Biometrics: the end of identity documents?
Biometric data makes it easy to verify a person’s identity, but is it safe to hand fingerprint and other information to third parties?
Fingerprint readers, facial recognition and iris scans are standard features on today’s smartphones. Biometric authentication is used as a form of ID and access control and has replaced passwords on our personal devices.
Two new SA tech developers are using biometrics to make it easy to verify a person’s identity. But is biometrics as secure as we’d like to believe?
The Guardian recently reported that fingerprints, facial recognition information and unencrypted passwords belonging to over a million people were found on a publicly accessible online database belonging to tech company Suprema. Its Biostar 2 platform is used by more than 5,700 organisations in 83 countries, including banks, contractors and the UK Metropolitan Police.
Biometrics is the most reliable means of authenticating a personal identity, but when the stored data becomes publicly accessible, an affected person can’t simply change their fingerprints in the way they would with a password.
An SA company called Fides Cloud Technologies recently unveiled an app called WhoYou that allows businesses and individuals to remotely verify people. The app turns a smartphone camera into a fingerprint scanner that allows for real-time biometric verification, matched against the national population register (NPR), maintained by the home affairs department.
WhoYou business development director Craig Hills says biometric information is stored neither on the individual’s phone nor on a database. "The app is built in such a way that information is [available] for a limited time for the user to view the information retrieved, and thereafter removed."
WhoYou has put safeguards in place to protect people’s identities. "Only an NPR-verified individual will be able to use the app, and they will only be able to photograph another individual’s thumbs with their consent. Of course, we cannot protect against situations where individuals are forced to act against their will, but this risk is not specific to our application.
"Also, we are not doing anything new. We are democratising a service that banks and telecom companies have used for years to protect themselves against identity fraud — our aim is to make this available to all businesses and individuals."
WhoYou has been two years in the making, and has obtained National Credit Regulator accreditation.
When an individual requests the ID number of the person whose identity they seek to verify (for a permissible purpose in line with the National Credit Act), consent is sought. When it is obtained, it is kept on record in an audit trail.
"Once consent is obtained, the user captures a photo of the individual’s left and right thumbs. We then submit the ID number alongside the fingerprint images to the NPR and … get a response whether the fingerprints matched the ID," says Hills. Results are displayed only if the fingerprints match the prints stored at the NPR.
"The link to the NPR took our partners two years to obtain, which was a significant challenge, but our biggest hurdle was the refinement of the technology to make sure the fingerprint enrolments captured on the phone could match fingerprints enrolled on a fingerprint scanner," says Hills.
Another local company, Intergreatme, crowdfunded more than R32m in 10 days in May to offer a similar service that lets individuals verify themselves. The company wants to digitise the personal information of every South African.
Intergreatme’s app lets users upload documents like an ID, driver’s licence or passport, which the user then secures with a password or fingerprint. The data sits in a Microsoft Azure data centre in SA.
Fauve Duckworth, head of product marketing at Intergreatme, says it uses multiple layers of protection to safeguard information. "All information is encrypted using public-private key cryptography, so a user’s data is encrypted. If a malicious actor were to gain access to the database, they would need to understand how we encrypt data and access it."
The company employs several techniques to further obscure details. "We have intrusion/detection software on our servers, and have had external customers perform penetration tests. We also routinely test our infrastructure by running our own tests."
Intergreatme is linked to two major telecom companies and to automotive and courier companies, and allows any SA company to use its self-service business portal to verify data from customers — with their consent. Consumers can also download the app.
Though the company does not partner with the transport department, app users have presented a validated digital copy of their driver’s licence at roadblocks with success.
Duckworth says a nightclub in Stellenbosch has started accepting its app as a form of identity for students. "The owner explained how university students are notorious for ‘forgetting’ their IDs, bringing photocopies, and/or bringing fake IDs to his club. As our machine learning will reject fake documents, our app offered him a simple solution to this sticky problem."
And, she says, Intergreatme recently partnered with the Direct Marketing Association of Southern Africa to let its users add themselves to the "do not contact" list. "This will enable users to opt out of receiving unsolicited direct marketing via e-mail, SMSes or calls." The feature will be available later in the year.
Intergreatme is seeking partnerships with the Airports Company SA and airlines to offer digital identification for local travel. Customers have successfully used the app as a form of identification when flying locally.
"The more users actively use our app to interact with any type of business, the more demand for business to come on board increases," says Duckworth.