Great. Thanks for having me. I'm going to put this in presenter mode. Hopefully everybody can see the slides properly. It's really a pleasure to participate as always in these events. Thank you for having me again. I'm going to jump in. As I hinted just now, the topic for today is new frameworks for biometric security and identity beyond the blockchain. So for those who do not know me, I've spent the last 20 or so years in the biometrics and identity space, tackling all kinds of issues pertaining to identity management, specifically around biometrics.
And I want to bring back an old concept that, that we used to talk about that actually, I don't hear about so much, very often, and that is the circle of identity. And what we mean by the circle of identity is, is really ensuring that whoever you are doing the initial enrollment with is the same person that you're ultimately credentialing and provisioning and allowing into your network, and then proving that, that they are who they claim to be across the entire journey.
And when we used to talk about this concept, for the most part, we would talk about it in the context of physical identity or identity management in the enterprise. But since we've started really interacting digitally through devices, this circle has been broken. And the fact that this circle is broken is causing an enormous amount of issues and contributing to a lot of the fraud and identity theft that we see today, simply because we're not able to properly authenticate the people that we are enrolling.
And what we'll talk about today is really how to close this and how to use different frameworks of identity management that are privacy oriented, but still allow us to really close the circle. I'm going to start with the hype cycle from our good friends from Gartner.
I think that there are a lot of interesting things. This is the newest hype cycle that they released in the summer. And there are a lot of interesting things, I think, that we can all pay attention to.
With respect to what we're covering today, I'm going to highlight a couple of things: FIDO, the notion of bring your own identity, and mobile MFA. All of those, which you see, are starting to get into what they call the trough of disillusionment. And I'm going to posit that the reason that we're seeing these starting to move to the right is the fact that they're contributing to this broken circle of identity. If we are bringing our own identity, how do we know what the root of trust is? If we're relying on device-based biometrics, how do we know who's behind the device?
If we are relying on mobile MFA or mobile authenticators, how do we know that it's the right person that is submitting the code? All of these methods can and have been circumvented.
And the reason that we're seeing a lot of this is that we're stuck in a paradigm within the biometric space where we have to trade off privacy and security.
The tactics that I was just talking about are very privacy oriented, but they leave a lot on the table when it comes to really securing the entire, again, circle of identity. I'm gonna use that term a lot. Part of the reason to be stuck in this paradigm is that we continue to rely on a biometric template that has to be stored in a holistic form in some place. So either the information is stored in centralized databases that you then have to protect.
And we all know how hard that is to do, or we rely on biometrics that are stored on devices, whether they're mobile phones or keys or whatnot.
And then typically the process of enrolling into that device is completely separate from the process of enrolling or opening an account or enrolling into the system. You're essentially counting on the fact that the person who is coming with their own device and their own biometric is the same person that you've allowed into your enterprise.
And when it comes time to do a step up, or if there is a new device or a new application that you want to allow, it's very hard to know whether it's really the same person. So I'm gonna talk about new frameworks and new paradigms in a moment, but it's important to understand why we are where we are, and that is the reliance on that holistic template.
So, as I've been implying, new frameworks are emerging.
And if we look more to the left of the Gartner hype cycle, we see a couple of highlights that I know have been discussed already a lot today and throughout the conference. One of them is decentralized identity. And the second that I wanna highlight is zero knowledge proofs. There's a third one that's kind of implied through this whole thing, which is leveraging multi-party computing. When it comes to decentralized identity,
almost all of the applications that we talk about today are really about securing and digitizing existing credentials. We are not talking about biometric authentication in a decentralized manner, and this is one of the areas that is emerging to enable the security and the privacy that we desperately need, and driving that are the zero knowledge proof capability, as well as multiparty computing.
And what that does for us is that instead of relying on this biometric template that has to be stored in a single place, which has been the Achilles heel for the industry. I've been working on these issues for much longer than I care to admit at this point.
So what these new capabilities, MPC and zero knowledge proofs, are allowing us to do is to separate out the requirement of, and the reliance on, the biometric template.
And instead break up biometric data in a way that can be anonymized and distributed, anonymized and broken up first, and then distributed over a peer-to-peer network of nodes that have different capabilities to do both the storage and the matching in a decentralized way. And when you leverage these kinds of technologies and frameworks, what you can do is capture the biometric data, distribute it, keep it for authentication purposes and also for lookup purposes.
But moreover you can take it to the next level and store real secrets, not your mother's maiden name and your address and things that can be found all over the web, but you can actually store real secrets and use the biometric in order to retrieve and invoke that secret.
And this is very applicable to blockchain applications or crypto type of applications, but even in other places like in healthcare, maybe you wanna have a wallet that stores your blood type and other emergency contact information or prescriptions.
And you wanna have that all in a wallet that only you have access to. So there are many, many ways to store and manage these secrets. But the key here is to also ensure via the biometric that only the right person has access to it. And that's what these new frameworks allow us to do. And so from a delivery standpoint, what it actually looks like is a cloud-based distributed authenticator that does not sit in any single location, neither at the enterprise, nor at the consumer level.
And this peer-to-peer network provides the assurance that people really are who they claim to be when they interact with the enterprise and also gives the enterprise the peace of mind that there is no central honeypot of data that can be tapped into.
And this, obviously the focus of today is biometric and identity information, but I've already explained that we can expand this to beyond using the biometric, to actually secure all of the data. This also means that from a GDPR standpoint, from a data minimization perspective,
we're also, you know, not storing things that can be, you know, found or stolen by hackers. And, you know, this is really like a privacy by design framework that allows enterprises to still have the identity management that they need. So I've explained a little bit about like technology and, you know, the multiparty computing and the zero knowledge proofs and these frameworks in the context of identity management. But let me bring it back to how we use these frameworks to really close the circle of identity from a security standpoint.
So what I talked about before and in the beginning is that you're doing admit, and then that process is finished and then the user enrolls themselves on a mobile device.
And that process is separate from the enrollment. What we're seeing here is that you can grab the enrollment biometric and any other secret or PII that you need upon the identity verification process and insert that into this new framework in a distributed manner and use the biometric that is collected in order to unlock whatever information is stored.
So now you're ensuring that the person you're credentialing provisioning is ultimately the same person that would be authenticating. We reduce and eliminate the reliance on pins and passcodes on other KBA. And we introduce the idea of using real secrets and backup biometrics and other policies in order to actually step up. So this becomes very important for, again, new device applications, for shared device applications like kiosks at airports or other applications where you do not want and you do not need to have the device as a thing that you actually have.
So in closing, I'm going to propose go-forward principles. And I should say, I said this in the beginning, this is not blockchain. These new frameworks do not rely on blockchain because you can't do a lot of the things that we're talking about on the blockchain. We cannot process the biometric data on the blockchain. We cannot ensure the step up and the closed circle of identity, because we need to tie back, keep on adding and deleting as needed. And we need to support many, many different use cases that are not device oriented.
And so in my mind, the future of privacy and security with respect to biometric and identity comes from these four principles. And I know we have a panel in a couple of minutes and I can't wait to debate with Maxine, but, you know, these are the four principles that we need to consider as we move forward.
So one is we must be able to work across device and eliminate the dependency on the device, which, as I've mentioned several times, is a major attack, not only for device takeover, but also just to circumvent the entire process, because if ultimately you're falling back on a passcode, then your whole schema is weak. Two is to be able to leverage PII in a decentralized manner without it actually being kept in a holistic form, which is in line with the principles of FIDO and GDPR and other emerging privacy legislation.
Number three is not to have personal data held by any single entity, giving hackers nothing to find and nothing to steal, and supporting different use cases that incorporate the collection of data from the IDV up standpoint, through authentication and beyond. And I think that if we can all agree as an industry on these four principles, we will be able to really unleash the potential of everything that we are all after, which is ultimately privacy and security for all of us. I think that's it for my presentation.
I don't know if we have time for questions now, or if we're gonna do that on the.