Not all Digital IDs can provide secure product authentication

Digital IDs and Digital Product Passports do not automatically convey a product with the ability to be securely authenticated, and can even leave brands exposed to significant and often unseen risks.

In this article, we will outline what it takes to deliver secure Digital ID implementations and reveal the hazards of underestimating security and the consequences that the wrong approach to authentication can cause.

Highlights:

• Why not all Digital IDs can be securely authenticated?

• How counterfeiters can ‘hack’ the most secure of Digital IDs.

• The fundamental features of a secure authentication implementation.
  
  

Not all digital IDs are secure

There is a widespread misconception that digital product IDs are inherently secure and can guarantee a product's authenticity. The assumption is that by controlling the issuance of unique IDs for each product, in a way that ensures that only authorised products receive an official ID, a product’s marker can be cross-checked and verified against a database of authentic product IDs to prove its authenticity.

However, merely recognising an authentic ID does not mean it can be accurately authenticated, as this approach ignores the fact that counterfeit products can and will inevitably circulate.

While randomising the generation of product IDs will make it difficult for counterfeiters to guess and mass-produce a large series of product identities, they can easily clone authentic product IDs. In fact, this is a common occurrence and brands should expect a single duplicate product ID to be applied to many thousands of products without proper security measures in place. Without adequate security measures all forms of digital markers, including RFID and NFC, are vulnerable to cloning.

Think like a counterfeiter

Efforts to make Digital IDs harder to clone provide no real challenge to the counterfeiters, when you understand that they often don’t try to replicate the authentic marker with the goal of gaining access to the brand’s official digital services. Instead, they adopt an alternative approach, whereby counterfeiters create their own markers and tags that merely resemble a brand's authentic versions. These markers lead consumers to believe that the product is genuine by simply linking to the brand's website or a simulated authentication experience, that completely circumvents the brand's IDs and authentication platform.

As digital IDs have become increasingly popular for certifying authentication, they have become a symbol of trust in the mind of consumers. Many consumers perceive a digital marker as they would a hologram on a banknote and assume that the marker establishes the product as being authentic. Consumers expect a digital marker to connect them to a digital journey, but they are not experienced enough to be able to distinguish an authentic journey from a fake, in a similar way that they fall victim to email and SMS phishing scams. These weaknesses are exploited by the counterfeiters.

The extent to which Digital IDs are considered synonymous with authenticity is illustrated by the fact that counterfeiters apply digital markers to fake products of brands that are yet to adopt them on genuine garments.

Passports and border control

Let’s take traditional travel passports as an example to highlight this issue. Even if the passport issuing system is totally secure and nobody can leverage it to issue a false passport, this does not mean that false passports are not going to circulate. You can expect criminals to produce forged passports and try to use them, no matter how secure your issuing system is. It is the combination of a secure issuing system and passport control that protects the system from unwanted intruders.

If passport control is not designed to detect cloned or false passports, the authorities will go un-notified and remain unaware of their prevalence, and intruders will inevitably gain undetected access. The more sophisticated the production technology, the more sophisticated the counterfeiting techniques, and very often the risk of a false sense of security by the governing authority.

In the case of Digital Product Passports and product authentication, it is the consumer that becomes the ‘border control’. If the consumer is provided with a product authentication system that cannot recognise and manage cloned or fake IDs, the IDs are insecure, and illicit products will inevitably enter the system, resulting in contamination of the brand's ecosystem and circularity, just as they do today in the new product market.

What makes a Digital Product ID secure?

Brands can avoid exposure to such risks, by adopting secure Digital Product IDs. Secure Digital IDs are those that employ a controlled issuance of the ID, and are able to intercept, recognise and manage use cases of cloned and faked products.

It is vital to design secure authentication systems to prevent brand contamination and ensure customer and market trust. Therefore, it is essential to verify the security of your Digital ID implementation to mitigate potential risks.