Allow users to secure their digital identities

Issue 4 2023 Access Control & Identity Management, Security Services & Risk Management


Erhard Brand.

The move towards personalisation and digital privacy is shifting how companies handle personal and biometric data. Rather than building fortresses, forward-thinking businesses are empowering their users to safeguard their digital identities, putting them in control and lowering the risk of expensive and dangerous mass breaches.

Data breaches are happening with increasing frequency. According to Forrester, data breaches and privacy abuses exposed a billion records which resulted in $2.7 billion in fines in 2022. The company says that more than 70% of security decision-makers experienced at least one breach at their firm, while 36% experienced three or more breaches.

“Many organisations are currently opting to store users’ identity as well as biometric information in central databases. Their focus is on building higher walls in order to protect that data – in much the same way as one would try to protect the crown jewels inside a tower. All the efforts are about building an impenetrable system. A different way of approaching the problem is to decentralise how personal data is stored, empowering individuals to be in control of their digital identity,” explains Erhard Brand, R&D; Team Lead at Entersekt.

Brand says the focus on personalisation and digital privacy has also led to a rise in the decentralised, distributed or self-sovereign identity when it comes to security.

“It’s generally held that most users have upwards of 100 digital identities online. Each carries unique identifiers, such as email addresses, ID numbers as well as biometric data that bind digital information to that physical person. Storing these identities in central databases makes it incredibly easy for hackers to access hundreds of thousands of identities with one hack. What’s more, it exposes companies storing the data to massive lawsuits if there is a breach. If, however, each person keeps their identity on their personal devices, for example in the form of a cryptographic keypair, protected using biometrics, short of using a soldering iron, an attacker won't be able to get the data off the device, and besides, individual hacks just aren’t worth the effort for hackers.”

Brand says this method allows a password-free means of cryptographically proving who is conducting transactions each time they are carried out. This removes the need for centrally stored identifiers and lessens the appeal for hackers. What’s more, the device and software running on it can also be checked to ensure it isn’t compromised before banks and others issue a credential to the device, adding an additional layer of security.

“We are constantly looking for the most secure way of verifying a user when server-side biometrics are involved. As soon as we have verified the person, we want to move the information down to the edge, handing off the identity to the user in their hand, rather than storing it on a server. As people become more concerned about their privacy, allowing them to take ownership and feel in control helps create an environment where trust can be built,” Brand says.

When it comes to lost devices, Brand says there will always be a need to have central repositories of biometric data, such as the Department of Home Affairs, against which security companies can verify users, but says that these checks should happen only if and when they are needed.

Brand also believes that an important part of digital privacy is keeping the user in the loop whenever a company collects information on them.

“There are times when silent authentication can happen in the background for low-risk transactions, but letting the user know what is happening is key. Asking users if they want to create a digital fingerprint, or if they want to store biometric information puts them in control.

For instance, when you set up a banking app on your new phone you should be explicitly asked if you will permit the collection of geolocation data. The collected data may allow the bank to make better risk decisions, but the choice should always be yours. There are companies that are silently collecting data points on users’ behavioural patterns to create unique digital fingerprints. While this can be effective, if the company doesn't inform the user that data collection is taking place, it might not be privacy preserving and runs against the current trend where the customer is in control of their data at all times," Brand says.




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

SMARTpod talks to The Risk Management Forum
SMART Security Solutions Editor's Choice News & Events Security Services & Risk Management Videos Training & Education
SMART Security Solutions recently released its first SMARTpod podcast, discussing the upcoming Risk Management Forum Conference 2024, which will be held on 26 September 2024 at the Indaba Conference Centre in Fourways, Johannesburg.

Read more...
There is a SaaS for everything, but at what cost, especially to SMEs?
Editor's Choice Information Security Security Services & Risk Management
Relying on SaaS platforms presents significant cybersecurity risks as the number of providers in your landscape increases, expanding your attack surface. It is important to assess the strength of the SaaS providers in your chain.

Read more...
New State of Physical Access Control Report from HID
HID Global Editor's Choice Access Control & Identity Management News & Events
HID released the 2024 State of Physical Access Control Report, identifying five key trends shaping access control's future and painting a picture of an industry that has been undergoing considerable transformation.

Read more...
Smart intercoms are transforming access control
Access Control & Identity Management Products & Solutions
Smart intercoms have emerged as a pivotal tool in modern access control. They provide a seamless and secure way to manage entry points without the need for traditional security guards to validate visitors before granting them access.

Read more...
Innovation and security go hand in hand
Technews Publishing Facilities & Building Management Security Services & Risk Management
In a world where the demand for tech innovation is matched only by the acceleration of cybersecurity threats, businesses face the challenge of balancing new product development and robust security measures.

Read more...
Easy, secure access for student apartments
Paxton Access Control & Identity Management Surveillance
Enhancing Security and Convenience at Beau Vie II Student Accommodation, a student apartment block located at Banghoek Road, Stellenbosch, with Paxton's access control and video management solution

Read more...
Invixium acquires Triax Technologies
News & Events Access Control & Identity Management
Invixium has announced it has acquired Triax Technologies to expand its biometric solutions with AI-based RTLS (Real-Time Location Systems) offering for improved safety and productivity at industrial sites and critical infrastructure.

Read more...
ControliD's iDFace receives ICASA certification
Impro Technologies News & Events Access Control & Identity Management
The introduction of Control iD's iDFace facial biometric reader, backed by mandatory ICASA certification, underscores the commitment to quality, compliance, and innovation.

Read more...
The future of workplace access
HID Global Access Control & Identity Management
Mobile credentials are considerably more secure than physical access control, because they eliminate the need for physical cards or badges, support multiple security protocols, and add layers of protection on top of basic card encryption.

Read more...
Bomb threat landscape in South Africa
Editor's Choice Security Services & Risk Management
Over the past 25 years, South Africa has faced thousands of bomb threats and explosive incidents annually, imposing a significant economic burden on the nation, costing billions of rand.

Read more...