This week we shall continue describing what identity management is. Last week we noted that Kenyans who use plastic cards (ATM, credit/debit cards etc) are currently enjoying pseudonymity. This is where privacy has been guaranteed because local companies do not share identity information between themselves. Another important aspect we discussed was the fact that local companies should adopt Identity Management as a conscious response to the increasing risks associated with identity theft.
The main objective of Identity Management is to establish trust by ensuring that eligibility between two transacting parties is accurately determined before transaction commences. This means that a company should be able to verify that you are who you claim to be and that the credentials (username, PIN or password) you are presenting are actually yours.
A major fundamental in Identity Management is biometrics. In information technology, biometrics refers to the technologies that measure and analyzes human body characteristics, such as fingerprints, eye retinas/irises, voice or facial patterns and hand measurements. These characteristics are measured to aid in identification and authentication. Biometrics has always been part of identity assurance. It, however, has limited usage in Kenya.
Using biometric characteristics in ATM transactions would, for instance, go a long way in mitigating the risk of fraudulent withdrawals. The use of biometrics has however been controversial. Civil liberty campaigners protest that invasion of privacy occurs when these characteristics are widely adopted.
While this claim cannot be dismissed, the benefit of using biometrics in identity management far outweighs the risk of non-use. In this regard a distinction between biometric images and biometric templates must be understood.
A biometric image is a copy of the biometric. A fingerprint image which has been scanned and stored in a database is a copy of the original. A biometric template, on the other hand, is a one-way mathematical function that describes key characteristics of a biometric image. A fingerprint template will, for instance, describe the key attributes of the fingerprint and these key attributes are the ones used to determine a match.
Therefore, the main difference between a biometric copy and the template is that an image cannot be reconstructed from a template. This means that if you have the template you do not have a copy of biometric and cannot reproduce the same.
It is therefore not possible to breach privacy because reconstruction from a template is impossible. This therefore deflects the main argument that privacy is at risk when biometric features are resident in company databases.
Companies should therefore embrace biometrics aggressively as an active component of their Identify Management policy.