/The National Cryptologic Center (CCN) Endorses Modern Biometric Technologies: Security and Privacy in Access Control

Key Ideas

1. RBRs: Security and Privacy Guaranteed: RBR templates are irreversible, non-interoperable, revocable, and private, adding an extra layer of security compared to traditional authentication methods such as passwords or tokens.
   
2. Inherent Factor Advantages: Biometrics ensures real identity authentication, surpassing the limitations of possession or knowledge-based factors, which can be transferred or stolen. Authentication processes that compare RBR templates make forgery significantly more difficult, providing enhanced security.
3. Risk Classification under the RIA: The European AI Regulation classifies biometric applications that involve the active and conscious participation of users as low-risk or negligible, reinforcing the viability of these technologies in critical environments.
4. Recommendations for High-Security Levels: The CCN recommends using RBR templates for access control systems with high-security requirements, provided they are evaluated and certified according to international standards.

Over the past year, the debate surrounding the use of biometric systems for identity protection has evolved significantly. While traditional technologies and regulations dominated the landscape, recent regulatory and technological advancements have established solutions that seamlessly combine security, privacy, and efficiency.

The approval of the European Artificial Intelligence Regulation (RIA) and the recent report by the National Cryptologic Center (CCN) have provided a clear and updated framework for modern biometrics. Both validate using technologies such as Renewable Biometric References (RBRs), which have become the most secure standard for identity management in critical environments.

A Paradigm Shift: From Outdated to Modern Technologies

For years, biometric systems relied on technologies that, while innovative at the time, had significant limitations in terms of security and privacy. These traditional solutions utilized reversible and interoperable templates, characteristics that increased their vulnerability to potential privacy risks.

With the introduction of RBRs, as defined by the ISO/IEC 24745:2022 standard, biometric data management has undergone a qualitative leap. These references introduce an additional layer of protection that resolves issues associated with older technologies, establishing new standards that ensure user security.

To understand why modern technologies surpass the limitations of traditional templates, it is essential to grasp the concept of Renewable Biometric References (RBRs).

What Are Renewable Biometric References (RBRs)?

Renewable Biometric References (RBRs) represent a key advancement in the secure management of biometric data. Unlike traditional biometric templates (BRs), which rely on facial landmarks or characteristic points, RBRs add an extra layer of protection, completely transforming how data is handled.

Key Features of RBRs

1. Irreversibility: It is impossible to reconstruct the original biometric data, such as a facial image, from an RBR template. This protects users even if their data is compromised.
2. Non-interoperability: Each RBR template is unique and designed exclusively for a specific use case or system, preventing reuse in other contexts or applications.
3. Revocability: If an RBR template is compromised, it can be replaced with a new one without altering the user’s original biometric data.
4. Multiplicity: Multiple RBR templates can be generated from the same biometric data, each tailored to a specific use case. This allows for greater flexibility and security.
5. Non-permanence: Templates can be continuously renewed and adjusted based on algorithms and parameters, ensuring adaptability and security.

These features position RBRs as a secure, ethical, and adaptable solution to today’s privacy demands.

The CCN Report: A Decisive Validation

The National Cryptologic Center (CCN), Spain’s leading cybersecurity authority, recently published the report “Secure Biometric Technologies for Access Control.”  This document not only validates the principles behind RBRs but also fully supports the arguments that Veridas has championed for years.

Key Conclusions from the CCN Report

1. RBRs: Security and Privacy Guaranteed: RBR templates are irreversible, non-interoperable, revocable, and private, adding an extra layer of security compared to traditional authentication methods such as passwords or tokens.
   
2. Inherent Factor Advantages: Biometrics ensures real identity authentication, surpassing the limitations of possession or knowledge-based factors, which can be transferred or stolen. Authentication processes that compare RBR templates make forgery significantly more difficult, providing enhanced security.
3. Risk Classification under the RIA: The European AI Regulation classifies biometric applications that involve the active and conscious participation of users as low-risk or negligible, reinforcing the viability of these technologies in critical environments.
4. Recommendations for High-Security Levels: The CCN recommends using RBR templates for access control systems with high-security requirements, provided they are evaluated and certified according to international standards. 

General Conclusions: Modern Biometrics as a Pillar of Security and Privacy

1. Maximum Security with Biometrics: Biometrics provides a superior level of authentication by focusing on the real identity of individuals, eliminating vulnerabilities inherent in presumed identities such as passwords and tokens. This approach offers unique guarantees that strengthen protection against fraud and identity theft, with no “equivalent” alternatives in other methods.
2. Fundamental Rights and Data Protection: Biometrics must balance technological innovation with an unwavering respect for fundamental rights. The development of secure biometric systems should prioritize privacy and data protection, ensuring that solutions are secure and ethical by design and implementation.
3. Modern Biometrics: Privacy by Design & by Default: The shift from traditional biometric templates to modern technologies like RBRs has revolutionized security and privacy. This evolution addresses historical risks identified by data protection authorities and is supported by features such as:
   1. Irreversibility: Impossible to derive the original data.
   2. Non-interoperability: Templates specific to each use.
   3. Multiplicity and Revocability: Adaptability and enhanced security.
4. Additional Security Layers: Biometrics should be complemented by advanced spoofing detection technologies, especially against threats generated by artificial intelligence (AI). It is essential to ensure compliance with international quality standards, such as those defined by the NIST, guaranteeing accuracy, minimizing bias, and eliminating discrimination.
5. Regulation of Biometric Applications:The Artificial Intelligence Regulation (RIA) establishes a solid regulatory framework that classifies biometric verification and identification processes involving the active participation of users as low-risk or negligible. This recognition strengthens the viability of these solutions in critical environments, positioning them as secure and reliable tools.

The endorsement of the CCN, combined with certifications under the most stringent international standards such as the ISO/IEC 24745, strengthens confidence in RBRs as a leading technology in modern biometrics. Already deployed across multiple industries and countries worldwide, this technology has demonstrated its effectiveness in critical environments where security and privacy are paramount.

From physical access to digital fraud prevention, RBRs are making a significant difference in protecting identities and enhancing user experiences. As we move forward, this technology represents not only the present but also the future of secure and ethical identity management.