 31 and testing is currently in progress. Results are to be announced in early September.
Per the release, the deepfake challenge is structured into two tracks: an image track and an audio/video track, featuring comprehensive datasets with “multi-dimensional face forgery methods.” The twenty models that are best at predicting the probability of a deepfake will advance to the final round, where a panel of experts will evaluate their deepfake detection tech against criteria including “accuracy, generalizability, innovation, practical applicability and the interpretability of their solutions.”
Top three teams from each track will receive invitations to a special ceremony at the Inclusion Conference on the Bund in Shanghai.
Zoloz, a subsidiary of Ant Group that provides biometric identity verification — and, as of recently, deepfake detection software — is listed as contributing technical support. Other companies in the Ant Group ecosystem, Ant Security Lab and Alibaba Cloud, are also on board, as is the Advanced Technology Exploration Community (ATEC) and the Cybersecurity College of the University of Science and Technology of China.
W3C issues new technical draft for verifiable credentials standards
The World Wide Web Consortium’s (W3C) Verifiable Credentials Working Group this week issued its Candidate Recommendation Draft of specifications for the Verifiable Credentials Data Model v2.0 (VCDM 2.0) for the use of digital identification on the Web.
VCDM 2.0 introduces several enhancements, including processing clarifications, transitions into an tangible data model, media types, and data model simplifications while still maintaining the VCDM 1.1 baseline.
With support from the U.S. Department of Homeland Security’s Science and Technology Directorate (S&T) and U.S. Citizen and Immigration Service (USCIS), the W3C Working Group has been developing the online digital ID standards.
Jared Goodwin, Chief of the Document Management Division within the Office of Intake and Document Production at USCIS, said that with the support of S&T, USCIS, and many other like-minded partners, these standards describe how a secure, privacy respecting digital credentialing process can be implemented.
Part of the promise of the W3C standards is the ability to share only the data that’s necessary for a completing a secure digital transaction, Goodwin explained, noting that DHS’s Privacy Office is charged with “embedding and enforcing privacy protections and transparency in all DHS activities.” DHS was brought into the process to review the W3C Verifiable Credentials Data Model and Decentralized Identifiers framework and to advise on potential issues.
DHS S&T said in a statement last month that “part of the promise of the W3C standards is the ability to share only the data required for a transaction,” which it sees as “an important step towards putting privacy back in the hands of the people.”
New iOS APIs will allow NFC transactions outside Apple Wallet, Apple Pay
With the release of iOS 18 in September, developers can offer in‑app NFC contactless transactions through new NFC and Secure Element (SE) APIs, says an announcement from Apple.
This means contactless in-store transactions can occur directly within iOS apps, separate from Apple Pay and Apple Wallet. Users can either open an app for a scan, or set the app as their default contactless app in iOS Settings, then double-click the side button on iPhone to initiate a transaction.
NFC contactless transactions can also be applied to car keys, closed-loop transit, corporate badges, student IDs, home keys, hotel keys, merchant loyalty and rewards cards, and event tickets. Apple says support for government IDs is in the works.
Per their release, “the NFC and SE APIs leverage the Secure Element — an industry-standard, certified chip designed to store sensitive information securely on device.” The system leans on “a number of Apple’s proprietary hardware and software technologies when making a contactless transaction, including the Secure Enclave, biometric authentication and Apple servers.”
Apple says an upcoming developer seed will see the NFC and SE APIs made available to developers in Australia, Brazil, Canada, Japan, New Zealand, the UK and the U.S., with additional locations to follow. As a bit of gatekeeping, developers who want to use the APIs will “need to enter into a commercial agreement with Apple, request the NFC and SE entitlement, and pay the associated fees.”
Beyond NFC transactions, signs point to iOS 18 coming bundled with a number of new APIs that lay the groundwork for broader applications of digital identity.
Metalenz uses polarization information for secure face biometrics
Deploying secure facial recognition hardware camera sensors in smartphones has always been costly. Although Apple has achieved this, most Android devices still need help in this area. With face unlock becoming increasingly popular, many manufacturers are implementing face biometrics vulnerable to deepfakes.
Metalenz has developed a hardware system to tackle these challenges by consolidating individual plastic lenses into a single flat surface. This approach not only simplifies the design but also lowers the cost of camera systems, allowing OEMs to integrate sophisticated sensing devices into consumer electronics.
Metalenz’s PolarID is the company’s facial recognition system, which leverages proprietary lens technology that is capable of using polarization information. In an interview with DEMO, Metalenz CEO Rob Devlin explains, “If you can extract the polarization information, you can even analyze the underlying biology or chemistry of certain objects that you’re observing.”
In many cases, cameras capable of capturing polarization information require bulky and expensive equipment. Metalenz has miniaturized these capabilities to integrate into smartphones and other applications for access control.
Devlin also mentions, “You could do a scan of someone’s face with polarization and see whether a skin growth is cancerous or not. So there’s a future set of applications we see building off of the initial face unlock, but that’s the real first target.”
The potential applications of this camera system extend into medical diagnostics and automotive security, offering a face-based authentication mechanism for unlocking vehicles. With PolarID, the system allows users to also make digital payments and access sensitive information.
Last year, the company collaborated with Qualcomm to demonstrate PolarID on their latest Snapdragon mobile platform. The objective is to introduce a secure face unlock feature across the entire Android ecosystem, including approximately “1.5 billion devices.”
During the interview, Devlin presents the spoof detection capabilities, which were being run on an Android device powered by a Qualcomm Snapdragon chip. The system was tested against various spoofing methods, including 3D-printed masks and high-resolution photos.
These simulated facial features can deceive many current systems, particularly those relying solely on RGB cameras. However, PolarID’s utilization of polarization data sets it apart by separating genuine human skin and synthetic materials.
Jordan accelerates digital transformation with iris biometrics
Jordan has made progress in its digital transformation efforts as work is underway to add a biometric system for citizens over 18 years old to enhance access to e-Governmental and private sector services
IrisGuard Deputy Director Simon Reed tells Biometric Update in an interview about the key role that its system to provide proof of liveness utilizing only the human iris plays in bolstering the digital identity framework.
The digital identity system in Jordan, as described by Minister of Digital Economy and Entrepreneurship Ahmed Hanandeh, allows citizens to verify their identity without being present in person.
The system incorporates five key criteria: the national number, name, password, verification code, and phone number, with Hanandeh noting that the digital signature is now legally recognized in Jordan, with exceptions in specific cases, and most institutions have adopted digital documents, FANA reports.
Indian regulator considers biometric authentication for UPI payments
The National Payments Corporation of India is considering integrating biometric authentication into its Unified Payments Interface (UPI) transactions as a replacement for the current PIN or password-based methods, NewsBytes reports. The existing methods have vulnerabilities, including susceptibility to cyber threats such as phishing, hacking, and social engineering attacks.
Face and fingerprint biometrics are the modalities being considered, according to the report. Implementing biometric data would significantly improve the security of UPI transactions, mitigating the risk of payment fraud.
To enable biometric authentication for UPI payments, users need to link their Aadhaar number to their bank account. This is necessary because Aadhaar already contains the user’s biometric data, including fingerprints and iris scans. When making a transaction, the Point of Sale machine captures the user’s biometric data and verifies it against the stored data for authentication.
Although this method enhances the security of digital payments, the centralized storage of biometric data presents security and privacy risks. Strong data protection measures are imperative to foster trust in the system and promote widespread adoption.
Australia’s TEx digital verification system could be a ‘golden ticket’ for fraud, says industry
Australia’s plan to introduce a new digital verification system called Trust Exchange (TEx) continues to attract criticism from identity industry leaders and cybersecurity experts.
The AU$11.4 million (US$7.7 million) digital credentials scheme, which should allow Australians to store and share their identities through any digital wallet, has already been called a potential “honeypot” for cybercriminals. More complaints are now pouring in, including from academics, digital rights advocates and biometric identification companies such as IDVerse.
While the government’s TEx framework is a step in the right direction, it needs to be tightened — especially when it comes to validating identity documents, says Paul Warren-Tape, IDVerse’s general manager for Global Risk and Compliance.
“Right now, the system is far too vulnerable to document fraud — something IDVerse encounters all too often. The current checks are simply not enough; they need to be bulletproof,” he writes in a recent blog post.
IDVerse says the biggest issue for TEx is the initial registration process for digital identity. If fraudsters slip through the cracks during this phase, they will be handed a “golden ticket to commit fraud anywhere that accepts the new digital ID.”
The industry already has better practices to offer such as the FIDO Alliance’s Document Authenticity (DocAuth) Certification Program for Remote Identity Verification, Warren-Tape adds.
Australian Government Services Minister Bill Shorten announced the TEx last week, promising that the scheme would give more control to users over sharing data and sensitive information. The government would verify customer details for businesses and organizations through a smartphone app. Credentials will be stored in the myGov wallet, alongside personal data such as date of birth, address, citizenship, visa status, qualifications and other information held by the government.
Built alongside Australia’s national digital ID project, TEx is currently at the proof-of-concept stage and expected to be finalized by the end of 2024, followed by a pilot phase in early 2025. IDVerse, however, notes that the project’s details are murky at best while digital identification technology is facing rising threats such as deepfakes.
“Australians are essentially being asked to be the guinea pigs in an untested digital experiment. That should raise some eyebrows, especially given myGov’s less-than-stellar track record,” says Warren-Tape.
The myGov wallet, which allows Australians to access government services such as taxation, health, or social security, was hit by a scandal last year after it was discovered fraudsters used the platform to steal at least AU$557 million (US$373 million) in two years.
Minister Shorten said that TEx will work with the user’s preferred digital wallet, including one provided by MyGov. The system will be optional and decentralized while the government has promised additional protections that go “beyond existing privacy laws” to protect personal information.
But concerns over data privacy and security and trust in the system have been echoing throughout the industry. The most common complaint is that the TEx may turn into a honeypot, especially considering Australia’s history of data breaches.
These Weeks’ News by Categories
Access Control:
Corsight AI showcases facial recognition for new gaming law at Security Exhibition
Facial recognition targets scalping at concerts and festivals
Microsoft Entra ID authentication security flaw threatens hybrid environments
Microsoft makes MFA mandatory for Azure sign-ins
Facial recognition comes to Great American Ballpark with MLB Go-Ahead Entry
Selfie biometrics reach general availability on Microsoft Entra Verified ID
Vegas police don’t want to submit face biometrics to work NFL games
Passkeys highlighted in new CISA guidance on secure-by-design software
Mobile Biometrics:
Biometrics replacement of physical IDs hits another gear
DHS selfie biometrics evaluation for remote IDV shows range in performance
CBP One app found to have issues vetting users, security vulnerabilities
Are digital wallets safe? New research says ‘no’
Webinar with FIDO Alliance explores drivers for passkey adoption in the public sector
Over 3 in 4 like using digital wallets for ID verification, access control
California mDLs coming to Apple, Google digital wallets
EU seeks comments on EUDI Wallet regulations
Microsoft makes MFA mandatory for Azure sign-ins
New iOS APIs will allow NFC transactions outside Apple Wallet, Apple Pay
Financial Services:
Jordan accelerates digital transformation with iris biometrics
How face biometric payment companies can build consumer confidence: study
Asia-Pacific prepares for new tech regulation
Are digital wallets safe? New research says ‘no’
Indian regulator considers biometric authentication for UPI payments
Worldcoin bringing iris biometrics operation to Malaysia
Digital IDs can boost US financial inclusion say govt, private sector experts
The role of digital wallets in Pakistan’s digital public infrastructure
Idex, TaluCard launching biometric payment card for the visually impaired
Advance.AI solidifies Philippines presence with credit bureau services
Civil / National ID:
Biometrics replacement of physical IDs hits another gear
UNDP launches bid for 460 biometric registration kits for Honduras’ citizen registry
Australia’s TEx digital verification system could be a ‘golden ticket’ for fraud, says industry
First digital ID approved as legal voter identification in North Carolina
Asia-Pacific prepares for new tech regulation
2.5M Scots embrace MyAccount, Yoti digital ID
Nigeria gains over $5M for digital ID ecosystem from currency devaluation
Could the UK government’s AI plans bring more cash for private businesses?
Idemia, Mattr, SpruceID chosen to work on NIST mDL project
Digital technologies for birth registration must factor in data, gender considerations: APC
Government Services:
Australia’s TEx digital verification system could be a ‘golden ticket’ for fraud, says industry
DHS’s personnel vetting, clearance process still plagued by problems
OBIM to begin collecting data on new biometric tech in wake of problems
Latest draft of NIST digital identity guidance adds digital wallet, passkey details
2.5M Scots embrace MyAccount, Yoti digital ID
Patchwork of state AI privacy laws creates confusion and uncertainty
Macau’s one-stop strategy kicks off with mobile birth, marriage registration
White House poised to throw federal support behind mDLs
Home affairs plans digitization, cracks down on identity fraud in South Africa
Digital IDs can boost US financial inclusion say govt, private sector experts
Facial Recognition:
HID previews face biometrics camera system for airport access control
DHS selfie biometrics evaluation for remote IDV shows range in performance
Metalenz uses polarization information for secure face biometrics
How face biometric payment companies can build consumer confidence: study
Police use of facial recognition technology subject of upcoming public NAIAC meeting
Shots fired in debate over facial recognition-enabled bullet vending machines
Corsight AI showcases facial recognition for new gaming law at Security Exhibition
Aussie privacy watchdog casts evil eye at Clearview, Auror for biometrics collection
Clear biometrics to enhance IDV for PRs
Facial recognition targets scalping at concerts and festivals
Fingerprint Recognition:
Next books first fingerprint biometrics sales in Pakistan amid Asia expansion
Contactless fingerprint biometrics interoperability guidance updated
HID puts biometric scanners in 500 São Paulo civil police stations
Idex, TaluCard launching biometric payment card for the visually impaired
Innovatrics and Idemia top latent fingerprint biometric accuracy ranks
Iris / Eye Recognition:
Jordan accelerates digital transformation with iris biometrics
Worldcoin bringing iris biometrics operation to Malaysia
Worldcoin ecosystem grows as firm faces continued regulatory concerns
Liveness Detection:
Metalenz uses polarization information for secure face biometrics
Pindrop introduces voice deepfake detection tool, tracks down Harris spoof source
Disconnect between deepfake attacks and defenses revealed by iProov survey
Free face swap tool goes to number one on GitHub
Deepfake risk can be mitigated but no silver bullet exists: Veriff
Socure launches selfie biometric reverification to DocV product
Biometrics Industry Events
West Africa Border Security Week: Sep 3, 2024 — Sep 4, 2024
SmartTech Asia: Sep 11, 2024 — Sep 13, 2024
Cyber Security & Cloud Expo Europe: Oct 1, 2024 — Oct 2, 2024
AI & Big Data Expo Europe: Oct 1, 2024 — Oct 2, 2024
Authenticate 2024: Oct 14, 2024 — Oct 16, 2024
Think Digital Identity for Government: Oct 24, 2024
8th Annual Privacy and Data Protection Summit: Oct 24, 2024 — Oct 25, 2024
Critical Infrastructure Protection & Resilience Europe: Nov 12, 2024 — Nov 14, 2024
East Africa Border Security Week: Nov 26, 2024 — Nov 27, 2024
Read ‘Biometrics biweekly’ on the Paradigm Platform.
Subscribe to Paradigm!
Medium, Twitter, Telegram, Telegram Chat, LinkedIn, and Reddit.
Main sources
Research articles