Nash Ali, Head of Operational Strategy, NeuroID: Observing behavioural analytics of legitimate users versus fraudsters

NeuroID is a behavioural analytics company that assesses human interactions with websites and mobile applications. NeuroID has analysed millions of customer journeys over 10 years. Nash Ali, Head of Operational Strategy at NeuroID, discusses verifying user journeys with digital identity technology and data versus understanding human interactions and behaviour.
We ask: has digital identity taken away fundamental techniques like observing the human characteristics and behaviours of a fraudster, or is this technology transformative?
The interview also covers whether behavioural analytics are integrated enough into IAM strategies for enterprises, compared with digital identity.
Watch the full interview to find out:
1. How does NeuroID optimise data protection for businesses and customers?
3. What behavioural insights during the onboarding process can reveal more about the person’s identity than data itself?
5. What loopholes exist to enable illegitimate digital identities?
6. What do you hope to get from exhibiting at Identity Week America?
CVS Health: Identity verification in healthcare to bind patients with their personal data

CVS Health was involved in this year’s Identity Week America as a healthcare entity invested in enhancing the digital systems used by the medical profession to deliver a quality standard of patient care services. This interview starts by asking Abbie Barbir, Senior Security Advisor and Co-Founder of ADIA, at CVS Health, whether driving public sector funding and budgets would have an impact on improving cybersecurity, so that communication portals between the patient, the profession and third parties cannot be compromised by bad actors.

The sector needs to assess what the new threats and deficiencies are while digital identity is evolving to increasingly bind the patient to their personal data.

Preparing to meet the 2025 REAL ID deadline in Georgia – Spencer Moore, Commissioner at the Georgia Department of Driver Services

With the minimum security standards for REAL ID looming in May 2025, Spencer Moore, Commissioner at the Georgia Department of Driver Services, sits down with me for Identityweek.net to discuss the proactive stance the state of Georgia has taken since 2012 to establish integral identification cards.

As the U.S. does not possess a national ID, more pressure is piled on individual states to ensure the fabric and foundational structure of ID licenses and documentation – from the physical card to its security features – has credibility, converging with interoperable standards.

Georgia has sought to equip residents with REAL ID driver licenses as holders to essential services and identity assurance.

99% of citizens in Georgia are REAL ID compliant. Mobile Driving License adoption in wallets, which was introduced in Georgia in May of this year, has identified 250,000 people that already have the application in their wallets.

Hear about their mobile license integrations with Apple and Google that are proof that Georgia is ready for the May 2025 deadline.

Axon Wireless and TECH5 announce their partnership and technology integration

Axon Wireless, a technology solution company specializing in large-scale customer enrolments for telecommunication and financial services in developing markets, and TECH5, an innovator in the field of biometrics and digital identity management, announce their partnership and technology integration. Axon Wireless has incorporated T5-AirSnap Finger, a patented contactless fingerprint biometric capture and liveness detection technology from TECH5, powered by AI and deep learning, into their remote eKYC application for self-enrolment, as well as its biometrics handheld terminals COMET-10 and COMET-20.

The integration of T5-AirSnap Finger enables Axon Wireless to offer customers a fully remote solution, allowing for biometric capture and verification, as well as document authenticity checks. First, a customer uploads their ID document, which is read by optical recognition technology and tested for authenticity. The application then sends a request to the Ministry of Home Affairs to determine which finger of the user should undergo biometric verification against their biometrics stored in the ministry’s database. Once this information is received by the application, it prompts the user to present the selected finger for contactless capture and verification of its fingerprint. T5-AirSnap Finger captures and prepares biometric data for further processing, ensuring compliance with interoperability standards within seconds. During biometric capture, T5-AirSnap technology performs liveness detection, ensuring the finger is real and not replaced by a photo, video, or an artificial finger with a copied fingerprint, thereby excluding the possibility of a spoofing attack and ensuring the integrity of the process. The captured fingerprint is then submitted by the Axon Wireless platform to the Ministry of Home Affairs for verification.

Following biometric verification, Axon Wireless can implement any business process required for the selected use case, including SIM card registration, opening a bank account, and more.

“We are very impressed with the fingerprint matching rates and comforted by the anti-spoof capability offered by the T5-AirSnap. We have evaluated many technologies, but certainly, TECH5’s focus in this space is paying dividends in its result,” comments Justin Lipshitz, CEO at Axon Wireless.

Ameya Bhagwat, Senior Vice President of global sales and business development at TECH5 commented: “We are delighted to announce our partnership with Axon Wireless and are looking forward to empowering customers in MENA and other regions with a fully automated, inclusive system, ensuring fraud prevention and allowing users to access services in a fast and frictionless manner.”

The partners plan to provide this new offering enhanced by contactless fingerprint capture capability for testing in several countries in the MENA region within the next month.

Ofcom criticised for sharing news that company finally deploys age assurance technology through its enforcement programme, 3 years after law was passed

Ofcom has been challenged by the Age Verification Providers Association for crediting its enforcement programme for age assurance, as it announced that a major UK adult video-sharing site, TAPNET, has just implemented age verification measures, three years after the law making it mandatory was passed.

“Kudos to TAPNET!”

Jessica Zucker, Director of Online Safety Policy at Ofcom, was criticised for promoting the company’s late compliance with age verification legislation which the AVPA campaigns to ensure exists across regulators, governments, companies and the market force of age verification technologies.

She commented on the “positive outcomes of constructive regulatory engagement” between regulators like Ofcom, in the media and digital domain, and digital services. The accusation levelled at the Online Safety Director was that companies should comply with their responsibilities to keep children, in particular, safe online before regulatory intervention is necessary.

Ofcom opened an enforcement programme in January to identify UK digital video-sharing sites which operated without complying with the standard for age assurance for users. Whilst seeming to crack down on the visibility of adult content sites to young users, the news of TAPNET implementing the changes enforced by Ofcom only comes to light now despite it approaching nearly 1 year since the investigation was opened on 10 January 2023.

The fact that a law has existed for three years shows no urgency from regulators or companies. Ofcom “considered” the measures that platforms had implemented to gain “assurance of the age of their users” and prevent “under-18s/minors from watching pornographic videos” online, which indicates a divide of companies not complying with the rules as next iterations of the internet like Web3 emerge.

The analysis of RevealMe – TAPNET’s pornographic platform – did raise some concerns, Ofcom said, regarding ineffective measures to protect and verify underage users using their service. However, the “period of close engagement” to enforce compliance with its requirements still suggests not enough was done soon enough to avoid intervention.

The comment in retaliation to Ofcom’s press release on LinkedIn argues that “if this approach is taken to the Online Safety Act (by all companies), it would be 2028 before better protection for children is offered online”. This would mean child protections in online spaces would be in fact delayed in practice 7 years behind the ICO’s Age-Appropriate Design Code of 2021, as required by the Data Protection Act (DPA) 2018.

The Code is enforceable under the UK GDPR and DPA laws and imposes a set of standards that must be met by the design of online services in the best interests of a child.

Ofcom’s duties 

Ofcom’s role is to meet the legal provisions in Part 4B of the Communications Act 2003 to ensure video-sharing platforms (VSPs) based in the UK “have appropriate systems and processes in place to effectively protect their users from harmful video content in the scope of the VSP regime”.

Ofcom also noted that since January the programme worked closely with platforms to better understand their “approaches and any challenges they faced when considering implementing age assurance measures”. Whilst not responsible for creating the law, they had demonstrable powers to enforce sites’ compliance with the requirements for age assurance solutions and show no tolerance for excuses.

The assessment drew conclusions about the lack of meaningful measures enacted in Schedule 15A of the Act which should have better protected users under the age of 18 from videos containing restricted material, specifically pornographic content.

Arguably only being forced to make the changes with intervention, TAPNET did however in the wake of Ofcom’s report obtain the assurance of the age of RevealMe users by requiring age verification upon entry to the site or authentication through a validated and registered account. The site could not implement a third-party automated age verification tool to the timeline Ofcom require to verify valid user identification documents.

The statement also said: “Tapnet quickly introduced its own interim age verification measure until its longer-term solution was ready to go live”.

Ofcom concluded the company’s “willingness” to address their concerns and “desire” to protect users led them to decide no further investigation was needed. Ofcom overlooked earlier action taken against TAPNET for failing to respond to a freedom of information request, but said it would continue monitoring the site.

On 29 September, 2023, Ofcom announced the extension of the enforcement programme for a further 3 months, expected to end in December. Notified and non-notified adult VSPs were assessed, some gaining certification and others not.

Cypriot digital onboarding project for credit institutions awards tender to owner of KYC Portal, Aqubix

The Central Bank of Cyprus, which is embarking on a new digital onboarding project, has offered a tender to two companies, Aqubix Ltd and Infocredit Group Ltd. The joint collaboration will implement Aqubix’s KYC Portal, which supports regulatory compliance and risk management for customer onboarding, and data capabilities to protect existing and new credit customers.

Aqubix boasts solutions to store and retrieve big data, which enable the financial sector to operate in a consumer-empowered economy and assess risks. Without the need to visit physical branches, customers of credit institutions across the Cypriot banking landscape can access easy onboarding, secure verification and authentication, giving banks full assurance of knowing their customer. The agreement has secured a myriad of banking institutions onboard, including the Bank of Cyprus, Hellenic Bank, the Cyprus Development Bank and Eurobanks, with the support of the Bank of Cyprus governor.

 

Web3 Foundation announces applications to grow Decentralised Futures Program

Web3 Foundation, the launchpad for the Polkadot blockchain protocol, has announced new applications to grow their Decentralised Futures Program.

Raising over $45 Million USD for 2024, the initiative’s objective is to encourage more investment to support the growth of connected blockchain systems for the next iteration of the internet. The funds will be channelled into teams and individuals working to scale projects for the blockchain ecosystem and explore decentralised data models.

Newly appointed Chief Executive of the Web3 Foundation, Fabian Gompf, commented: “The Foundation believes its strongest asset is the community itself. The decentralized Futures Program doubles down on this belief, allocating sizeable investments and grants that can accelerate the growth of decentralized technologies. By empowering our community to lead the next phase of the development of Polkadot we are tapping into the diverse capabilities of our community, and moving away from centralized stewardship of the protocol. In doing so, the program represents a meaningful step closer to realizing the fundamental vision of the Foundation: creating a decentralized internet where users control their own data, identity and destiny”. 

Meta and social platforms flouting GDPR rules for personalised ads

Norwegian authorities are imposing a temporary ban on Meta companies – Instagram and Facebook – for targeting personalised ads to their users using their personal data. The adverts are driven to specific users by behaviour insights based on their region and online activity.

Meta’s data use has been probed before by regulators such as the Court of Justice in Luxembourg and the Irish Data Protection Commission. The 3-month ban, which commenced in August, will still allow Meta to power personalised campaigns to users; however, users must have given consent in their ‘about me’ section.

Social media platforms have flouted GDPR regulations since 2018, according to SurfShark, with Meta’s fines eclipsing $2.5 Billion. If Meta fails to comply, it will be handed a hefty fine of 1 million Norwegian Krone.

 

Brian Broderick, acting chief of the U.S. Citizenship and Immigration Services (USCIS) (IIMD)

Brian Broderick shares what impact daily fraudulent applications have on the USCIS, where fraudsters feel emboldened to apply for legitimate citizenship using false identities and passport photographs. This interview, captured at Identity Week America 2023, also delves into the growing number of fraudulent interview appointments.

However, with the USCIS successfully delivering thorough checks of evidence-based documents, no stone is being left unturned when assessing applicants’ full immigration journeys. Hear about data privacy, including for vulnerable populations and lots more!

UK passes changes to Data Protection and Digital Information Bill

The UK government has made a series of changes to the Data Protection and Digital Information Bill which it calls “common sense” to prevent fraud and protect the public.

Transparency over data in general is emphasised in the changes to enhance cooperation with the government to tackle common benefit fraud. The government will require third parties such as banks and financial institutions to be fully cooperative on sharing mandatory data.

And privacy concerns are still taken seriously by the government’s own standards, meaning only a necessary amount of data will be accessed and “only in instances which show a potential risk of fraud and error”. However, it is clear the government desires more control over data available to them in the private sector to quickly detect fraud within government operations.

The government’s aim is to reduce benefit fraud and safeguard up to £600 million of taxpayers’ money over the next five years.

Anti-terrorism police will also possess additional powers under the amended bill to enforce the collection of biometric data, such as fingerprints, from foreign criminals to enter into the national police biometric database. The data shared by INTERPOL will be able to be retained indefinitely just the same as for convictions secured in the UK.

Secretary of State for Science, Innovation and Technology, Michelle Donelan, said:

“These changes protect our privacy and data while also injecting common sense into the system – whether it is cracking down on cookies, scrapping pointless paperwork which stifles productivity, tackling benefit fraud or making it easier to protect our citizens from criminals”. 

Is AI Act bowing down to “European wannabe AI foundation models” with compromises? Experts have their say on these companies scuppering innovation.

The big tech firms rallying together against the EU’s AI Act, which they argue is “over-regulating” powerful foundation models like GPT-4, also known as General Purpose AI, will almost certainly be disbanded. These companies lobbying against the type of strict regulation contained within the AI Act are in danger of negating what the Act set out to achieve.

Throwing out the proposal, Axel Voss, Member of the European Parliament for the Cologne/Bonn region (CDU), said the regression of the Act on Foundation Models in favour of such minimal “mandatory self-regulation” would require the same insufficient benchmark for standards on issues like “transparency, cybersecurity and information obligations”, standards that are well-defined in the Act.

He suggested on social media the proposal was backwards, non-sensical and would dilute necessary strong regulations to manage all AI technologies, including the advanced models of General Purpose AI which power the famous generative chatbot, ChatGPT.

He also said: “The regulation of #AI has a global dimension, even the US executive order calls for it. We cannot fall behind. Of course, I have always said and maintain that we should not over-regulate. But we cannot simply ignore or downplay the risks that come with it, including on foundation models”.

The attempt to derail the AI Act, which is entering its final phase before implementation, came on Nov. 23 when a letter was written to the EU Commission protesting against “harsh” regulations. The letter was undersigned by 33 companies, allegedly containing supporting data that only 8% of EU companies use AI. The commotion around Chat GPT and OpenAI is only evidence that AI innovation is happening worldwide, but its innovation, carrying significant harms too, needs to be carefully managed.

MEPs also assembled a close ring defending stricter regulation for those powerful AI models. After initial consensus on a tiered approach, the mediation with tech firms derailed even more seriously when the German, French and Italian governments seemed to take the opposition’s side, pushing back on complying with the Act’s stance on foundation models. This recommenced the chaos within Parliament.

Axel Voss has equally shared his view that the Parliament has bowed to AI Act protesters in this way with a final Act looking to be diluted.

Sebastiano Toffaletti, Secretary General (CEO) of the European DIGITAL SME Alliance also took to social media to vent his disappointment. If AI foundation models are not to be regulated, as part of a completely compromised and different AI Act, then some quarters will be asking why we even need an AI Act. And it will disappear altogether, despite the process already undertaken to legislate regulation.

He argued for what impact no AI Act would actually have on companies:

“Such outcome of the AI Act negotiation would dump all the regulatory burden and compliance cost to the companies downstream: those that train foundation models to develop AI applications for specific use cases. These are mainly SMEs. Frankly, I do not understand this”, he wrote. It makes the compliance requirements for innovative companies even harder to meet.

“It makes Europe even more dependent on a handful of, mostly foreign, dominant players.

Isn’t it better, even for the EU’s aspirant AI champions like #Mistral and #AlephAlpha, to work with the regulators and outcompete #OpenAI and the rest with products that are designed with inbuilt compliance?” he continued.

Companies are just playing the “narrative of BigTech against the DMA” in wanting to be similar European wannabe AI foundation models rather than seizing the opportunity to join forces with the regulators.

 

Hong Kong’s digital wallet to combine currencies for cross-border payments

A digital wallet produced by fintech company, RD Wallet Technologies, will integrate banking and e-commerce applications that enable traditional cross-border payments to be made as well as crypto.

Digital wallets have a fragmented place amongst Hong Kong’s cash-legacy economy much like mainland Europe and the rest of the world excited about wallets but still fine-tuning their openness on standards and technical interoperability while even navigating the potential to intermix real and cryptocurrencies.

With 9 in 10 consumers having used a digital wallet, China has been just as receptive to digital credentials but enwrapped in the necessary licensing requirements.

A taskforce was first assembled in 2014 to study a course of direction for the development of a Central Bank Digital Currency (CBDC) and Hong Kong’s readiness in issuing a CBDC to retail and e-commerce set the trend going across the world. The Hong Kong Monetary Authority in 2022 embarked on the e-HKD Pilot Programme, which called on participants for prototyping and testing of electronic versions of bank notes within the e-wallet entity to make any retail purchases.

Just in October 2023, the HKMA formed the CBDC Expert Group for creating policies and nurturing technical cohesion of cryptocurrencies across wallets through partnership and knowledge exchange on CBDC research. This

With no national wallet, bankers like the fintech founder, Norman Chan Tak-lam, or other firms focused on stablecoins or Web 3.0 could emerge in the near future, but China is looking to stabilise the emerging digital banking space at least by 2024.

The RD Wallet will see other fintechs pushed to innovate China’s economy further into a financial capital of the world, converting multiple dominant currencies: the Hong Kong dollar, the yuan, the US dollar, the yen and the euro.

A stored-value facility licence for the RD wallet came into effect in December, giving the final approval from the Hong Kong Monetary Authority (HKMA) in April.

 

Sony and Associated Press complete testing of in-camera authenticity technology

New In-Camera Signature Solution Attaches Digital Certificate to Photos at the Point of Capture to Certify Legitimacy
Today, Sony has announced the completion of a second round of testing for its in-camera authenticity technology in collaboration with Associated Press.
As generative AI continues to gain traction, this in-camera technology allows for higher levels of validation in official documentation as well as eliminating the possibility of undetected manipulation in professional settings, for example, within photographic journalism.
This in-camera digital signature allows for the creation of a birth certificate for images, validating the origin of the content.
Sony’s authenticity technology provides a machine-based digital signature, removing the opportunity for undetected manipulation at the start. The digital signature is made inside the camera at the moment of capture in the hardware chipset. This security feature is aimed at professionals wanting to safeguard the authenticity of their content and provides an extra layer of security to aid news agencies in their fight against falsified imagery.
“While the rapid evolution of generative AI (Artificial Intelligence) brings new possibilities for creative expression, it has also led to growing concern about the impact of altered or manipulated imagery in journalism,” said Yann Salmon Legagneur, Marketing Director, Imaging and Product Solutions, Sony Europe.
“The dissemination of false information and images has real world social impact that brings harm not only to our photojournalist and news agency partners, but to society as a whole. We care deeply about this challenge and are committed to using our resources to help solve it. Through Sony’s work on the steering committee for C2PA (Coalition for Content Provenance and Authenticity), we have helped set the current industry standard for the tracking of editing and manipulation of imagery. Additionally, our in-camera authenticity technology has shown valuable results, and we will continue to push its development towards a wider release.”
“Fake and manipulated images are a major concern for news organisations. Not only do they contribute to mis- and disinformation but ultimately, they erode the public’s trust in factual, accurate imagery,” said David Ake, AP Director of Photography. “We are proud to be working alongside Sony Electronics to create an authentication solution that can help combat this problem.”
Sony and AP’s most recent field test was completed during October of 2023. In this month-long test, both capture authentication and workflow process were evaluated. To accomplish this, Sony partnered with Camera Bits – the company behind the industry standard workflow tool, Photo Mechanic. Alongside Sony and AP, Camera Bits created technology in Photo Mechanic that preserves the camera’s digital signature all the way through the metadata editing process.
“We appreciate the significant challenge that manipulated imagery poses for our partners, and we are highly motivated to play a role in helping solve it,” said Dennis Walker, President and Founder of Camera Bits. “Photo Mechanic has been used by the photojournalism industry for 25 years and continues to evolve as the industry introduces new technology. We are committed to ensuring Photo Mechanic remains a trusted and authentic workflow solution.”
Sony’s new in-camera signature and C2PA authentication is planned for release in a firmware update in the newly announced Alpha 9 III, Alpha 1, and Alpha 7S III in the Spring of 2024.
Datakeeper separates from Rabobank

Datakeeper, a digital wallet app that boosts the real estate sector for KYC procedures and mortgage applications, is to break away from its parent company, Rabobank.

The privatisation signals the growth and standardisation of Datakeeper since being launched in 2017 as a privacy-minding wallet solution to share mortgage applications with sellers, estate agents and other parties. The Rabobank powered start-up is built on a set of KYC and credentialing procedures to securely verify the identities of all parties involved in mortgage applications.

Taking to LinkedIn, Marnix van den Bent, Co-Founder and CTO of Datakeeper announced: “I am thrilled… that the Rabobank spin-off Datakeeper Nederland now continues as a separate company! As CTO I will continue to deliver top-notch tech that exceeds our scaling ambitions”.

Whether applying for a mortgage or renting a car, the Datakeeper app ensures the applicant’s personal details and financial information are protected through a self-sovereign data exchange.

Separating the two companies’ operations will allow other organisations to support its development to standardise transactions made through the wallet application.

In a secured verifiable transaction, the verifier receives “all the data he wants about a client in the best way that’s possible – structured, semantic and signed”.

As well as prioritising a decentralised solution, where Datakeeper cannot access any of the applicant’s data, privacy means enabling the customer to have selective disclosure of their private information, which the company takes extremely seriously.

Datakeeper promises that the customer does not “have to share a whole document containing for example their social security number” for third-parties to trust the “correctness and actuality” of data shared to them.

 

“The privatisation of Datakeeper will allow us to focus on our core banking services while granting Datakeeper the autonomy it needs for specialized growth and innovation”. – John Doe, CEO of Rabobank.

 

“Rabobank aims to unlock new market opportunities, attract strategic investors, and foster dedicated innovation in the data management sector”.

US: State is rekindling its relationship with Silicon Valley’s AI firms for surveillance

We may be witnessing the revival of the US state’s relationship with Silicon Valley tech firms for capital surveillance.

AI guru Sam Altman, creator of Chat GPT at OpenAI before his shock dismissal this week, is an investor in a number of Silicon start-ups developing drones.

Skydio is a Silicon Valley firm deploying artificial intelligence to make self-operating drones and one of the contractors engaged by the New York Police Department, as well as another start-up, Brinc, where Altman is an investor in night-vision camera surveillance.

The trend of Silicon Valley companies signing contracts with the state for capital control is making a re-emergence.
 
It comes as OpenAI, Google and Meta as well as other firms signed an agreement at the UK Summit to allow their technologies to be risk assessed by governments against the need to uphold national security, despite the American state clearly employing emerging AI tech firms to invade people’s privacy.
 
The legal agreement was made between UK, US and Singapore governments involving OpenAI. 
 
In addition, the Summit assembled a global panel of experts who will produce an annual report on the risks of AI around privacy, bias and misinformation.
 
Biden’s administration keeps embarking on a myriad of different courses for AI, to police AI – the U.S. also said it planned to set up its own institute – and endorse AI drone companies.
 
“The state is dragging itself into the digital age”, The Economist writes, in order to be seen to deliver national security of its infrastructure and invade more civilian lives. 
At the end of 2022, The Economist reported that the Pentagon awarded a $9 Billion cloud-computing tender to giant tech companies including Amazon and Microsoft, which Altman has now joined to develop their AI team.
 
AI is being used by the American state to its own ends to bolster national defence and rekindle a surveillance state with tech companies supplying the government again. 
 
“Techies are also selling tools to help law enforcement make better use of the profusion of images and information now at their fingertips”.
 
As a path the state has already ventured down, surveillance capabilities may soon be further “fortified by generative AI, of the type that powers Chat GPT”, in spite of the state claiming to take a stand against the risks of AI.
 
“Surveillance is likely to remain lucrative, not least because governments are not the only customers for these technologies”.
Denny Prvu: Royal Bank of Canada being multi-faceted on fraud, and traditional banks versus emerging bank responses


Taking us through the modern landscape of financial services, comprising traditional and challenger services, Denny Prvu, Director of Architecture – Innovation and Technology, Royal Bank of Canada, gives his view on whether responses across the sector to customers reporting fraud incidents are immediate.

Emerging banks want to adapt to remote services, while legacy banks want to sustain the face-to-face model, and this difference shapes how the financial sector tackles fraud today.

Find out more on new Know-Your-Customer (KYC) protocols for customers and employers and lots more in this full 4-minute interview for Identityweek.net at Identity Week America 2023.

The dates for next year’s event have already been announced! On 11-12 September 2024, plans are already underway to bring you an even bigger forum for 4,000 leaders in the identity industry. Look out for more details!

Luxembourg endeavours to test four digital wallet use cases for European openness


Luxembourg will perform four pilot use cases of the EU’s proposed digital wallet spanning public and private sector applications, such as eGov services.

The proposal is led by the EU Commission which delegates use cases to the POTENTIAL Consortium (Pilots for European digital Identity wallet). Luxembourg is a member of the Consortium.

Over the 26 months of the pilot scheme, countries will test how effective launching their own digital wallet would be, with digital credentials saved onto a mobile device, which could open up easier digital banking services, eGov services, mobile driving licences and legally signed digital documents. While the EU digital identity proposal, eIDAS, may seem imposed on member states, ongoing partnership still needs to establish whether tested solutions can be implemented on a large scale for EU-wide citizens, not just individual countries, ensuring technical interoperability and standards at a European level. Doubts over privacy and data ownership have also been entangled in the recent amendments of eIDAS regulations, which were accepted last week.

The Ministry for Digitalisation and the CTIE will participate in testing the national digital wallet against variables like speed and efficiency when verifying and onboarding a citizen to access government services. The merits of having a digital bank account that can be opened securely and seamlessly with a digital identity go far beyond the financial services to enabling unlimited access to everyday services.

Moreover, their pilot will scrutinise the benefit of having electronic driving licences integrated in their digital wallet to present to police forces or recognised by car rental agencies throughout Europe. The integration of a “Qualified eSignature” to sign digital documents that have legal value also serves the EU citizen wherever and however they want to transfer an e-document to a constituent like an employer.

Remote signing of documents by citizens should, if interoperability is achieved across Europe, be recognised by all Member States when the EU digital identity wallet is implemented. The EU Commission’s objective is to evolve these national digital ID apps to integrate eIDAS protocols and standards.

The second revision of the eIDAS regulation aims to provision at least 80% of citizens of European member states with an open, interoperable digital identity solution by 2030.

POTENTIAL, which is fully aligned with eIDAS, calls upon 140 public and private members from 19 Member States of the European Union to solve technical, business and regulatory issues around providing a digital identity.

Has a garage level start-up in Austin solved the authentication problem?


Solving the authentication problem would have an immediate and significant impact on improving cybersecurity worldwide. So has a garage-level tech start-up based in Austin done just that? 

The Trust Nexus (https://www.trustnexus.io) claims to have solved the authentication problem without the passkey, ensuring the longevity of passwords that still remain a popular authentication method for users. The company is not following FIDO’s consensus of passkeys over the password. The technology has been notably recognised for ensuring simple passwords become highly secure on trusted systems and that the user’s private key stays securely on the user’s mobile device.

In FIDO Passkeys (Microsoft, Apple and Google) the operating system controls the user’s private key and it can be transferred to other systems through the user’s account.  It also means that Microsoft, Apple and Google have access to your private keys (and data metrics on every application you use).

“We have created a simple and elegant solution to the authentication problem that is completely phishing resistant. All those who are committed to existing multi-factor authentication systems, including FIDO passkeys, are like engineers in the 1890s working diligently to perfect the telegraph system; all their work will soon be eclipsed by a much better technology.” – Michael Duffy, Trust Nexus.

Their authentication technology is called WebAuthn+. Unlike the FIDO approach, which uses the Trusted Platform Module of your computer to store and manage your private keys, under WebAuthn+ the user’s private key is stored securely on his/her mobile device and can be used to authenticate to any system without pre-registering the system, which FIDO requires.

Under WebAuthn+, securing data on a mobile device is accomplished by creating a cryptographic key that is stored off the device and is brought down to the device when the WebAuthn+ app is initiated. A user is locked out of the application after a configurable number of failed logon attempts so there is no way a bad actor could launch a brute force attack against the application. Your data and digital credentials are secure even if your mobile device is lost or stolen.

WebAuthn+ cannot be compromised even if there is a complete breach of the server data because the user’s private key is stored securely on his/her mobile device and never leaves the mobile device.

In order to make this all work, they had to create their own version of the Chromium browser: “Nexus Chromium”. The prototype code will be made available to all.

This prototype version of Chromium writes the domain name characteristic through Web Bluetooth from the browser application context to the GATT server running on the user’s mobile device and not from the JavaScript context of the web page, which can be easily hacked by anyone creating a fake web page.

In order for the bad actors to compromise your authentication under WebAuthn+ they would need to install malware on your system or a completely fake version of the Nexus Chromium browser on your system (in this case, it is game over, the bad actors have won). Corporate desktops or home workstations with decent anti-malware systems will be secure.

This prototype version of the Nexus Chromium Browser also supports “Session Specific Pairing”; a far more secure and user friendly Web Bluetooth pairing mechanism than is used in Google Chrome, Microsoft Edge or any other Chromium based browser.

Their most amazing claim is that simple passwords will become highly secure on trusted systems (e.g., your home computer or office work station). They assert, “This is what consumers really want. They do not want physical security keys or biometrics. They do not want to be required to use their smart phone for every authentication to every web application. They want simplicity (this is why basic user names and passwords have stuck around for so long).”

Time will tell if this is for real. The Trust Nexus is in the process of setting up tests of their prototype with government and university labs.

Their technology will be open-source and mostly free: “We are going to give this technology away for free to everyone for authenticating their own users (both internal and public). For three party credential transactions (e.g., finance, insurance, government services), we will maintain the required meta-data infrastructure, creating a worldwide identity ecosystem that surprisingly will contain no personal data. We will also maintain cloud-based services for organisations who do not want to run their own private ecosystem.”

Some of the key aspects of the technology:

  • It is open-source and mostly free (they retain the rights to cloud based services).
  • It can be run as a closed ecosystem within a corporation or government agency.
  • Eventually, for three party digital credentials (finance, insurance, government services, etc.) there will be a worldwide identity ecosystem, that surprisingly will not contain any private user data.

Trust Nexus are attempting to form a research consortium that will first perform an in-depth technical review and then deploy a POC.

Their dream scenario is to engage major financial institutions, leading universities and key government agencies; most notably, the National Cybersecurity Center of Excellence: “At the NCCoE, we bring together experts from industry, government, and academia to address the real-world needs of securing complex IT systems and protecting the nation’s critical infrastructure.” (https://www.nccoe.nist.gov/)

They also hope to engage some of the major players in biometrics, which can be integrated into their digital credentials.
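
The article's point about writing the domain name from the browser application context rather than from page JavaScript can be seen in a simplified model. This is an added example, not Trust Nexus code and not the WebAuthn+ protocol: the Ed25519 key, the JSON payload, the function names and the `.example` domains are all assumptions, and the Web Bluetooth/GATT transport is left out.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed model: the phone holds the private key, the server stores only the public key.
const device = nodeCrypto.generateKeyPairSync("ed25519");

// Authenticator on the phone: signs the server's challenge together with the
// domain name it was handed. It has no way to check who supplied that name.
function deviceSign(challenge, domain) {
  const payload = Buffer.from(JSON.stringify({ challenge, domain }));
  return { domain, signature: nodeCrypto.sign(null, payload, device.privateKey) };
}

// Relying party: accepts only a signature over its own challenge and its own domain.
function serverVerify(expectedDomain, challenge, assertion) {
  if (assertion.domain !== expectedDomain) return false;
  const payload = Buffer.from(JSON.stringify({ challenge, domain: expectedDomain }));
  return nodeCrypto.verify(null, payload, device.publicKey, assertion.signature);
}

// A page is loaded from `actualOrigin`; its script may claim any domain it likes.
//   domainSource "page-js": the authenticator receives the script's claim
//   domainSource "browser": the browser process reports the domain it really loaded
function login(actualOrigin, claimedByScript, domainSource, challenge) {
  const domain = domainSource === "browser" ? actualOrigin : claimedByScript;
  return deviceSign(challenge, domain);
}

function runScenarios() {
  const real = "bank.example";            // constructed names
  const lookalike = "bank-login.example";
  const challenge = nodeCrypto.randomBytes(16).toString("hex");

  const viaBrowser = login(lookalike, real, "browser", challenge);
  // Relabelling the signed assertion afterwards does not help: the signature
  // still covers the lookalike domain.
  const relabelled = { domain: real, signature: viaBrowser.signature };

  return {
    legitBrowser: serverVerify(real, challenge, login(real, real, "browser", challenge)),
    lookalikePageJs: serverVerify(real, challenge, login(lookalike, real, "page-js", challenge)),
    lookalikeBrowser: serverVerify(real, challenge, viaBrowser),
    lookalikeRelabelled: serverVerify(real, challenge, relabelled),
  };
}

console.log(runScenarios());
```

Only the `page-js` case lets a lookalike page obtain an assertion the real server accepts, which is why the trust boundary sits at the browser itself and why the article treats a fake browser or local malware as the remaining failure mode.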

e-VISAs to replace physical documents in 2024 UK rollout


The change over to digital immigration status documents looks set to accelerate in 2024.

The UK’s scheme will be massively improved by implementing digital documents, starting with more trusted assurance of someone’s real identity during the application process, where fraudsters commonly take advantage of a loophole.

eVisas already exist within the UK immigration system; however, in the new year a bigger tide of changes to make digital visas permanent as part of the EU Settlement Scheme will get underway.

The changes will apply consistently from visa applications through to entering at the UK border and evidencing a legitimate right to work.

International recruitment will also feel positive impacts, as eligible workers who can add value back into the economy can be identified more effectively. Unlike a physical document, the e-visa will be more robust and secure, reducing counterfeiting as well as the waiting times to collect a visa in person.

The trust and assurance that digital provides generates convenience and better processing at border controls.

Throughout 2024, all relevant visa holders – skilled workers first – will be contacted to register a UKVI account and switch to an e-visa, through which their relevant information can be shared securely with third parties and constituents like employers.

Applicants will be able to update personal details, such as passport information and work history, and provide access codes to potential employers to demonstrate their right to work.

 

 

 

 

‘Tyranny on your iphone’ – EU MP informs against eIDAS over serious privacy concerns


An EU MP, Rob Roos, has publicly cast doubt over Europe’s stance on digital identity as regulation changes to eIDAS were approved last week. Roos said digital identity is an ‘instrument nobody asked for’ which has been pushed down from the top parliamentary authority, in an interview for Sky News Australia.

With new digital ID wallet pilots just announced in Estonia and Luxembourg, digital identities have become a crucial part of delivering government mandates for digitalisation, social inclusion, economic stability and promoting innovation. The amendments to Regulation No 910/2014 have been promoted as going to ‘harmonise conditions’ around decentralised data ownership for citizens in the EU’s proposed digital identity framework, but since it was legislated in 2014, there is no doubt about eIDAS’ role in governing the widespread use of digital identities.

Critics opposed to eIDAS put forward the adjoining argument concerned with privacy, as well as delivering social inclusion for citizens who will have more access to public and private services. Both a challenge of and a perspective on eIDAS is that the EU has been pushing and driving for a cross-border digital identity which is accepted by international organisations and financial institutions. At a cost, those who reject eIDAS believe it enables governments more than citizens in the capture of more data used to monitor how people are interacting with government and private services.

The definite direction towards digital raises potential concerns for citizens’ privacy when they can bypass verifying via a commercial provider to use their own wallet storing their digital credentials. A disconnect with verified physical identity appears even greater and opens the increased risk of identity-related fraud and cyber crime.

The digital identity is sold as a solution for ‘convenience’, enabling people by 2023 to access key services online, electronic medical records and hold an eID.

“When governments have access to infrastructure, they will use it. Always”

 

Current situation

Whilst setting out milestones that digital identity will help achieve, the communication around eIDAS built upon the 2020 strategy for Europe’s digital future has not addressed problems such as how companies will often access more personal data than they require for verification by requesting digital identities. Moreover, citizens’ personal data is not safe. The eIDAS framework proposes to ‘govern’ currently 19 national eID systems implemented by 14 member states, which all follow “varying standards” and “focus on a relatively small segment of the electronic identification needs of citizens and businesses”.

Moreover, there is currently no requirement for all EU Member States to develop a national eID which is interoperable and open with eIDs developed by other member states where partnership would be necessary. More broadly, regulatory EU bodies have not converged standards and certifications ensuring compliance of all technical solutions in the market for digital identity verification. For example, while in the UK the Digital Identity Trust Framework makes recommendations on the trust assurance qualities of any digital solution, there is no current passed requirement enforced by the Home Office for certification of third-party digital verification solutions.

The “Updating the European digital identity framework” briefing report, produced by the European Commission, includes the views of an expert group on eID and know-your-customer (KYC) processes that recognised that “national regulatory bodies across the EU have different standards regarding the compliance of technical solutions for digital identity verification”.

 

“Meanwhile, identification and authentication means developed by the private sector outside the eIDAS framework can only go so far in responding to the challenge. User friendly third-party authentication services (for instance, using a Facebook or Google account to log in to different services) are common for accessing unregulated private online services that do not require a high level of security, but they cannot offer the same level of legal certainty, data protection and privacy, mainly because they are self-asserted and do not provide a link to trusted and secure government eIDs”.

Sources: Updating the European digital identity framework (europa.eu)

Revision of the eIDAS Regulation: Findings on its implementation and application | Think Tank | European Parliament (europa.eu)