CD Laboratory for Private Digital Authentication in the Physical World

Biometric authentication, e.g. to travel without a passport, will come, but harbours risks of surveillance and data misuse. This CD Laboratory is researching trustworthy, decentralised solutions under full user control.

In order to use public transport or cross national borders, for example, we need to present tickets or a passport. Such physical objects for authentication can be lost, stolen, forged or damaged and are therefore subject to a security risk. In the near future, it would be technically possible to carry out this authentication on the basis of biometric data - loss or theft of physical elements would be ruled out and authentication would still be possible as long as the data is available. Such digital proof of identity could easily be implemented using centralised databases that store all users' biometric data. However, centralised monitoring and storage of all user movements and interactions harbours massive potential for abuse, including the falsification and deletion of digital identities. Complete monitoring and control of all users is currently not compatible with universal fundamental rights to privacy and is incompatible with European concepts of data protection.

In order to be able to use digital identities for the authentication of individuals in everyday life without jeopardising the privacy and self-determination of individual users, decentralised solutions are urgently required that elude monitoring by central entities. This CD Laboratory for Private Digital Authentication in the Physical World (Digidow) is therefore researching a decentralised and therefore trustworthy infrastructure for biometric authentication for the first time. The individual user retains better control over interactions in the digital and physical world and thus over the data traces that he or she necessarily leaves behind.

The decentralised principle connects individual users in the physical world with personal digital agents. These personal agents enable various forms of authentication, payment or other access mechanisms for users. Users are identified by biometric sensors (cameras, fingerprint scanners, etc.). These sensors then communicate the data to the personal agent for verification and selective release of only the relevant data required. The biometric sensors and the personal agents are not controlled by the same entities and must therefore bypass mutual authentication steps. Only when all data and entities involved have been authorised as legitimate by all parties can a border crossing or payment be made.

This interdisciplinary research work covers areas of cryptography, networks, distributed systems, biometric authentication, machine learning and the security of programme code, as well as the associated social, legal and ethical aspects.

Especially now, when large commercial providers are already establishing their user accounts as universal digital access accounts and when facial recognition is increasingly becoming standard within their systems and thus under their control, the search for decentralised, trustworthy options for authentication is highly explosive and urgent.