The end of identity documents
Biometric data makes it easy to verify a person’s identity, but is it safe to hand fingerprint and other information to third parties?
Fingerprint readers, facial recognition and iris scans are standard features on today’s smartphones. Biometric authentication is used as a form of ID and access control and has replaced passwords on our personal devices.
Two new SA tech developers are using biometrics to make it easy to verify a person’s identity. But is biometrics as secure as we’d like to believe?
The Guardian recently reported that fingerprints, facial recognition information and unencrypted passwords belonging to over a million people were found on an online public database belonging to tech company Suprema. Its BioStar 2 platform is used by more than 5,700 organisations in 83 countries, including banks, contractors and the UK Metropolitan Police.
Biometrics is the most reliable means of authenticating a personal identity, but when the stored data becomes publicly accessible, an affected person can’t simply change their fingerprints in the way they would with a password.
An SA company called Fides Cloud Technologies recently unveiled an app called Whoyou that allows businesses and individuals to remotely verify people. The app turns a smartphone camera into a fingerprint scanner that allows for real-time biometric verification, matched against the national population register (NPR), maintained by the home affairs department.
Whoyou business development director Craig Hills says biometric information is stored neither on the individual’s phone nor on a database. “The app is built in such a way that information is [available] for a limited time for the user to view the information retrieved, and thereafter removed.”
Whoyou has put safeguards in place to protect people’s identities. “Only an NPR-verified individual will be able to use the app, and they will only be able to photograph another individual’s thumbs with their consent. Of course, we cannot protect against situations where individuals are forced to act against their will, but this risk is not specific to our application.
“Also, we are not doing anything new. We are democratising a service that banks and telecom companies have used for years to protect themselves against identity fraud — our aim is to make this available to all businesses and individuals.”
Whoyou has been two years in the making and has obtained National Credit Regulator accreditation.
When an individual requests the ID number of the person whose identity they seek to verify (for a permissible purpose in line with the National Credit Act), consent is sought. Once obtained, that consent is kept on record in an audit trail.
“Once consent is obtained, the user captures a photo of the individual’s left and right thumbs. We then submit the ID number alongside the fingerprint images to the NPR and … get a response whether the fingerprints matched the ID,” says Hills. Results are displayed only if the fingerprints match the prints stored at the NPR.
“The link to the NPR took our partners two years to obtain, which was a significant challenge, but our biggest hurdle was the