Showing posts with label global identity foundation. Show all posts
Showing posts with label global identity foundation. Show all posts

Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 5

Warning: this is part five of what is intended to be a nine-part blog looking and expanding on what identity is!

If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].

Part Five - Why privacy and anonymity must be at the heart of your digital identity ecosystem

There are two famous (prophetic, as they are now over twenty years old,) quotes about tech and privacy:

If you do not already subscribe, then Have I Been Pwned? allows you to search across multiple data breaches to see if your email address or phone number has been compromised. At the last count my personal data has been exposed in seventeen major breaches; everything from date-of-birth, to home address and phone numbers.

And that’s before you perform a dark-web trawl on your name / job / company, and that’s even more scary.

Which leads us to the first (linked) conclusions:

  1. If all your attributes are known, then what you should actually care about is: someone else being able to assert them as “proof” they are you.

  2. When someone/something asserts that they are a particular entity (“hello I’m from your bank”) how can you verify the veracity of said assertion?

However, there are areas of your life  where a failure of privacy is hazardous to your life: for example one of our collaborators is an Iraqi Kurd who lived in Iraq during the reign of Saddam Hussain; or that you have a subscription to “Gay Times” if you are living/working in Afghanistan; both attributes (or whole persona) that containing SPI (Sensitive Personal Information).

Which leads us to the first three tenets for privacy;

However, to ensure an ecosystem with privacy at its core; then THE fundamental design principle is the need for 100% anonymity at the root of any identity.

Though counter-intuitive to most identity and security professionals, it’s actually fairly obvious; that if you want to be able to issue linked assertions from disparate personas (see part four), then:

  • There must be a common root;  AND

  • Only said entity must be in sole control of it; AND THEREFORE

  • It must be known and accessible only to that entity.

In addition, using this root of trust to make linked assertions, then the relying party (the entity receiving and needing to verify the linked assertion) must also understand the method by which the issuing entity is linked (the level of immutable linkage) to the root of trust; thus, they are able to factor this into their risk-equation for the transaction.

In real-life, you are your own Core Identity, and the immutable linkage between you and the assertion(s) is generally an approved photo ID (Entity:person → photo → name → matched attribute assertions).

Implementing this in the digital realm, there needs to be a known linkage between the entity:person with their “Core Identity” and their “Core Identifier” (their 100% anonymous “cryptographic root of trust”).

In part six, I will look at why understanding the “locus-of-control” problem is fundamental to proposing any solution in the identity ecosystem space.






Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 4

Warning: this is part four of what is intended to be a nine-part blog looking and expanding on what identity is!

If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].

Part Four - Making risk-based decisions based on understanding attributes in context

This is the start of the “how do we make it all work” part - and again the problem is, that how we make it work in the real world needs to be totally different from the band-aid “kludges” we cobble together in the computer world; And then we wonder why we can’t make it work, or leverage it everywhere.

So, let’s look at a real-world example of making a risk-based decision. For those that don’t know me, one of my “personas” is that of a white-water kayak instructor, with both Scouting and a local junior Kayaking club.

So, let’s look at what we would call the “entitlement” criteria if I were to offer to take your (precious) 13-year-old on the (London 2012 Olympic) white water course at Lee Valley just outside London.

Of course, in the “good old days” we would just have said “he’s a really good chap, and everyone says he knows what he’s doing”; but that was before 1993, when an outdoor activity centre killed four teenagers, (see: Wiki: “Lyme Bay canoeing disaster”); so in the UK we need to be properly licensed with risk-assessments in place. 

Thus, I need to be able to offer a number of attributes, all from their authoritative sources, as a set, immutably linked to me (with a known level of certainty).

  • Proof I’m over 18, thus legally responsible 
  • A current British Canoeing, Level 3 (or better) Kayak Coach qualification    
  • A current scouting kayaking permit  
  • A UK enhanced DBS Check (proof that I’m not prohibited from working with children)
  • A Lee Valley user card (proving I’ve passed their test to be able to use the course)

As you can see, each is from a different authoritative source, and that last thing those organisations want to do is maintain attributes for which they are not authoritative, because non-authoritative attributes go stale, and are near impossible to maintain; (and because if there was an accident and an inquest and it turns out that my taking them was based on their incorrect / unmaintained information then they could be liable).

Thus, the other lesson that can be drawn from this example, is that the “entitlement” check should be carried out in real time (or as near real-time as possible) using current attributes.

In addition, as the coach, I need to do a series of risk-assessments;

  • It's an outdoor course, what’s the weather like?
  • Each participant's personal capability, are they up to it?
  • Do we have the correct safety equipment and processes in place if there is an issue.
  • Have I been briefed by Lee Valley staff on any current issues / changes / new processes.
  • Dynamic risk: e.g., We start to get freezing hail, do we end the session (hypothermia risk) etc.

Of course, as humans we do variations of that risk assessment continuously and mostly subconsciously, from crossing the street, to walking down a dark alley at night, meeting new people, or deciding to take a new job.

So, this leads us to a series of “principles” on how to process attributes in context, resulting in a risk outcome that meets the risk-appetite of the entity taking the risk; remembering that risk is bidirectional but asymmetric.

As the consumer of the attribute(s)

  • Risk is temporal, and WILL change over time, thus must be re-evaluated in line with your risk-appetite.
  • Attributes must be consumed in the full knowledge of the entity that signed them. (Remembering that some attributes could be self-asserted). 
  • Attributes must be consumed in the full knowledge of the entity that is presenting them, and level of immutability between presentee and the attribute they are asserting.
  • When multiple attributes, from potentially disparate personas, are asserted, then you must have an acceptable level of proof that all the attributes are linked to that single entity.
  • Only request attributes required to support your risk calculation, or meet a legal obligation (such as KYC).

As the intermediary

  • (Never turn a variable into a binary) always pass on the attribute, and the provenance of the attribute, so the entity taking the risk can evaluate the whole picture.

As the issuer/signer of the attribute(s)

  • Only hold, maintain and sign attributes for which you are truly authoritative.

As the presenter of the attributes

  • (Where possible) only present attributes in a privacy enhancing manner (“I am over 18” rather than “Date-of-Birth”).    
  • Understand why attributes are being requested, and reject requests/transactions that over demand attributes.

Two final thoughts

The evaluation of risk is not just about evaluating the asserted attributes; it also needs to factor in as much supporting information as possible. 

Maintaining groups of attributes in a “persona” that is tied to the authoritative source has major security advantages; as all they are doing is maintaining their attributes, thus if they are breached, or their signing key is compromised, then they need to re-issue the key and attributes at their cost. However, as they hold/maintain no others, nothing else is affected.

In part five, I will look at why privacy needs to be at the heart of any identity ecosystem.



Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 3

Warning: this is part three of what is intended to be a nine-part blog looking and expanding on what identity is!
If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].

Part Three - Consuming attributes and understanding persona to derive context

Being presented with an attribute of my identity without some form of context is somewhere between meaningless and slightly useful. Let's take the example of buying a bottle of whiskey and asserting my age;
In real life, unlike the computer world, there are few if any absolutes, everything we do, and more importantly the decisions we make are based on context. If I were a social scientist, I would now be making an argument about context being predominantly learnt prejudice, but let's not go there.
  • In person, grey hair, probably OK, no further attribute required
  • In person, entering bar, Chicago, grey hair, mandatory photo ID (with date-of-birth) required
  • In person, UK, look under 25, photo ID with DoB probably required
  • Over the Internet; some countries, no problems, just buy it!
  • Over the Internet; in country, with country specific ID, you stand a chance
  • Over the Internet; without being enrolled in “their” age verification system, probably not
Apart from being a complete lottery when presenting attributes, we need to look at why it sort-of-works face-to-face and generally fails when not face-to-face.
  1. We need to understand who is truly authoritative for the attribute I am asserting. In my case the UK Government, thus there are generally two authoritative documents issued by the UK Government generally acceptable as they have both photo and date-of-birth; namely my UK Driving Licence and my Passport.
  2. Because of international treaties, my passport generally works globally, and my driving licence less so.
  3. I say that because I was at a US conference where a booth was showing their tech that enrolled you into their identity verification system, validating your age via your driving licence, so I gave them my UK licence and was told - “Oh no, this only work on new US ‘strong’ driving licences”.
  4. Had I managed to enrol my UK Driving Licence into their system, then asserting my identity via that US service in the UK is probably a complete waste of time, as a UK supplier will not recognise it at all, and certainly not as authoritative.
  5. In fact, even the big UK banks, which generally are fairly “joined up” and consistent, will not accept each other's assertions for KYC (know your customer) checks.
  6. Our corporate account is with Barclays, obviously with full KYC checks. As a trustee on my late-Father’s trust for his grandchildren would Halifax accept this? - of course not; despite both being British high-street banks, subject to the same UK banking regulations – Halifax required that I turn up in-branch with passport, proof of address etc. - all so a very junior employee could take photo-copies of them.
Bottom line, in real-life we assert an attribute from a persona, often multiple attributes from disparate personas (that are linked at the root - i.e. me), and as long as the entity requiring these attributes is able to validate the entity that signed them, to their level of satisfaction, the transaction is able to proceed.
Why? Because the entity receiving them is able to understand them in context, so for example for my whisky sold over the Internet the contextual decision goes something like this;
  • Is over 18 AND IF in USA over 21 - signed by relevant government
  • Will pay for it, signed by VISA OR MasterCard OR Amex OR PayPal
  • Have valid delivery address signed by relevant Post Office AND not a prohibited country
In reality, we constantly assert attributes from multiple personas, that all need to be provably linked. Easy in real-life (remember that photo linking my personas), however in the digital world we need cryptography and common (single & anonymous) cryptographic roots of trust - but more on that in a later blog.
For now, let's just leave it as Identity (Authentication, Sameness, Personas and Attributes) that all allow the derivation of context, and from context we get into risk-based decision making - but that’s part 4.

Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 2

Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 2

Warning: this is part two of what is intended to be a nine-part blog looking and expanding on what identity is!
If you have arrived here directly, then please go back and start at part 1 - after all, in the Identity world context is everything! [sorry for the identity in-joke].

Part Two - Entities have identity, not just people

Back in Part One of this blog, I talked about computer professionals being fixated with digital identity for “people”. If you think about where we have come as an industry, we started with computers (which when they were only mainframes were god-like and implicitly trusted) and we then introduced the concept of “users” - people who, if they were lucky enough, were granted the privilege of being able to interact with these entities.

From there, we went to multiple computers which needed a central computer managing user authentication, which (sort of) worked, but ONLY if all the users were managed in our “Locus-of-Control” [See: Ref 1, command #8] (a system that we own, manage, and of course vet the users prior to giving them a user account) - historically for most organisations this ended up being Active Directory. But the instant we need to involve users or systems outside of our locus-of-control then things start to get difficult and compromises start to occur (a topic for a different blog).

So let's go back to first principles and look at how identity operates in-real-life, and what we are doing wrong.

We, as humans, need to interact with a wide variety of entities; from organisations to devices and of course to other humans.  Back over ten years ago this led us to explain this in terms of five basic entity types that explain the breadth of what we are describing; People, Devices, Organisations, Code and Agents. But in fact it’s wider than that; and you could generalise an Entity as being “any unique instance of a ‘thing’”.

Why are entities so important? #1 Because they enable personas

If you generalise how identity and attributes work: then the join of two entities forms a unique persona, populated with some (hopefully) authoritative attributes. 

Let's think about this with a few examples;

  • The join between Entity:Me and Entity:UK Government creates my unique “Citizen Persona

  • The join between Entity:Me and Entity:Simmonds Family creates my unique “Family Persona

  • The join between Entity:Me and Entity:UK DVLA creates my unique “Driving Licence Persona

  • The join between Entity:Me and Entity:ACME Plc. creates my unique “ACME Plc. Staff Persona

In the first example above, my citizen persona (in my case as a UK citizen, what is on my state-issued birth certificate) contains attributes issued by the authoritative source for children born in the UK, which are:

  • Date of birth (immutable)

  • Place of birth (immutable)

  • Name [at birth] (could change)

  • Sex [at birth] (could change)

  • Right to British citizenship (could change)

If you’ve been into any financial institution for a KYC (know-your-customer) check then you will know that they insist on original documents from (mainly) authoritative entities, one of which must be photographic (passport or driving licence etc.) so that they can tie the name on the other paperwork to your face, thus having an acceptable level of Immutable Linkage between yourself and all the attribute assertions you are making, as a linked-set (i.e., they all have the same name).

Effectively you are asserting different attributes, each “signed” by a source that the bank recognises as authoritative, as a linked set with you at the root of that assertion.

Why are entities so important? #2 Because over a network you can’t (easily) distinguish a person from any other entity type.

In reality, you don't actually know whether it's a person, an AI, an IoT device, a system or a hacker at the end of the conversation. It's a bit like a modern Turing Test, only more difficult, because not only are you trying to determine whether is a particular type of entity, you are also trying to determine that the credentials match the actual entity claimed - just because the password matches, or even the API says “biometric match” does not make it 100% the entity claimed.

It’s a bit like being robocalled by an AI, or a hacker using a deep-fake - and they are getting better day-by-day - so it takes a while to understand (and test) whether it’s actually a person. We should be validating the person randomly calling; does the Caller-ID match? Can they provide evidence of the organisation they are calling from? Can they prove who they are? - Of course, if it is someone we know personally, or even intimately, then it’s easier to check for “shared secrets”, but otherwise, as numerous politicians who have been prank-called by radio-stations have found out, it can be very difficult.

So, when communicating remotely, we should care about the fidelity of an entities assertions of who/what they claim to be, as well as the level of immutability between the entity and the claim.

In Part 3, we will examine why consuming attributes and understanding personas is key to deriving context.






Mistaken identity; the mistakes we make and a lack of understanding about what identity actually is - part 1

Identity has a problem! 

Not just that we are unable to make digital identity work properly without loads of compromise; no, it’s the fact that IT Architects, Security professionals and (dare I say it) even many claimed identity specialists, do not understand what identity is, misusing the term and even getting the wider aspects of identity fundamentally wrong. 

Without properly understanding identity, its facets and nuances, it will be impossible to develop a frictionless global identity ecosystem, or leverage identity for cloud, zero-trust, collaboration, encryption and proof of age, or other essential attributes.

Warning: this is intended to be a nine-part blog looking and expanding on what identity is, starting with this blog!

Part One - Identity fundamentals, or “what is identity?” 

Strictly, Entities have Identity, (but that’s going to be part 2!so first, let's start with people, as that’s what you and I best relate to:

“I am me” - I am a unique entity, we call this Sameness; I am the same entity yesterday, am today and will be tomorrow.

As a unique person I have multiple “facets” of my overall identity, some of which I care to share and some I may never share with anyone, all maintained personally by myself; some attributes we just know (for example family relationships) and some we maintain “pointers” to; references to the authoritative source, such as the assertion that I’m a British Citizen because my passport says so (and is authoritative for this assertion). We refer to this as the “core identity”, all the attributes that make up me as a person.  

Those “facets” of my overall identity consist of attributes; some like my height, the colour of my eyes, and a rough approximation of my age which I am unable to keep private if you meet me in real life, but others such as sexual-pursuasion, the football team I support, my favourite colour, my family etc. I may choose to share with you depending on my perceived sensitivity of the attribute, how much I trust you, and your need for that information to process our relationship; in reality I perform a risk-assessment, based on my personal risk-appetite.

In reality; we have sets of attributes that pertain to a particular aspect of our lives, and we call these personas - a group of related attributes that define us in a particular context. Examples would be:

  • My citizen persona: (in my case as a UK citizen, what is on my state-issued birth certificate) date of birth, place of birth, both of which are immutable,  name at birth, sex-at-birth and right to British citizenship - all of which could change.

  • My family persona; parents, partner, children, aunts, uncles etc.

  • Employment persona(s)

  • Sporting persona(s)

You get the idea; and in reality each of us as humans operate with hundreds, if not thousands, of personas, and we assert attributes from multiple disparate personas as required for our day-to-day lives and our interactions with other entities.

What normal humans glibly call “Identity” actually consists of three distinct components.  

  • Authentication”; the “how do I uniquely prove that I am the same person that you previously met”

  • Sameness”; the “I am me, and always will be” part that contains personas, and attributes

  • Personas & Attributes”; The parts of my core identity that I decide to share

Authentication is key to interacting with other entities; in real life humans, due to millions of years of evolution, do authentication using faces - in fact we are so good at it that if you meet someone you have not met for ten years there is a good chance you will remember who they are. 

Faces are so key to human life that phrases pertaining to this interaction are embedded in our language; “it’s nice to finally see you”, “they are two-faced”, “put on a brave face” or even “put your cards face up”.

When we see someone, we assign the attributes they share (consciously or unconsciously) against an (internalised) unique identifier of their face. In other words, Authentication (by whatever method, and however tenuous) is the key to Sameness.

This is why your driving licence or passport has your face on it; to link the person to the attributes contained on that document with a degree of confidence.

This level to which a person is bound to the authentication is known as the level of Immutable Linkage (or Immutable Binding), and it's important to understand the level as part of your risk-calculation; with what degree of certainty the actual person is linked to the identifier. - I look enough like my brother that if you have not seen us for ten years it’s not unusual for friends of my parents to get us wrong when they meet just one of us (but not I suspect if they met both of us together).

However, the problems start when we cannot interact “face-to-face”, and for many thousands of years civilization has grappled with this problem, accepting a set of compromises, usually based on the bearer holding a set of documents to which some degree of provenance can be given - read the history of the passport!

So, in summary; we as people can derive a model for how identity works in real life. But, as people ourselves, we are fixated on how to extrapolate this to the wider, non-face-to-face, world; which is why we are in the current mess with digital identity.

So in Part 2, we will examine why the identity of people is just a small part of the overall identity picture.


#WhyID ?

We were pleased to be invited to participate in the World Economic Forum workshop last week on Cybercrime 2025 focusing on Digital Identity.

One of the participants presenting were Access Now, who “defends and extends the digital rights of users at risk around the world” [] who are running a campaign that I’d urge you to add your signature of support for; called #WhyID.

They ask that at the onset of any digital identity programme in any given region or country the #WhyID question must be asked;

Given that our aspiration is a global identity ecosystem, then I guess responding to these questions are even more important for us as an organisation. So here goes;

1. Respond to WhyID?:

     Why do we need these foundational digital identity systems? What are their benefits?

We need foundational digital identity as we live in an increasingly digital world that has little trust, and in a digital world where the majority of entities are based on self-asserted identity.

In short, the benefits, if we do this correctly, are;

o   The move from self-asserted identity and identity attributes, to trusted identities with attributes from truly authoritative sources.

o   The move from identities that operate only within a locus-of-control, to identities that can be reused anywhere, by anyone, globally.

o   The move from identities that need to have a central authority at its heart, to a decentralised, privacy enhancing ecosystem [and one that is NOT blockchain][1].

o   The move from a binary level of trust, to one where the entity taking the risk (remembering that risk is bi-directional, yet asymmetric) is able to understand the risk of every component part.

o   The elimination of billions of dollars of fraud and crime.

o   The elimination of identity theft and impersonation.

o   The ability to understand information from trusted, traceable and reputable sources, vs. un-trusted, self-asserted and fraudulent entities (trolls, sock-puppets, state sponsored misinformation etc.).

o   The ability to leverage global ecosystem for secure and trusted IoT devices and secure and trusted communications.

    Why are such programmes deployed without sufficient evidence of the benefits that they should deliver? How do these programmes plan to reduce the risk to and safeguard the rights and data of users?

We agree; most programs are designed to only fix one particular issue, and are limited in both scope and thus design.
In contrast, we started by looking at why Identity systems fail[2], from there developing this understanding of what you need to “do differently” to build a set of principles[3], and from there designing a system[4] to meet those principles.
Thus the model builds in privacy by design, ensuring anonymity where needed and places the identity of an individual entity under the full control of said entity, with no intermediate systems or infrastructure that can be compromised.

    Why should it be mandatory – either explicitly or de facto – for users to enrol onto these programmes? These programmes are either mandatory through legislative mandates or through making them a precondition to essential services for users.

We feel it should not; an entity should be able to generate its own root with 100% anonymity, and with total control over that root. Said entity should be able to generate personas (the join of said entity and an entity that is authoritative for one facet of said entities overall identity) only when there is a benefit to said entity [you only need a passport because you want to travel across borders that require passports].
Most entities will see the benefit, especially as the use of a common (cryptographic) root [albeit 100% anonymous] allows multiple privacy enhancing assertions to be made from disparate personas as a provably linked set [only the one entity could have made them]. For example: “I am over 21” & “Here is payment for alcohol”.

    Why are these programmes centralised and ubiquitous? Why is one digital identity linked to multiple facets of a citizen’s life?

We see this as one of the fundamental questions; and our stance is that designing a digital identity system in this manner is fundamentally wrong, technically unnecessary and ultimately causes any digital ecosystem to fail or implode.
While there a great benefits to having multiple, disparate, trusted attributes all under a central “root” (after all, this is what happens in real-life); you can only make this work if that root is 100% anonymous; the design must also take into account when the entity in question decides their level of trust in the ecosystem is insufficient and allow them to have multiple, unconnected roots.

    Why are countries leapfrogging to digital identity programmes, especially in regions where conventional identity programmes have not worked? The scalability of digital identity programmes also makes their harms scalable.

We believe (based on historical evidence) that identity ecosystems implemented at a national level either fail, implode to a sub-set of services and fail to federate (be trusted) outside of that particular locus-of-control.

Instead, giving away for free, an eco-system and a standard that needs no central infrastructure; which is therefore simple to adopt; where the government or organisation is only responsible for its people and only for those attributes for which it is truly authoritative delivers all the benefits to countries and their citizens without the potential harms that come when such a system is scaled.

     Why are these digital identity programmes not following the security guidance coming out of various expert academic and technical standard-setting bodies on the use of biometrics in identity systems?

We’d go further than this and suggest that any biometric used for authentication should never be stored by any third-party.
This does not of course preclude the nefarious collection of biometric information (fingerprint from a glass) or the (legal, or illegal) use of biometric recognition systems (typically facial or gait) linked to surveillance systems.
Instead, a digital identity ecosystem must be designed to understand the authentication of the entity to the digital as well as the level of trust it can place in an assertion of biometric authentication (but not validating the raw biometric itself) and in such a manner as to render replay attacks useless.

    Why are some private sector enterprises being privileged with access and ability to access the ID systems and build their private businesses on top of them? What safeguards are being implemented to prevent the misuse of information by the private sector? What should be the role of the private sector in the identity ecosystem?

The driver for most companies is the ability to make money; either from building large identity infrastructure (either traditional or more recently blockchain), in the form of consultancy or through controlling access to attributes.
Instead we believe that no big infrastructure is required; and organisations that are authoritative for facets of an entities identity must be able to add the necessary service to their existing systems to be able to sign trusted attributes that can be held, maintained and managed by the entity to which they pertain.
In addition, organisations wishing to consume said trusted, authoritative attributes when proffered them by said entity, must be able to add the necessary service to their existing system to accept and validate these.
We envisage both add-on's being open-source and royalty free to ensure proper security validation and widespread global take-up.

Those who promote these programmes must first critically evaluate and answer these basic WhyID questions, along with providing evidence of such rationale. In addition to answering these questions, these actors must actively engage and consult all actors. If there is no compelling rationale, evidence-based policy plan, and measures to avoid and repair harms, there should be no digital identity programme rolled out.

2. Evaluate and, if needed, halt: The potential impact on human rights of all existing and potential digital identity programmes must be independently evaluated. They must be checked for necessary safeguards and detailed audit reports must be made public, for scrutiny. If the necessary safeguards are not in place, the digital identity programmes must be halted.

We would agree; (and probably go further) as we believe that
adopting the Identity 3.0 principles[3]
and the associated global ecosystem will both protect human rights and provide greater
benefits for the government and its citizens.

 3.  Moratorium on the collection and use of biometrics (including facial recognition) for authentication purposes: Digital identity programmes should not collect or use biometrics for the authentication of users, until it can be proven that such biometric authentication is completely safe, inclusive, not liable to error, and is the only method of authentication available for the purpose of the programme. The harms from the breach of biometric information is irreparable for users and the ecosystem.

Our belief is that your biometrics (as they relate to authenticating your identity) should be collected, stored and validated under your direct and exclusive control.

Any relying entity wanting to validate the level to which an entity is authenticated should, along with the relevant signed attributes, be able to understand everything about how authentication was achieved (device, version, pass threshold, number of attempts etc.) allowing them to make their own risk assessment of whether that is adequate for them, of course with the option to then use some form of “step-up” authentication should the biometric threshold be inadequate.

This way there can be no collection, and thus no breach, of an entity’s biometric information.