NoPassword – Privacy By Design
Privacy is one of the three pillars of NoPassword. Security and privacy go hand in hand, so privacy by design means going beyond complying with privacy regulations. Privacy is considered throughout the development, implementation, and usage of NoPassword.
No Centralized Credential Database
NoPassword does NOT store users’ credentials, such as passwords or biometrics, on a centralized database. The user’s biometric information stays on the user’s phone.
Eliminating Biometric Raw Data
During the registration process, users’ biometrics are converted to mathematical models via an irreversible process. This means that the biometric raw data CANNOT be extracted from its mathematical model. The model is further encrypted and the encryption key is stored in a tamper-proof and secure element on the user’s phone.
Local Biometric Authentication
The mathematical models of the user’s biometrics are encrypted using AES-256 encryption and securely stored on the user’s phone. These models do NOT leave the user’s phone. Biometric authentication always happens locally on the user’s phone.
User in Control of their Privacy
Users are empowered by being in full control of their biometrics and other private information. The user is able to delete all their information from their device, which includes the mathematical model of their biometrics.
Biometrics are not Exposed
NEITHER the NoPassword team, NOR enterprise system admins employing NoPassword solutions have access to or are able to see users’ credentials, their biometric raw data, or mathematical models of biometrics.
Limited Personally Identifiable Information (PII)
Personally Identifiable Information (PII) stored on the NoPassword server is limited to first name, last name, username, email address, and phone number; no password or biometric information is imported or stored on the server. All the PII stored on the NoPassword server is encrypted. This information is primarily used to manage users’ access and to contact them to restore their accounts when necessary.
User PII is Treated like our Own Private Information
NoPassword does NOT share users’ information, such as PII, with third parties for advertisements or for any other purpose. Only the system admins of each company have access to their users’ limited PII.
Limited User Location Information
Location information of users is used only to improve the security of the user. Location information is used during the authentication process and is checked against geo-fence security policies. Neither the NoPassword staff nor enterprise system admins have access to users’ raw location data or are able to determine the location of the users.
Data Minimization Policy
A data minimization policy is implemented throughout NoPassword to reduce the user information needed for further authentication purposes. Location information is an example of information that is subject to data minimization. NoPassword regularly deletes such information from its servers.
NoPassword complies with financial, healthcare, and insurance industry privacy regulations, such as SEC Regulation S-P (17 CFR § 248.30(a)), New York Department of Financial Services (NYDFS) Regulatory Framework Proposal, Financial Industry Regulatory Authority (FINRA) Cybersecurity Practices, European Union General Data Protection Regulation (GDPR), European Network Information Security (NIS) Directive, PCI-DSS and PA-DSS, HIPAA Privacy Rule, and U.K. Data Protection Act.
Protect user privacy, reduce your liability, and gain your users’ trust with NoPassword Identity and Access and Human and Hidden Multi-Factor Authentication (H2MFA).