So I welcome everyone, and thank you again for being here. As I mentioned, in the world of biometrics there was always this conundrum of privacy and security and the reputability of biometrics as a form of personal identity. And we were generally stuck when it came to biometrics.
So we continue to be stuck in a paradigm of tradeoffs. Most of us are familiar with biometrics as either pieces of data that are stored in central honeypots. These are large databases where we have all of our personal information, including biometrics, and there's generally more control over these central honeypots. They are closed-loop systems. They're tied to rooted identity for those that are doing KYC processes and background checks. Centralized identity systems take that rooted identity, create an authentication record.
And that authentication record is used to access facilities, access networks. We call that the circle of identity, and it's got lots of benefits because these systems are always on, with strong exception handling; the issuing authority is in control and has the backup systems that they need in order to really ensure that people are who they claim to be. But obviously we've seen time and time again, and many of us are getting immune to this already, that these central honeypots are vulnerable to breaches and to hacks. So on the other side of the equation are device-based biometrics.
These are the Face ID, the Touch ID, the biometrics that we use on our phones every single day. They're very privacy friendly because the template is in the device and it never leaves. Obviously it's easily available. Most, many of us have smartphones. And so we can just use the yes/no coming from the device as a generic authenticator. So it makes it very easy for banks or others to adopt. But from a security standpoint, there are two main problems. After one or two failures of the Face ID,
the system asks you for a passcode, and we know how easy passwords are to circumvent. And also the Face ID on the phone is not bound to a rooted identity. So you actually don't know who's behind the device. A fraudster can call a bank and use the information stolen from the central honeypot to impersonate you and tell the bank to send the one-time password or to add their phone number to your account. And this is the number one attack vector today. And so these tradeoffs are continuing every day, all the time.
And when it comes to biometrics, there's really no solution. Regulations are also forcing new ways of thinking, right? We have GDPR, we have CPR, there are many, many countries today, as you can see on the chart here, that already have data protection legislation around personal use of data, data minimization, and other specifications like the right to know and the right to be forgotten.
And all of that is well and good, but still enterprises, banks, governments, cryptos, health facilities, schools, anybody that is doing any kind of interaction still have to ensure strong authentication without any of these other restrictions. And so that really is forcing new ways of thinking and new approaches and thoughts around, you know, how can you manage both? And so what it's forcing is a think around, you know, new frameworks that don't center around the old paradigm between centralized databases and/or device-based biometrics.
So what can it be? How can we do zero knowledge authentication, maybe without biometric templates, where there's nothing for a hacker to find and nothing for a hacker to steal, but you can still actually ensure that somebody is who they claim to be at any given interaction? In other words, how can we get to the root of the problem by securing and managing biometrics in a different way? And there are these new emerging frameworks today that apply multi-party computing and zero knowledge proofs to decentralize the biometric information.
You can use these concepts beyond biometrics as well, for any PII or any secret. But if you take these concepts and you distribute not only the storage of the information, but also the computation of the information, you actually make it possible to eliminate the tradeoff between privacy and security and close the gap. And the way these concepts generally work is that instead of relying on templates, because this is where the Achilles heel always was, you always needed a template to be in holistic form in order to do the match.
So instead of relying on biometric templates that were holistic, in these frameworks biometric data essentially is broken up into anonymized, meaningless bits that are distributed over a peer-to-peer network, where they're kept and never retrieved. So these bits are kept in these storage nodes, if you will.
And the comparison and the computation of these bits also happen in a distributed way. So when you capture the biometric for the first time, it gets split up and stored in a network. And when you do a computation or an authentication, each of these bits gets calculated separately, and then the authentication request gets resolved.
And the yes/no answer is sent to the bank or the app or wherever the biometric identity verification needs to happen. You can also use these frameworks for one-to-many, for distributing and retrieving master passwords, crypto keys, private keys even, for blockchain applications. This is all part of the same concept of not storing anything in one place and maintaining the privacy and security aspects of a total system. And by doing this, you actually end up with very significant benefits. This works across different devices. You're not reliant on a device.
It's not susceptible to device takeover, to specific attacks at the endpoint. You're not relying on PINs and passcodes as fallback mechanisms. You essentially can leverage PII without maintaining PII and be completely GDPR, CPR compliant, using this as an authentication token, like a FIDO authenticator. There is no ownership. There's no essential ownership of any of this data, because this data is not sitting in or with any single entity. Users have the right to know and the right to be forgotten.
And their personal data is not at risk of any exposure. And because these are decentralized cloud-based infrastructures, they also support built-in KYC and other downstream applications, as I showed before. So they fit very nicely in a world of identity-centric security. As I mentioned, these use cases and these applications will range. These are just some examples that you're seeing right here. You can just use these infrastructures as decentralized storage vaults. You can use them to provide zero knowledge authentication.
You can use them to store and retrieve passwords and secrets, and you can use them to validate and verify existing blockchain or decentralized and verifiable credential type of applications. So let's just double-click on that for a moment, because there's a lot of things happening today with DIDs. And most of them have to do with storing the actual credentials on the blockchain and having different entities validate at the time that those credentials are being presented. But what happens when you need to reissue the credentials?
What happens when somebody gets a new device? What happens if the private key is somehow lost or stolen? So this is another very interesting way for a decentralized biometric framework to support the broader decentralized ID frameworks that are going on. All of these are applications that a decentralized biometric infrastructure can ultimately support.
And I'll just close with this little cartoon because, you know, in the world, since I've been involved with biometrics, and you know, most security professionals, I will say, it's always been a tradeoff between privacy and security. You either have, you know, good privacy or good security.
And, you know, as I've tried to convey in my short time here, I think we have new frameworks that allow us to have our cake and eat it too, really for the first time in this space. So with that, I will end and open for questions.