Emerging privacy-preserving frameworks for biometrics and identity limit the need to store personal data while still ensuring digital security.
You know, as you mentioned, there's a lot of talk around security and a lot of talk around privacy, but I personally haven't heard that much about how to bring these two worlds together and the proper solutions, because most of the time we have to choose between one or the other. So as, as we, you know, we, we get through today's session, I wanna talk about, you know, whether and how we can have both. Before we get into the how, I thought it would be a good idea to have us a little bit grounded in terms of where we are in this space: what are the different trade offs that are happening?
What are the considerations that we see that, that are being made every day, which lead us to the point where we're at? So firstly is the fact that we are living in an open ecosystem. We cannot always control what devices people are using. We cannot always control what browsers people are using. Sometimes we have multiple devices. We have shared devices. Sometimes there is no specific device at all, and it's more of a sensor that, that we're using at, at any single point of entry. And so any system that takes this privacy, security, identity into account must recognize this reality.
And I'll talk a lot about reality checks. Second of all, globally, the regulatory landscape with respect to privacy is very fluid. So obviously GDPR has been around for longer than many of these emerging privacy regulations, but the confusion in the marketplace is making it very difficult for, for us to figure out what is the best way to move.
Thirdly, as we do move on and create new frameworks, we find that the notion of devices and thoughts and private keys become more and more difficult to manage. Who's holding them? How do you provision them? How do you deprovision them? How do you secure them? These all become different questions in our conversation around, around this topic.
The next one is going to be the, the focal point of, of my discussion, which is, you know, as we think about these different trade offs, one of the biggest weaknesses or biggest blind spots that we see hackers exploiting is the separation between account registration, account access and account recovery. I actually was just reading a paper this morning by somebody in the cybersecurity space that I respect very, very much. And he was really promoting a decoupled process between the account registration and the authentication and really pushing privacy, which is obviously very, very important.
But the question is, if these processes are decoupled, how do you ensure that it's actually the same person across the board? So like I said, this is gonna be most of the, the talk for today. Then there is the question around, how do you unify multiple accounts and multiple identities, right? I can have multiple accounts within an enterprise. And how do you know that it's not a mule account? How do you know that somebody's not exploiting my identity to create multiple accounts and acting as me?
And finally just the reality is that because we have so many legacy applications in the enterprise that use passwords and that people are conditioned to use passwords all day long, it's really hard to get rid of them, no matter how much we, we really want to. So these are the themes that, you know, that I think are tying everything that, that, that is forcing these, these trade offs that, that we've been talking about the whole time. So reality check number one: every two seconds, there's another victim of identity theft.
And whenever there's a breach, I don't need to tell you all, but whenever there's a breach, it's like the gift that keeps on giving, right? The hackers combine different data sets. There's usually a lag between the time of the breach and, and then the actual fraud. So right now in the United States, we're seeing tremendous amount of increase in scams related to mobile payments. And there's a lot of questions on whether this is connected to a very big data breach that happened with one of the telco providers several months ago. So oftentimes we don't see the impact of the breach right away.
We see it a few months or years later. Second reality check: private sector is not the only one that is vulnerable to, to these breaches. Just a month ago, big headline: government of Argentina database was hacked into. As long as you have a central honeypot of data, it doesn't matter where it is. Those databases are vulnerable. And there are many, many, many initiatives right now around decentralized IDs and verifiable credentials.
And, you know, these are all around pushing the, the credential to the device, but at the back end, there is still a central database. And those databases still face the same questions as, as any private sector that's holding data as well. And thirdly is the rise in Bitcoin and cryptocurrency and what is going on with that world.
And this cannot be ignored. There's obviously a lot of talk, whether this is going to be legitimate or not, but every single day we see vulnerability attached to Bitcoin. Some of it is being addressed through emerging regulations around KYC, but the security of the Bitcoin and the identity management around cryptocurrency and NFTs is a very, is a, a very big area that all of us need to be cognizant of. We're hearing governments starting to legalize cryptocurrency. We're hearing about online merchants starting to accept cryptocurrency as payments.
So what does that mean for identity theft? What does that mean for the security of, of the system overall?
And these, these are real questions that, that we have to address and in order to get real security around these things, I mean, why are we where we are is that there is to get real security. We always have to trade friction and cost and a as well as the notion of the sea and in this, and in this schema, as we start to build systems, oftentimes we think of the front door, but we don't think about the back door. And as long as passwords and KBAs and PINs are used to reset accounts, are used as fallbacks, there really is no real security, because, as I said, it all goes back to the data breaches.
And this is the heart of it. The heart of it is at the central of identity is broken. The circle of identity is broken. I alluded to this before that we have different processes. We have account registration, and this applies whether it's a consumer application or enterprise, but you have, you know, when, when you register the person into the account, the actual authentication, the account recovery, and then any step-ups that need to be done. Today, these processes are all separate. And the fact that these are all separate is what makes the system ultimately weak. Why is it separate?
It's separate because we're stuck in old paradigms where we have to choose between centralized databases in the cloud, where enterprises will store everything or the reliance on the device, the biometric that's stored in the device, which might be the, the template or the biometric in the device might be really secure. But if I'm a hacker, I actually don't need the device because I can just call and impersonate you with the information that I've just stolen. And these choices, our work is causing us to be where we are today.
And I wanna talk about some new frameworks that are emerging, that can actually eliminate these trade offs. And these frameworks have to do with eliminating the reliance on a biometric template. We don't re, we don't have time to get into why, why the template is, is key to, to solving this problem. But the fact that we have templates in order to authenticate people, and the fact that these templates need to be in a holistic form and they have to be stored in a single place, is what has been the problem for the industry in driving both privacy and security in a single framework.
But there are emerging technologies and capabilities that rely on multi-party computing and zero-knowledge proof principles where the biometric can be anonymized and distributed over a peer-to-peer network, such that you can still authenticate people without having all of this data stored in a central place, and without having to recompile the data in order to do the match. And using these technologies, we can eliminate the risk of a data breach by storing all of the information in a distributed manner.
And once you have this concept, then you can extend it to private keys and other real secrets, so that step-up authentication can be done using things that really only you know, and not things that are pub or data that is publicly available, or that has been stolen or breached before. And when you have this approach, it actually enables both privacy and security because the data is not owned by anyone, and it's not sitting in any central location, neither at the consumer level, and neither at the enterprise level. It is distributed.
And everybody has the benefit of, of managing authentication processes in a privacy by design way. The other main benefit of this approach is that it is by definition compliant with all of the, all of the emerging data regulations, because you can delete, it's not blockchain, and it is flexible to handle all different kinds of modalities and, and different types of data. So these, these frameworks are, are coming out and they overcome a lot of the, the trade offs that, that have been made. And with these frameworks, you actually can close the circle.
You can, you can link the authentication process to the account registration process without creating a whole privacy problem or privacy issue of generating and creating more and more and more databases. The, the way these frameworks work is that they link the biometric and the other data that is captured at the account registration process. And that's the data that is used for account access and ultimately for account recovery. And in this process, as I alluded to before, you can also store other types of data to use for higher-end transactions or for privileged access scenarios.
And for other cases where you want to elevate the different elements of authentication for greater and greater assurance. And so I think I only have a couple of minutes to, to allow for questions. So I know I'm going quickly, but these frameworks essentially allow us, as I said, to have both. These frameworks are not device dependent, so they don't have the problem of what happens if the private key gets lost. What happens if an employee is no longer with the company and you have to retrieve the device? With these frameworks, you're not looking at device authentication.
You're looking at who's the person behind a session, and there's no need to fall back on a PIN or a passcode or a KBA in order to properly ascertain somebody's identity in a step-up scenario. In these frameworks, essentially you're leveraging PII, you're leveraging identity information without maintaining it.
So it's very friendly from a GDPR perspective, it's compliant with the fi frameworks, for US listeners, CPRA, and all of the other biometric privacy laws, Latin America, and Asia, all of the laws where you're not allowed to distribute data outside the country's borders. All these frameworks allow you to define and ensure that you're in compliance. From a consumer perspective, you have the privacy aspect where you are in control over, or where and how your identity is used. Your data is not held by any single entity.
And there is no ownership of your data that, that you're transferring over. At the end of the day, there's nothing for a hacker to find, nothing for a hacker to steal. And you are, are in control from a, from a holistic perspective. For the security designers in the, in the audience, these frameworks also support different use cases. So it's not just for remote access for employees that are working from home. You can apply this for travel.
You can apply this for retail, frictionless payments, any aspect where you're trying to, or you need to manage identity and verify that people are who they claim to be, and you do not want to give up the privacy aspect. So I think with that, I'm pretty much, I think, at time. I'm very happy to take some questions.