The fallacy of the “PKI Fallacy”

At the October Congress in London, we had an incredible amount of interaction and in one session some questions were asked about Public Key Infrastructure (PKI). The event was held under Chatham House Rule but I asked some of our members to explain the issue and I have decided to share it here with our members.

One side of the argument was that some people may think on-device biometrics are actually about verifying the device user. It is important to understand that the biometrics on a device are “anonymous”: the biometric data in the secure enclave on your smartphone is not bound to verified identity data anywhere. Moreover, with the PIN, the biometric data can be changed on the device. This means that there is no way to really know who is in control of the device that the credential is bound to.

The nuance that the biometric data is not bound to verified identity profile data anywhere means that those device-native biometrics cannot do what many people think they do.  

Now, consider the implications of anonymous biometrics for FIDO and the new passkeys. Passkeys are “protected” by the device-native biometrics, which we now understand can’t actually protect the keys. In this context, the device-native biometrics, in conjunction with the new FIDO passkeys, may serve as an attack vector rather than a security measure.

The PKI fallacy is not a commentary on the efficacy of cryptography in and of itself. Cryptography is wonderful and essential. However, cryptography is being used in ways that it was not designed for. Advocates of cryptographically secure digital credentials suggest that the identity of a person controlling a device can be verified or authenticated because the irrefutable credential is bound to the device. This is a false logical progression that is central to the PKI Fallacy concept. Cryptography cannot bridge the analogue gap between a human being and the digital world: if we do not know who is controlling the device that the credential is bound to, the relying party cannot know who is accessing the privileges represented by that credential.

On the other side I was told that PKI is fundamental to the protection and validation of government issued identity documents such as passports and identity cards. PKI is used to sign the identity data (usually biographics and biometrics) enabling third parties to validate that the data hasn’t been tampered with and that the identity data has been issued by a trusted issuing authority – without needing to access their infrastructure.

As a foundation of the identity infrastructure, it is fortunate that PKI is not a fallacy. Well-defined cryptographic standards govern its use in government-issued electronic documents, such as ICAO Doc 9303, Machine Readable Travel Documents (9303_p3_cons_en.pdf, icao.int). The cryptographic standards used are strong, have not yet been broken and are unlikely to be broken for some time.

PKI plays a central role in digital identity issuance and validation; however, it is not intended to provide the complete solution in all scenarios. While some have referred to the use of PKI as a fallacy, it is more accurate to explain the role it plays and where additional controls are required.

In many use cases, PKI needs to work with other technologies to support an end-to-end identity process. Specifically, PKI is not designed or intended to know who the holder of the device is, but it is a technique that can help with that authentication if required. In some use cases it is important to know who is authenticated to the device, but in many identification use cases it is not necessary, and indeed not desirable, to link identities to a single device. Organisations should be aware of the role that PKI can play. They should consider whether their business process requires them to authenticate individuals to a device and whether additional controls are required.

Border crossing through a manual control is an example where the PKI checks, in combination with the visual identification of a passenger by the border official, are sufficient to establish that the person is the rightful holder of the electronic document. In addition to the identity assurance, other risk checks are frequently conducted, but the identity information from the chip is usually the main foundation for these checks.

eGates use PKI as the critical central process of determining whether the identity document is authentic and can be trusted. Only once that authenticity has been established, they match the holder against the chip photo using biometric checks. Without PKI, eGates would simply not be possible as anyone could make a working document and be let through, which is obviously absurd.

Remote onboarding where there is no human supervision is a use case where PKI supports part of the process, i.e. the validation that an electronic document is genuine, but other biometric checks might be required to confirm that the applicant is the rightful holder of the document. These checks might include liveness and verification of the live captured face against the document, alongside other risk checks.

There are variants of the remote onboarding use case which mean that user authentication to the device is not always required or possible. In some scenarios it is the owner of the device that is making the application, but in others it is not. For example, there are scenarios where a parent enrols a child or a dependent, an applicant who lacks the necessary device asks for assistance from a friend, or an agent conducts the capture using their own device. In these scenarios the application is made for a person who is not the owner of the device. The authentication of the device owner to the device is not required, and the focus is on ensuring the biometric capture application is working securely with the identity data captured from the electronic document.

For PKI to provide any benefit, the data and the digital signatures contained in the electronic document must be validated right through against a trusted anchor using Passive Authentication, this anchor being the Country Signing Certificate Authority (CSCA) certificate under which the identity document has been issued. Only when this process has been followed will the authenticity of the data be validated.
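The validation chain described above, as an added Go sketch that is not from the original article. `issue`, `PassiveAuth` and `Demo` are hypothetical names, the certificates and data groups are constructed, and Ed25519 with a flat list of SHA-256 hashes stands in for the document's real signature algorithm and security-object encoding; validity dates and revocation are not modelled.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
)

// issue builds a constructed certificate; a nil parent yields a self-signed CA (the CSCA role).
func issue(cn string, serial int64, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// PassiveAuth walks the chain: CSCA -> Document Signer certificate -> signed hash list -> data groups.
func PassiveAuth(csca, ds *x509.Certificate, sod, sig []byte, dgs ...[]byte) error {
	if err := ds.CheckSignatureFrom(csca); err != nil {
		return fmt.Errorf("document signer not issued by the trusted CSCA: %w", err)
	}
	if pub, ok := ds.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, sod, sig) {
		return fmt.Errorf("hash list not signed by the document signer")
	}
	for i, dg := range dgs {
		if h := sha256.Sum256(dg); len(sod) < 32*i+32 || string(h[:]) != string(sod[32*i:32*i+32]) {
			return fmt.Errorf("data group %d does not match its signed hash", i+1)
		}
	}
	return nil
}
// Demo (constructed data): a genuine chip, a swapped photo, and a forger's self-signed signer.
func Demo() (genuine, tampered, forged error) {
	csca, ck := issue("CSCA Utopia", 1, nil, nil) // trust anchor held by the relying party
	ds, dk := issue("DS Utopia", 2, csca, ck)
	fds, fk := issue("DS Forger", 3, nil, nil)
	dg1, dg2 := []byte("DG1: MRZ data"), []byte("DG2: face image")
	h1, h2 := sha256.Sum256(dg1), sha256.Sum256(dg2)
	sod := append(h1[:], h2[:]...) // simplified security object: concatenated SHA-256 hashes
	return PassiveAuth(csca, ds, sod, ed25519.Sign(dk, sod), dg1, dg2),
		PassiveAuth(csca, ds, sod, ed25519.Sign(dk, sod), dg1, []byte("DG2: another face")),
		PassiveAuth(csca, fds, sod, ed25519.Sign(fk, sod), dg1, dg2)
}
func main() { fmt.Println(Demo()) }
```

Only the first case returns `nil`: the swapped photo fails at the hash comparison, and the forger's document fails at the trust anchor even though its own signature is internally consistent.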

In summary, PKI is a well-defined technique for protecting the integrity of identity data while allowing third parties to validate the authenticity of the data. This supports use cases such as border crossing and remote onboarding for shared/anonymous device scenarios, and also scenarios where the applicant owns the device. PKI and biometrics frequently need to be used together to achieve the level of identity assurance required, with the biometric assurance relying on the data secured through PKI. Organisations should understand their end-to-end business process and ensure they use the right controls for identity/biometric capture and assurance. PKI has already played, and will continue to play, an increasingly important role in digital identity issuance and assurance.

 
