FB pixel

Centralized databases with personal information are a looming threat to mobile ID security

Centralized databases with personal information are a looming threat to mobile ID security
 

By Kevin Freiburger, Director of Identity Programs, Valid

The ID verification market is projected to hit $12.8 billion by 2024. Several states have joined the mobile driver’s license movement and other markets, like higher education, adopt mobile IDs for physical access control for campus facilities, logical access to network and computer resources, and payment card functionality.

This rapid adoption and the many use cases in the public sector have made the data security that underpins mobile ID technology a hot topic. Many implementations rely on a centralized data store managed by the ID credential issuer that protects the sensitive, personally identifiable information (PII) using an advanced, multi-layered approach that includes encryption and other techniques.

However, even these stronger security methods are at risk due to advances in the abilities of bad actors. In fact, 72% of risk managers believe that complex risks are emerging more rapidly than their own skills are advancing, putting the PII of millions in jeopardy.

Centralized, encrypted data may be threatened by quantum computing and other vulnerabilities

Encryption is a pillar of mobile ID data security. Cracking the encryption algorithms to gain access to PII requires high levels of compute power, and today’s compute resources are handicapped.

Classical computers “think” in 1s and 0s, and you can only have one of those states at a time. This technology caps the computational power of today’s machines and makes it expensive to scale up — but this cap also makes encryption safer. It is extremely expensive and difficult to create the computational power necessary to break encryption that protects data housed and stored by government institutions or other identity credential issuers. However, not all encryption is created equal and quantum computing makes weaker encryption vulnerable.

Quantum computing can have simultaneous states (1s and 0s at the same time). This technology enables extremely high levels of computational power. For example, Google researchers claimed that their quantum computer performed a calculation in three minutes and 20 seconds — a calculation that would take other computers approximately 10,000 years to complete. In theory, this level of power could give hackers a real chance at breaking weaker encryption algorithms and gaining access to the systems storing PII.

Quantum is a risk in the future, but there are many other attack vectors that exist today which can accidentally expose PII. These vectors include misconfigured networks and firewalls, unpatched servers and software and insider threats executed by staff within the issuing organization.

How can ID verification systems thwart these existing and emerging threats?

To mitigate today’s vulnerabilities and prepare for the emergence of quantum computing (and the inevitability that it ends up in the hands of bad actors), ID verification systems can follow two approaches.

1. Store PII outside of central databases. There are several implementation options that remove issuers as PII managers. However, the blockchain option exclusively allows for decentralized data storage and true decentralized identity which puts the credential holder in total control. Microsoft is currently working on such a product and other companies have similar initiatives. This unique approach decentralizes issuers, verifiers, credential holders and even Microsoft within the ecosystem. The credential owner alone manages the credentials and sensitive PII.

Credential verifiers (TSA, law enforcement, retailers and more) can trust the presented credential because of digital certificate technology and blockchain hashing. Verifiers can ensure the ID is authentic if the issuer uses a digital certificate, which acts as a unique signature or fingerprint that “signs” each piece of data. Mobile ID holders manage the sensitive data on a secure device like a mobile wallet and only share it with the verifiers they choose. A credential owner shares their data with a verifier and the verifier can authenticate the owner’s digital certificate and any issuer’s digital certificate using proven technology called public key infrastructure that has existed for years. It’s seamless to the mobile credential holder, the verifier and the mobile credential issuer.

2. Authenticate credentials with biometrics. Storing PII off the chain solves just one set of problems. But how do you securely authenticate the credential holder presenting the digital credential? You add biometrics to the process.

One use case allows the owner to add extra security to protect the digital credential. For example, digital wallets could require that the credential holder present a fingerprint or face verification to unlock the wallet before sharing any credentials.

Another use case adds trustworthiness for verifiers. Issuers can include a photo in the digital credential upon issuing it and “sign” the photo with a digital certificate. Verifiers can capture a photo of the person presenting the credential and compare it to the photo that was issued with the digital credential. If the biometrics match, the person presenting the credential is verified. And with AI continuing to imitate more than just the human response to CAPTCHA, perhaps mobile ID data security will begin using physiological biometrics as well, methods like heartbeat or voice that bots cannot imitate.

Mobile IDs are gaining popularity and will continue to spread as adoption is normalized. But as with all novel technologies, data security should be a top priority for those with the responsibility of rolling the technology out to the public. Encryption is critical but we know AI and quantum threats are emerging and other vulnerabilities already exist. It is more important than ever to consider other solutions to protect sensitive PII which begins with removing PII from centralized databases.

About the author

Kevin Freiburger is Director of Identity Programs and Product Management at Valid where he leads a team that builds and delivers large-scale identity management and biometric matching solutions to public and private enterprises.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.

Article Topics

 |   |   |   |   |   |   |   |   |   | 

Latest Biometrics News

 

Cyber Threat Observatory workshop advises on protections for national digital ID systems

The Alan Turing Institute launched the Cyber Threat Observatory last year to monitor cyber threats to digital ID systems. The…

 

Kyrgyzstan state printer wades into biometric passport market with Namibia deal

A shipment of 130,000 biometric passports has been sent from Kyrgyzstan to Namibia, after a contract was signed between the…

 

Spanish law among most comprehensive for age checks, kids’ online safety

Among EU nations pursuing child online safety legislation and age verification tools, Spain has been at the forefront. It has…

 

UN cautions govts to safeguard human rights in AI procurement

AI is a major trend of this decade with advancements in the technology having an effect across society, for both…

 

Optimistic plan would pair universal legal identity with basic income program

A new paper calls the lack of legal identity for millions of people around the world one of the “most…

 

Facia declares breakthrough deepfake detection scores

Facia has reached the point where it is scoring perfect accuracy for deepfake detection on third-party datasets, including Meta’s. The…

Comments

One Reply to “Centralized databases with personal information are a looming threat to mobile ID security”

  1. This is only true when woefully outdated approaches for security are used. Many *current* centralized deployments are, indeed, safe from threats mentioned here. Time for the industry to stop hanging on to old tech and old processes. Only then will we get past discussions like this.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Biometric Market Analysis

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events