Security

IDEE’s authentication, authorization, and identification solutions run on a single technology built on the principles of public key cryptography. This means that each user has her own private key, generated on the user’s device using a hardware random number generator. The user can utilize the private key for signing and decryption, but she does not know the private key and cannot copy, edit, or download it.

Micro-Services architecture

IDEE security services are built on a robust, state-of-the-art security architecture based on proven technology. IDEE employs a microservices architecture to ensure a resilient system that is ready to scale to demand in real time.

End-to-end encryption

In addition, communication between IDEE devices and the IAS (or third-party services) is protected with end-to-end encryption to prevent the capture of authentication data in transit and to preserve its integrity.

Prevent phishing attacks

With IDEE there’s no password and no one-time password (OTP) to phish. IDEE ensures that every access request is authentic and that the identity (request origin) of the service provider can be independently verified and trusted by the user’s authenticator before a login request is approved.

Multi-Factor authentication

IDEE uses the user’s device (i.e. smartphone or PC) as a multi-factor authentication (“MFA”) cryptographic device: an authenticator that requires a second factor before the first authentication factor becomes usable. The first factor is only activated when the user provides the correct second factor, such as Face ID. In cases where user data is needed to log in, for example to a PC, the authentication data is secured with end-to-end encryption between the user device (authenticator) and the consuming device (e.g. PC, web service). Not even IDEE can access the user’s authentication data.

Every IDEE authentication is unique and based on two or more authentication factors, such as possession, inherence and knowledge. The authentication data (response) is produced on the fly for each transaction and as such cannot be re-used. Additional security is achieved by ensuring that authentication data cannot be reproduced from knowledge of previous authentication data. Therefore, IDEE authentication meets the regulatory technical standards set by the European Banking Authority (EBA) for strong customer authentication.

Based on Public Key Cryptography

IDEE leverages public key cryptography (PKC) to assure user/device authenticity, integrity and identity, coupled with non-repudiation. This ensures that only IDEE-authorized devices can communicate with IDEE Authentication Services (IAS), via a secure authenticated channel established with transport layer security (TLS) mutual authentication.

A challenge-response authentication protocol based on PKC is used to eliminate the security issues associated with symmetric cryptography, where the secret keys must be shared with the identity provider so that it can validate a transaction. With PKC, IAS doesn’t share or have access to any user authentication credentials. All user authentication attributes (such as private signing keys) are generated and stored securely in the secure enclave (or secure element) of the user’s device. These keys are not accessible to IAS, not even during recovery. In the event of a breach, no user data is at risk. Therefore, IDEE is verifier compromise resistant as defined in the NIST SP 800-63B digital identity guidelines.

Stop Man-in-the-middle attacks

IDEE employs a verifier-impersonation-resistant authentication protocol (client-authenticated TLS), as defined by NIST, to bind IDEE’s authentication output to the specific transaction and session being authenticated. This prevents replay and man-in-the-middle (MiTM) attacks.
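The two sections above describe a public-key challenge-response in which the verifier holds only public keys and the signed response is bound to one session and one transaction. The following Go program is an added illustration of that pattern; it is not IDEE’s code and does not describe how IAS is implemented. Everything in it is assumed for the example: Ed25519 signatures, a hash of nonce, session ID and transaction text as the signed message, and the `Verifier`/`Authenticator` names. It shows the property that matters to a defender: a leaked verifier database contains nothing that signs, a consumed challenge cannot be replayed, and a response signed for one transaction is rejected for another.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Verifier is the hypothetical server side. It stores only public keys, so a
// breach of this store yields nothing an attacker can authenticate with.
type Verifier struct {
	pubKeys map[string]ed25519.PublicKey // device ID -> enrolled public key
	pending map[string][]byte            // session ID -> outstanding nonce (single use)
}

// Authenticator is the hypothetical user device. The private key never leaves
// it; the only operation it exposes is Respond (i.e. sign).
type Authenticator struct {
	deviceID string
	priv     ed25519.PrivateKey
}

func NewVerifier() *Verifier {
	return &Verifier{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll generates the key pair on the device and registers only the public half.
func (v *Verifier) Enroll(deviceID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	v.pubKeys[deviceID] = pub
	return &Authenticator{deviceID: deviceID, priv: priv}, nil
}

// IssueChallenge creates a fresh 256-bit random nonce for one login session.
// A production verifier would also expire these after a short time.
func (v *Verifier) IssueChallenge(sessionID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[sessionID] = nonce
	return nonce, nil
}

// bindingMessage is what actually gets signed: the nonce plus the session and
// transaction identifiers (illustrative wire format), so the signature is
// meaningless in any other session or for any other transaction.
func bindingMessage(nonce []byte, sessionID, txn string) []byte {
	h := sha256.New()
	h.Write([]byte("challenge-response-example-v1|"))
	h.Write(nonce)
	h.Write([]byte("|" + sessionID + "|" + txn))
	return h.Sum(nil)
}

// Respond signs the bound challenge on the device.
func (a *Authenticator) Respond(nonce []byte, sessionID, txn string) []byte {
	return ed25519.Sign(a.priv, bindingMessage(nonce, sessionID, txn))
}

// Verify checks the response against the enrolled public key and the nonce it
// issued for that session, consuming the nonce so the response cannot be replayed.
func (v *Verifier) Verify(deviceID, sessionID, txn string, sig []byte) error {
	nonce, ok := v.pending[sessionID]
	if !ok {
		return errors.New("no outstanding challenge for session")
	}
	delete(v.pending, sessionID) // single use, whether or not the check passes
	pub, ok := v.pubKeys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	if !ed25519.Verify(pub, bindingMessage(nonce, sessionID, txn), sig) {
		return errors.New("signature does not match challenge, session and transaction")
	}
	return nil
}

// DemoChallengeResponse runs one legitimate login, then a replay of the same
// response, then a response signed for one transaction but presented for
// another, and returns the three outcomes.
func DemoChallengeResponse() (happy, replay, swapped error) {
	v := NewVerifier()
	dev, err := v.Enroll("device-1")
	if err != nil {
		return err, err, err
	}
	nonce, _ := v.IssueChallenge("sess-A")
	sig := dev.Respond(nonce, "sess-A", "login:alice")
	happy = v.Verify("device-1", "sess-A", "login:alice", sig)
	replay = v.Verify("device-1", "sess-A", "login:alice", sig) // nonce already consumed
	nonce2, _ := v.IssueChallenge("sess-B")
	sig2 := dev.Respond(nonce2, "sess-B", "transfer:10 EUR")
	swapped = v.Verify("device-1", "sess-B", "transfer:9000 EUR", sig2) // different txn
	return happy, replay, swapped
}

func main() {
	happy, replay, swapped := DemoChallengeResponse()
	fmt.Println("legitimate:", happy, "| replay:", replay, "| swapped txn:", swapped)
}
```

The verifier's only per-user secret-bearing state is the public key, which is the concrete meaning of "verifier compromise resistant" in the text; binding the signed message to the session and transaction is what turns a bare signature into something a relay or replay cannot reuse.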

Zero-Knowledge

IDEE’s zero-knowledge security concept ensures that users who choose to back up their data can do so with high confidence: their backed-up data is protected with military-grade encryption and only the user can recover it. In the event that the user’s IDEE-enabled device is damaged or lost, IDEE provides a self-service for the user to deactivate/destroy their data on the damaged device.

NIST Compliance

IDEE’s security complies 100% with the guidelines defined in the NIST SP 800-63B digital identity guidelines. Here’s a full comparison according to NIST of IDEE vs. other MFA solutions in the market.

Privacy

IDEE products are built from scratch with privacy by design to ensure a true, private and secure identity ecosystem. Our zero-knowledge architecture means that we know nothing about the users and their information, and we never store any personal information on our servers. IDEE’s products are 100% compliant with regulations such as GDPR and PSD2.

Privacy by design

IDEE services are built with privacy by design. In line with IDEE’s zero-knowledge security architecture, this achieves enhanced protection of enterprise and individual assets. IDEE is therefore 100% compliant with current regulations such as PSD2 and GDPR.

Data minimization and anonymity

Data minimization and anonymity are achieved by default. IDEE doesn’t store any personally identifiable information (PII). Only the information required to establish the real user identity (such as an email address) is requested from the user, when the user is enrolled on IDEE for the first time. The real user data is never stored or used for any other purpose by IDEE.

User-centric design

If the user chooses to back up their data with IDEE, the backup is encrypted on the user’s device with a key that is under the sole control of the user, and there’s no shortcut to recovering the backup without the user providing the backup key encryption key (KEK). The recovery operation is performed on the user-controlled device – this means that IDEE doesn’t have any knowledge of either the user data or the recovery key.
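As an added example of the backup design described above (not IDEE’s code, and not a statement of how its backup format works), the Go program below encrypts a backup on the device under a random data key, wraps that data key with a user-held KEK, and hands only the two ciphertexts to the service. The cipher choice (AES-256-GCM), the associated-data labels and the `Backup` struct are assumptions of the example. Recovery succeeds only with the KEK; a party holding the stored backup and any other key gets an authentication failure rather than plaintext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Backup is everything the service stores. Neither field is usable without
// the KEK, which never leaves the user's control.
type Backup struct {
	WrappedDEK []byte // random data encryption key, encrypted under the user's KEK
	Ciphertext []byte // user data, encrypted under the DEK
}

// seal is AES-256-GCM with a fresh random nonce prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// open reverses seal; GCM authentication fails for a wrong key or tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewKEK generates the 256-bit key encryption key that stays with the user.
func NewKEK() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// CreateBackup runs on the user's device: a random DEK encrypts the data, the
// KEK wraps the DEK, and only the resulting ciphertexts leave the device.
func CreateBackup(kek, userData []byte) (*Backup, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, userData, []byte("backup-data"))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte("wrapped-dek"))
	if err != nil {
		return nil, err
	}
	return &Backup{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Recover runs on a user-controlled device: unwrap the DEK with the KEK, then
// decrypt the data. Without the correct KEK the first step fails.
func Recover(kek []byte, b *Backup) ([]byte, error) {
	dek, err := open(kek, b.WrappedDEK, []byte("wrapped-dek"))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap data key: %w", err)
	}
	return open(dek, b.Ciphertext, []byte("backup-data"))
}

// DemoBackup backs up a constructed record, recovers it with the right KEK,
// and shows that the stored backup plus any other key recovers nothing.
func DemoBackup() (recovered []byte, wrongKeyErr error, err error) {
	kek, err := NewKEK()
	if err != nil {
		return nil, nil, err
	}
	b, err := CreateBackup(kek, []byte("constructed sample: enrolment record for alice"))
	if err != nil {
		return nil, nil, err
	}
	recovered, err = Recover(kek, b)
	if err != nil {
		return nil, nil, err
	}
	otherKey, _ := NewKEK() // the best a party without the KEK can do
	_, wrongKeyErr = Recover(otherKey, b)
	return recovered, wrongKeyErr, nil
}

func main() {
	rec, wrongErr, err := DemoBackup()
	fmt.Printf("recovered=%q wrongKey=%v err=%v\n", rec, wrongErr, err)
}
```

Separating the DEK from the KEK is what allows the user to rotate or destroy the wrapping key without re-encrypting the whole backup, and it is why the service holding the `Backup` learns nothing about either the data or the recovery key.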

Confidentiality

IDEE ensures the non-disclosure not only of the authentication factors but also of any other user PII, through client-side end-to-end encryption. The usual risk of user key and personal data exposure that is endemic to most identity providers’ servers is eliminated completely.