 Can you see my screen? Yes, and I'm recording now, OK? Sure. We can see your screen. OK, good. All right, so good morning, good day, good afternoon, ladies and gentlemen. I welcome all of you to this session on SSI and Biometrics, Building Identities for Tomorrow. I'm the Jani Mohanty. I work for an organization called Earth ID, and where we are building identities, decentralized identity, and biometrics-based applications. So like already said, that I'm a blockchain author as well, and my latest work is blockchain for self-server and digital identity. And so in today's session, I'll be covering mostly the biometrics-based authentication, different type of biometrics, with their pros and cons, and the issues in the biometric solutions. I won't go to detail out SSI because I believe that most of you are aware how self-servering identity works. But I'll just touch base upon it so that you'll know that how these two technologies can work together, and come up with the Earth ID solution, few of our solution. And then we'll discuss some use cases which are either in production or pretty close, and with some innovation in this field. And finally, if time allows, then we'll do some question and answer session. So first of all, I don't think that any of you have any doubt that biometrics is used for authentication. Today, organizations identify a person from their name, address, phone number, or email ID, which can change. So with such information, one person can create many identities at a time. So you might have heard that a person has got five different passports and a fake passport. So why it is possible is because we use such kind of information, and they are not unique. Also, there might be a complex process to update the data associated with your identity. For example, pretty recently, I had to update my address on my ADHAR, which is India's national identity system. And it really took so much of such a lengthy process and pretty complex. However, if biometrics is something which represents your identity, then it is very unique to a person. And biometrics is the real you. You are actually carrying your biometrics along with you. So it won't lead to hassles like such. Perhaps that's the reason why that global biometrics market is expected to top US $50 billion by 2024. So let's start with biometrics. So currently, most of the applications in today's world, people are moving towards a passwordless world. Why? Because first of all, user ID and passwords are hassles. You have to remember them. And many people use the same user ID again and again. Maybe their email ID or contact number. However, the biometrics are forever. Most passwords are very easy to guess, but you cannot guess somebody's biometrics. Resetting the password is a process that you have to do again and again, but with biometrics, you don't need it. Like I already said, user ID, mobile number, email IDs, et cetera, can change. However, the biometrics doesn't change, especially. I mean, for a very long time period, maybe you can say, from a kid, from a baby to adulthood, biometrics might change a little bit. But again, it stays with you for a very long time. Hackers can steal the user ID and the password through different social engineering technologies. But it's difficult. I mean, I won't say that biometrics can't be stolen, but it's actually difficult and much more expensive. And often, you are using, like I already said, the same user IDs are used again and again, the same email ID or same contact number you are using for multiple applications with multiple different organizations. So it's easy to trace back the user because you are using the same user ID ever. But so this is called correlation, which is pretty much possible with user IDs, but with biometrics. It's not that easy and very difficult to count of it. Now, coming to how biometrics works. The biometrics actually censors scans the user's biometric data, such as the fingerprint, face, palm, et cetera. So here I'm showing the fingerprint, but it can be something else, your face, your palm, your ear, the pattern of your ear. There's so many different things that you can scan with a scanner. And it performs some pre-processing to enhance the quality of the captured biometric data. And some features as extracted, from which the mapping is created, our mapping file is created. And from this mapping, a template is created, which is a binary format. So usually people just wonder what is a biometric template? It looks like this, just one and zeros, binary format, which you can save to a template database. So this is known as the enrollment phase of where the biometric grid is captured and stored in template database. So basically biometrics, just like user-read-in password, it has got two different phages. So with your user-read-in password, first you register and then you log in. Similarly, the first phase with biometrics is enrollment, where you are providing your biometrics to the system and it's getting saved in terms of templates. At a later point of time, when you want to log in, which is called recognition, your biometrics is again captured and again the template is extracted and those two templates are compared. And for every system, there is a threshold value. If the matching is more than the threshold value, then we consider it as a match, otherwise no match. So... Can I ask a question? Yeah. Why should we store the image if only the template comparison is done? I'm sorry, the image is not stored. It's only the biometrics, the template is stored. Maybe you know... Because in your slide, there is something called an image archive. Okay, so... Yeah, maybe it's a little misleading. I'll update this. So actually, we're not saving the image, but only the template. Beautiful, thank you. Okay. So one major issue over here is, while we try to find out what kind of biometrics that we need for your application, one major factor is biometric effectiveness, which is the false acceptance rate and the false rejection rate. So the false acceptance rate measures how lightly it is for an unauthorized user to be incorrectly given access. That means I'm not rightful on it, but still I'm getting access, which is really, really crucial for application not to go with it. The second one is a false rejection rate. That means I'm the right user, but I'm not getting access. So this major is how likely it is for an unauthorized user not to get an access or denied access. For the authentication system, especially, these two rates should be extremely, extremely low. And there are other issues also in biometrics, like first of all, just like your user ID and password, the biometrics can also be stolen because a database that stores the biometric data can still be hacked. This is mostly done in a centralized way, so this can be stolen. The second one is injuries. So injuries can cause a biometric authentication not to work like if you have a burn on your finger, it could lead to a negation on a fingerprint scanner. Third is false rejection and false acceptance rate that I just discussed out. Then some systems are harder to adapt for elderly or those with having disabilities or maybe babies. So discomfort is another area. And finally, it is relatively expensive than the user ID and password. So there are so many different issues that we need to consider before choosing the right kind of biometrics for our use case. Now, there are different type of biometrics. Broadly, they can be categorized into physiological and behavioral. So physiological is something like your IRAs, food frame to your face, ear, DNA, arm band, and behavioral are something like your voice, the gate or the way you walk or the way you sign. So basically, we at R3D are mostly working with physiological, but there are certain behavioral biometrics that are under research or you'd be working. And I'll come up with some use cases why we need behavioral and why behavioral is going to be used in many future use cases. So why I'm actually discussing so many different kind of biometrics type because there is no particular biometrics which is considered to be the best. There are different, there is no one size that fits all over here. There are different use cases and for different use cases that could be different kind of biometrics that we need. So currently I'm going to discuss a couple of biometrics that we are using at R3D and I'll compare them on the basis of these factors, security, accuracy, privacy, ease of use, health and hygiene, cost, how cost effective they are and what are the exclusions? That means that who are the people who have to be excluded for this kind of biometrics? So let's explore them one by one. First of all is fingerprint. So fingerprint, of course, it's a very secure biometrics and it's a proof solution with the history of past almost 100 years. A's of use is very high, your fingerprint are always with you and it is also very cost effective because there are so many, you might have seen so many fingerprint scanners everywhere and this is a technology which is being used highly for the governments and many private sectors are also using it. However, coming to the disadvantage, number one is we leave our fingerprints on almost everything we touch. So making it possible for them to be collected without our consent. So you can visit YouTube and you can find how easily one can create a fingerprint mold and they can use it against a scanner. So really easy for hacking. Also, if we consider the health and hygiene, especially in the COVID time, this biometric pattern requires a direct contact with the sensor to identify the user. So it creates a hygiene concern when a scanner is shared among a large number of people. Then exclusions. So while fingerprints remain relatively stable over a person's lifetime, there are sections of this population which can be excluded using the system. For example, old people and certain diseases, people with certain kind of diseases might not use it because their fingerprint might have been worn out or less accurate to be compared. In babies also, the fingerprint is less developed. When I tell you that accuracy is slow, you won't believe because no fingerprint has been used for such a long time, but it is accurate. But then if we compare it with others, like if we see that what are the FRR, false rejection, false acceptance rate, then fingerprint is relatively less than a couple of others which I'm going to discuss out. So the next one is facial recognition. So again, in a health and hygiene is very high over here because you are not going to touch anything. You can do it from a distance and also ease of use is very high because you can do it even from your mobile phone. So this doesn't need a special camera. So ease of use is very high and there are so many apps today that you can run on your mobile device and they can figure out who are you from this official calculation. At least like I said, it is cost-effective because you can do it with a ordinary camera in a smartphone. There is no such exclusion. You can do it on babies. You can do it on elderly's. So on a digits person, so facial recognition works for everyone. And also this is a very fast technology. The process of recognizing a face text a second or less. So that is why it is used widely across airports in the world for matching a picture in passport. When I come to the negatives, first of all privacy. So with the help of this technology, the government can track down the criminals but at the same time, it can actually track down people like you and me anytime and anywhere. So that is why in many countries, especially in Europe, citizens have raised their concern not to use this technology. Second one is accuracy. How accurate is facial recognition? Actually, this is not that accurate. So two people can look very similar. What about identical twins? They look very similar, right? So that is why it is not that accurate. And also the facial features change almost a couple of years. So that is why you have to keep on updating your biometrics from time to time. Also the false acceptance and false rejection rate can be pretty high with this. So of course, considering the privacy and accuracy are low, so security is also low. Third one is retina. So many people actually are not able to distinguish what is retina and what is iris. I will come to the iris in the next slide. So iris is the part of the eye that you can see from front. Whereas retina is the backside of the eye where the image is getting formed. So because this is a private part, so that is why it is extremely secure. Nobody can take a picture of your retina. This needs a special camera and it cannot be done with a regular camera. It cannot be done with your mobile device on your smartphone. The accuracy is very high. So extremely low false rejection rates close to 0% and low occurrence of false positives. So and also like I said, it's highly secure, highly accurate and highly private. So that is why it is being used in places, not on like mobile device, as I said, that it needs special camera, but it is used in places like FBI or NASA to get access to certain areas. Now, the negatives are first of all is of use because it uses a special kind of the camera and a person has to focus to a point for almost 15 seconds without moving their eyes. So and some people have a feeling of a temporary blindness after the retina scan. So health and hygiene considering, this is a contactless technology, but again, not for everyone. And exclusions cannot be used for people with cataract or few other eye diseases. And like I said, health is also a problem. And also this is highly expensive because you need a special camera. You cannot do it with regular camera. So it is expensive and not a technology for all use cases. Now coming to the iris. Iris again is highly accurate, not as accurate as the retina, but again, it is accurate. It is a private part, even though people are able to see your iris from front, but they cannot see it to that extent. And health and hygiene is also high because you are not going to touch anything. You're not coming close contact with anything and it is secure, cost effective. Like I said, you can take a picture of your iris from your regular smartphone. It can be used on smartphones. And there is not much exclusion. Like you can do it even on babies. Babies also form there. The iris is already formed in babies, so you can use it. And I'll come up with a use case where it is already used, and especially in SSI and biometrics together. Ares of use could be a concern, but it's not that high as a retina. So some people, like the babies might not like it when you take a picture of their iris, but again, it's not that big a hassle. So this is a very good area for biometrics. The next one is palm hen. So palm hen is one of the latest area on biometrics. So the palm hen is an internal biometrics, which means that your biometric code is never exposed to the outside world. So you can take the picture of the internals. So this is secure and accuracy is very high over here. This is a private part. There is no issue in health and hygiene. There is no exclusion. You can do it on babies or elderlies. Everyone has got a unique palm hen structure. Ares of use is also very high. You are not going to touch anything. You just have to show your palm hen and the camera will take the picture. But it actually needs a new technology for taking the picture. So that new camera or new scanner would be needing some kind of investment and some learning curve is there. But then this area is picking up very high. So you can see the comparison of all these different biometrics types. And you can see in terms of the aids of use and accuracy, palm hen seems to be the best at the moment. But considering the fact that palm hen cannot be used with smartphone, the next possibility is Ares. And also you can see that people feel comfortable because when you think about a use case, you might not go with the best technology, but the technology which everyone can use. So hand geometries or palm hen is one very good area. But then I would say that Ares is the one that we can use immediately without further investment or without need to learn more. Now coming to the spoofing. So what is spoofing? So biometrics spoofing is a method of fooling a biometric identification management system where an artificial object like in this case of fingerprint mold can be used, a silicon fingerprint mold can be used and presented to the biometric scanner which leads to the hacker to get access to authorized data and services originally mean for the rightful owner. So spoofing can be done at various different stages. So like you can see in the right hand side, you can see this diagram where there is a sensor. And then there is an internal system where you are doing the extraction and all those things. So mostly the hacking takes place at the sensor level. And that is called the number one which is the presentation attack. So people come up with a 3D mask or a photo or a video or a makeup surgery or if they're doing it for a fingerprint and with molds. So the sensor is the area where maximum attacks happen. But then that could be attacked internally also but if it happens internally, then maybe they would get access to the data, the templates of course, not the original data but templates of a huge number of users. So that is an area that can be handled with the right use of SSI. But when we talk about the capturing the biometrics that would be always there. So we have to deal with the presentation attack and how we do it is through anti-spooping techniques. So when the presentation happens or maybe when the biometrics is captured, at that time you'd be given a challenge. They might ask you to blink your eyes or open your mouth or shake your head or smile, different kind of facial expressions of sadness or happiness or head movements. So all these things you have to do. Then there are sensors and dedicated hardwares which can check, we can do additional checks. So see the thing is the smile or facial expression you can do everything on a regular smartphone camera. But the sensors when we talk about sensor or dedicated hardware, those you cannot do on your mobile device. Those are for a different use case perhaps. So there are sensors who would ask like, sorry, if you are giving your fingerprint, then they might check what is the temperature of your fingers. So from that they can figure out whether it's a real finger or a mold. Similarly, there are algorithms which can check the high-regulation pictures and figure out that whether it's a real face or a fake one. So these are the different antispoofing technologies. So now, liveness detection tests. So these are called actually liveness detection tests which mostly people do in authentication purpose on your smartphones. However, liveness detection test is not needed in Palm Bain because in Palm Bain, the camera is actually taking a picture which is not starting, it's a dynamic picture and it is able to figure out whether the blood is even moving inside the blood vessels. So there is no need of doing a separate liveness detection test in Palm Bain. Now coming to SSI, I'll quickly browse through SSI. I believe that most of you might have good amount of idea on self-servient identity. So self-servient identity is a new type of digital identity where the issuer keeps on gathering verified credentials from different issuers. So the issuer is actually sending the verified credentials to the user's digital wallet and the user can share it with verifier. So here, let's say the issuer is somebody like the passport office and the verifier is somebody like the visa office. So while the issuer is sharing the data with the user, the issuer is also sending a reference hash to the blockchain and the verifier actually is able to know whether the data is valid or not, whether who is the issuer and the data is valid or not from that hash. The issuer is converting the data to hash and checking it themselves to know that whether the data is valid. So at a later point of time, if the issuer wants then they can revoke it by changing the hash on the blockchain and the verifier would be able to know that it has been updated. So there are so many different properties that we achieve through this kind of architecture, the integrity, ownership, privacy, security and validity of the data. So, but in a real world, what happens is like in a real world, we have multiple issuers. Like let's say the first issuer is the hospital where let's say Alice is born in a hospital. So the hospital is issuing the first set of certificate. Now the second certificate is provided by the government, maybe something like a national ID. The third one is the educational VC and the fourth one is the employment verified credential. And those data are collected on the users or the holders mobile device. And the user can share it too with the different verifiers and the data can be shared in different means like it can be a traditional sharing or general knowledge proven, selective disclosure type of sharing or it could be a self-attested sharing. And also there is a public ledger on which the deeds are decentralized. ID are created, reference are signed and revocation happens. So what is actually something that we keep on forgetting that the first issuer is the one who has the maximum responsibility over here because the other issuers are actually the verifiers also. Like let's say the first issuer is mostly the government. Let's say the government is providing you the national identity, which is unique and you are showcasing it to different verifiers and they become the second issuer to the third issuer like that. So it works like a chain. But the responsibility of the first issuer is maximum because they also have to do or deduplication of the data to figure out that whether it's, I mean, the user is not creating multiple fake identities for themselves. So deduplication is also an area that we have to not take care in an ideal world. So now we also have to, SSI is pretty complex. We have to take care of the web standards, authentication standards and the open source blockchain part and also the identity part. So there are different part of the entire ecosystem. So how it works is as a user, Alice is keeping all her data in her mobile device. Whereas Bob is keeping the data in the mobile device as a local storage as well as a copy on the cloud storage. But please note that the biometrics template is something that is not to be shared on any other device. So the key in this kind of architecture is you have to keep your biometrics data as much possible in your mobile device. Do not send it over, do not share it to any cloud storage. Do not share it, send it to any third party as much as possible. So the organization can always keep their encrypted data in a, data vault in a cloud storage. And also there is a public DLT. So which is just, I know, just making sure that all the deeds are created properly and the transaction has to start there. Now let's come to our third is next-gen authentication with decentralized biometrics. So here what we are doing, we are actually working with different kind of biometrics. Like we are working with fingerprints which many people are doing. We are working with iris and face as of now. We are also thinking of, we are just coordinating with other organizations where to make sure that how hand geometry can also be captured, whether it is possible or maybe for as a future use case, we are researching on that. And also we are researching on different behavioral biometrics because the voice is something even that a mobile can capture might not be a gate. Gate is the way you work, but voice is something that the mobile device can actually evaluate. So that is for future, but we are actually doing analysis on all this part. So how the entire thing works is, user first captures the biometric after lightness check and converts it to a template. So that happens in your mobile device and the template then goes to the issuer. The issuer, you can see a number, I have numbered them for you to understand. So the issuer is doing a background verification. In number three, you can see the background verification. Then the issuer is also doing de-duplication. So this is not needed for all issuers, but maybe the first issue or maybe depending on your use case, whether what kind of use case you have, do you need a de-duplication or do you not? And then there is a template storage if everything goes right. Please note that here, we are still using a centralized biometric template database, but that is only one time. The first time when the user is getting authenticated against the first issuer. And next time, number five, come to number five, when the user is trying to log in, at that time, it is the biometrics, the live biometrics is again collected and compared against the one which is stored on the mobile device. And then you can do it even one level of encrypting can also be done. And also then it is sent to the verify, the hash is sent to the verified and verify can check on the blockchain that whether the hash is something which is certified by the issuer. And if all goes well, then user is considered to be authenticated. So this is something, a very similar use case is done by Q-ledger. And you can find it in the news that they have gone to production with this use case. And so Q-ledger is basically a credit union in US and they are associated with multiple other banks and corporate societies, most probably. And once the user logs in to the credit union, Q-ledger, then the others, it's just like, perhaps like an SSO. So the other verifiers trust the credit union and they give access to the user. So it happens on Hyperledger Indy and I do not know whether they have started using biometrics. Maybe they are using fingerprint but I do not find that news anywhere. I don't see that whether they're using actively biometrics, even if they're using, whether it's fingerprint, I think it is fingerprint, I'm not very sure. But we are doing the same use case with multiple different biometrics templates. Depending upon what the user need, we can do different biometrics types. There are certain other use cases that I would like to discuss. First of all, I respond. So this is again a use case which you can find that this is a use case. I think this is either implemented in Africa or South America by a NGO called Irispond. And they're using Hyperledger Indy and this solution is, I believe, is on sovereign. And so basically, this is a special use case here. This use case is implemented in a country where the mobile penetration is low. So you cannot use a mobile. Maybe people do not have mobile or even if they have mobile, they are not smartphones. So obviously, the architecture cannot be something like what I discussed over here. So it has to be different. So how we can handle a use case where the user doesn't have a mobile device. So in this case, what happens in these countries, third world countries where a lot of kidnapping happens of the children. So people kidnap the children and take them across the border and then they're exploited. So what those governments are trying to do is they want to issue a digital certificate or decentralized digital certificate to each child and so the child can be a newly born baby or the child can be anybody who is less than a particular age, maybe 18 or 16 whatsoever. And there is power of agony or digital power of agony which is assigned to the child's legal guardian or custodian. So how that happens is the child's decentralized ID is created by an NGO and that decentralized ID is associated with the child's IDs. So it's not the fingerprint but they are using IDs. Why it's because fingerprint is not something that you can get correctly from a baby. For them, it's not well-developed. But IDs is well-developed. So they take the picture of the IDs and convert it to a template and then associate that with the decentralized identity of the child and the parents' biometrics as well as the deed are also created and they are linked with each other be it a parent or custodian, whoever it is. Now when the child is taken across the border, I mean to cross the border, then the border security officers have to check that whether the child is the right child and whether the guardian has given their consent. So how that would happen? Because these people do not have a mobile device. So a printed copy of their deed, a printed, in fact not a copy, it's a QR code of all the details are handed over to their parents by the NGO when the deed is created. Now when the child is trying to cross the border, at that time the border security officer would check that whether it's the same child and they would also ask for a digital consent by the parents, by the rightful parents and they would do it. And once all the things are validated, then only the child would be able to cross the border. So this use case, if I respond is actually, I think it's an UIT, I'm not sure whether it has gone to production, but it was in news lately. So yeah. The second one is airports of tomorrow. So this is not a use case that people have implemented so far, but I'm just, you know, I just got curious if this can happen and we are also exploring this use case. So this kind of technology to scan somebody's face and to scan somebody's iris in the airport is something which is already happening but in a centralized way. So there are automatic check gates in certain airports in US and the UK where from a distance, they would be able to scan the person's, from the person's gate or the person's face and then there is still some level of checking but then the user would be given access to go without doing so much of struggle. Like, you know, at today's state, you know, we have to do, if you go to something like JFK airport or London Heathrow, you have to wait at the kiosk, you have to wait in kiosk for the security check-in and boarding, but here a day would come in future where, especially if we are using SSI because even now we are using it in a centralized way. But if we use SSI along with biometrics, maybe the person's biometrics would be captured from a distance and the person would be allowed. So how that would happen is like, when the user is booking the ticket, from that point of time, the user's identity checked. So this is a use case where the user's identity checked at many different times. So when the user is booking the ticket, the first time the identity checked, then the user is entering the airport, the second time the identity checked. Third user is going to security check-in at that time also the identity checked and finally when the user is onboarding. So there are so many different checkpoints where the biometrics are checked, but then currently it is being done in a centralized way, but in future maybe we would combine the SSI along with biometrics and what kind of biometrics we can use because today we are using fares because it's relatively easy and many people are using it already, but tomorrow maybe we would be either using iris or we would be using the gate or the way the user is walking. So from a distance, they would be able to know that this person has already booked a ticket, this person has already done the security check-in. So let the person board the flight. So there are certain information that the user would share from his or her mobile device in the pocket and from approximately all the doors would be open to them. So there would be no more queues, there would be no more queues and there would be complete automation of check-in and boarding. So this is a future use case. So we are researching on this one as well. If possible we would be doing it with the gate or the way the user walks in. So what are the SSI success factors that you have figured out the first of all? So how seamlessly we are integrating the biometrics and what are the different kind of biometrics that we are integrating because like I said, different use cases might be needing different kind of biometrics. Then is your solution scalable? We have to always look into it if it is a scalable solution and how soon you are doing the entire thing like authentication, the people will not wait if you keep them waiting for a very long time. Also if your false rejection and false acceptance is high, that would not work for authentication. So depending upon that, you have to figure out whether these solutions are scalable and throughput cyber security. Of course you have to figure out whether cyber security is good enough. You have to do a lot of negative testing to check that your solution is working perfectly. Interoperable in a future date may be a different kind of decentralized identity networks can be completely interoperable and even if it doesn't matter whether you have created your date in one application, you can still go with other application and do something else and still it would work. How nice is your selective disclosure and zero knowledge proof work. So that is also a success factor of your application and also who are your validated nodes. So that also plays a major role. Like some people keep on telling me that who are the validator nodes. So are there some companies who are well known? So you have to see that what kind of validate, who are your validator nodes and this is one area that would lead to fetching more clients for your application for your services. So I think I'm done with my presentation. So if you have any questions you can ask me right now or maybe you can ask me on LinkedIn. I'm available. Yeah, looks like Nikki Hickman has raised a question in the chat. I can read it out. One is the one that talks about the deduplication. It says, can you explain a little more about deduplication? Is this deduplication of biometric templates themselves? In which case, why? We already know that many biometrics need to be refreshed or is it a deduplication versus individual unique identity? Is this case, in this case, how does this sit with the fundamentals of SSI that you can have many different quote-unquote identities or is it just data cleansing? Okay, yeah. So first of all, like I said, deduplication is not for every use case. It is for certain use case. Like I was showing you this slide where there are so many different issuers. It's only the responsibility of the first issuer. So mostly the first issuers are the government. Like if you go to the Singapore, they are creating a national identity based on SSI. So the first issuer's job is deduplication. So that the user does not create a lot of fake identities what people are doing as of now because we don't have that kind of system to check it out. We are not using biometrics in many places. Now the first issuer, so let's say the first issuer is the government. So the first issuer has to do background verification that whether the person is the right person, like let's say in Aadhaar in India. If you have to create your Aadhaar ID, then people even come to your home to check that where your address is the right address. So the background verification has to be done and deduplication also have to be done. So this deduplication is not only on your address but also on your biometrics data. So why it is so is because let's say I got five people in my home and all our addresses are the same like me, my husband, my kids and my parents also. So all of our addresses are the same. But then our biometrics are different. So that is why a biometrics matching has to be done to make sure that it is a unique identity. Now what she said is also right that at a future point of time, let's say your biometrics are changed. Let's say that your biometrics is based on your face. Now your face has changed drastically. Like even today, my children get a passport which is valid only for five years because they are up to a certain age. So depending upon that, maybe you need to change the biometrics. So that also is a separate use but for all these things you have to do de-duplication. Otherwise how do you know who the person is? If it is the same person then we have to update it. If it is a new person then also we have to check there is no duplicate in the same biometrics. So of course there is a de-duplication process which has to happen especially at the first issue who is like a government. So in the right hand side I am showing that this feature can work for the authentication of the same issuer or maybe for a different issuer just like what the Q ledger is doing. So you can log into the same system or to a different system. Just like in ADAR, you can log into ADAR using your same data or there are certain banks who when you create accounts with them, they actually log into the other database to check that whether your biometrics are matching with the person whom you claim to be. So obviously there would be a need of de-duplication especially when the security is very high. Okay so her next question obviously in that stream is that the fundamentals of SSI says that you can have many different quote-unquote identities which obviously are the pairwise dids or something like that but underneath all that is the same person. So there's a contradiction there she's or he, I don't know whether Niki is Hi sorry to let you it seems like it's very hard on that. Yeah the I'm interested in this de-duplication as you explained it it seems to always relate back to this initial issuer this which you suggest is normally a national government or a government ID and I just wonder around continually referencing back to that whether that might not build centralization and control points which which is obviously important for some use cases within a particular ecosystem but doesn't necessarily give the full range of benefits I'd say to the holder the SSI promises does that make sense actually hi Niki yeah you are absolutely right there are certain use cases which needs a person to have multiple identities like let's say that you have five different devices and those devices are all linked to you and again those devices need to interact with each other what is what's going to happen in IOT but that's a different use case so that has to be handled differently but I'm more inclined towards how a national identity works so in national identity your biometrics have to be kept somewhere so as of now we do not have a technology where we can completely decentralize it but maybe in future we can do it but as of now because even if you need to compare your biometrics with some reference what would be that difference and if we say that we have to we don't want to keep a decentralized biometrics template we are actually working in this area we are researching a little bit in this area if this can be decentralized but as of now it would lead to security issues because we have to compare the biometrics template with an existing one so yeah this is an area of research I would say and what about go ahead Niki do you have anything more yeah I mean personally I just see a biometric as another attribute and in that way you could see a template as just another form of credential and so it kind of concerns me that you're still storing this data it should be maybe it's a dream but it should be sufficient and the biometric is just used to bind a living human being to a particular credential or set of credentials and therefore the proof that the verifier has just needs to be the link between the person in front of them or the person they're transacting with and the proof that they've got from the chain in terms of the verifiability of it I can see that within a national system they want to always go back to one unique individual but I think that's missing lots of opportunities yeah it's a big thing in further risk like you could embed you know in this model if you can hack the initial issuer then and kind of force an update and yeah actually the way biometrics comparison is done is very different from the way you compare the alphanumerics so in alphanumerics it's always in the comparison if it matches then it's a 100% match in biometrics it does not always match 100% sometimes you can have false rejection rates also even if you are the right full owner so why that happens is because it is actually giving rise to a biometric template which is 101010 like that so let's say that you are pressing your thumb a little differently let's say that your thumb is a little it has got an injury I mean there could be very small differences and depending upon that it can lead to rejections it can be close match so the way biometrics is compared is very different from the way alphanumerics are compared so that is why what we are doing we are still keeping our centralized repository like I said in future maybe we won't need it but I mean we can come up with the technology where we won't need it but as of now we have to keep a centralized repository especially for the biometrics the first issue which is like a government is keeping our centralized repository and the part that we are sending as a hash this is the first time hash and further you can see when the user is logging in again and again and again again we are not going back to the issue we are just checking that whether the hash is matching with the version which is there on the same mobile device this is the first time we are doing it but like you said I am also looking out for a solution where we won't be needing this centralized biometric template anymore but how soon we can do that only time will tell because I live in a country where we have Aadha which is the biggest biometrics database in the world so that is why the concern is over here everything is interesting research look forward to the results of that so if it were not stored in a centralized database maybe it would be but let's see why it is stored in a centralized database because you are going through this process of deduplication and all that and if you lose your device you lose everything then you can recover it that is one of the things otherwise you have to go through the same process again right the second thing is if the match which I believe is a fuzzy match we actually have a paper a working group that was donated by IBM which is one of our first papers which talks about how this whole process works and we have it linked in our page it's about the way the template is calculated and also about the matching algorithm itself because it's an exact match and it's a fuzzy fuzzy match and the point is maybe there is a way to create that storage in an IPFS or something like that that is much more decentralized but I have seen some models where instead of the issuer having the centralized biometrics or looking after that aspect of authentication they have a biometric service provider that would work alongside your agent or wallet provider so that's decentralization at one level it's certainly not relying on a single issuer to be the kind of owner but then you're centralizing the storage somewhere else I mean even though it is a service provider they can be hacked as well but that's kind of the choice of the individual as opposed to the choice of the issuer and you could have multiple biometric service providers just as you could have multiple agents and wallets yeah I mean in the end if you accept that it has to be stored away from the device or from the address then you have this problem anyway it has been a delightful hour we are at 1001 and many thanks to Debiani for this wonderful presentation and to you Niki for the questions one of the things I want to emphasize here is that the identity working group is looking for presentations and we want to be inclusive and diverse and I have deliberately chosen the first presentation this year to be a woman because that is very important we have very few people presenting that are truly diverse people and I think that is extremely important and I also run this other group called the Hypology Capital Market SIG and I have chosen that so 2021 for me should be where we showcase the diversity of our membership in our community so please get back to me if you are interested in presenting or have any ideas about how to go forward here and many thanks to Debiani again I hope she will share her slides with us I will do that now and then make the slides and the recording available on the site that I posted on the chat and I can probably reflect it back in LinkedIn or some other space as well so that people can find it thank you again and our next presentation is going to be two weeks from now thank you