Key takeaways on the future of identity and security at CogX2020
10 June 2020

Our co-founder Fabian Eberle recently had the opportunity to discuss how privacy-enhancing technologies and biometrics are being used to protect users against identity theft and financial crime.

The panel discussion, moderated by Tarah Wheeler from New America, allowed Fabian, Husayn, from Onfido, and Ellison, from Enveil, to dive deep into how privacy-enhancing solutions can help strengthen cybersecurity in the next ten years and beyond.

These were the key takeaways from yesterday’s panel:

  • Biometrics are an inherently weak authentication factor on their own

  • Privacy-enhancing technologies will help protect us against identity theft and fraud

  • Seamless biometric authentication doesn’t need to compromise security

  • Deep Fakes can be used to generate biometric training data in a privacy-preserving way

  • Private biometric authentication can help with cross-jurisdictional compliance

  • To get the next ten years right, we need to be transparent

You can watch the panel here, or continue reading for a recap…

Biometrics are an inherently weak authentication factor on their own

Biometrics are insecure when used as a single authentication factor, but when combined with other factors and privacy-enhancing technologies, biometrics can be used to seamlessly and securely identify users, protecting them from the growing threat of financial fraud and identity theft.

“…. Biometrics, when done right, are the answer to solving the authentication trade-off in aligning seamless user experience with strong security and built-in privacy protection.” — Fabian

Advancements in behavioural biometrics, multi-factor authentication and privacy-enhancing technologies are allowing us to develop authentication and identity management solutions that are virtually impenetrable to cyberthreats, while also seamless for the user.

Our solution has in-built multi-factor authentication. In order to verify that a user is who they claim to be, we launch a series of challenges, some of which are invisible to the user. In the first challenge, we validate whether the device the user is authenticating from is registered or not. If the device is registered, we move on to the next challenge, where we confirm that samples of the user’s unique biometric templates match those stored across our network.

Our solution is much more robust than passwords and SMS one-time codes — both of which are susceptible to social engineering attacks like SIM-swapping and phishing.

But, as stressed yesterday, multi-factor authentication is not enough on its own to protect users against fraud and identity theft. We must also leverage advanced privacy-enhancing technologies when dealing with private data — especially biometrics.

Privacy-enhancing technologies will help protect us against identity theft and fraud

Emerging solutions that leverage privacy-enhancing technologies like secure multi-party computation (sMPC) and homomorphic encryption have the potential to help fight cybercrime and improve privacy online.

Both Fabian and Ellison discussed how Keyless and Enveil use these advanced cryptographic techniques, while also touching on how such techniques can be applied to data protection in a broader sense. As the first cybersecurity platform to ever combine biometrics with privacy-enhancing technologies like sMPC and Shamir’s Secret Sharing algorithm, we’re glad to see other leaders in privacy and security advocating for the widespread use of these technologies.

“What we’re pioneering with Keyless are several breakthroughs in the area of secure, private, and distributed biometric authentication that are based on more than 10 years of research in biometrics and cryptography.” — Fabian

Our unique combination of privacy-enhancing technologies with biometrics allows us to securely store and verify biometric data without needing to expose the raw contents of the data at any time during the authentication or verification process. In doing so, we’re able to provide a seamless, biometrically-enabled alternative to passwords.

Ellison also discussed the benefits of homomorphic encryption. Her data security platform, Enveil, is using the technology to allow third parties to share data in a way that preserves privacy.

The advanced cryptographic technique allows data to remain encrypted while it’s being shared with and processed by third parties. In other words, companies can share, collaborate and leverage data to find solutions to common problems — without ever needing to view the raw contents of the data. Such solutions will enable governments, banks and organizations to combat international cybercrime without needing to jeopardize privacy and security.
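As an added illustration (not Enveil's or Keyless's code), the sketch below uses the Paillier cryptosystem, one additively homomorphic scheme, to let a third party total two encrypted values it cannot read. The primes, function names and the two banks' counts are constructed for the example, and the key is far smaller than a real deployment would use.

```python
import math
import secrets

# Constructed demo primes (2**31 - 1 and 2**61 - 1); real keys use ~1024-bit+ primes.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p: int, q: int):
    """Return (public n, private (n, lam, mu)) for Paillier with g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)   # with g = n + 1, L(g^lam mod n^2) = lam mod n
    return n, (n, lam, mu)

def encrypt(n: int, m: int) -> int:
    """c = (1 + n)^m * r^n mod n^2, using fresh randomness r on every call."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def decrypt(priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, lam, mu = priv
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n

def add_encrypted(n: int, c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the plaintexts; no key is needed."""
    return c1 * c2 % (n * n)

def demo():
    n, priv = keygen(P, Q)
    # Constructed inputs: two banks each encrypt a count of flagged transfers.
    bank_a, bank_b = encrypt(n, 1200), encrypt(n, 345)
    # The processing party only ever handles ciphertexts.
    total_ct = add_encrypted(n, bank_a, bank_b)
    return decrypt(priv, total_ct)   # only the key holder learns the total
```

Paillier supports addition (and multiplication by a known constant) on ciphertexts; arbitrary computation requires a fully homomorphic scheme.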

Seamless biometric authentication doesn’t need to compromise security

As we mentioned earlier, biometrics on their own are a weak means of authenticating users. This is because a user’s biometric features never change, meaning that if they’re compromised, they can’t simply be altered to prevent fraud and identity theft.

To protect users from even the most sophisticated threats, we need to ensure that we’re able to recognise and detect when fake biometric data is being used.

Liveness detection and anti-spoofing

We leverage advanced liveness detection and anti-spoofing technology to rule out the possibility of an imposter using stolen biometric data, such as photos or videos. This technology allows us to pick up on subtle movements that indicate whether a person is truly present in front of the device’s camera.

Physical vs Behavioural biometrics

Our protocol allows for the combination of physical biometrics (facial recognition and fingerprint technology) with behavioural biometrics. Behavioural biometrics is a new modality of biometric technology that allows us to verify users based on the way they interact with their devices — whether that be through unique keystrokes, or unique swiping patterns.

By incorporating multi-modal biometrics, our solution allows for unconscious, continuous authentication. This is what makes our solution unique — in that it is seamless for the user — while simultaneously secure and privacy-enhancing.

Deep Fakes can be used to generate biometric training data in a privacy-preserving way

As expected, the conversation yesterday led to the risks of Deep Fakes. With the rising adoption of biometrics, Deep Fakes could become a real security threat. That’s why it’s crucial to combine traditional biometrics with new biometric modalities that protect users from fraudulent biometric attacks.

While the risks of deep fake tech are certainly worth preparing for, our co-founder Fabian also discussed how Keyless is leveraging the technology to train our machine learning algorithms. By using GANs (generative adversarial networks), we can enhance the reliability of our product in ways that were not previously possible.

For example, we can ensure our algorithms are able to accurately detect and verify users from a more diverse landscape. This is especially important, as facial recognition machine learning systems have previously proven to be ineffective and biased at identifying users when trained only on datasets from limited demographics.

Cross-jurisdictional identity management is possible with biometric authentication solutions

“The global demand for privacy has never been greater than it is today” — Ellison

Regulations like GDPR and PSD2 are ushering the world into a new era of privacy — yet they also pose problems for enterprises and organizations that need to process personal data in multiple jurisdictions.

The other issue highlighted by the panel yesterday is that regulators in different regions each need to be educated on the benefits these breakthrough privacy-enhancing technologies have when it comes to protecting personal data against security threats.

At Keyless, we help organizations comply with data privacy regulations by providing a secure multi-factor authentication solution that relieves companies from the burden of storing data, like usernames and passwords, on centralized servers. In doing so, we are helping companies to actively reduce cyberthreats caused by compromised credentials, thus making unauthorized access virtually impossible.

Distributed vs centralized data storage

Our solution also helps organizations become less of a target for cybercriminals, as the “honeypots” of usernames and passwords are no longer stored on centralized databases with the organization.

At Keyless, we use distributed cloud architecture to store encrypted biometric data. The key here is that no single node in our network has access to a full decrypted biometric template — making our authentication solution private by design.
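To make the "no single node holds the full template" property concrete, here is an added sketch of Shamir's Secret Sharing, the algorithm named earlier in this post. It is not Keyless's protocol or code: the 3-of-5 threshold, the function names and the 40-byte stand-in template are assumptions made for the example.

```python
import secrets

PRIME = 2**127 - 1   # Mersenne prime; the field must exceed any chunk value
CHUNK = 15           # bytes per field element (120 bits < 127 bits)

def _eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split(secret: bytes, k: int, n: int):
    """Return (length, {node_id: [share per chunk]}); any k nodes can rebuild."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    shares = {x: [] for x in range(1, n + 1)}
    for i in range(0, len(secret), CHUNK):
        # The chunk is the constant term; k-1 random coefficients hide it.
        coeffs = [int.from_bytes(secret[i:i + CHUNK], "big")]
        coeffs += [secrets.randbelow(PRIME) for _ in range(k - 1)]
        for x in shares:
            shares[x].append(_eval(coeffs, x))
    return len(secret), shares

def combine(length: int, shares: dict) -> bytes:
    """Lagrange-interpolate every chunk at x = 0 from the given nodes' shares."""
    out = b""
    n_chunks = len(next(iter(shares.values())))
    for i in range(n_chunks):
        total = 0
        for xj, ys in shares.items():
            num = den = 1
            for xm in shares:
                if xm != xj:
                    num = num * -xm % PRIME
                    den = den * (xj - xm) % PRIME
            total = (total + ys[i] * num * pow(den, -1, PRIME)) % PRIME
        size = min(CHUNK, length - i * CHUNK)
        # Too few shares yield an arbitrary field element; keep the low bytes.
        out += total.to_bytes(16, "big")[-size:]
    return out

# Constructed stand-in for a biometric template (not real biometric data).
TEMPLATE = bytes(range(40))

def demo():
    length, shares = split(TEMPLATE, k=3, n=5)
    quorum = {x: shares[x] for x in (1, 3, 5)}
    too_few = {x: shares[x] for x in (2, 4)}
    return combine(length, quorum), combine(length, too_few)
```

Any three nodes recover the template exactly, while two colluding nodes interpolate to unrelated bytes, because every candidate secret is equally consistent with fewer than k shares.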

Husayn from Onfido advocated for giving users full control of their data as a solution. This is an interesting point that we completely agree with. However, such a solution may not work cross-jurisdictionally in the short term, while we wait for corporations and governments to change their perception around data ownership.

Transparency is key when it comes to secure and private data management

Lastly, the key to protecting identities is balancing transparency with security. As highlighted by Ellison, we can do this by being transparent about the protocols and algorithms we use, how we implement them, and by allowing third party auditing of our source code and platform.

At Keyless, we’re looking forward to helping enterprises, organizations and users from around the world improve privacy and security. With our privacy-enhancing authentication and identity management solutions, we can actively reduce cyberthreats, improve security and transform the authentication user-experience.

It’s our mission to allow anyone to seamlessly access any digital service from any device, at any time, while keeping personal credentials safe, private, and under control. We’re excited to continue working on this as we rapidly move into a world powered by digital technologies.

. . .

Do you have further questions about any of the technologies mentioned in this article, or about how Keyless can help fight financial crime and identity theft? If you do, please feel free to ask away in the comments.

Interested in trialing Keyless to enable secure work from home?

If you’re interested in how Keyless™ authentication can help deliver secure and seamless digital experiences, whether for your end-users or for an ever more important and dynamic digital workplace, or if you’d simply like to learn more about our platform, then please feel free to get in touch with our team.

You can email us at info@keyless.io

We’re always keen to have a chat about how we can help businesses on their journeys towards a complete zero-trust security model.
