I'm Didier. I'm the CEO, founder, I CEO of PIO company that incorporated five years ago, we provide digital ID as a service to bank insurance, healthcare industry, and recently HR and government. Our solution is a component of several layers of, of infrastructure, including blockchain part, which you say permission based blockchain, which means that we are since day one with privacy by design in mind and distributed, not just ledge, but distributed architecture.
Hello, I'm, I'm advocating the concept of identity share by our own version and proposing as a solution. I expanded past the system that can accept the images as well as characters today, I would like to talk about two of the major threats coming, unfortunately from the circle of cyber security and the ID management professionals. One is the concept of the depth of password or password this authentication. The second is the biometrics touted as one of the factors of multifactor authentication. I would like to talk about them later.
Okay. Thank you.
Hello everyone. My name's Chen. I'm the CEO of fire ID. We were found it's German company. We're founded in 2004. We are one of the very early biometrics as a service provider and we advocate privacy by design. We only, only took us like less than four weeks to be a GDPR compliance. So this is where we are. So we, we like to empower companies like to deploy biometric in their services. Thank you.
Okay, great. Thank you. So when I thought about the, the initial yeah, question of, of, of this panel, actually the name of the panel, how do defend your customer from current and future threats? So the current threats that's, that's quite easy fishing. It's it's, it's it's data leakage, it's data breaches, it's credit card fraud. It's it's yeah. There are many aspects from, for that. And how do your solutions actually deal with our use that all, all the threats that we actually used to. So what, where, where do you come in before we come to the future threats? I assume it's it's about biometrics then later on, anyway, but, but how do your solutions aid in preventing the, the customers from,
From, yeah, from these threats, say there are many threats known already, and I would like to talk about the unknown threats, say known to a few people. One threat is coming from both coming from our four, from the professionals of security and it management one is the death of password or password less authentication. My understanding is that password less authentication or death of the password. If implemented the literally democracy would be dead where we were deprived of the chances and the means to get our position confirmed in having our identity or authentication or authenticated democracy introduced
The value of the de society are not compatible. I don't like let my children and the grandchildren live in such a horrifying place. That's a first one. And the second one is the biometric style period is one of the factors for multifactor authentications factors of multifactor. Authentications must be deployed in series say in the way both a and B shall pass, not in parallel, say the way either a or B B pass. And in cyberspace biometrics is used together with a fallback password against false rejection and biometrics and the fallback password I usually deployed in parallel the way either a or B shall pass. Meaning
Biometrics brought in this way, brings down the security. The password has so far provided is good to promote biometrics as a tool for better convenience. But if biometrics is brought this way is recommended for enhancing security, we have to be worried. And for those problems, the proposition I would like to make is that the current headache about passwords can be summarized. Rather simple passwords are also necessary and yet passwords are hated. Then the reasoning can lead us to only one way out. We need to come up with the sort of password that is not the hated, desirable love. That's what I would like to propose.
Okay. We have now three different thesis in the room. Maybe we, maybe we, you want to reply to one of them because it's one, one is the, the, the password list authentication. Second is the biometrics plus fallback password and the third. Yeah. Friendly, easy to use password as a replacement for the, for the hated one. Maybe you want to, to directly reply to that
Direction. Reply. Yeah.
Well, I, I, I have a different view. I think the current situation that we are in right now is users are not part of the process. I think this is why we see a lot of bridges, I think, and for the future, we believe that we should empower users and to be part of the process. I think this is what we are seeing right now and the past, or even up to today, we've heard about a lot of CRM is customer relationship management. That's coming from the enterprise or service provider. We believe we, we are looking at in the future is CRM a CMS, right? Is a customer managed relationship. Customers should be empowered to manage their own data. And if they're part of the process, you think, we think that the, the, the, the threat or the, the, you know, those cybersecurity problem will be much more improving in our opinion.
Okay.
Yeah, definitely would agree on that. And the, I think there's several aspect to, to your question. One is about privacy, which is definitely a trend. One is about the, the breachers they hacking, et cetera. It's not exactly privacy, but it's fraud after that were abusive. Use of her ID. I think there's another trend as well, which is profiling. That means it's comes from the, the last decade or two of accumulation of data, and then crunching some kind of algorithm to, in order to detect some trend, which that's not too bad, but also try to put you into a sort of a persona then push offers to you that I find as a individual, as travel as the rest and that, so the, the answer or, or the answer to all these different trends is, is not unique. You have to compose a, a puzzle. And part of it is definitely at least in terms of privacy to give back control on the data.
We've had several panels on that to the customer, and I think that's what GDPR is all about. And, and indeed some part of PSD two, and that's very important. It's not easy to implement, but that's definitely a, a part now in terms of thread for hacking or diagnosed, was that it's very much linked to the centralization because the, the bigger depart, the most attractive it is, right? So if you do have a decentralization system, then you don't have to accumulate data. It's just a matter to know where, where it is, or where is the certification about that data. That means you don't have to have sort of future redundancy of accumulative system just need to incorporate among ecosystem that reduced tremendously. First of all, the amount of data on the market duplicate and, and also reduce the transfer of data. That means just the moving data from one part to another is another thread. It's actually that big one weak point. And so you avoid that. So it's, it's several components that we are actually trying to provide to our customer,
Right. But this is actually a bit a different dimension than what mentioned, which is the authentication part, which is the, a bit of the authorization part as well, but maybe the, mostly the, yeah. The way how to handle biometric data and, and, and how to deal with yeah. The authentication process in general, this is actually something that happens afterwards.
Right? Well, it, it is kind of linked because all of the indeed is trying to move away from what's called knowledge based access. Right. So everything based on a secret or based on a, something that's shared with you instantaneously or something like that, I think when you have so much pro I mean, profile API available on product market, it's pretty secure to know that at least somebody else know what you know, so it's not efficient at all. So if you can find ways to either what suggest here or already, which is, I think it's a little bit more in the future, but in the meantime, if you can already implement at least some biometric element in, in the access, then you already increase the security drastically.
Right. That's
Okay. Yeah. I think both the privacy and data breachs are equally crucial today. And I know many countries are struggling with the data privacy and try to avoid the big browser thing. And, and of course this voice now to exactly how user the users share their data while if the user are not in a way to be able to make the consent in no way, way how the data get used. And of course, that cause a lot of problem for the, the security side as well. So both data privacy, as well as the data protection, they are sort of equally important, but then this is the versus the convenience versus the security. And it is always the, the threat of both sides. So, and, and we believe that the, if the data subject is exactly what this vital about, okay. If the data subject is aware about the, the threat and is much more easier for the service provider to incorporate the technology like authentication or biometric, whatever you have, okay. It's much more easier for them to accept the technology to increase the security.
I think consent always means informed consent. Otherwise it's not consent. Absolutely. If you don't understand what you're giving consent to, that is not consent at all. So, so maybe, maybe we can dig a bit deeper into that, that biometrics part as well, maybe also where the actual biometrics data resides afterwards, if it stays within a device or locked device, or whether it's actually stored offsite or somewhere in a central database, which of course is then subject to potential breaches as well. And it's mostly difficult to exchange our eyes afterwards once the retina scan has been breached. So, so maybe that is something that we should look as well look at as well when it comes to creating solutions, spread our future proof when it comes to dealing with, with biometric data as well. And I think this fallback password thing is the same that, that, that you were talking about.
I would try make complicated matter as simple as possible. So as assume that we talk about a weak door, we could think over two possibilities door panels is weak or the look, and the key is weak enhancing. The door penalty is a good thing, but it cannot be an alternative to enhancing the look and the key, the vice versa, I am in the business of making look and the key as strong as possible and the easy to use as possible. And I have no expertise for talking about how to enhance the door. So I am, I am focusing only on how to enhance the look and the key and the rest of the discussion. I will leave it to other professionals.
Right. Okay.
Just one comment on the, the issue about where you store biometric and whether or not your bombies can be stoned. I think in the last session that in Seattle, I think Maxo the lady who was giving a Skype session as well. She actually made it very clear that they so very big misconception of the biometrics. I think you already said it. If users do not understand the kind of technology they're dealing with, of course, you know, they're more scared to, to embrace it, to, to adapt it. The biometrics design is if you, even though, if you have the biometric template, you cannot reuse it. This is the, the fundamental science of our metrics. So the, the fear of you have my faith and then you can fake to be me and then, and so on and so forth. I think this is the misconception, the technology evolution.
As of today, we are able to identify whether or not this is a live person or whether or not the person is involved in the, during the authentication process or authorizing process. This is very, very important. Unlike, you know, the century ago that we talking about law enforcement that you only have is your fingerprint, and this is how you identify a person, but no, we are talking about biometric. As of today, it is something that you are part of the process. If you are not there to participate the, the, the process, then it will not happen. This is exactly what the misconception is.
Yeah. I fully, I fully agree to the extent that we're, we present that this more and more to our customer, because they can, if, if you add that layer with such a advanced process, then they can not just go to the authentication process. Let's go kind of onboarding process once, but they can also have a access management tool. That's pretty, it's pretty efficient now regarding to which is important as well, because then of course, when you, it's not just access, but again, when you talk about banks or financial institution, you talk about credit cards, by example, and credit cards have a extremely strong paying point with chargeback because they cannot link who's behind the card when the transaction is made, and that opens the door to all kinds of fraud and it's growing. So if you have a way to link on that or age, access, age verification, to access to a certain thing, then you, you get rid of a lot of, of, of the fraud or, and, and certainly make compliance much easier. So we do include that more and more in, in our solution because the customer realize it's not just a one single time process, it's an ongoing process.
Okay. So maybe also we can open up the discussion at that point. So if there are any questions in the room, I went with regards to this topic of, of preventing the customer from current and future risk or threats, please, please sign up and then let me know. And I'll integrating in the discussion. I want to go back to the, to the, to the zero trust authentication part of that, cuz I know that it's something that we will be talking about tomorrow as well. I think Katrina will talk about zero trust tomorrow anyway, and there was quite some, some criticism on that mechanism as far as I understood. So could you elaborate a bit more on, what is your issue with this zero trust authentication part?
I would like to make it clear that I'm not against the biometrics biometric used for forensic and the other purposes of personal identification. That's fine. I'm against only, I'm only against the, the spread of false sense of security worrying is that when security is actually brought down and yet the people are later to believe that the security has gone up, it's false sense of security.
In what case does that happen? Hmm. When does that happen? When, when do you see such a situation coming up?
I think it's already happening or spreading say apple and Google. All of those people are promoting biometrics, all biometrics, embedded the product as a tool for enhancing security, but it's, it's not the fact. The fact is those biometrics are used together with a full back means password in most cases. And those two factors are deployed in parallel the way either a or B and sharp pass in this case, convenience goes up, that security goes down and most of the multifactor applications, two factors are deployed in series series means both a and a both a and a B shall pass in this case. Security goes up though, convenience goes down. If this those two are mixed up, then we will have many people are trapped in a false sense of security. And that's I understand is a very major threat, which is not yet fully understood by not only consumers, but many of the professionals.
Okay. But, but that could be healed by changing the process. As you said, really, to make sure that you have this a plus B or sequence check, which, which might require some more additional factors, but this can be healed.
Yeah. I, I think it
Doesn't matter if this is a parallel process or serial process. If I use and inform a device to, to present my fingerprint, it can still be pair because first of all, you must present your fingerprint on the right device. And this is a two factor. It can be impair. There's no nothing wrong to, to, to pro to provide a, a and B para in para I don't think is a problem. There is one obvious problem. If you do a theory because the ERs things never disappear. If one of them is, is the weakest link of the whole process, it's going to be a weakers link, no matter what. So in para process, if you are able to deploy or implement in a way that a and B, I think that's a good thing. For example, we are using it with our device. You want to use fiber, have the phone, you must register your phone, you present your fingerprint on the right device. It is a parallel process. I think this a and B I think is equally good, all even better. In my opinion,
I, I have to say half years and half an O in, in terms of using both the physical object as a form and biometrics, it looks like two factor, but when you are false, you are rejected by biometric. You would have to rely on password on pink code. Then in that case, mobile phone together with pink code is safer than more by phone with the pink code or password. So in terms of convenience, this mobile phone together with king code or biometrics, that's fine. I, I don't, I'm not against it. I'm only against people are little to believe that the, the security has gone up, even though security has gone down,
What would, what would the, what would the attack look like if you, if we have the citizen scenario that you've described, so you have passport plus device, so stealing the device, plus having the password would enable access.
So usually two factor authentication is password and something you have, right?
Yeah. It's the device that you stolen.
So every device is stolen. Password would, would still work, right? So two factor authentication must be better than one factor because it's simple because two is that all is larger than one.
So let's find a solution for that issue.
Yes. So two factor authentication is a solution. The I'm not talking about it. I'm talking about full sense of security. Sure. That could be brought by wrong understanding about whether the security has gone up or gone down, right.
Fully understood. So we have to make sure that this common notion of what is actually going on is, is equally distributed. And everybody understands. If I choose that weaker mechanism, my security goes down and otherwise, again, informed consent. I don't have to understand what I'm doing. So I have to use the right, the right level of security. And if that means inconvenience that it means inconvenience.
It's a matter of informed the consent, right. And that informed the consent should not be displaced by the missing, informed the consent.
Okay.
Also in, I mean, what we see before when we implement solution is that we can sequence it. So it's, it's a smoother process and journey for the customer. It's to access a certain part of the app for doing things that are not risky. You it's enough to have one factor of identification. It doesn't have to be knowledge based, but it can. And then the more you go into risky business just for yourself, but also for the company like transaction, then of course you, you start to increase and ask an additional layer. And when you do that, you see, we see a much better traction among the customer of course, needs to be informed, but also it makes sense. And it kind of layer the risk, perceived the perception of the risk by customer and, and the, the, the understanding, and then the agreement to participate that higher security.
I just wondering one more comment about he system brought out this law lock and lock issue. Yeah. We we've been in the process working with several smart log companies. Okay. Those are the IOT companies. Okay. And can you imagine that those people, the most traditional industry, they are now going for smart logs or smart home, and one reason of course is for convenience, but very importantly, they also want to provide secure and convenient access for the customers, for the users. If I want to enter my apartment with my smartphone, I better be sure that this is, this is me, myself. And so they actually proposing to use multifactor incorporating biometric. So the device itself must, must be registered. And then later on, they incorporate either an FC NFC code or they use biometrics. So I think the, the adoption of this kind of technology to cope with the, the threats or the security matters is pretty much down all the way links to the, to the customers or the user itself. So the threat will be much more lesser if the user feels that yeah, they are in procession of their, or they are embracing the security process instead of they are forced to follow certain process because it's perceived not, not secure.
Okay. Maybe a final question as we already getting close to the discussion, but you've brought up the, the example with the, with the smart home and authentication via phone and fingerprint, but in my experience, and I think, I think this is something that wasn't the other talks over in the other room as well. People are not really caring about security. And if it's cheaper, the, the, the, the smart, smart block is cheaper, then they might choose the, the cheaper one, even if it's just using a password. So, so how would you, how would you act to, to be more a, a, an advocate defending the security or for security, what would you do to actually teach people to achieve that? Just making it cheaper is not, not, not an option,
Right? Absolutely. I might be a little bit cynical there, but it's, I'm not sure you teach it's, you can just translate that maybe because I live in America, but translate that into what they have to spend. And you'll see, cuz at the end of the day, it's risk management right. For, for vendors. So it's, they can very well come up with pricing difference. If you choose a low high risk setting, then that's fine for you. That's that's your privilege, but you're gonna pay more than if you actually reduce the risk for the company. And I think that's, we, can we begin to see that model coming up?
Yeah. I, I think pricing is not really the, the issue to smart, smart block market is not. Yes, absolutely. It's a, it's a user convenience. Okay. Right, right. So there are applications that this is good. For example, if I work in the office, they come to my office. Yeah. It's okay to use market. I think this is what people want to use, but of course your main door, the access to your, to your premises. I think people still will not use smart log alone by itself. There are many other mechanism they're built in instead of just a smart log using a smartphone to do so. And, but of course it's, the management is, is, is of management, making, making the security process much more easier for the security people to manage and also offer a solution for the custom, the users, a way to be part of the, the security concern. Okay. It's not really the pricing that, that those industry are talking about. Okay.
So lastly, my simple advice to the population is where convenience matters more than security. The, that new iPhone featuring the touch ID and the face ID would be fine where security matters more than convenience. All the iPhones with only pink code is better.
Okay. We we'll do a poll about that. Thank you very much for your time and for the discussion. Thank you. Let's see if each other with, at the coffee and let's see later on for the final keynotes for today. Thank you very much for your
Participation. Thank you.
