The move towards personalisation and digital privacy is shifting how companies handle personal and biometric data. Rather than building fortresses, forward-thinking businesses are empowering their users to safeguard their digital identities, putting them in control and lowering the risk of expensive and dangerous mass breaches.
Data breaches are happening with increasing frequency. According to Forrester, data breaches and privacy abuses exposed a billion records which resulted in US$2.7-billion in fines in 2022. The company says that more than 70% of security decision makers experienced at least one breach at their firm, while 36% experienced three or more breaches.
Many organisations are currently opting to store users’ identity as well as biometric information in central databases. Their focus is on building higher walls in order to protect that data – in much the same way as one would try to protect the crown jewels inside a tower. All the efforts are about building an impenetrable system. A different way of approaching the problem is to decentralise how personal data is stored, empowering individuals to be in control of their digital identity.
The focus on personalisation and digital privacy has also led to a rise in the decentralised, distributed or self-sovereign identity when it comes to security.
It’s generally held that most users have upwards of 100 digital identities online. Each carries unique identifiers, such as e-mail addresses, ID numbers as well as biometric data that bind digital information to that physical person. Storing these identities in central databases makes it incredibly easy for hackers to access hundreds of thousands of identities with one hack. What’s more, it exposes companies storing the data to massive lawsuits if there is a breach. If, however, each person keeps their identity on their personal devices, for example in the form of a cryptographic key pair, protected using biometrics, short of using a soldering iron, an attacker won’t be able to get the data off the device, and individual hacks just aren’t worth the effort for hackers.
This method allows a password-free means of cryptographically proving who is conducting transactions each time they are carried out. This removes the need for centrally stored identifiers and lessens the appeal for hackers. What’s more, the device and software running on it can also be checked to ensure it isn’t compromised before banks and others issue a credential to the device, adding an additional layer of security.
Trust
We are constantly looking for the most secure way of verifying a user when server-side biometrics are involved. As soon as we have verified the person, we want to move the information down to the edge, handing off the identity to the user in their hand, rather than storing it on a server. As people become more concerned about their privacy, allowing them to take ownership and feel in control helps create an environment where trust can be built.
When it comes to lost devices, there will always be a need to have central repositories of biometric data, such as the department of home affairs, against which security companies can verify users, but these checks should happen only if and when they are needed.
An important part of digital privacy is keeping the user in the loop whenever a company collects information on them.
Read: TikTok ban could weaken personal cybersecurity
There are times when silent authentication can happen in the background for low-risk transactions, but letting the user know what is happening is key. Asking users if they want to create a digital fingerprint, or if they want to store biometric information puts them in control. For instance, when you set up a banking app on your new phone you should be explicitly asked if you will permit the collection of geolocation data. The collected data may allow the bank to make better risk decisions, but the choice should always be yours.
There are companies that are silently collecting data points on users’ behavioural patterns to create unique digital fingerprints. While this can be effective, if the company doesn’t inform the user that data collection is taking place, it might not be privacy preserving and runs against the current trend where the customer is in control of their data at all times.
- The author, Erhard Brand, is R&D team lead at Entersekt, a Stellenbosch-based digital authentication company