A security server is provided to maintain security profiles for many customers. Customers are authenticated to the security server using a secret identifier, such as a password, or a digital signature. The customer can add, delete, and modify security images included with the customer's profile. In addition, the customer grants merchants or other requestors the right to retrieve one or more of the customer's security features. The authorized requesters are included in an authorization list. The customer restricts when the requestors can request the selected security features. When a requestor requests security features corresponding to a user, the requestor's identity is verified, such as using a digital certificate or an identifier. A check is also made to determine whether the customer has granted the requester access to the requested security features. The features are either returned to the requestor or an error is returned depending on the requestor's authorization.