printer friendly version

Digital identity trust instead of exploitation

The digital world we now live in was initially welcomed with open (and naïve) arms as we found the means to communicate, participate and enjoy global relationships and services from a computer and eventually a mobile device. Bundled under the banner of ‘privacy’, we have slowly come to realise that this amazing digital world is being used to capture personal and private information, all relating to our identities and this data is being viciously exploited for profit.

While the ‘Big Tech’ companies get most of the blame for exploiting information (quite legally according to their seldom read ‘terms of service’ and ‘licences’), there are innumerable companies doing the same and worse. Even useful apps on your phone (i.e., excluding social media apps) collect more information than they really need and are not above profiting from this. That’s not to say every company collecting private information is unethical or has some exploitative motive, but one must ask why the secrecy about what they do if it’s all above board?

Add to this the criminal element where cybercriminals steal, sell and/or use private information for nefarious intents and we have a situation where trust in almost everything digital has eroded and it is basically impossible to be anonymous or even have control over your own identity information. The fact that some companies have no respect for the information they collect (remember the millions of South African identity numbers that were stolen from an online, unprotected database?) and have not had to fear any legal repercussions in South Africa and most of Africa for their carelessness to date – although we hope new legislation will be enforced in SA – and we have a perfect storm in terms of privacy issues.

The positive side

When looking at the growth of online crime and the ability of people to seemingly commit fraud with such ease in the digital world, it’s clear that some form of centralised digital identity can be extraordinarily useful – assuming it is accurate and reliable, as well as managed and secured effectively. This is where the concept of ‘identity proofing’ has arisen and is becoming big business (as can be seen in other articles in this publication).

Jason Shedden.

The terms used in this identity proofing are ‘orchestration’ and ‘federated identity’. Hi-Tech Security Solutions spoke to Jason Shedden, CTO of local identity proofing company, Contactable. The company’s website describes it as follows: “Contactable specialises in biometric and digital identity proofing in South Africa. Identity proofing is a set of activities that provides a high level of confidence that the digital identity claimed by a new customer or user corresponds to the owner of that real-world identity.”

A contact database

To make the concept clear, Shedden goes back a few years to the founding of Contactable. At that time, he was an investment banker. These people are a sociable bunch and collecting each other’s business cards was an important part of the work they did. When you wanted to know something, you remembered someone you met who knew something about that topic, fished out their card and gave them a call – and vice versa.

The problem is that investment bankers also changed jobs often, meaning a contact you made a few months ago may be at another company. Shaun Strydom, the current CEO of Contactable, came up with the idea of a contact list that automatically updated itself.

The idea was simple. Instead of having a rolodex of business cards, people could have a contact list where each person is responsible for keeping their own information current, thereby making sure they can be contacted no matter where they move or what their latest phone number or email is. Each person controlled their digital identity and shared it with whomever they wanted to and the app would ensure that all information was synchronised across the globe – even to the extent of including IP phones.

This idea works for a contact list, but in the business world, a bank, for example, can’t simply let people change their details without some form of verification that the person doing the update is really the person they claim to be. And we all know how cumbersome it is to have to prove your identity every time you want to do some form of transaction. So it would be nice to have one source of accurate and up-to-date information that can be securely accessed.

A federated identity

Contactable came up with the plan to create a federated identity service where an individual’s identity was managed and controlled by securely maintaining a database of different aspects of their identity and sharing this with known and authorised businesses. The concept is offered by many companies globally in various forms, so Contactable decided to focus on digital identities, specifically being able to verify an identity in under 1 minute.

This is where the concept of orchestration comes in. Shedden says your digital identity is made up of many components and just as a conductor needs a full orchestra to perform Beethoven properly, Contactable orchestrates all these components to verify an identity with a high level of certainty. As physical security is improved with a layered approach, we can be more certain of the validity of an identity by adding layers of these components that each add another level of validation that the person is who they claim, creating a strong federated identity.

When going through South Africa’s RICA verification process, for example, a business will collect a person’s identity document (which will have their face on it or in the card) and their address. But how do they know the person is who they claim to be?

The first layer of authentication could be to confirm the identity number and face with Home Affairs before moving onto more verification layers. This is the federated identity or orchestration platform that Contactable has built. The service is not simply for banks, but any company that transacts and requires a level of trust that the party they are interacting with is the real person.

More than biometrics

Biometrics is naturally a great way to authenticate an identity and today’s technology is making it harder to use fake fingerprints or faces. In addition, Covid has ensured that most people are keen on touchless biometrics. Therefore biometrics forms a crucial part of Contactable’s service.

Shedden explains that your biometric is a great first step in the process. Capture a fingerprint with a reliable reader and you can use Home Affairs to confirm the fingerprint belongs to the person. If someone has been doing DIY projects on the weekend and their fingerprints are unreadable due to the careless use of superglue (or maybe that’s just me), you can fall back onto facial or voice biometrics which can be verified by a third party.

Not that biometrics are essential, although the various modalities are high-value layers in the orchestration process, there are other means to verify an identity (the Contactable platform has been created in such a way that any API can be plugged in if required). Using a mobile device can provide additional identity information, such as whether the person usually uses that phone and network and whether there has been any fraud activity related to it and more. When it comes to the use of technology, behavioural biometrics is an additional growing (and frightening) modality.

However, biometrics streamline the process as long as the appropriate equipment and security is in place. Contactable makes sure it uses the best solutions out there by, for example, checking the NIST (National Institute of Standards and Technology) rating. Some interesting reading about biometrics can be found at www.nist.gov/biometrics.

How the platform works

Every digital interaction has a user interface, whether on a cellphone, a computer or even a kiosk where information is collected, a picture of the person’s face taken, or documents scanned etc. This information is sent by the client company to Contactable’s back-end server where it is sent to various third-party services for analysis.

As above, an identity number can be sent to Home Affairs for verification, but also to the Southern African Fraud Prevention Service (SAFPS) and/or a credit bureau. There are many companies that can identify the components of the identity layers. Including those that can verify your regular phone, where and how you use it and more. When it comes to biometrics, it goes without saying that accurate liveness detection algorithms are of critical importance.

This may sound like a lot of work and it is, but the critical factor is time, you don’t want to wait for an hour for your food order to be accepted. Shedden says the whole process is completed in under 20 seconds, at which time an identity metric is returned to the customer and if acceptable, an automated process can take them further. If the metric is too low, the transaction is cancelled and in a few cases the metric doesn’t pass or fail and the person can be redirected to a human for the decision to be made.

Every customer requires a different level of certainty, so less work needs to be done if you are ordering food delivery as opposed to opening a bank account.

Taking three inputs from the customer, for example, their mobile number, email address and a selfie, the Contactable platform returns around 30 identity components (layers) to make up the metric and decide if the identity is valid – again in under 20 seconds.

Ensuring trust is critical in a service like this and Shedden says the Contactable service is compliant with PoPIA and GDPR, as well as ISO27001 – which deals with securing information. Security is critical to meet these regulations and standards, but also to build trust in digital identities for companies that rely on them when conducting transactions, but also with the individual, who wants to know that their personal information is being made available for the right reasons, securely and won’t be sold to anyone and everyone with a dollar to spend.

For more information contact Contactable, +27 10 100 3647, [email protected], www.contactable.co.za

The Life of PIEs

Liminal, a strategy advisory firm focused on digital identity, fintech, cybersecurity and more, has published a research report titled The Life of PIEs, covering ‘The journey to personal identity ecosystems’.

The report expands dramatically on the digital identity concepts mentioned in the above article. The company states: “Digital identity is a how, not a what and the path to establishing personal identity ecosystems (PIEs) will be a journey, not a destination.

“This report maps this journey, from today’s fragmented framework of one-to-one relationships, to one-to-many federated identity relationships, to many-to-many relationships of private and perhaps public decentralised ecosystems.”

There is too much in the report to cover here, but its conclusion starts with a critical statement on trust: “Meeting the criteria of trust and ubiquity are going to be critical steps for the development of PIEs, but the solution does not need to be isolated to a specific vertical or organisation. In reality, the solution that is most appropriate will encompass as many entities as possible, blending the strengths and minimising the weaknesses that each has.”

The full report is downloadable at https://liminal.co/wp-content/uploads/2021/12/Liminal-Life-of-PIEs-Q4-2021-Report.pdf, or via the short link: www.securitysa.com/*liminal1

Share this article:

Further reading: