Much of our time, as consumers and overall engaged people, is spent online, where there’s an expectation that adequate security and privacy protections are in place. As we’ve seen with the most recent Saks Fifth Avenue, Lord & Taylor and MyFitnessPal data breaches, and with similar revelations proving our data is in the wrong hands, consumers’ privacy isn’t 100 percent protected.
All data breaches have their own story, but a common theme tying them together is that online service providers hold a tremendous amount of our data, and this data ultimately winds up getting hacked or accidentally lost.
Too much data is out of our control
The amount of data our banks and preferred retailers hold is incredible, and not just in volume. It’s remarkable because of how far it’s taken us away from when personal information such as our driver’s license, credit cards, and other forms of ID was, indeed, personal. Years ago you wouldn’t have expected that when visiting a pharmacy you’d present your wallet, and the clerk would take it and match it against a copy of your wallet they hold alongside clones of all other customers’ wallets. Yet with today’s overly connected world, that’s just what you’re doing.
You’re doing it many times daily because most service providers authenticate you or authorize payments using your information matched against information held centrally. This is a familiar way of asserting one’s identity and processing payments, and it’s been around for a long time. That doesn’t mean it’s the only way to handle personal data used for account login or payments, as pioneering enterprises like Mastercard already demonstrate.
An end to data breaches
The world’s turning its attention toward the way enterprises handle data. Verizon reports that over 80 percent of data breaches are rooted in a misuse of credentials like passwords. Security experts have grown skeptical of passwords, which have few champions due to their hassles on mobile, the need to recall or reset them, and so on. Many are looking at whether convenience features such as biometrics will eclipse passwords. There’s enormous pressure on CEOs of large enterprises to get this right or face scrutiny.
The conversation we’re having about the safest modes to authenticate is constructive, but we should take note that passwords aren’t the problem and biometrics aren’t a cure-all. Biometrics, PINs, passwords, credit cards and other identifiers all have benefits and drawbacks. What’s critical is that the enterprises that serve us discontinue storing this information centrally, because it is risky and unnecessary.
Biometrics remove the nuisance of having to manage passwords, but a biometrics breach can result in one’s voice or iris template being permanently retired from online use. Passwords can be reset, but passwords, and the layers of security added on top of them such as texts, prove unsuitable for use on mobile, or in smart homes and cars.
The solution in our hands
The sophistication of today’s mobile devices ensures we are all holding digital keys to our connected world. The personal data we use for login and payments can be securely stored on our mobile devices, encrypted and isolated deep within the hardware layer.
When we, as consumers, want to log in or pay, our smartphone and the retailer’s mobile app can exchange non-sensitive equivalent information that represents our fingerprints, PIN, or password without transmitting the original over the Internet. This is a marriage of existing methods, such as cryptography as seen in the film The Imitation Game, and advances in today’s smartphones.
How many of us use built-in features such as a fingerprint sensor to unlock our phone or check our bank balance? Who hasn’t used a front-facing camera to take a selfie? We already use our mobile devices to access all kinds of services and entertainment. It’s time we put them to their highest and best use by using their security features. There’s so much to gain through applying technology that is truly in our hands toward the obvious problem of fraud and the doubt that data breach headlines create.
The real benefit here is a trust revolution — we’ll be able to participate, re-create and transact with confidence, empowered by a renewed control over our data. This will greatly reduce the potential for data breaches because our service providers won’t be targeted for vast libraries of information for hackers to sell on the dark web. If our bank is not in possession of sensitive data used for login, then by definition it can’t misplace it and hackers can’t steal it.
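The exchange described above, in which the phone proves it holds a key and the provider stores nothing worth stealing, sketched in Go as an added example; it is not code from the author or from any vendor named here. Ed25519 signatures and the names Device, Account, Enroll, Challenge and Verify are assumptions chosen for illustration.

```go
// Added sketch: every name here, and the choice of Ed25519, is an assumption.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device stands in for the phone; the private key is created and kept on it.
type Device struct{ priv ed25519.PrivateKey }

// Sign answers a challenge; a real phone gates this behind a fingerprint or PIN.
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Account is all the provider stores: a public key and the pending challenge.
type Account struct {
	pub   ed25519.PublicKey
	nonce []byte
}

// Enroll creates the key pair and hands the provider only the public half.
func Enroll() (*Device, *Account) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no system randomness, so no safe key can be made
	}
	return &Device{priv}, &Account{pub: pub}
}

// Challenge issues a fresh random nonce for one login attempt.
func (a *Account) Challenge() []byte {
	a.nonce = make([]byte, 32)
	if _, err := rand.Read(a.nonce); err != nil {
		panic(err)
	}
	return append([]byte(nil), a.nonce...) // copy, so the caller cannot alter ours
}

// Verify checks the signature over the pending nonce, which is single-use.
func (a *Account) Verify(sig []byte) bool {
	defer func() { a.nonce = nil }()
	return a.nonce != nil && ed25519.Verify(a.pub, a.nonce, sig)
}

func main() {
	phone, acct := Enroll()
	sig := phone.Sign(acct.Challenge())
	fmt.Println("login accepted:", acct.Verify(sig), "| replay accepted:", acct.Verify(sig))
}
```

A copy of the Account record gives an intruder only a public key and a spent nonce, and a captured signature fails against the next challenge.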
Consumers and service providers have tons to gain through decentralized authentication, as it is called. We can eliminate fraud and the reuse of credentials that follows a data breach. We can enjoy a frictionless experience, as well as faster checkout times, since an essential part of the verification occurs locally on our devices. Service providers will have lower IT costs as they no longer store or protect tons of sensitive consumer data. They’ll also see savings in areas like password management because many people will choose password-less experiences through all the fun biometric options.
Personal data in our hands calls back to the days when you held your wallet on your person, and, just as in the wallet analogy, if you were to lose your smartphone you’d simply call the service providers to revoke access until you reregister a new device.
How we return to a safe data model
The technology that enables us to carry digital keys is here and the effort to implement it is catching up fast. Mastercard is a notable provider that’s way ahead of the curve and there are others. There’s a nonprofit industry consortium of finance and technology’s best and brightest called the Fast IDentity Online Alliance, which promotes open standards to achieve this and advocates for speedier adoption.
The transition to a decentralized future is mainly enterprise-driven. As consumers, we can ask our providers where they store data used for accessing services. Don’t be shy — enterprises already want to retain us as customers. If our financial and other providers want to remain competitive they already have a commitment to deliver the best customer experience. They also want to reduce risk and be associated with fewer security incidents. You want to trust them and in turn, they want to be able to trust everyone.
George Avetisov is chief executive officer and cofounder of HYPR Corp.