Uncoupling Biometrics from Templates for Secure and Privacy-Preserving Authentication

Biometrics are widely used for authentication in several domains, services and applications. However, only very few systems succeed in effectively combining highly secure user authentication with an adequate privacy protection of the biometric templates, due to the difficulty associated with jointly providing good authentication performance, unlinkability and irreversibility to biometric templates. This thwarts the use of biometrics in remote authentication scenarios, despite the advantages that this kind of architectures provides. We propose a user-specific approach for decoupling the biometrics from their binary representation before using biometric protection schemes based on fuzzy extractors. This allows for more reliable, flexible, irreversible and unlinkable protected biometric templates. With the proposed biometrics decoupling procedures, biometric metadata, that does not allow to recover the original biometric template, is generated. However, different biometric metadata that are generated starting from the same biometric template remain statistically linkable, therefore we propose to additionally protect these using a second authentication factor (e.g., knowledge or possession based). We demonstrate the potential of this approach within a two-factor authentication protocol for remote biometric authentication in mobile scenarios.