Information systems and critical infrastructures often need to securely identify their users. It has long been recognised that alternatives to textual passwords are needed for access control. While tokens can still be stolen, or transferred to other persons, biometrics technology can provide reliable, cost-effective and user-friendly solutions, particularly for unsupervised authentication at a distance. By ‘unsupervised’ we mean that no security staff are physically nearby to supervise the process and challenge obvious or suspected intruders. By ‘at a distance’ we mean that the authentication process relies on computing resources that are located remotely (“in the cloud”), owing to the complexity of the algorithms involved, or simply to limited trust in the physical access device made available to legitimate users. Being natural, non-intrusive and readily compatible with smart and mobile devices, automatic speaker verification (ASV) is an appealing solution. The OCTAVE project is mostly devoted to advancing today’s state of the art in ASV systems, so as to maximise robustness to environmental variability and resilience to spoofing. However, it may be impractical for every single Service Provider to supply ASV-based user access control. On the other hand, users may not want to register their own voiceprints again and again (i.e., to enrol) with every new service or critical infrastructure they want to access. Therefore, the OCTAVE platform, named Trusted Biometric Authentication Service (TBAS), assumes delegation of user authentication on behalf of the Service Providers, in addition to providing biometric voice verification. Under this scenario, a trust chain must be established between the user, the application provider and the authentication provider.
The purpose of this deliverable is two-fold: (a) to demonstrate how OCTAVE biometric data are protected in the TBAS, via several best practices covering secure communications, safe use of databases and the Privacy by Design paradigm; (b) to explore the benefits of federation for authentication according to principles and protocols laid down in standards such as OAuth 2.0, SAML and OIDC (OpenID Connect); and (c) to establish the OCTAVE roadmap for an OIDC-conformant implementation of the TBAS. The document aims to be as self-contained as possible, and therefore includes a lot of tutorial and background information that readers would probably not find all in one place. While doing so, OCTAVE-related solutions, whether already implemented in the first year of the project, brought about in the second year or left for technical exploitation beyond the project’s lifetime, are progressively presented and explained. Beyond referring to the two trial applications targeted by the project, the document also provides other utilisation scenarios for solutions based on both the OCTAVE TBAS and OpenID Connect.
Source: WP 6 Speaker Verification Platform
Dissemination level: Confidential. A public version of this report is available for download as Deliverable D58.