A guide to access control and identity management in a digital world
Access & Identity 2025
CONTENTS
From the editor’s desk
Identity & Authentication
• Identity and authentication
• Federated identity orchestration
• Managing identities for 20 years
• iiDENTIFii publishes landmark Identity Index in South Africa
Biometrics
• Fingerprints are so 1999
Access selection guide
Biometrics selection guide
Access Control
• Video entry systems basics
Mobile Credentials
• Mobile credentials taking off
• Mobile credentials broaden their scope
Company Insights
• One-stop SMB solutions
• Four technologies of the future
• Integration and IoT made easy
• What if security is just the beginning, not the end?
• A promising year for Dahua access control solutions
Directory of access and identity suppliers
On the cover: AI-powered facial authentication for access control transforms security by providing a seamless, efficient, and highly secure way to protect sensitive spaces. Imagine walking into a building or office and gaining access with just a glance – no more fumbling for badges or remembering PIN codes. Suprema leads in AI.
SMART Access & Identity 2025
www.securitysa.com
Published by: A division of Technews Publishing (Pty) Ltd, Wild Fig Business Park, Block B, Unit 21, 1494 Cranberry Street, Honeydew. Tel: +27 11 543 5800. ISSN 1562-952X
Editor: Andrew Seldon: andrew@technews.co.za
Advertising sales: Heidi Hargreaves: heidi@technews.co.za; Sharon Chauke: sharon.chauke@technews.co.za
Subscription services: For address changes, orders, renewal status or missing issues, e-mail: subs@technews.co.za. Subscribe online: www.technews.co.za
Design and layout: Technews Production Department
Letters to the editor: Letters to the Editor should be addressed to Andrew Seldon at andrew@technews.co.za. Sending material to this publication will be considered automatic permission to use in full or in part in our Letters column. Be sure to include your name, e-mail address, city and postal code. We reserve the right to edit all letters.
All rights reserved. No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of Technews Publishing (Pty) Ltd, Reg No. 2005/034598/07
Disclaimer: While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements, inserts and company contact details are printed as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.
FROM THE EDITOR’S DESK
Welcome to SMART Security Solutions’ first print publication of the year, the SMART Access & Identity Handbook 2025.
This year’s print issue is smaller than usual, so we include some articles in the magazine, while many more will be online at www.securitysa.com. All the articles will be sent out in our weekly news briefs every Tuesday, so you can catch them there. (If you don’t receive the news brief, feel free to go to https://tinyurl.com/yj542v7y or drop me an email.)
This issue is all about identity, specifically identity authentication in our ever-changing world. We haven’t forgotten about the traditional access control market. However, the issue of being able to identify people accurately is more important than ever. Advanced AI systems (and even some available commercially) can make amazing fakes of real people or, alternatively, convince other people and systems that totally fake identities are real.
While the fakes are causing problems, more people want to avoid the queues and do everything online – as do businesses as they can reduce the number of branches and staff they must have available. Now that our mobile devices are glued to us most of the time, it seems reasonable that identities can be kept safe in our smartphones and that, perhaps one day, we will have control over our own data and what information is shared with others.
Of course, that is not possible right now as billions of (choose your currency) are made each year by exploiting and manipulating personal information. And we give it away without a second thought. People generally choose insecurity (knowingly or not) if it’s convenient to be insecure. If adding to the profile large corporations have of us, without letting us see what they have collected, allows us to see the viral video or cute picture on social media. And we haven’t even started considering important things like banking credentials.
Apathy is a cybercriminal
Companies are much the same, although we’re told this is changing.
It’s only when something happens that most take cybersecurity and protecting clients’ personal information a little more seriously. Larger corporations are inclined to make an effort, but they won’t kill themselves as the repercussions are minimal, despite the much-hyped threat of fines by the Information Regulator. We have yet to see a company significantly harmed by a fine or the so-called ‘reputational damage’ marketers talk so much about. Hence, the concept of Self-Sovereign Identity, where you look after your own sensitive data, is growing. It’s a great idea, but most people couldn’t be bothered, and we have yet to see global corporations letting go of their very profitable, albeit unethical (in my opinion), profiling business. Perhaps I am too cynical. Drop me an email and let me know your thoughts. In the meantime, I hope you enjoy the SMART Access & Identity Handbook 2025.
IDENTITY & AUTHENTICATION
Identity and authentication
By Andrew Seldon
Identity authentication is a crucial aspect of both physical and cybersecurity. In this feature, SMART Security Solutions asks three companies for insight into the latest developments.
Identity management and authentication have always played a crucial role in security, ensuring that only authorised individuals can enter a building or access digital assets. Adding the myriad cloud computing and general internet services available to businesses and individuals today only serves to exacerbate the challenge of knowing who you are dealing with and transacting with.
The importance of identity management (IDM) and identity authentication (IDA) has further escalated due to the rise in crime in both physical and digital realms, as well as the increasing use of artificial intelligence (AI) to bypass the security measures that companies implement.
IDA is not only a business issue, as individuals are victims of fraud and various crimes when they, or the companies they trust, lose sensitive information. The POPIA Act in South Africa was developed to safeguard sensitive information. Still, the Information Regulator only gets involved once the damage is done, and no matter how steep the sanctions may be, the information that should have been protected is out in the wild and accounts and identities are compromised.
Everyone has been and is subjected to some form of identity authentication, especially those who bank online or set up passwords for other online or mobile services. Put simply, IDA is similar to a digital handshake that confirms you are who you say you are – and this is where the risk comes into play.
The most common IDA mechanism is the much-abused password. Some (old) measures to improve security involved asking preset questions that only the real user would supposedly know (your dog’s name, for example). Naturally, the additional security provided by a set of questions is, to be polite, questionable.
More recently, biometrics became popular as they combine convenience with additional security, especially when transacting on mobile devices. But there are still security and user issues with biometrics, which led to the introduction of two-factor authentication (2FA) and multi-factor authentication (MFA), combining something you know (like a password) with something you have (like a phone) and/or something you are (biometrics).
In this year’s handbook, SMART Security Solutions asked three companies involved in the identity market to expand on the progress and challenges of IDM and IDA, and how they are addressing the market. To avoid including all the responses in an excessively long and complex article, we split the answers into separate articles which follow this introduction, one of which will be online due to space restrictions.
The FIDO Alliance
This feature refers to the FIDO Alliance. We include this brief explanation for anyone unfamiliar with the organisation’s work. The FIDO Alliance is an open industry association focused on reducing the world’s reliance on passwords. To accomplish this, the FIDO Alliance promotes developing, using, and complying with authentication and device attestation standards.
The FIDO Alliance aims to change the nature of authentication with open standards for phishing-resistant sign-ins with passkeys that are more secure than passwords and SMS OTPs, simpler for consumers and employees to use, and easier for service providers to deploy and manage. The alliance also provides standards for secure device onboarding to ensure the security and efficiency of connected devices operating in cloud and IoT environments.
The FIDO Alliance has currently published three sets of user authentication specifications for simpler, stronger authentication: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and FIDO2, which includes the W3C’s Web Authentication (WebAuthn) specification and FIDO Client to Authenticator Protocol (CTAP). The alliance also has a specification for secure onboarding of edge and IoT devices (FDO). The specifications are open and free for global use. Find out more about the FIDO Alliance at https://fidoalliance.org/
Federated identity orchestration
By Andrew Seldon
Jason Shedden, Chief Operating Officer of Contactable, offers insights into today’s identity authentication realities.
In our first article of the Smart Access & Identity Handbook, we focus on identity authentication. Jason Shedden, chief operating officer at Contactable, offers insights into identity authentication’s realities.
Contactable offers digital identity solutions that eliminate the need for traditional, paper-based identification methods. It designed a platform to create a federated identity service where an individual’s identity is managed and controlled by securely maintaining a database of different aspects of their identity, and sharing this with known and authorised businesses. Its Integrated Identity Platform (IIP) streamlines the identity verification process, using digital identity, KYC (Know Your Customer), biometrics, and seamless data integration. (More about the company can be found at www.securitysa.com/15287r.)
What is happening in South African businesses in terms of identity authentication?
Shedden: Identity authentication is becoming a real requirement in South Africa, especially as the regulator steps up to the batting plate in its battle against the Sovereign Risk Status in South Africa, which has seen a material increase in the role of strong identity authentication in a move to combat money laundering in South Africa.
An increase in biometric verification across all vertical industries (banking, gambling, medical, telecommunications, insurance, etc.) is rising, and a drive to truly know your customer is underway. Regulatory pressure in the form of fines and harsh penalties is becoming a reality, and ownership of the customer authentication process is consequently moving ‘closer to home’ as accountable institutions are impacted. Simple trends like companies with distributed broker networks no longer rely on third-party distributors to perform the overall IDA process independently.
In addition, telcos are being forced to introduce biometric data points into their authentication and re-authentication processes to combat the increase in SIM swap fraud resulting from a material rise in digital mobile wallets on offer through telecommunications companies. Overall, the heat is being turned up, and IDA resides at the heart of the industries’ resolve.
Companies also rely more on remote transactions to deliver services, as extending a physical network, via a branch or distributed agents, is expensive. The challenge remains, however, that remote access transactions are the most vulnerable to exploitation as they are, by definition, remote and outside of a trusted network. For this reason, technology has had to step in and step up to create a trust fabric in which to transact in this regard. Understanding exactly who resides at the end of a digital device is key, and simple identity number verification by the Department of Home Affairs is no longer a viable solution on its own.
Digital identities are very real, not only in South Africa, but globally. There are multiple use cases where digital identities are being used daily to conduct services like opening digital mobile banking wallets, RICA of SIM cards onto networks with strong KYC authentication, and authentication of users for online gaming (especially at the payout stage), amongst others. In addition, Web 3 brings about new possibilities with defederated ledger technology to introduce more robust digital transacting in the future through digital financial identities (DFIDs) and Sovereign State Identities (SSI).
[A defederated ledger is a type of distributed ledger technology (DLT) that combines elements of centralised and decentralised systems. In general, a defederated ledger aims to use the advantages of decentralisation, while maintaining a level of control and efficiency. – Ed.]
With standards such as FIDO, are we moving away from PINs and passwords?
Shedden: There is certainly a drive to move away from the traditional authentication methods; however, there is a notable battle between moving forward with technology and legacy systems that prevent this from happening seamlessly. OTPs, passwords, and PINs remain at the core of banking systems, mobile platforms, etc., and will continue to do so as long as the market is not fully educated on the alternatives.
If one considers how tools in Web 3 are assisting in future-based authentication (blockchain and digital wallets), then one must also consider that understanding how such tools work requires significant consumer education. Only a handful of the total digital population is familiar with the principles that Web 3 imparts. Until such philosophy is second nature to many, it will remain in the starting blocks despite its potential. One cannot imagine that PIN and password protocols will be redundant soon.
[According to Google Gemini, Web3 is a vision for a new iteration of the internet, characterised by decentralisation, blockchain technologies, and token-based economics. It aims to shift control and ownership away from large corporations to individual users. – Ed.]
What about ‘non-password’ options?
Shedden: The philosophy of consumer education remains, as the Authenticator requires a degree of sophistication that the average consumer is not able or willing to engage. One must consider the entire digital audience when thinking about the success rate of new technologies. In South Africa alone, if you consider that most digital mobile consumers are in the mid to lower LSM market segments, then something like Authenticator has little place in this world. This is why legacy technologies like OTPs, PINs and passwords will remain into the foreseeable future.
How dangerous are passwords and PINs for IDA?
Shedden: It is hard to make a call on the dangers of PINs and passwords for IDA, specifically because context matters in this regard.
How PINs and passwords are implemented is often where the danger is mitigated or not. For example, two-factor authentication is coupled with PIN or password mechanisms to enhance their efficacy, or CAPTCHAs are used to prevent robotic attacks where password interfaces are required. Without such mitigation standards, pure PIN and password standards are not secure given the processing power available today. In this light, there is a definite move away from them as primary tools, and the inclusion of biometric data with strong NIST (National Institute of Standards and Technology) rated liveness algorithms is taking their place.
One must always caution, however, to not spend significant time and effort to create a secure identity using IDA methodologies only to compromise the identity post creation by allowing PIN and password protocols as a means to modify or replace existing identity data. This is why biometric data is critical as the primary re-authentication protocol, and PIN and password should be part of a second-factor authentication only.
Is Identity as a service (IDaaS) taking hold in SA?
Shedden: There is no doubt that IDaaS is taking hold in South Africa. In the context of IDA, there are new synonyms to describe IDaaS, such as Integrated Identity Platforms (IIPs) or Federated Identity Orchestration. At the heart of these services, regardless of what they are called, lies the ability to validate and authenticate a person’s identity using a digital channel only, and the growth rate of such services is material across almost all vertical sectors of the South African industry.
The best definition of trust is the extent to which organisations adopt and deploy IDaaS services; in this instance, many large corporations are leading the way. The role of IDaaS services is being fulfilled in collaboration with companies’ compliance divisions due to the regulatory pressures and rules imposed on them. It is no longer a purely operational process as it has to speak to a company’s risk management and compliance processes, which in turn speaks to the trust element of IDaaS as it addresses legal compliance.
Are devices on a network subject to IDA?
Shedden: In our experience, you cannot separate IoT from the requirements for IDA. We have seen some movement in including IDA for digital devices, but we have not yet seen the uptake in this regard.
The philosophy, however, remains universally true in that a device entering any trust framework should be fully authenticated, just like a human. It contains the same (if not more) potential to do harm inside of a trusted ecosystem.
Some South African companies have made significant inroads into IoT and device authentication; however, the first challenge has been to provide a universal language that can connect all devices on the edge into a standardised integration framework. A good comparison of the problem is finding a universal translator for all spoken languages in the world so that one can communicate in a common tongue. Experience has shown that the focus in this regard has preceded IDA authentication of devices as a priority; however, now that certain service providers have developed reputable gateways that can translate all devices into a common tongue, there is no doubt that IDA is part of the overall road map for IoT going forward.
How important is cybersecurity to people setting up or using IDA?
Shedden: Any institution that does not consider cybersecurity, identity management, IT security or any component of it as a singular concept has made its first material error. The principle of ‘absolute security’ and how data and identity management are handled across all facets of processing is fundamental. Frameworks like ISO 27001, as a minimum standard, are fast becoming a mandatory requirement for any provider looking to offer IDaaS services to reputable institutions.
There is a palpable thought movement driving an awareness regarding data protection as a collective responsibility in which all players in a value chain have a part to contribute towards protecting a consumer’s identity end to end.
The proverbial ‘weakest links’ are being held accountable through things like ISO 27001 policies that enforce data processing standards and data processing responsibilities onto contracting parties to ensure a security standard is maintained throughout the value chain. While this is not easy to do, it has led to companies only doing business with companies with a good track record and well-established operations, including aspects like cyber security solutions, ISO 27001, governance, client list etc.
As to whether companies and users worry about cyber breaches when it comes to identity management, as opposed to focusing on making it as seamless and easy as possible, is a relevant question because, sadly, evidence of ‘quantity over quality’ still dominates a lot of corporate behaviour where revenue is the primary driver of success. The philosophy of closing out a sale is often done ‘at all costs’, and the consequences of such action are dealt with as a reactive remedial event for many companies. It is less than ideal, and the role of the regulator, and to a greater extent the IDaaS service providers in the respective industries, is critical to driving a change in behaviour to ‘quality over quantity’.
Ensuring efficient and streamlined IDaaS technology that contributes positively to user experience is fundamental to driving change. Where IDaaS companies can contribute materially is to ‘force’ a minimum standard of IDA rather than offer their services as a mechanism to solve the requirements of IDA where the absolute minimum standard has been applied. IDaaS players have a great responsibility to educate their clients about the consequences of ‘quantity over quality’ in today’s changing landscape.
Where are SA companies in the move to Zero Trust?
Shedden: I am not qualified or experienced enough to talk on behalf of the industry as a whole; however, based on my experience, I can contribute that the difficulty of implementing Zero Trust resides principally in the granularity required to monitor or control micro aspects of a greater security system. This is all fine and well if you have implemented the latest cloud infrastructure and your company is state of the art in terms of its technology standards, because this is part of the offering at the time of implementation.
Where legacy systems exist, however, it becomes substantially more difficult to implement Zero Trust as such systems were never designed with Zero Trust in mind. Legacy systems hold true for many large corporates out there, especially where stability and consistency of performance is critical (banking systems), resulting in change only taking place over extended periods. Implementing the required checks and balances into legacy frameworks is a significant development investment in both time and money, and often the benefits of Zero Trust frameworks are not well understood or palpable enough for decision-makers to endorse such efforts as a core priority.
What role does your company play in the IDA market, how do you approach IDA, and what products/solutions/services do you offer?
Shedden: Contactable is proudly South African and has been independently listed as the leading provider of integrated identity platform services in Africa. It provides IDA services for many large corporations in South Africa that transcend many industry verticals, including telecommunications, retail services, insurance, banking, motor, gambling, medical, and financial services. The focus is on providing a strongly authenticated digital identity by layering up and assessing various identity attributes in a collective digital journey. This allows for the highest probable outcome for accurate IDA assessment and the establishment of trust.
For more information, contact Contactable, +27 10 100 3647, info@staycontactable.com, www.contactable.co.za
Managing identities for 20 years
By Andrew Seldon
In this article on identity authentication, Marius Coetzee, MD of Ideco Biometrics, offers insights into identity management and identity authentication.
Ideco offers biometric identity management solutions and services, boasting over 20 years of experience in this field (long-time readers may recall Ideco’s leading role in bringing biometrics to South Africa). Its services include biometric technology, systems design and engineering, change management, operational support, consulting and training services. The company includes a number of its own locally developed products in its portfolio of numerous best-of-breed international products.
What is happening in South African businesses in terms of identity authentication?
Coetzee: South African companies increasingly take identity authentication seriously as remote access and online transactions become the norm. The COVID-19 pandemic accelerated the adoption of digital tools and remote working, raising the need for secure identity management systems. The requirement for remote authentication has been increasing since COVID-19 with the introduction of work-from-home for many employees. Companies are now more aware of the risks associated with unauthorised access to sensitive data, and many are investing in advanced IDA technologies to mitigate these risks.
Technologies like biometric authentication (fingerprint or facial recognition) are becoming more widespread, particularly in the financial sector, where security is a top priority. Additionally, with the rise of mobile and digital payments, companies are exploring solutions like two-factor authentication (2FA), digital ID verification, and blockchain-based identity management to provide secure online transactions. While larger businesses generally lead the way in IDA adoption, many smaller businesses are still in the early stages of integrating these technologies.
Many companies are rolling out MFA to strengthen security, requiring users to provide multiple forms of authentication (e.g., passwords combined with biometrics, one-time PINs, or authentication apps).
• Biometrics: With the rise of smartphones, biometric authentication (fingerprint, facial recognition, and even voice recognition) is becoming more common in South African businesses, especially in mobile banking and secure access to enterprise systems.
• Single Sign-On (SSO): For ease of use, South African businesses are increasingly adopting Single Sign-On solutions to reduce password fatigue and streamline user access to multiple applications, while ensuring robust security.
Other technology advances include:
• AI and machine learning: Artificial intelligence and machine learning are playing a growing role in enhancing identity authentication systems. These technologies are used to detect unusual login behaviours and identify potentially fraudulent activity in real time.
• Blockchain: Some businesses are exploring blockchain technology to create more secure and decentralised methods of identity verification, although this is still in the early stages.
• Cloud-based solutions: Many companies in South Africa are moving their identity authentication systems to the cloud to improve scalability, flexibility, and reduce the cost of maintaining on-premises infrastructure.
While there is a significant investment in IDA, several challenges remain:
• Cost and complexity: Small- to mid-sized businesses may find the cost of implementing advanced IDA solutions prohibitive. This can result in slower adoption compared to larger enterprises.
• Lack of awareness: While larger businesses are generally aware of the importance of IDA, some smaller companies and startups may not prioritise identity security due to budget constraints or lack of understanding of the risks involved.
• Data privacy concerns: South African businesses are also navigating data privacy laws, including the Protection of Personal Information Act (POPIA), which requires companies to handle identity data responsibly. There is an increasing focus on balancing secure identity authentication with compliance with privacy regulations.
However, while digital identities are increasingly trusted and used for secure transactions, challenges like data privacy concerns, digital literacy, and equitable access to technology still exist. These barriers mean that mobile identities may not yet be universally adopted across all population segments.
With standards such as FIDO, are we moving away from PINs and passwords?
Coetzee: While Microsoft and other tech giants have embraced more secure authentication methods (such as Authenticator), many websites and services still rely on traditional methods like passwords and SMS-based one-time passwords (OTPs). There are a few reasons why this is still the case:
• User convenience and familiarity: Many users are still accustomed to using passwords for authentication, and transitioning to newer methods (e.g., biometrics, hardware tokens) requires changes to their habits and devices.
• Infrastructure and scalability: Many organisations, especially smaller ones or those without significant IT resources, may not have the infrastructure or budget to implement more advanced authentication methods. SMS OTPs, despite their security shortcomings, are easy to implement and widely accepted.
• Resistance to change: Some companies may not see the immediate benefit or necessity of shifting away from passwords, especially if their existing authentication system is already ‘good enough’ in their view. Implementing passwordless or biometric authentication requires re-engineering login systems, which may be viewed as an unnecessary investment.
• Security issues with SMS OTPs: While SMS-based OTPs are a step up from relying on passwords alone, they are still vulnerable to SIM-swapping and man-in-the-middle attacks. Despite this, many websites continue to use SMS OTPs due to the ease of implementation and the fact that it is better than not using any additional authentication layer at all.
That said, we can expect a gradual shift as FIDO2 and WebAuthn standards gain traction.
Browser and platform support (e.g., Google Chrome, Mozilla Firefox, Apple Safari) and mobile apps (such as Google Authenticator, Microsoft Authenticator, and Apple Face ID/Touch ID) are likely to make these passwordless solutions more common across websites, and gradually reduce reliance on SMS OTPs and passwords.

Passwords and PINs can be seen as keys to unlock a safe. The same is true for any other method that is followed, be it biometrics or key generators. Theoretically, all of these solutions can be broken into given enough time. It is important to note, however, that some of these keys are more difficult to break than others.

With today’s quantum computing power, breaking passwords has become easier and easier. With this in mind, NIST recently reviewed its recommendations for complex passwords. These recommendations have shifted from a mix of uppercase, lowercase, numbers and special characters to focusing on the length of passwords. It has been found that password complexity introduces more administrative overhead without any advantage in regard to difficulty in breaking the passwords.

Ultimately, complex passwords are better than simple ones, but they are not a long-term solution in a world where cyberthreats are evolving quickly. Passwordless authentication systems (such as FIDO2 and biometric authentication) offer a much stronger and more user-friendly alternative.

Is identity as a service (IDaaS) taking hold in SA, and if so, in which markets?

Coetzee: IDaaS is gradually gaining traction in South Africa, though its adoption is still in the early stages compared to more mature markets like North America or Europe. The global growth rate of IDaaS at around 20% per year reflects the increasing demand for cloud-based identity solutions that offer flexibility, scalability, and robust security.
In South Africa, IDaaS is being adopted primarily in sectors where security is a top priority, such as banking, financial services, retail, healthcare, and government services. These sectors are increasingly adopting cloud-based IAM (identity and access management) solutions to manage digital identities and ensure compliance with local data protection laws, such as POPIA.

Key drivers for IDaaS adoption in SA:

• Cost efficiency: Small to medium-sized businesses (SMBs) and larger enterprises are looking to reduce IT infrastructure costs. IDaaS offers a pay-as-you-go model, which lowers upfront capital expenditures.
• Scalability: With the growth of remote work and digital transformation, businesses need IAM solutions that can scale quickly without investing in on-premises hardware or additional IT resources.
• Security compliance: IDaaS helps organisations meet local and international security standards and regulations.

Trust in IDaaS in South Africa is growing, but it remains a concern for some organisations, particularly regarding the security, privacy, and availability of cloud-based services. The adoption of cloud technologies, in general, has been slower in SA compared to developed markets due to concerns around data sovereignty, privacy, and the local regulatory landscape.

Other factors affecting trust in IDaaS:

• Data sovereignty: South African businesses may have concerns about where their data is stored and whether it complies with local regulations like POPIA. IDaaS providers that offer data storage in local data centres or partner with local providers are seen as more trustworthy.
• Local support: Businesses also appreciate the availability of local support and services, particularly when it comes to training, troubleshooting, and customisation of IAM solutions to suit local needs.

While trust is improving, especially among larger organisations that already rely on cloud services, smaller businesses and certain sectors may still have reservations, particularly in industries where privacy is paramount.

Are devices on a network subject to IDA processes in South Africa, or is this something related to IoT that is not seen as part of the whole identity management process?

Coetzee: Devices on a network can be whitelisted to ensure that only the devices you approve access any assets within your network. It is important to note that not all devices on a network are IoT devices. IoT devices have sensors, actuators, and connectivity capabilities to collect and exchange data with other devices and systems over the internet or other communication networks.

As with normal network devices, if IoT devices are utilised, it is important that they also go through the whitelisting process to be marked as trusted devices before being allowed to provide information to internal systems. While historically, IDA was focused on managing user identities (people), device authentication is gaining importance due to the rise of connected devices across industries.

Cybersecurity is a core component of the above, but how important is it to people setting up or using IDA?

Coetzee: Both cybersecurity and usability are priorities for organisations and users, but the balance between the two can vary depending on the industry, the size of the organisation, and the level of digital maturity.

Cyber breaches are a top concern for organisations that deal with sensitive data. These companies are acutely aware of the risks posed by identity-related attacks, such as phishing, credential stuffing, or identity theft. The need to protect against unauthorised access, data breaches, and compliance violations drives these companies to prioritise robust cybersecurity measures in their IA processes.

[Photo caption: Marius Coetzee]

Zero Trust security models (which assume that both internal and external networks are potentially compromised) are increasingly being implemented by organisations. They focus on ensuring that identity verification processes are more than just ‘seamless’ – they are also secure and continuously monitored.

On the other hand, many organisations, particularly in consumer-facing industries or those with a large number of non-technical users, still prioritise ease of use and a seamless experience. Businesses are aware that over-complicating the authentication process can lead to user frustration, lower adoption rates, and reduced productivity. There is often a trade-off between making the authentication process seamless and ensuring robust security. The balance depends on the industry, risk tolerance, and business priorities.

Many users tend to prioritise convenience over security, especially when managing their personal or workplace credentials. Research has shown that people often reuse passwords across multiple platforms, prefer easy-to-remember credentials, and may opt for less secure authentication methods to make their experience faster and simpler.

Cybersecurity awareness tends to be secondary to ease of use for most individual users. However, there is growing awareness of cybersecurity risks, especially as people experience more frequent phishing attacks or data breaches. This has increased demand for more secure and user-friendly authentication methods, such as biometrics and passwordless solutions.
In a business context, employees might resist complex authentication methods if they add friction to their workflow, which can challenge organisations trying to enforce strong security protocols, while maintaining a smooth user experience.

Are SA companies on the move to Zero Trust?

Coetzee: As data breaches get reported in the media more and more, organisations are realising that having a strong security posture is essential. Principles that tie in closely with Zero Trust, which can also be implemented, are Least Privilege Access and Continuous Verification.

NIST also has a Zero Trust Maturity Model that can help organisations assess their current security posture and help identify possible gaps within it (see https://www.cisa.gov/zero-trust-maturity-model and https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf). With the help of these tools and principles, South African organisations, no matter their size, can start their journey to strengthen their security posture.

In South Africa, Zero Trust adoption is still in the early-to-mid stages for most companies, but interest and investment in Zero Trust strategies are growing. Several factors influence the pace of this adoption, including industry-specific requirements, security challenges, and resource constraints.

Adopting Zero Trust presents unique challenges and opportunities for organisations in industries where operational technology (OT) is critical, such as in manufacturing, energy, or mining. Many, especially in mining or manufacturing, still rely heavily on legacy OT systems, such as SCADA (Supervisory Control and Data Acquisition) or PLC (Programmable Logic Controller) systems. These systems were not designed with modern cybersecurity practices in mind and often lack the capability to support advanced Zero Trust measures, such as continuous monitoring and device authentication.

OT systems often operate in real-time environments where latency is critical.
Implementing Zero Trust, which requires authentication and authorisation checks for every access request, can introduce performance issues that could disrupt operational efficiency or even damage physical assets in sensitive environments.

What role does your company play in the IDA market, how do you approach IDA, and what products/solutions/services do you offer?

Coetzee: Ideco has also been an integral part of managing Identities within the South African context. Not only have we formed part of national solutions to create foundational bases for South African citizens, but we have also assisted in making these bases available commercially to assist organisations with digital identity solutions.

Currently, in the identity authentication market, our company plays a crucial role in providing secure, scalable, and innovative solutions that help organisations protect their digital assets, ensure compliance with industry regulations, and enhance user experience. We specialise in offering next-generation identity and access management solutions that empower organisations to manage, authenticate, and authorise access to critical systems and data, while maintaining a seamless user experience.

Our solutions cater to businesses across various industries, including banking, healthcare, government, telecommunications, and industrial sectors, ensuring they can adopt modern authentication protocols such as biometrics, MFA, passwordless login, and secure sign-on (SSO).

Our IDaaS and eKYC offerings, as well as ecosystems like nuID, give consumers back control of their identities. These solutions enable organisations to bind verified physical identities to digital identities to ensure compliance with national and international frameworks.

We offer a comprehensive suite of Identity Authentication solutions tailored to meet organisations’ diverse needs across various industries. Here are some of the key products and services we offer.

For companies looking to reduce the overhead of managing identity systems in-house, we offer Identity as a Service (IDaaS). This cloud-based service includes:

o Scalable, on-demand IAM capabilities.
o Cloud-based authentication and access control.
o Integration with third-party applications (SaaS, HR platforms, CRM, etc.).

The Ideco eKYC solution is the latest addition to IDECO’s suite of identity management solutions. Designed for seamless customer identification and robust risk management, this innovative service is powered by the Famoco FP200 mobile biometric device. With a comprehensive range of KYC functionalities, Ideco eKYC enables you to verify every aspect of your customers’ identities, safeguard your organisation against identity fraud and money laundering, and ensure full compliance with POPIA and FICA regulations.

In addition to our product offerings, we provide consulting and integration services to help organisations design, implement, and optimise their identity management frameworks. We work closely with clients to assess their unique security needs and deploy tailored solutions for their environments.

For more information, contact Ideco Biometric Security Solutions, +27 12 749 2300, contact@ideco.co.za, www.ideco.co.za
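
The shift in password guidance mentioned in the interview above, from character-class rules to length, can be seen by running the same passwords through both kinds of policy. This is an added example, not part of the original article; the function names are hypothetical, and the 15 and 64 character limits and the small blocklist are assumptions chosen for illustration, since the article gives no numbers.

```python
import math
import re
import unicodedata

# Assumed thresholds for illustration; the article does not state any.
MIN_LENGTH = 15
MAX_LENGTH = 64
# Constructed sample blocklist; a real one holds breached and common passwords.
BLOCKLIST = {"password", "p@ssw0rd1!", "letmein", "qwertyuiopasdfgh"}


def legacy_composition_check(password):
    """Composition-style policy: 8+ characters and all four character classes."""
    rules = [
        (len(password) >= 8, "shorter than 8 characters"),
        (re.search(r"[a-z]", password), "no lowercase letter"),
        (re.search(r"[A-Z]", password), "no uppercase letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9\s]", password), "no special character"),
    ]
    return [reason for ok, reason in rules if not ok]


def length_first_check(password, username=""):
    """Length-focused policy: no composition rules, but reject known-bad values."""
    # Normalise so visually identical Unicode input is counted and compared consistently.
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.casefold() in BLOCKLIST:
        problems.append("on the blocklist")
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")
    if username and username.casefold() in pw.casefold():
        problems.append("contains the username")
    return problems


def search_space_bits(length, alphabet_size):
    """Brute-force search space in bits; valid only for randomly chosen strings."""
    return length * math.log2(alphabet_size)


def compare(password, username=""):
    """Run one password through both policies and return the findings of each."""
    return {
        "legacy": legacy_composition_check(password),
        "length_first": length_first_check(password, username),
    }


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("P@ssw0rd1!", "quiet mango orbits the harbour"):
        print(repr(sample), compare(sample))
    # 8 random printable-ASCII characters versus 20 random lowercase letters or spaces.
    print(round(search_space_bits(8, 94), 1), round(search_space_bits(20, 27), 1))
```

The predictable substitution pattern satisfies every composition rule yet fails the length-first policy, while the long passphrase does the reverse.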

iiDENTIFii publishes landmark Identity Index in South Africa

A landmark study by iiDENTIFii – the Identity Index 2024: South Africa Edition – published in partnership with World Wide Worx, reveals heightened concern over identity fraud threats in South Africa, with 56,7% of businesses expressing concern or strong concern about future threats.

The iiDENTIFii Identity Index 2024 report provides an in-depth analysis of the current landscape of identity fraud concerns, practices, and preparedness among businesses. The findings highlight significant trends, investment priorities, and the effectiveness of various identity verification solutions as businesses of all sizes navigate the evolving threat of identity fraud.

About the Identity Index 2024

The Identity Index 2024 provides an in-depth analysis of the current landscape of identity fraud concerns, practices, and preparedness among businesses. The findings highlight significant trends, investment priorities, and the effectiveness of various identity verification solutions as businesses of all sizes navigate the evolving threat of identity fraud.

The research was completed by World Wide Worx in 2024, across a sample of 200 enterprises from large, medium, and across industry sectors.

The primary Identity Index is based on the percentage of companies that regard their identity management processes as Very Effective, which currently stands at 24,5%. Additionally, those that consider their processes Somewhat Effective, make up 62%, which highlights the potential of the index at 86,5%, despite the actual index remaining relatively low at 24,5%.

Gur Geva, founder and CEO of iiDENTIFii says, “We commissioned the first Identity Index in order to gauge and track local industry sentiment around digital identity and identity fraud in the country.
The results of the independent survey provide an important foundation of measurement for how identity is being authenticated in the country, how confident businesses are in the face of growing threats, and where the potential fault lines are in mitigating the risk of fraud.”

Businesses expressed growing concern about identity fraud

Overall, the index showed that businesses are becoming more aware of, and prepared for, the challenges posed by identity fraud. Those surveyed in the study expressed concerns about growing identity verification fraud and its impact on their business. These concerns centred around the potential for financial loss (35,3%) and reputational damage (34,8%), illustrating that financial and brand implications are almost equally weighted when considering the future outcomes of a business.

The concern for AI-driven fraud was particularly pronounced, with up to 63,2% of smaller businesses and 60,9% of larger businesses identifying it as a critical threat. These findings emphasise the need for businesses to stay ahead of increasingly sophisticated fraud tactics by implementing more advanced and adaptive security measures.

[Figure: South African Identity Index Report, a survey of 200 enterprises. The Index is based on the percentage of companies that regard their identity management processes as ‘Very Effective’. In 2024, this stands at only 24,5%.]

Businesses are adopting robust identity verification (IDV) solutions

Businesses in South Africa are adopting IDV solutions with the aims of enhancing security and reducing fraud. The report shows that adoption rates of AI-based fraud detection are at 50,5% and biometric methods are at 39,5%. This demonstrates a strategic shift towards leveraging cutting-edge technologies to mitigate identity fraud risks. However, the implementation of IDV solutions does not come without its challenges.

Barriers to effective IDV implementation

Arthur Goldstuck, author, thought leader and founder of World Wide Worx says, “Despite the trend towards investing in IDV solutions, there are still some significant barriers to implementation, with 31% citing regulatory compliance and 23% citing user acceptance as the most substantial barriers.”

This is further reflected in the investment patterns in fraud prevention technologies. Many businesses, particularly those with 201-1,000 employees, allocate between 10-20% (46,4%) of their budgets to these technologies, underscoring the prioritisation of fraud prevention in their corporate strategies. Larger companies also display significant investment, with 42,2% dedicating 10-20%, and 26,6% allocating more than 20% of their budgets to fraud prevention technologies.

However, a lack of collaboration among industry stakeholders is evident, with 45,6% of small businesses and 31,3% of large businesses never engaging in cooperative efforts to share intelligence and combat fraud.

“This points towards an opportunity for more coordinated industry-wide approaches to digital identity, from stronger collaboration to a sustained commitment to investing in advanced technologies.
This could enhance the effectiveness of fraud prevention at an industry level and build a more resilient ecosystem against identity fraud,” says Geva.

Setting a course for the future of identity in South Africa

“iiDENTIFii is proud to establish the Identity Index, which offers a critical framework for monitoring the evolution of identity in our country. By serving as a benchmark for the effectiveness of identity management practices, the index can help identify gaps and opportunities for improvement across businesses of all sizes,” says Geva.

“As companies respond to emerging threats and adopt new technologies, tracking progress through this index will be essential to ensuring that identity verification systems are not only robust, but also responsive to the evolving landscape of identity fraud. This dynamic approach, supported by the Identity Index, will ultimately drive stronger and more cohesive efforts in safeguarding against fraud and enhancing trust in digital interactions,” says Goldstuck.

www.iidentifii.com

ABOUT THE INDEX

The South African Identity Index 2024 research report provides an in-depth analysis of the current landscape of identity fraud concerns, practices, and preparedness among businesses. The findings highlight significant trends, investment priorities, and the effectiveness of various identity verification solutions, as businesses of all sizes navigate the evolving threat of identity fraud.

The primary South African Identity Index is based on the percentage of companies that regard their identity management processes as Very Effective, which currently stands at 24,5%. Additionally, those that consider their processes Somewhat Effective make up 62%, which highlights the potential of the index at 86,5%, despite the actual index remaining relatively low at 24,5%.

The research was completed by World Wide Worx in 2024, across a sample of 200 enterprises from large, medium, and across sector.

Download the Identity Index South Africa Edition at https://tinyurl.com/444ckrub