
Protecting Your Digital Identity: The Impact of EUCLEAK on FIDO Devices

A vulnerability has emerged that poses a significant threat to FIDO devices built on the Infineon SLE78 security microcontroller. Thomas Roche of NinjaLab discovered the flaw, dubbed “EUCLEAK.” It has raised concerns among security experts and users alike because it allows an attacker who gets physical possession of a YubiKey to clone its FIDO credentials.

The EUCLEAK Vulnerability

EUCLEAK is a physical side-channel attack that targets the Elliptic Curve Digital Signature Algorithm (ECDSA) secret keys stored within FIDO devices. The weakness is not in ECDSA itself but in Infineon’s cryptographic library: its modular inversion uses an Extended Euclidean Algorithm (hence the name) whose running time depends on the value being inverted. During signing that value is the per-signature nonce, so the electromagnetic emissions of the chip leak information about the nonce, and partial nonce information collected over a number of signatures is enough to recover the long-term private key. That key is what lets the authenticator prove possession to a relying party, so extracting and cloning it undermines the guarantee the device exists to provide: a clone can authenticate as the legitimate user without the relying party being able to tell the difference.

The attack requires physical access to the device for an extended period, opening its casing to place an electromagnetic probe near the chip, specialized equipment, and advanced knowledge in electronics and cryptography. Where the key is used as a second factor, the attacker additionally needs the victim’s username and password (and the FIDO PIN, if one is set) before the clone is of any use. This means that while the attack is technically feasible, it is not easily executed by the average threat actor. However, the implications of such an attack are severe, especially for high-value targets where physical access to devices is a realistic threat, because the victim keeps a working key and has no indication that a clone exists.
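The following is an added example, not code from the original post and not NinjaLab’s or Yubico’s code. It shows the two facts the attack rests on: an Extended Euclidean inversion runs a number of iterations that depends on its input (here the ECDSA nonce), whereas a Fermat inversion does the same work for every input; and a nonce that leaks through such a channel hands over the long-term private key through the standard ECDSA relation d = r⁻¹(s·k − z) mod n. The curve is NIST P-256, which FIDO2/WebAuthn uses by default; the key, nonce and message are constructed test values. The scalar multiplication is a plain double-and-add written for readability, not a side-channel-safe implementation.

```python
"""Added example: data-dependent nonce inversion in ECDSA and what a leaked nonce costs.
Curve NIST P-256. Keys, nonce and message below are constructed test values."""
import hashlib

# NIST P-256 domain parameters
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def inv_euclid(a, m):
    """Extended Euclidean inversion. Returns (a^-1 mod m, loop iterations).
    The iteration count, and so the time and EM trace, depends on a: the
    kind of data-dependent behaviour a side-channel attacker measures."""
    r0, r1, t0, t1, steps = m, a % m, 0, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
        steps += 1
    return t0 % m, steps


def inv_fermat(a, m):
    """a^(m-2) mod m for prime m: the exponent is fixed, so the amount of
    work does not depend on the secret (a common constant-time choice)."""
    return pow(a, m - 2, m)


def ec_add(p1, p2):
    """Affine point addition/doubling on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_fermat(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv_fermat((x2 - x1) % P, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not side-channel safe)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k, leaky=False):
    """ECDSA: r = x(kG) mod n, s = k^-1 (z + r d) mod n. k must be secret and unique."""
    z = hash_to_int(msg)
    r = ec_mul(k, G)[0] % N
    k_inv = inv_euclid(k, N)[0] if leaky else inv_fermat(k, N)
    return r, k_inv * (z + r * d) % N


def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = inv_fermat(s, N)
    pt = ec_add(ec_mul(hash_to_int(msg) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover_private_key(msg, sig, k):
    """Once the nonce k of a single signature is known: d = r^-1 (s k - z) mod n."""
    r, s = sig
    return (s * k - hash_to_int(msg)) * inv_fermat(r, N) % N


def nonce_inverse_steps(k):
    """Number of Euclid iterations the inversion of nonce k takes: the leaked quantity."""
    return inv_euclid(k, N)[1]


if __name__ == "__main__":
    d = 0x1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c  # constructed key
    pub = ec_mul(d, G)
    msg = b"constructed WebAuthn challenge"
    k = 0x7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a  # constructed nonce
    sig = sign(d, msg, k)
    print("signature valid:", verify(pub, msg, sig))
    print("euclid iterations for this nonce:", nonce_inverse_steps(k), "for k=1:", nonce_inverse_steps(1))
    print("private key recovered from leaked nonce:", recover_private_key(msg, sig, k) == d)
```

Both inversions produce the identical signature, which is why the flaw is invisible to any relying party: correctness is unaffected, only the physical behaviour of the chip differs. The real attack does not observe iteration counts directly or obtain a whole nonce from one trace; it collects partial nonce information from many signatures and finishes the job with lattice techniques, but the final step is the relation in `recover_private_key`.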

Impact on YubiKey Devices

Yubico’s YubiKey 5 Series, which is widely used for two-factor authentication (2FA) and other security purposes, is among the affected devices: units running firmware versions before 5.7 use the Infineon cryptographic library in question. Yubico has acknowledged the vulnerability and rated the risk as moderate. The company has emphasized that the attack’s complexity and the need for physical access mitigate the overall risk to users.

Despite this, the discovery of EUCLEAK highlights the importance of continuous vigilance and improvement in the field of cybersecurity. As attackers develop more sophisticated methods, security measures must evolve to stay ahead of potential threats.

Mitigation and Response

YubiKey firmware cannot be updated in the field, so the affected keys will stay affected for their entire lifetime; Yubico’s response was to ship new devices with firmware 5.7, which replaces the Infineon cryptographic library with Yubico’s own. Other manufacturers using the Infineon SLE78 microcontroller depend on Infineon’s fix and on whether their products can be updated at all. Users can read their key’s firmware version with Yubico’s tooling (for example `ykman info`) and, if they are a plausible target for an attacker with physical access, replace pre-5.7 keys; otherwise the practical advice is to stay informed about updates and to be cautious about physical access to the devices, since a key that has been out of your control for hours should be treated as potentially cloned.

Additionally, organizations that rely on FIDO devices for authentication should review their security policies and consider additional layers of protection. This might include requiring a PIN or biometric on the key, checking the authenticator attestation at registration so that affected models can be identified and, where necessary, re-enrolled on replacement hardware, using multiple forms of authentication, and regularly auditing their security infrastructure to identify and address potential vulnerabilities.

Impact on Companies vs Users

The EUCLEAK vulnerability has far-reaching impact on the cybersecurity landscape. For one, it highlights the evolving nature of security threats. Even devices designed with robust security measures can be vulnerable to sophisticated attacks. This realization should prompt both manufacturers and users to adopt a mindset of continuous improvement and vigilance.

For manufacturers, this means investing in ongoing research and development to identify and mitigate potential vulnerabilities before they can be exploited. It also means being transparent with users about risks and providing timely updates and support.

For users, the EUCLEAK vulnerability says a lot about the importance of physical security. While digital threats often dominate the conversation, physical access to devices remains a critical vector for attacks. 

Users should be mindful of where and how they store their security keys and consider additional protective measures, such as using tamper-evident seals or secure storage solutions.

China’s National Digital ID System Trials Begin Across 80 Internet Service Applications

 

China has initiated trials for its new national digital identification system across more than 80 internet service applications. This move follows the release of draft rules on July 26, 2024, with a public review and comment period open until August 25. The proposed system marks a significant step toward enhancing digital security and privacy for Chinese internet users. Internet users can now apply for their national digital ID by logging onto a mobile app called National Web Identification Pilot Version, developed by China’s Ministry of Public Security (MPS).

This digital ID, which displays the user’s name, a “web number,” and a QR code, requires users to complete several verification steps, including national ID card verification and facial recognition. The digital ID can currently be used on 81 different applications, encompassing 10 public service platforms and 71 commercial apps. Notable platforms participating in the trial include the popular social media provider WeChat, the online shopping service Taobao, and the online recruitment platform Zhaopin. This broad implementation aims to test the ID’s functionality across a diverse range of services, highlighting its potential to streamline user identification and enhance security across various online activities. 

The proposed digital ID, detailed in a draft provision released by the MPS and the Cyberspace Administration of China (CAC), aims to reduce the amount of personal information that internet platforms can collect from their users. The draft rules state that applying for the digital ID is voluntary, offering users the choice to opt-in to this new system. This initiative is part of a broader effort to address privacy concerns and reduce the risk of data leaks, which have been exacerbated by the misuse of the current real-name registration system by some internet platforms. The current real-name registration system has allowed internet platforms to accumulate excessive amounts of personal information, leading to heightened privacy risks. The proposed digital ID system seeks to mitigate these risks by limiting the data collected by platforms. 

By requiring only essential information for verification, the digital ID aims to provide a more secure and privacy-conscious way for users to interact online. In addition to improving privacy, the digital ID system also promises to enhance convenience for users. With a single digital ID, users can seamlessly access multiple services without repeatedly providing personal information. This streamlined process not only simplifies the user experience but also reduces the opportunities for data to be misused or leaked. The trial of the national digital ID system represents a significant step towards addressing privacy issues while streamlining the process of user identification online. By implementing a digital ID, China aims to create a more secure and privacy-conscious internet environment for its users. 

This initiative reflects a growing recognition of the need for robust digital security measures in an increasingly interconnected world. As the public review and comment period progresses, feedback from users and stakeholders will be crucial in refining the digital ID system. The insights gained from this trial will help shape the final implementation, ensuring that the system effectively balances security, privacy, and user convenience. China’s commitment to enhancing digital security and privacy through this national digital ID system sets a precedent that could influence similar initiatives worldwide.

Mr. Cooper Data Breach: 14 Million Customers Exposed

A major data breach at mortgage servicer Mr. Cooper compromised the personal data of roughly 14 million consumers, according to the company’s disclosure. The incident is a reminder of how exposed sensitive data is in the digital age.

The breach, confirmed on December 18, 2023, demonstrates how vital strong cybersecurity procedures are in financial institutions and has significant consequences for the affected persons. The attackers gained access to Mr. Cooper’s networks and took a wealth of private information, including names, addresses, Social Security numbers, and other personal details.

TechCrunch reported on the incident, emphasizing the scale of the breach and the potential consequences for those impacted. The breach underscores the persistent and evolving threats faced by organizations that handle vast amounts of personal information. As consumers, it serves as a stark reminder of the importance of vigilance in protecting our digital identities.

Mr. Cooper has taken swift action in response to the breach, acknowledging the severity of the situation. The company is actively working to contain the fallout and assist affected customers in securing their information. In a statement to Help Net Security, Mr. Cooper reassured customers that it is implementing additional security measures to prevent future breaches.

The likely motive behind the attack is the lucrative market for stolen personal data on the dark web. The breached information can be exploited for identity theft, financial fraud, and other malicious activities. This incident underscores the need for organizations to prioritize cybersecurity and invest in advanced threat detection and prevention mechanisms.

"The Mr. Cooper data breach is a sobering reminder of the evolving threat landscape," cybersecurity experts have stated. "To safeguard their consumers' confidence and privacy, businesses need to invest heavily in cybersecurity solutions and maintain a watchful eye."

In light of the growing digital landscape, the Mr. Cooper data breach should be seen as a wake-up call for companies and individuals to prioritize cybersecurity and collaborate to create a more secure online environment.

iLeakage Attack: Protecting Your Digital Security

The iLeakage attack is a newly disclosed issue for Apple users, found by academic security researchers. It targets Macs and iPhones and can reveal private data, including passwords and email contents, to a malicious web page. It is important to understand how this attack operates and to take the necessary precautions in order to stay safe.

The iLeakage attack, detailed on ileakage.com, is a speculative-execution side channel (in the Spectre family) against Apple’s Safari browser on Apple silicon. A web page controlled by the attacker opens the target site and then reads that site’s memory from the shared renderer process, so an attacker can recover the contents of a logged-in email inbox or passwords that the browser autofills. On iOS this matters for every browser, not just Safari, because all iOS browsers are built on Apple’s WebKit engine. This poses a significant threat to personal privacy and sensitive data.

To safeguard against this threat, it's imperative to take the following steps:

1. Update Software and Applications: Regularly updating your iPhone and Mac, along with the Safari browser, is one of the most effective ways to protect against iLeakage. These updates often contain patches for known vulnerabilities, making it harder for attackers to exploit them.

2. Enable Two-Factor Authentication (2FA): Activating 2FA adds an extra layer of security to your accounts. Even if a hacker manages to obtain your password, they won't be able to access your accounts without the secondary authentication method.

3. Avoid Clicking Suspicious Links: Be cautious when clicking on links, especially in emails or messages from unknown sources. iLeakage is carried out by a web page the attacker controls, so simply visiting a malicious link is enough; refrain from interacting with any that seem suspicious.

4. Use Strong, Unique Passwords: Utilize complex passwords that include a combination of letters, numbers, and special characters. Avoid using easily guessable information, such as birthdays or common words.

5. Regularly Monitor Accounts: Keep a close eye on your email and other accounts for any unusual activities. If you notice anything suspicious, change your passwords immediately and report the incident to your service provider.

6. Install Security Software: Consider using reputable security software that offers additional layers of protection against cyber threats. Such programs can block known malicious sites and malware, which reduces the chance of landing on an attack page; they cannot observe a side channel running inside the browser itself, so this is a complement to updating, not a substitute.

7. Educate Yourself and Others: Stay informed about the latest security threats and educate family members or colleagues about best practices for online safety. Awareness is a powerful defense against cyberattacks.

Apple consumers can lower their risk of being victims of the iLeakage assault greatly by implementing these preventive measures. In the current digital environment, being cautious and proactive with cybersecurity is crucial. When it comes to internet security, keep in mind that a little bit of prevention is always better than a lot of treatment.


Role of Biometric Authentication in Metaverse Technology

 

As we approach a new era of virtual reality, the digital world is becoming increasingly real. Businesses will grow in this new reality as individuals and organisations soon enter a parallel reality known as the metaverse and show themselves as their avatars, or 3D versions of themselves. 

But, like with every new technology, every invention has two sides. On the one hand, you will be able to completely customise your avatar and appearance in the metaverse. But what about security, on the other hand? How do you safeguard your personal information in such an open virtual environment? How do you protect the security of your identities when connecting with individuals and businesses on a level you've never encountered before? Biometrics holds the key. 

Role of biometrics in the metaverse 

Biometrics is a subset of the larger area of digital identity management. It entails using distinguishing physical characteristics such as fingerprints or facial features to identify people. 

Biometric technology has been used in security systems around the world for years—think retina scans at airports or fingerprints on smartphones—but now we're seeing more companies use it for employee access control as well as customer service applications like digital banking services or e-commerce sites where purchasing specific items requires verification through a scan of your fingerprint or face before a purchase can be completed. 

The growing number of social engineering attacks and other security concerns has a significant impact on how firms verify and authorise their online users. And, when it comes to the metaverse, the situation is deteriorating as fraudsters target weak points in authentication.

If a company leaves an opening in the overall authentication process, consumer-facing malware could compromise identities. Although many organisations are concerned about the metaverse's underlying security and authentication vulnerabilities, most aren't taking the necessary steps to mitigate them.

This is where a strong identity management solution with biometric authentication comes into effect. Users can quickly and securely authenticate themselves using face recognition or fingerprint scanning.

Because biometric traits are hard for an attacker to guess or phish, this reduces the likelihood of account takeover through stolen credentials. Because it provides an easy means for people to authenticate their identity without passwords or PIN codes, biometrics is at the heart of building safe digital identities in the metaverse.

Biometrics, as opposed to passwords, is based on traits such as fingerprints, voice, and facial attributes that are unique enough to tell people apart. The caveats are that a biometric is not a secret (your face and fingerprints are left everywhere), so systems must include liveness or presentation-attack detection against photos, masks and replayed recordings; and unlike a password, a biometric cannot be changed, so a leaked template database is a permanent loss. This is why stored templates must be protected (ideally kept on the user's device, as phone fingerprint sensors do) and why biometrics should be one factor alongside something the user has.

Biometrics challenges in the metaverse

While biometrics has the potential to improve security and user experience in the metaverse, it is not without its drawbacks and challenges: 

Concerns about privacy: Users in the metaverse may be hesitant to share sensitive biometric data, such as facial recognition or fingerprint scans, for fear of potential breaches or exploitation. Maintaining the security of this data becomes critical, posing a serious privacy concern. 

Security Risks: Biometric data in the metaverse, like in the real world, is vulnerable to hacking efforts. Cybercriminals may target biometric authentication systems, jeopardising users' identities and security. 

Accessibility Issues: Biometric authentication relies on specific physical or behavioural qualities that may not be available to everyone. Some users may require additional technology or have circumstances that make biometric detection problematic, preventing them from having a seamless metaverse experience.

False Positives and Negatives: Biometric systems are not perfect. False positives (accepting an unauthorised user, measured as the false accept rate) and false negatives (rejecting an authorised user, measured as the false reject rate) can occur, causing authentication challenges and potential user irritation. The two are traded off against each other by the match threshold: tightening it for security raises the false reject rate, loosening it for convenience raises the false accept rate.
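To make the trade-off concrete, here is an added example (not from the original post and not from any particular vendor) that computes the false accept rate (FAR) and false reject rate (FRR) of a matcher from its similarity scores, finds the equal error rate, and picks a threshold for a security-first FAR budget. The score lists are constructed: in practice they come from comparing many genuine and impostor samples against enrolled templates.

```python
"""Added example: FAR/FRR trade-off of a biometric matcher. Scores are constructed."""

# Constructed matcher outputs in [0, 1]; higher means "more similar to the template".
# GENUINE: the enrolled person presenting themselves; IMPOSTOR: someone else.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.60, 0.97, 0.79, 0.85, 0.68]
IMPOSTOR_SCORES = [0.12, 0.35, 0.22, 0.48, 0.65, 0.30, 0.41, 0.18, 0.55, 0.27]


def accept(score, threshold):
    """Decision rule: the matcher accepts when the score reaches the threshold."""
    return score >= threshold


def false_accept_rate(impostor, threshold):
    """FAR: share of impostor attempts wrongly accepted (the security error)."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def false_reject_rate(genuine, threshold):
    """FRR: share of legitimate attempts wrongly rejected (the usability error)."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def error_rates(genuine, impostor):
    """(threshold, FAR, FRR) at every candidate threshold, i.e. every observed score."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_accept_rate(impostor, t), false_reject_rate(genuine, t))
            for t in thresholds]


def equal_error_rate(genuine, impostor):
    """Operating point where FAR and FRR are closest. The EER is the usual
    one-number summary of matcher quality (lower is better)."""
    return min(error_rates(genuine, impostor), key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(genuine, impostor, max_far):
    """Security-first tuning: lowest threshold whose FAR is within budget,
    together with the FRR users will pay for it. None if no threshold qualifies."""
    for t, far, frr in error_rates(genuine, impostor):
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    for t, far, frr in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR {far:.2f}  FRR {frr:.2f}")
    print("EER point (threshold, FAR, FRR):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("zero-FAR point:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On this constructed data the equal error rate is 10% at a threshold of 0.65, and insisting on zero false accepts pushes the threshold to 0.68 at the cost of rejecting one legitimate attempt in ten. Real deployments report FAR at rates like one in 50,000 or one in a million, which needs far larger impostor sets than ten scores; the arithmetic is the same.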

Biometrics' role in the metaverse is a two-edged sword. While technology has the potential to provide greater security, personalised experiences, and seamless interactions, it also poses privacy, security, accessibility, and ethical issues. To establish a secure and inclusive virtual environment, the successful incorporation of biometrics in the metaverse will require careful assessment of these issues as well as a commitment to addressing these challenges. 

Worldcoin’s Iris-Scanning Technology: A Game-Changer or a Privacy Concern


Worldcoin, a cryptocurrency and digital ID project co-founded by OpenAI CEO Sam Altman, has recently announced its plans to expand globally and offer its iris-scanning and identity-verification technology to other organizations. The project, which launched publicly in July 2023, requires users to give their iris scans in exchange for a digital ID and free cryptocurrency.

Worldcoin’s Mission

According to Ricardo Macieira, the general manager for Europe at Tools For Humanity, the company behind the Worldcoin project, the company is on a mission of “building the biggest financial and identity community” possible. The idea is that as they build this infrastructure, they will allow other third parties to use the technology.

Privacy Concerns

Worldcoin’s iris-scanning technology has been met with both excitement and concern. On one hand, it offers a unique way to verify identity and enable instant cross-border financial transactions. On the other hand, there are concerns about privacy and the potential misuse of biometric data. Data watchdogs in Britain, France, and Germany have said they are looking into the project.

Despite these concerns, Worldcoin has already seen significant adoption. According to the company, 2.2 million people have signed up, mostly during a trial period over the last two years. The company has also raised $115 million from venture capital investors including Blockchain Capital, a16z crypto, Bain Capital Crypto, and Distributed Global in a funding round in May.

Potential Applications

Worldcoin’s website mentions various possible applications for its technology, including distinguishing humans from artificial intelligence, enabling “global democratic processes,” and showing a “potential path” to universal basic income. However, these outcomes are not guaranteed.

Most people interviewed by Reuters at sign-up sites in Britain, India, and Japan last week said they were joining to receive the 25 free Worldcoin tokens the company says verified users can claim. Macieira said that Worldcoin would continue rolling out operations in Europe, Latin America, Africa, and “all the parts of the world that will accept us.”

Companies could pay Worldcoin to use its digital identity system. For example, if a coffee shop wants to give everyone one free coffee, then Worldcoin’s technology could be used to ensure that people do not claim more than one coffee without the shop needing to gather personal data.

What's next

It remains to be seen how Worldcoin’s technology will be received by governments and businesses. The potential benefits are clear: a secure way to verify identity without the need for personal data. However, there are also concerns about privacy and security that must be addressed.

Worldcoin’s plans to expand globally and offer its iris-scanning and identity-verification technology to other organizations is an exciting development in the world of cryptocurrency and digital identity. While there are concerns about privacy and security that must be addressed, the potential benefits of this technology are clear. It will be interesting to see how governments and businesses respond to this new offering from Worldcoin.


Generative AI Threatens Digital Identity Verification, Says Former CTO of Aadhaar

 

Srikanth Nadhamuni, who held the position of chief technology officer (CTO) of Aadhaar between 2009 and 2012, believes that the rapid improvement we are seeing in the field of artificial intelligence, particularly generative AI, poses a clear and present danger to digital identity verification. He co-founded the Bangalore-based incubator Khosla Labs with Vinod Khosla and serves as its CEO.

The trust mechanisms that have been meticulously built into identification systems over time are seriously threatened by deepfakes, synthetic media that convincingly mimic real human speech, behaviour, and appearance. In a LinkedIn post titled "The Future of Digital Identity Verification: In the era of AI Deep Fakes," he wrote that in the increasingly likely scenario where AI-generated impersonations cause chaos and erode trust in the system, a "proof-of-personhood" verification capability, probably based on a person's biometrics, becomes paramount.

Disinformation is now taking on a whole new dimension thanks to generative AI. Text-to-image AI models like DALL-E2, Midjourney, and Stable Diffusion can produce incredibly realistic visuals that are simple to mistake for the real thing. The ability to create misleading visual information has been made possible by this technology, further obscuring the distinction between truth and fiction.

Even though the Indian government has stated that it will not regulate artificial intelligence (AI), it has revealed that the impending Digital India Act (DIA) will include provisions to address disinformation produced by AI.

“We are not going to regulate AI but we will create guardrails. There will be no separate legislation but a part of DIA will address threats related to high-risk AI,” Union Minister Rajeev Chandrasekhar said. 

The draft hasn't been released yet, so it's unclear how it will address the challenge that generative AI poses to digital identity verification. 

How to identify deep fake images

According to Sandy Fliderman, president, CTO, and founder of industry fintech, it used to be simpler to spot fakes in recordings because of changes in skin tone, odd blinking patterns, or jerky motions. But since the technology has advanced so much, many of the traditional "tells" are no longer reliable. Today, red flags are more likely to show up as irregularities in lighting and shading, which deepfake technology is still working to perfect.

Humans can look for a number of indicators to distinguish authentic from fraudulent images, such as the following:

  • Body components and the skin have irregularities.
  • Eyes have a shadowy area. 
  • Unorthodox blinking patterns.
  • Spectacles with an unusual glare. 
  • Mouth gestures that are not realistic. 
  • Lip colour is unnaturally different from the face. 

Onfido Acquires Airside to Strengthen Digital ID Verification


Tech company, Onfido, is moving a step closer to developing the digital passport of the future, through its acquisition of Airside Mobile, a US-based digital identity solutions provider primarily aimed at the travel industry.

Over 10 million travelers have used Airside's shareable digital identification technology, which is trusted by a number of U.S. government organizations, including the Transportation Security Administration (TSA). Major airlines are among its clients, and apps such as Airside Digital Identity let travelers move quickly through US airports by presenting official documents such as government-issued ID and health records.

According to Onfido, which already provides ID verification to a variety of industries, the acquisition “will enable businesses to create a seamless user experience that supports more effective onboarding and expanded customer relationships, while radically reducing fraud and minimizing the liability associated with handling sensitive data.”

This partnership may have wide-ranging effects on the financial services sector because it will enable financial institutions to confirm a customer's ID without requiring them to scan and submit papers each time they sign up. KYC screening has grown to be a significant compliance burden for banks and other financial service providers since Russia's invasion of Ukraine triggered a series of international sanctions. Other uses include e-commerce and internet platforms in addition to travel and finances.

Onfido Will Apply Airside’s ‘proven approach’ in Travel.

“Until now identity verification has digitised physical processes, but those processes haven’t changed[…]We’re still handing our identity over to be checked every time we access a new service. This partnership will change that, giving users control and organisations greater confidence in who their customers are. We plan to take Airside’s proven approach to the airline industry and apply it to other sectors requiring high customer assurance, such as financial services – providing a single, trusted view of each customer’s identity,” says Mike Tuchen, CEO of Onfido.

Meanwhile, Adam Tsao, Founder at Airside says, “By teaming up with Onfido and layering in their trusted verification technology with Airside’s Digital ID, we can take identity to the next level with the same ease and trust we have with online payments.” Apparently, Tsao is meant to stay with the company and supervise the product from within Onfido.

With the acquisition of Airside by Onfido, the company may move a step closer to digital IDs, which would be used anywhere once verified. Consumers will be able to utilize a single, integrated digital ID to authenticate their identity wherever they need to. Similar to how credit cards and mobile payments have lessened our daily reliance on cash, it may render traditional ID cards obsolete. 

Consider entering a local bar and presenting your digital ID, which is kept in your digital wallet and also grants you access to internet services, as identification. Additionally, there would be no need to continuously scan or upload documents because your digital ID would be available for use at several points of service and would remain in your wallet.