In this article on identity authentication, Marius Coetzee, MD of Ideco Biometrics, offers insights into identity management and identity authentication.
Ideco offers biometric identity management solutions and services, boasting over 20 years of experience in this field (long-time readers may recall Ideco’s leading role in bringing biometrics to South Africa). Its services include biometric technology, systems design and engineering, change management, operational support, consulting and training services. The company includes a number of its own locally developed products in its portfolio of numerous best-of-breed international products.
What is happening in South African businesses in terms of identity authentication?
Coetzee: South African companies increasingly take identity authentication seriously as remote access and online transactions become the norm. The COVID-19 pandemic accelerated the adoption of digital tools and remote working, raising the need for secure identity management systems. The requirement for remote authentication has been increasing since COVID-19 with the introduction of work-from-home for many employees. Companies are now more aware of the risks associated with unauthorised access to sensitive data, and many are investing in advanced IDA technologies to mitigate these risks.
Technologies like biometric authentication (fingerprint or facial recognition) are becoming more widespread, particularly in the financial sector, where security is a top priority. Additionally, with the rise of mobile and digital payments, companies are exploring solutions like two-factor authentication (2FA), digital ID verification, and blockchain-based identity management to provide secure online transactions. While larger businesses generally lead the way in IDA adoption, many smaller businesses are still in the early stages of integrating these technologies.
Many companies are rolling out MFA to strengthen security, requiring users to provide multiple forms of authentication (e.g., passwords combined with biometrics, one-time PINs, or authentication apps).
• Biometrics: With the rise of smartphones, biometric authentication (fingerprint, facial recognition, and even voice recognition) is becoming more common in South African businesses, especially in mobile banking and secure access to enterprise systems.
• Single Sign-On (SSO): For ease of use, South African businesses are increasingly adopting Single Sign-On solutions to reduce password fatigue and streamline user access to multiple applications, while ensuring robust security.
Other technology advances include:
• AI and machine learning: Artificial intelligence and machine learning are playing a growing role in enhancing identity authentication systems. These technologies are used to detect unusual login behaviours and identify potentially fraudulent activity in real time.
• Blockchain: Some businesses are exploring blockchain technology to create more secure and decentralised methods of identity verification, although this is still in the early stages.
• Cloud-based solutions: Many companies in South Africa are moving their identity authentication systems to the cloud to improve scalability, flexibility, and reduce the cost of maintaining on-premises infrastructure.
While there is a significant investment in IDA, several challenges remain:
• Cost and complexity: Small- to mid-sized businesses may find the cost of implementing advanced IDA solutions prohibitive. This can result in slower adoption compared to larger enterprises.
• Lack of awareness: While larger businesses are generally aware of the importance of IDA, some smaller companies and startups may not prioritise identity security due to budget constraints or lack of understanding of the risks involved.
• Data privacy concerns: South African businesses are also navigating data privacy laws, including the Protection of Personal Information Act (POPIA), which requires companies to handle identity data responsibly. There is an increasing focus on balancing secure identity authentication with compliance with privacy regulations.
However, while digital identities are increasingly trusted and used for secure transactions, challenges like data privacy concerns, digital literacy, and equitable access to technology still exist. These barriers mean that mobile identities may not yet be universally adopted across all population segments.
With standards such as FIDO, are we moving away from PINs and passwords?
Coetzee: While Microsoft and other tech giants have embraced more secure authentication methods (such as Authenticator), many websites and services still rely on traditional methods like passwords and SMS-based one-time passwords (OTPs).
There are a few reasons why this is still the case:
• User convenience and familiarity: Many users are still accustomed to using passwords for authentication, and transitioning to newer methods (e.g., biometrics, hardware tokens) requires changes to their habits and devices.
• Infrastructure and scalability: Many organisations, especially smaller ones or those without significant IT resources, may not have the infrastructure or budget to implement more advanced authentication methods. SMS OTPs, despite their security shortcomings, are easy to implement and widely accepted.
• Resistance to change: Some companies may not see the immediate benefit or necessity of shifting away from passwords, especially if their existing authentication system is already ‘good enough’ in their view. Implementing passwordless or biometric authentication requires re-engineering login systems, which may be viewed as an unnecessary investment.
• Security issues with SMS OTPs: While SMS-based OTPs are a step up from relying on passwords alone, they are still vulnerable to SIM-swapping and man-in-the-middle attacks. Despite this, many websites continue to use SMS OTPs due to the ease of implementation and the fact that it is better than not using any additional authentication layer at all.
That said, we can expect a gradual shift as FIDO2 and WebAuthn standards gain traction. Browser and platform support (e.g., Google Chrome, Mozilla Firefox, Apple Safari) and mobile apps (such as Google Authenticator, Microsoft Authenticator, and Apple Face ID/Touch ID) are likely to make these passwordless solutions more common across websites, and gradually reduce reliance on SMS OTPs and passwords.
Passwords and PINs can be seen as keys to unlock a safe. The same is true for any other method that is followed, be it biometrics or key generators. Theoretically, all of these solutions can be broken into given enough time. It is important to note, however, that some of these keys are more difficult to break than others. With today’s quantum computing power, breaking passwords has become easier and easier.
With this in mind, NIST recently reviewed its recommendations for complex passwords. These recommendations have shifted from a mix of uppercase, lowercase, numbers and special characters to focusing on the length of passwords. It has been found that password complexity introduces more administrative overhead without any advantage in regard to difficulty in breaking the passwords.
Ultimately, complex passwords are better than simple ones, but they are not a long-term solution in a world where cyberthreats are evolving quickly. Passwordless authentication systems (such as FIDO2 and biometric authentication) offer a much stronger and more user-friendly alternative.
Is identity as a service (IDaaS) taking hold in SA, and if so, in which markets?
Coetzee: IDaaS is gradually gaining traction in South Africa, though its adoption is still in the early stages compared to more mature markets like North America or Europe. The global growth rate of IDaaS at around 20% per year reflects the increasing demand for cloud-based identity solutions that offer flexibility, scalability, and robust security.
In South Africa, IDaaS is being adopted primarily in sectors where security is a top priority, such as banking, financial services, retail, healthcare, and government services. These sectors are increasingly adopting cloud-based IAM (identity and access management) solutions to manage digital identities and ensure compliance with local data protection laws, such as POPIA.
Key drivers for IDaaS adoption in SA:
• Cost efficiency: Small to medium-sized businesses (SMBs) and larger enterprises are looking to reduce IT infrastructure costs. IDaaS offers a pay-as-you-go model, which lowers upfront capital expenditures.
• Scalability: With the growth of remote work and digital transformation, businesses need IAM solutions that can scale quickly without investing in on-premises hardware or additional IT resources.
• Security compliance: IDaaS helps organisations meet local and international security standards and regulations.
Trust in IDaaS in South Africa is growing, but it remains a concern for some organisations, particularly regarding the security, privacy, and availability of cloud-based services. The adoption of cloud technologies, in general, has been slower in SA compared to developed markets due to concerns around data sovereignty, privacy, and the local regulatory landscape.
Other factors affecting trust in IDaaS:
• Data sovereignty: South African businesses may have concerns about where their data is stored and whether it complies with local regulations like POPIA. IDaaS providers that offer data storage in local data centres or partner with local providers are seen as more trustworthy.
• Local support: Businesses also appreciate the availability of local support and services, particularly when it comes to training, troubleshooting, and customisation of IAM solutions to suit local needs.
While trust is improving, especially among larger organisations that already rely on cloud services, smaller businesses and certain sectors may still have reservations, particularly in industries where privacy is paramount.
Are devices on a network subject to IDA processes in South Africa, or is this something related to IoT that is not seen as part of the whole identity management process?
Coetzee: Devices on a network can be whitelisted to ensure that only the devices you approve access any assets within your network. It is important to note that not all devices on a network are IoT devices. IoT devices have sensors, actuators, and connectivity capabilities to collect and exchange data with other devices and systems over the internet or other communication networks. As with normal network devices, if IoT devices are utilised, it is important that they also go through the whitelisting process to be marked as trusted devices before being allowed to provide information to internal systems.
While historically, IDA was focused on managing user identities (people), device authentication is gaining importance due to the rise of connected devices across industries.
Cybersecurity is a core component of the above, but how important is it to people setting up or using IDA?
Coetzee: Both cybersecurity and usability are priorities for organisations and users, but the balance between the two can vary depending on the industry, the size of the organisation, and the level of digital maturity.
Cyber breaches are a top concern for organisations that deal with sensitive data. These companies are acutely aware of the risks posed by identity-related attacks, such as phishing, credential stuffing, or identity theft. The need to protect against unauthorised access, data breaches, and compliance violations drives these companies to prioritise robust cybersecurity measures in their IA processes.
Zero Trust security models (which assume that both internal and external networks are potentially compromised) are increasingly being implemented by organisations. They focus on ensuring that identity verification processes are more than just ‘seamless’ – they are also secure and continuously monitored.
On the other hand, many organisations, particularly in consumer-facing industries or those with a large number of non-technical users, still prioritise ease of use and a seamless experience. Businesses are aware that over-complicating the authentication process can lead to user frustration, lower adoption rates, and reduced productivity. There is often a trade-off between making the authentication process seamless and ensuring robust security. The balance depends on the industry, risk tolerance, and business priorities.
Many users tend to prioritise convenience over security, especially when managing their personal or workplace credentials. Research has shown that people often reuse passwords across multiple platforms, prefer easy-to-remember credentials, and may opt for less secure authentication methods to make their experience faster and simpler. Cybersecurity awareness tends to be secondary to ease of use for most individual users.
However, there is growing awareness of cybersecurity risks, especially as people experience more frequent phishing attacks or data breaches. This has increased demand for more secure and user-friendly authentication methods, such as biometrics and passwordless solutions. In a business context, employees might resist complex authentication methods if they add friction to their workflow, which can challenge organisations trying to enforce strong security protocols, while maintaining a smooth user experience.
Are SA companies in the move to Zero Trust?
Coetzee: As data breaches get reported in the media more and more, organisations are realising that having a strong security posture is essential. Principles that tie in closely with Zero Trust, which can also be implemented, are Least Privilege Access and Continuous Verification. NIST also has a Zero Trust Maturity Model that can help organisations assess their current security posture and help identify possible gaps within it (see https://www.cisa.gov/zero-trust-maturity-model and https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf). With the help of these tools and principles, South African organisations, no matter their size, can start their journey to strengthen their security posture.
In South Africa, Zero Trust adoption is still in the early-to-mid stages for most companies, but interest and investment in Zero Trust strategies are growing. Several factors influence the pace of this adoption, including industry-specific requirements, security challenges, and resource constraints.
Adopting Zero Trust presents unique challenges and opportunities for organisations in industries where operational technology (OT) is critical, such as in manufacturing, energy, or mining.
Many, especially in mining or manufacturing, still rely heavily on legacy OT systems, such as SCADA (Supervisory Control and Data Acquisition) or PLC (Programmable Logic Controller) systems. These systems were not designed with modern cybersecurity practices in mind and often lack the capability to support advanced Zero Trust measures, such as continuous monitoring and device authentication.
OT systems often operate in real-time environments where latency is critical. Implementing Zero Trust, which requires authentication and authorisation checks for every access request, can introduce performance issues that could disrupt operational efficiency or even damage physical assets in sensitive environments.
What role does your company play in the IDA market, how do you approach IDA, and what products/solutions/services do you offer?
Coetzee: Ideco has also been an integral part of managing identities within the South African context. Not only have we formed part of national solutions to create foundational bases for South African citizens, but we have also assisted in making these bases available commercially to assist organisations with digital identity solutions. Currently, in the identity authentication market, our company plays a crucial role in providing secure, scalable, and innovative solutions that help organisations protect their digital assets, ensure compliance with industry regulations, and enhance user experience.
We specialise in offering next-generation identity and access management solutions that empower organisations to manage, authenticate, and authorise access to critical systems and data, while maintaining a seamless user experience. Our solutions cater to businesses across various industries, including banking, healthcare, government, telecommunications, and industrial sectors, ensuring they can adopt modern authentication protocols such as biometrics, MFA, passwordless login, and secure sign-on (SSO).
Our IDaaS and eKYC offerings, as well as ecosystems like nuID, give consumers back control of their identities. These solutions enable organisations to bind verified physical identities to digital identities to ensure compliance with national and international frameworks.
We offer a comprehensive suite of Identity Authentication solutions tailored to meet organisations’ diverse needs across various industries. Here are some of the key products and services we offer.
For companies looking to reduce the overhead of managing identity systems in-house, we offer Identity as a Service (IDaaS).
This cloud-based service includes:
• Scalable, on-demand IAM capabilities.
• Cloud-based authentication and access control.
• Integration with third-party applications (SaaS, HR platforms, CRM, etc.).
The Ideco eKYC solution is the latest addition to Ideco’s suite of identity management solutions. Designed for seamless customer identification and robust risk management, this innovative service is powered by the Famoco FP200 mobile biometric device. With a comprehensive range of KYC functionalities, Ideco eKYC enables you to verify every aspect of your customers’ identities, safeguard your organisation against identity fraud and money laundering, and ensure full compliance with POPIA and FICA regulations.
In addition to our product offerings, we provide consulting and integration services to help organisations design, implement, and optimise their identity management frameworks. We work closely with clients to assess their unique security needs and deploy tailored solutions for their environments.
For more information, contact Ideco Biometrics, +27 12 749 2300, www.ideco.co.za
© Technews Publishing (Pty) Ltd. | All Rights Reserved.