Experian chooses UK authentication startup for Gov.UK Verify

To ensure that UK citizens using Gov.UK Verify have secure access to their online accounts, Experian is using distributed cryptography technology from MIRACL

Experian has chosen a UK startup’s identity technology to provide highly secure authentication to millions of UK citizens.

Experian is one of nine independent identity assurance providers supporting the government’s Gov.UK Verify identity assurance service, which is one of the government’s biggest digital projects.

Verify is run by the Government Digital Service (GDS) and is intended to be the standard way for people accessing online government services to prove who they are and to log in to complete transactions.

To ensure UK citizens using Verify have completely secure access to their online accounts, Experian is using distributed cryptography technology from MIRACL, formerly known as Certivox.

The MIRACL M-Pin Crypto application delivers two-factor authentication (2FA) to secure people’s identities using a patented authentication protocol.

This involves a user-selected five-digit PIN in combination with a software token that automatically installs in their mobile or desktop browser when registering.

Both factors must be present to create an encryption key that is recognized by the M-Pin server, which does not store passwords, PINs or any other authentication credentials.

Experian’s selection of the M-Pin technology greatly reduces the risk for Verify and its users, protecting UK citizens from identity fraud by cyber criminals stealing and abusing passwords.

“Protecting the person online and giving them a good user experience of the services is a key goal for us as a business. MIRACL is a pioneering company that will help us achieve that and we are looking forward to working with them,” said Nick Mothershaw, UK and Ireland director of identity and fraud at Experian.

MIRACL chief executive Brian Spector said: “Centralising log-ins across all government services is a significant move which requires strong yet simple security.”

“For this reason, leading-edge technologies such as M-Pin that embrace secure user-friendly authentication methods, but can also perform at mobile internet scale, are imperative,” he said.

According to Spector, using a “zero-knowledge proof protocol” that does not require passwords to be stored in a vulnerable database will make the password breach a thing of the past.

MIRACL is a pioneer in the development of pairing-based cryptography, and its open source and commercial cryptographic libraries are used in internet of things (IoT) devices and applications from technology leaders such as Google, Microsoft, Intel, Gemalto and ARM.

MIRACL’s Distributed Trust Authority service provides an alternative to commercial certificate authorities for privacy, authentication, non-repudiation and message integrity on the internet, guaranteeing that no one entity is a single point of compromise.

The technology was developed by a renowned academic in the field of cryptography, Michael Scott. In January 2015, the company was selected to accompany prime minister David Cameron on a trip to Washington, as part of a special UK cyber security delegation to the US.

Join the conversation

1 comment

However nicely designed and implemented, physical tokens, cards and phones are easily left behind, lost, stolen and abused. Then the remembered password would be the last resort.

And, in a world where we live without remembered passwords, say, where our identity is established without our volitional participation, we would be able to have a safe sleep only when we are alone in a firmly locked room. It would be a Utopia for criminals but a Dystopia for most of us.

Incidentally, biometrics are dependent on passwords in the cyber space. So are multi-factor authentications and ID federations like password-managers and single-sign-on services. Passwords will stay with us for long.

It is too obvious, anyway, that the conventional alphanumeric password alone can no longer suffice and we urgently need a successor to it, which should be found from among the broader family of the passwords (= what we know and nobody else knows).