How do you protect against data leaks? Don’t store user information

by Thomas Hull | August 22, 2022

With high-profile data leaks becoming commonplace, no business is completely safe from cyberattacks. So how do you prepare for the risks and damage to your brand if a bad actor breaches your platform? By not storing sensitive data.

The number of data breaches – and the average cost incurred by them – is at an all-time high, as malicious actors constantly find new ways to access business data even where security policies such as Zero Trust are in place. In the latest such scandal, nearly 2000 users’ mobile phone numbers were exposed.

The human element is the easiest to exploit. Compromised credentials are not only the most common attack vector, but also have a devastating effect on user trust and brand reputation. 65% of data breach victims lose trust in an organisation as a result, and even more will tell others about their negative experience.

Of course, it’s vital to have strong security in place for your users, and nowadays it’s well recognised that MFA (multi-factor authentication) has gone from optional to essential.

However, every business is vulnerable, as malicious actors constantly develop new techniques. Approaching the problem from another angle provides a potential solution: what if there was no sensitive data in storage?

How much PII do you really need?

The importance of securing personally identifiable information (PII) is widely acknowledged and enforced through regulations such as the EU’s GDPR. Rigorously anonymising and encrypting user data is an expensive and complex process, and disastrous when it goes wrong and data is leaked.

A much simpler alternative, though, is not to require this data from users in the first place. For most organisations, the only reason to profile users in such detail is to authenticate their identity thoroughly. But not only does this increase the impact of any data leak, it also causes user frustration and accessibility issues.

From a security perspective, a digital identity is only useful if it can be authenticated reliably with a trusted credential – without causing too much friction for the user. This can be achieved with a much simpler security factor that isn’t based on shareable knowledge.

Zero-Knowledge Security

SIM-based authentication with IDlayr is a possession factor solution that makes a real-time check of a user’s phone number – without persisting this information. By working with the technology of global mobile networks, it proves real possession of a unique digital identity, without demanding user effort.

The result is both a seamless, tamper-proof check and greater user privacy. IDlayr is a Zero-Knowledge platform, with no stored personal data to be breached. Save time and money, and gain peace of mind, by storing only what you really need to know about your users.

Ready to learn more about next-gen authentication?

SIM authentication is cryptographically secure, easy to implement and effortless to use. Unlike insecure SMS OTPs and passwords, SIM authentication combines phishing-resistant security with usability, providing an ideal, cost-efficient solution to protect all your users.

To find out how to implement high-security, low-friction authentication for your users, talk to Sales.