Security and privacy go hand in hand and NoPassword privacy by design means going beyond compliance with privacy regulations. Privacy is considered throughout the development, implementation, and usage of NoPassword.
Privacy by Design
NoPassword does NOT store users’ credentials, such as passwords or biometrics, on a centralized database. The user’s biometric information remains on the user’s phone.
During the registration process, users’ biometrics are converted into mathematical models via an irreversible process. This means that the biometric raw data CANNOT be extracted from its mathematical model. The model is further encrypted and the encryption key is stored in a tamper-proof, secure element on the user’s phone.
Biometric authentication always occur locally on the user’s phone. The mathematical models of the user’s biometrics are encrypted using AES-256 encryption and securely stored on the user’s phone. These models do NOT leave the user’s phone.
Users are empowered by being in full control of their biometrics and other private information. The user is able to delete all their information from their device at any time, including the mathematical model of their biometrics.
NEITHER the NoPassword team NOR the enterprise system admins employing NoPassword solutions have access to or are able to view users’ credentials, their biometric raw data, or mathematical models.
Personally Identifiable Information (PII) stored on the NoPassword server is limited to first name, last name, username, email address, and phone number. There are no passwords or biometric information imported or stored on the server. All the PII stored on the NoPassword server are encrypted. This information is primarily used to manage user’s accessibility and to contact them to restore their accounts.
NoPassword does NOT share user’s information, such as PII, with third parties for advertisements nor for any other purpose. Only the system admins of each company have access to their users’ limited PII.
Location information of users is only used to improve the security of the user. Location information is used during authentication process and are checked against geo-fence security policies. Neither the NoPassword staff nor enterprise system admins have access to users’ raw location data or able to determine the location of the users.
Data minimization policy is implemented throughout NoPassword solution to reduce the user information required for further authentication purposes. Location information is an example of information that is subject to data minimization. NoPassword regularly deletes such information from its servers.
Throughout the design and development of NoPassword solution, different industries’ privacy compliances have been considered to ensure satisfaction. NoPassword complies with financial, healthcare, and insurance industry privacy regulatory compliances, including SEC Regulation S-P (17 CFR § 248.30(a)), New York Department of Financial Services (NYDFS), Regulatory Framework Proposal, Financial Industry Regulatory Authority (FINRA), Cybersecurity Practices, European Union General Data Protection Regulation (GDPR), European Network Information Security (NIS) Directive, PCI-DSS and PA-DSS, HIPAA Privacy Rule, and U.K. Data Protection Act.
Modernize enterprise workforce and consumer identity by substituting passwords with NoPassword Human and Hidden Multi-Factor Authentication (H²MFA™).