Facing the quantum giant: Nomidio’s biometrics and Post-Quantum encryption algorithms
A secure one-stop authentication service matters in today’s digital environment, where each of the myriad services on offer requires a separate log-in. Users often have to choose between memorizing several passwords and reusing the same password across services, a risky practice that opens the door to massive breaches. Nomidio chose to address this need by offering biometric multi-factor authentication (MFA) instead.
Nomidio also provides unique security keys.
“Those security keys are specific to you and they sit on whatever device you registered with or multiple devices if you choose to use different devices,” says Nomidio Commercial Director Philip Black. “So, we’re doing MFA around the back, if you like, which is as secure as having those annoying authenticator apps and the MFA code generators. What we created is a simple, easy-to-use mechanism to authenticate using biometrics which has the added security of being MFA both in the biometrics and the layers behind them.”
Encryption is the key
Encryption builds the backbone of Nomidio’s multi-layered approach to biometrics. “Every individual’s data is encrypted with a different key, and then our entire system is encrypted on top of that. So, you’ve got double layers of encryption. It sits within a private cloud within AWS, so we sit within a secure boundary,” Black says.
He explains that even if an attacker manages to break in and somehow finds the key to decrypt the system, they would find a system still filled with individually encrypted data, preventing the exposure of biometric and other data. “A: You are never going to get in there as it is encrypted in the first place. B: Once you get in there, you’re never going to find the right key to the right place. So, it’s extremely secure in that sense,” he continues.
Nomidio and Post-Quantum CEO Andersen Cheng, a former computer auditor, also believes that the only answer to cybersecurity is end-to-end encryption and that the key to this is identity. “It doesn’t matter how good your infrastructure is if you get identity wrong,” he adds.
Nomidio is also well prepared to face the future as it uses quantum-safe encryption within its own mechanisms, according to Black. “We are waiting for the rest of the world to catch up because any interaction that you have over the internet involves browsers and devices and all sorts of different parts of that chain, none of which currently support quantum-safe encryption,” Black observes. “We do, however, at the underlying level of our system. We have that in place and ready to use, while the rest of the world catches up as these threats become real.”
While Nomidio is the primary digital ID brand, its sister company Post-Quantum ventures into a largely undiscovered dimension of the digital frontier: quantum-safe encryption. Cheng explains why he launched Post-Quantum ten years ago: “Post Quantum is all about deep tech, post-quantum cryptography, and some of the other, I would say funkier stuff.”
Post-Quantum believes that quantum computing poses a looming threat to the conventional public-key encryption that presently guards all data on the internet. The company fears that encryption algorithms such as RSA, Elliptic Curve, and ElGamal, while groundbreaking, are no match for quantum computers. Post-Quantum thus embarked on a journey to revolutionize the digital realm by creating a quantum-safe algorithm that might become the new international standard for data encryption.
Cheng thinks that previous estimates of the quantum threat’s arrival are several years off. One main reason for this is the accelerated digital revolution. Across the globe, various nations are funneling billions of dollars into R&D for their quantum computers. Nevertheless, today’s security infrastructure is not being future-proofed at the same rate. “If you ask people in the public domain they always say it’s between 10 and 20 years. The cyber-world thinks it is 5 to 10 years, in the intelligence world it’s less than 5 years,” Cheng estimates.
Due to its past ventures, Cheng believes Nomidio has unique insights into the current global state of post-quantum computing. “I would say 4 to 5 years ago, even the government agencies were not that fussed. But there has been a real change in attitude in the last three years. All of a sudden, they were scouting around for people who might have something they could trial,” he said.
According to Cheng, the United States is lagging in post-quantum computing, while others such as Canada, Australia, Germany, the Netherlands, and France are making more serious efforts to prepare. Despite this, he believes, post-quantum protection is only at its starting point and not enough is being done to protect today’s digital infrastructure.
Setting new standards
Realizing this looming threat, the National Institute of Standards and Technology (NIST) began searching for a new security paradigm and opened a competition to find the next quantum-safe encryption method. Now, Post-Quantum’s algorithm is the sole remaining finalist in one of two categories. The company is hopeful that its quantum-safe encryption algorithm will be chosen in 2022 by NIST to set the new global standard to replace RSA and Elliptic Curve algorithms.
Cheng also foresees a stampede once the NIST results are published. Governments and actors from various private sector industries will scramble as they have to revise their security algorithms. Yet, the implementation of quantum-safe algorithms is not an easy affair as it might carry unwanted secondary characteristics that might break existing infrastructure. Therefore, Cheng advises against inaction while waiting for the NIST results. “The entire ecosystem still needs to be built, and NIST only focuses on one aspect, which is the algorithm. But how about the rest?” Cheng adds.
Nomidio and Post-Quantum decided to start the future-proofing process by focusing on identity. “The entire architecture, the thinking, and the design were from the ground up,” he explains. “When we designed it, we knew exactly where we would be using public-key cryptography, like Elliptic Curve. And when the time comes and we have to make the [post quantum] switch, we know exactly what to swap out and swap in. To us, this process would take only a few hours, and a few days to do the testing.”
Time will tell if this work to take a pole position in securing future digital identities will pay off, but not as much time as we may think, if Cheng is correct.