Centralized databases with personal information are a looming threat to mobile ID security
By Kevin Freiburger, Director of Identity Programs, Valid
The ID verification market is projected to hit $12.8 billion by 2024. Several states have joined the mobile driver’s license movement, and other markets, like higher education, are adopting mobile IDs for physical access control for campus facilities, logical access to network and computer resources, and payment card functionality.
This rapid adoption and the many use cases in the public sector have made the data security that underpins mobile ID technology a hot topic. Many implementations rely on a centralized data store managed by the ID credential issuer that protects the sensitive, personally identifiable information (PII) using an advanced, multi-layered approach that includes encryption and other techniques.
However, even these stronger security methods are at risk due to advances in the abilities of bad actors. In fact, 72% of risk managers believe that complex risks are emerging more rapidly than their own skills are advancing, putting the PII of millions in jeopardy.
Centralized, encrypted data may be threatened by quantum computing and other vulnerabilities
Encryption is a pillar of mobile ID data security. Cracking the encryption algorithms to gain access to PII requires high levels of compute power, and today’s compute resources are limited.
Classical computers “think” in 1s and 0s, and you can only have one of those states at a time. This technology caps the computational power of today’s machines and makes it expensive to scale up — but this cap also makes encryption safer. It is extremely expensive and difficult to create the computational power necessary to break encryption that protects data housed and stored by government institutions or other identity credential issuers. However, not all encryption is created equal and quantum computing makes weaker encryption vulnerable.
Quantum computing can have simultaneous states (1s and 0s at the same time). This technology enables extremely high levels of computational power. For example, Google researchers claimed that their quantum computer performed a calculation in three minutes and 20 seconds — a calculation that would take other computers approximately 10,000 years to complete. In theory, this level of power could give hackers a real chance at breaking weaker encryption algorithms and gaining access to the systems storing PII.
Quantum is a risk in the future, but many other attack vectors exist today that can expose PII. These vectors include misconfigured networks and firewalls, unpatched servers and software, and insider threats executed by staff within the issuing organization.
How can ID verification systems thwart these existing and emerging threats?
To mitigate today’s vulnerabilities and prepare for the emergence of quantum computing (and the inevitability that it ends up in the hands of bad actors), ID verification systems can follow two approaches.
1. Store PII outside of central databases. There are several implementation options that remove issuers as PII managers. However, only the blockchain option allows for decentralized data storage and true decentralized identity, which puts the credential holder in total control. Microsoft is currently working on such a product and other companies have similar initiatives. This unique approach decentralizes issuers, verifiers, credential holders and even Microsoft within the ecosystem. The credential owner alone manages the credentials and sensitive PII.
Credential verifiers (TSA, law enforcement, retailers and more) can trust the presented credential because of digital certificate technology and blockchain hashing. Verifiers can ensure the ID is authentic if the issuer uses a digital certificate, which acts as a unique signature or fingerprint that “signs” each piece of data. Mobile ID holders manage the sensitive data on a secure device like a mobile wallet and only share it with the verifiers they choose. A credential owner shares their data with a verifier and the verifier can authenticate the owner’s digital certificate and any issuer’s digital certificate using proven technology called public key infrastructure that has existed for years. It’s seamless to the mobile credential holder, the verifier and the mobile credential issuer.
2. Authenticate credentials with biometrics. Storing PII off the chain solves just one set of problems. But how do you securely authenticate the credential holder presenting the digital credential? You add biometrics to the process.
One use case allows the owner to add extra security to protect the digital credential. For example, digital wallets could require that the credential holder present a fingerprint or face verification to unlock the wallet before sharing any credentials.
Another use case adds trustworthiness for verifiers. Issuers can include a photo in the digital credential upon issuing it and “sign” the photo with a digital certificate. Verifiers can capture a photo of the person presenting the credential and compare it to the photo that was issued with the digital credential. If the biometrics match, the person presenting the credential is verified. And with AI continuing to imitate more than just the human response to CAPTCHA, perhaps mobile ID data security will begin using physiological biometrics as well: methods like heartbeat or voice that bots cannot imitate.
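The issuer-signature check described in the two approaches above (an issuer that “signs” each piece of data, including the photo, and a holder who shares only chosen data), shown as an added Node.js example that is not code from the article or from any product it mentions. It assumes the verifier already trusts the issuer’s public key (an Ed25519 key pair stands in for the issuer’s digital certificate and its chain validation), uses salted SHA-256 digests as one way to sign elements individually, and omits the check of the holder’s own certificate; all function names and sample values are constructed for illustration.

```javascript
const crypto = require('crypto');

// Digest binds an element's name and value to a random per-element salt, so a
// verifier cannot guess undisclosed values from the signed digest list.
function elementDigest(name, value, salt) {
  return crypto.createHash('sha256').update(JSON.stringify([name, value, salt])).digest('hex');
}

// Issuer: salt and hash every data element, then sign the digest list once.
function issueCredential(issuerPrivateKey, attributes) {
  const elements = {}, digests = {};
  for (const [name, value] of Object.entries(attributes)) {
    const salt = crypto.randomBytes(16).toString('hex');
    elements[name] = { value, salt };
    digests[name] = elementDigest(name, value, salt);
  }
  const payload = JSON.stringify(digests);
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey);
  return { elements, payload, signature: signature.toString('base64') };
}

// Holder wallet: release only the chosen elements plus the signed digest list.
function present(credential, names) {
  const disclosed = {};
  for (const n of names) disclosed[n] = credential.elements[n];
  return { disclosed, payload: credential.payload, signature: credential.signature };
}

// Verifier: check the issuer signature first, then each disclosed element's digest.
function verifyPresentation(issuerPublicKey, p) {
  const sig = Buffer.from(p.signature, 'base64');
  if (!crypto.verify(null, Buffer.from(p.payload), issuerPublicKey, sig))
    return { valid: false, reason: 'issuer signature invalid' };
  const digests = JSON.parse(p.payload);
  const attributes = {};
  for (const [name, { value, salt }] of Object.entries(p.disclosed)) {
    if (digests[name] !== elementDigest(name, value, salt))
      return { valid: false, reason: `element "${name}" altered` };
    attributes[name] = value;
  }
  return { valid: true, attributes };
}

// Constructed sample data; the key pair stands in for the issuer's certificate.
const issuer = crypto.generateKeyPairSync('ed25519');
const wallet = issueCredential(issuer.privateKey, { family_name: 'Sample',
  birth_date: '1990-01-01', age_over_21: true, portrait: 'constructed-photo-bytes' });
const shown = present(wallet, ['age_over_21', 'portrait']);
console.log(verifyPresentation(issuer.publicKey, shown));
```

The verifier here learns the age flag and the signed portrait it can compare against a live capture, while the name and birth date never leave the wallet.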
Mobile IDs are gaining popularity and will continue to spread as adoption is normalized. But as with all novel technologies, data security should be a top priority for those with the responsibility of rolling the technology out to the public. Encryption is critical, but we know AI and quantum threats are emerging and other vulnerabilities already exist. It is more important than ever to consider other solutions to protect sensitive PII, which begins with removing PII from centralized databases.
About the author
Kevin Freiburger is Director of Identity Programs and Product Management at Valid where he leads a team that builds and delivers large-scale identity management and biometric matching solutions to public and private enterprises.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.