Biometrics Identity Management Systems(BIMS)

Doug Greene, Director and Chief Information Officer30 April 2015

What are Biometrics?

2

Biometrics are distinctive, measurable, physical traits used to describe and identify individuals”“

Why does UNHCR use Biometrics?

3

Fingerprints and iris scans allow UNHCR to verify, protect and maintain identities over time

Strengthens integrity of existing registration data Fast, accurate and reliable identity verification Protection of identities and avoiding identity

misrepresentation Facilitating identity management during refugee

movement

What is BIMS?

Outcomes:• Highly-positive passenger experience and feedback

• Over 45 million transactions since deployment in 2010• Transaction time < 15 seconds

• Introduced automated e-Passports gates at Heathrow and Stansted Airport

• Both airports represent 54% of all incoming passenger traffic to the UK

• Featuring advanced anti-tailgating solution (single gate with detection portal)

UK Self-Clearance for EU ePassport Holders

Chad Verification/Enrolment – 450,000 Refugees

Proven Industry Solution

Thailand Verification/Enrolment – 120,000 Refugees

4

What is BIMS?

Components

Mobile Identity ManagementAOptix Stratus

Fingerprints, Iris, Face

Under Consideration

Accenture Unique Identity Service Platform (UISP)(Pre-Filtering & Matching Algorithms)

• GREEN BIT Fingerprint Scanner• IriTech Iris Capture• Logitech Webcam

5

6

What is BIMS?

User Interface

4/6/1975Angelina JolieAngelina Jolie

7

Registration/Identification site Uplink Geneva

Mobiledata

InternetISPISP

SatelliteOperator laptop

Operator tablet

Field server, with partial database Main database

Matching servers

HTTPS server

What is BIMS?

High-Level Process Flow

BIMS Capture Devices• 10 fingerprint images• 2 iris images• 1 facial image

BIMS Client• Controls image quality• Integrates with proGres• Submits enrolment package

to Local BIMS server

BIMS Local Server• Creates biometric templates• Matches with local database to ensure no duplicates• Queues enrolment for submission to Central System

BIMS Central Server• Accepts enrolment package from BIMS Local Server

• De-duplicates enrolment with global gallery of biometric recordsManages synchronization between Local Servers (Local-Central-Local)

• Manages adjudication cases (suspected duplicates) and sends cases down to relevant Local BIMS Server

8

What is BIMS?

System Architecture

UNCHR Office

DIST Corporate Infrastructure (Geneva)

Ultisat Hub (Blavand)

proGres V3 Worstation

Riverbed

CIsco ISR

Cisco 2900 Series

S Y S ACT P OE RP S P S U

I

AC OK 10 0-12 0/20 0- 24 0V~4 /2A, 50 -60 Hz

Laptop

Remote BIM and proGres V3 Site

Ku VSAT(ISP)BGANThuraya IP+3G Modem ADSL

Internet Transit LAN

Transit LAN

UltiSat

Global Internet

Local MobileNetwork

SWISSCOM 3825 (VNG) COLT 3825 (MBT)

Ultisat Router(s) - MBT

Riverbed Steelhead

Public DMZ

BIMS and proGres V4 Networks

CRM Reporting SQL Server

FrontEnd

BIMS & proGres V4 Central InfrastructureCRM App

Riverbed Mobile

Controller

Notes: All BIMS and proGres V4 Servers Virtual on Hyper-VPhysical SQL ServersAll Prod DB Storage on SSDDR Instance TBD (Possibly relocation of Pre-ProdAll Riverbed machines are virtual on VMware

Tablet

Connectivity Kit (ISR & Riverbed)

Other common DIST Infrastructure

Active DirectoryUNHCR.ORG (.LOCAL)

SCCM/SCOM

BIMS and proGres V4 Backend Security Zone

Single User3G/LTE

Connection

Other Satellite Provider(Irmasat, Thuraya, Iridium, etc)

Country Internet

Bottleneck

Nexus SH

Riverbed Central

Steelhead

FWs-External (MBT/VNG)

Kemp Reverse-Proxy/Load Balancers –

Progres.unchr.org -

FrontEnd

Riverbed Netprofiler

Riverbed Steelhead

SAFEHOST

MBT/VNG

Cisco 2900 Series

S Y S ACT P OE RP S P S U

I

AC OK 10 0- 12 0/20 0-24 0V~4/2 A, 50 - 60 Hz

Riverbed

proGres V3 ServerBIMS Local Node BIMS Servers

proGres V3 ServerBIMS Local Node

C-Band VSAT(UltiSat)

Strong and Reliable Connectivity

Online system with direct connection to global database

Multiple Operating ScenariosMultiple Operating Scenarios

Intermittent / Weak Connection

Partially-online system, which syncs

automatically with global database

whenever possible

No Connectivity

Fully offline system, with no connection to global

database

9

What is BIMS?

Security Architecture

All users must authenticate

No data retained on workstations

Operators must authenticate with

biometrics

Field servers 8͛hard drives encrypted

Field servers host only a localised database subset

Main system located behind

UNHCR firewalls

Main system backed up nightly

All main system servers virtual, with

redundant hosts

Field servers use unique SSL certificates to access main system

Role- and site-based permissions, on per-user basis

All BIMS network communications

encrypted with SSL

10

BIMS Enrolment Process

Pre-Identification

Site 1

Site 2

Site 3

Step 2: Pre-identification

Checks for existing enrolments in local area

Step 1: Refugee arrivesInitiation of enrolment in proGres

Result 1:Identity match detected in Site 1 STOP PROCESSESSING

Result 2:Identity not foundCONTINUE ENROLMENT

Geneva

Protection Interview

Enrolment

11

Enrolment Capture and Confirmation

Site 1

Site 2

Site 3

Step 3: Captured biometrics are submitted to

central system, which checks for quality and existing enrolments

Geneva

BIMS Enrolment Process

Result 1:Identity match found from Site 3CREATE ADJUDICATION CASE

Result 2:Identity not foundENROLMENT CONFIRMED

Adjudication Desk

2015 Deployments

ASIAThailandIndiaSri LankaIndonesiaMalaysiaAfghanistanPakistan

Planning is underway with the following UNHCR operations

*Pilot Site

AFRICAChadCongo BrazzaSomaliaKenyaMalawi*MozambiqueZambiaZimbabweSouth Africa