Nomidio launches cloud biometrics service with key-splitting to enable self-sovereign identity
Nomidio has launched a service it calls a PII (personally identifiable information) Cloud. Its first module is an Identity-as-a-Service (IDaaS) offering that uses biometrics to authenticate customers through the web or a call center, with the aim of enabling organizations to transition to self-sovereign identity (SSI).
The IDaaS module employs industry-leading biometrics engines, according to the announcement, and is now available from the Amazon Marketplace. Individuals control their biometric and other personal data through an app, providing tokenized ID so organizations can gain the assurance provided by strong identity verification methods without storing the data.
Nomidio Head of Worldwide Sales Ben Todd, who recently joined after serving as an EMEA cyber security sales leader at Cisco, told Biometric Update in an email that the company’s technology is built on microservices, which allows it to swap in different components, including biometrics, with ease.
“With Nomidio the end-to-end security and privacy of the service are our top priorities,” Todd emphasizes. “This means we’ve actively avoided working with the Chinese biometric engines, even though they are some of the most powerful in the world, given the questions surrounding data integrity.”
Nomidio was spun out of Post-Quantum, and uses its patented key-splitting technique “Quorum,” which divides the key between stakeholders.
Asked by Biometric Update how the Quorum should be determined, Todd explains: “Quorum keys are best distributed by the subscribing business and detailed in their T&C’s as it is most likely that the subscribing business will initiate any decryption activities. We recommend that parties in the group include: the user, the subscribing business, one or more privacy groups, law enforcement and/or government representation.”
The company points out that PII storage represents a GDPR compliance risk, but with its new IDaaS offering, a company requiring PII for a business process like a marketing campaign can utilize Nomidio’s service via a secure API to do so without taking on the storage risk itself.
The approach sounds similar to the FIDO protocol, but Todd explains that Nomidio’s use of secure multi-party computing and the cloud makes it quite different.
“What’s important to note here is that government security services do not consider local devices to be secure, rather they work on the assumption the device has already been compromised. We work on a similar basis and the matching therefore occurs in the cloud, with all sensitive identity data also residing in our secure cloud-vault,” he says.
“The Nomidio cloud database is encrypted, and then each individual data attribute, such as a first or last name, also has its own encryption key. Even if an attacker were to capture the database and manage to remove it, they wouldn’t be able to actually use it given it is protected by quantum-safe encryption, as is every single record and attribute contained within it.”
Post-Quantum provides government-grade encryption and provided a finalist algorithm for NIST’s global public-key cryptography standard competition to identify a replacement or supplement to RSA. Post-Quantum holds 35 patents and serves NATO, NCSC and the UK Government.
“Nomidio is a novel re-think of today’s privacy dilemma,” states Post-Quantum CEO Andersen Cheng. “Rather than hundreds of firms trying to secure PII in order to satisfy regulators, with many ultimately failing, why not do this once and extremely well? Businesses are waking up to the fact they don’t need vast amounts of PII to be successful and are increasingly prepared to help individuals regain control of their identities.”
Nomidio also announced a partnership with Avaya, which will provide Nomidio’s identity technology to its contact center client base, the second-largest in the world, to enable financial services and telecoms to cut 20 percent from their call-handling time with convenient customer experiences.
But is the world ready for SSI in 2020?
“The general resistance to any form of privacy for our Identity data stems from its high value to the businesses that monetise it. The watershed moment will be getting these companies to accept that they can have the best of both worlds. In all honesty there is still a lot of work to be done, owing to a lack of understanding on behalf of many consumers, and a lack of transparency from providers, but awareness is rapidly improving thanks to scandals like Cambridge Analytica,” Todd observes.
“At Nomidio we see this as a journey and believe the only way to get to real SSI is to start with the businesses that provide services and to work with them to show a reduction in cyber-risk exposure with low-to-minimal impact on their customer intimacy capabilities. It will be interesting to see which businesses embrace genuine Identity sovereignty and which resist.”