Privacy By Design

Security and privacy go hand in hand and NoPassword privacy by design means going beyond compliance with privacy regulations. Privacy is considered throughout the development, implementation, and usage of NoPassword.

Privacy by Design

No Centralized Credential Database

NoPassword does NOT store users’ credentials, such as passwords or biometrics, on a centralized database. The user’s biometric information remains on the user’s phone.

Eliminating Biometric Raw Data

During the registration process, users’ biometrics are converted into mathematical models via an irreversible process. This means that the biometric raw data CANNOT be extracted from its mathematical model. The model is further encrypted and the encryption key is stored in a tamper-proof, secure element on the user’s phone.

Local Biometric Authentication

Biometric authentication always occur locally on the user’s phone. The mathematical models of the user’s biometrics are encrypted using AES-256 encryption and securely stored on the user’s phone. These models do NOT leave the user’s phone.

User in Control of their Privacy

Users are empowered by being in full control of their biometrics and other private information.  The user is able to delete all their information from their device at any time, including the mathematical model of their biometrics.

Biometrics are not Exposed

NEITHER the NoPassword team NOR the enterprise system admins employing NoPassword solutions have access to or are able to view users’ credentials, their biometric raw data, or mathematical models.

Limited Personally Identifiable Information (PII)

Personally Identifiable Information (PII) stored on the NoPassword server is limited to first name, last name, username, email address, and phone number. There are no passwords or biometric information imported or stored on the server. All the PII stored on the NoPassword server are encrypted. This information is primarily used to manage user’s accessibility and to contact them to restore their accounts.

User PII is Treated like our Own Private Information

NoPassword does NOT share user’s information, such as PII, with third parties for advertisements nor for any other purpose. Only the system admins of each company have access to their users’ limited PII.

Limited User Location Information

Location information of users is only used to improve the security of the user. Location information is used during authentication process and are checked against geo-fence security policies. Neither the NoPassword staff nor enterprise system admins have access to users’ raw location data or able to determine the location of the users.

Data Minimization Policy

Data minimization policy is implemented throughout NoPassword solution to reduce the user information required for further authentication purposes. Location information is an example of information that is subject to data minimization. NoPassword regularly deletes such information from its servers.

Privacy Compliance

Throughout the design and development of NoPassword solution, different industries’ privacy compliances have been considered to ensure satisfaction. NoPassword complies with financial, healthcare, and insurance industry privacy regulatory compliances, including  SEC Regulation S-P (17 CFR § 248.30(a)), New York Department of Financial Services (NYDFS), Regulatory Framework Proposal, Financial Industry Regulatory Authority (FINRA), Cybersecurity Practices, European Union General Data Protection Regulation (GDPR), European Network Information Security (NIS) Directive, PCI-DSS and PA-DSS, HIPAA Privacy Rule, and U.K. Data Protection Act.

© 2019 NoPassword Inc. All Rights Reserved. Powered by NoPassword Inc.

Modernize enterprise workforce and consumer identity by substituting passwords with NoPassword Human and Hidden Multi-Factor Authentication (H²MFA™).