Two years ago, journalist Walter Isaacson wrote about the “two original sins of the internet.” One was about journalism in particular, and the idea that content should be free for users and paid for by ads.
An error, he noted, for which the media industry has been paying dearly over the last several years.
The second – an obsession with the idea that the web should be, for all intents and purposes, an anonymous place – has been more widely impactful. As the CEO of Averon, Wendell Brown, noted, it has also introduced over two decades’ worth of friction into the system by making it extremely difficult, in many cases, to know where things are coming from.
“The internet was built for delivering packets to the right destination – and it is very good at sending, too,” said Brown. “But it did not get good at defining the ‘from address’ for data. That wasn’t part of the original consideration – and that has led to many, many challenges.”
Challenges that started with spam, and have recurred in a variety of forms – transactional fraud, “fake news, fake emails, phishing campaigns – all of which are symptoms of a common disease called ‘no return address present,’” he noted.
And while several decades of trying to medicate the symptoms – by creating increasingly complicated security protocols for customers to log in – have made some progress, Brown said that Averon is trying to build something that looks a bit more like a cure. Because, as Brown told Webster, the open world of the internet is anonymous – mostly because it is free.
But accessing the internet via a mobile device is not free. In fact, he noted, it requires signing into a closed network with a verified identity – a network that will then keep close track of its users through billing.
Brown knows something about those billing systems – before he was an entrepreneur in the digital authentication space, he spent about 30 years “building them for carriers.” That is why, he told Webster, he saw something when he looked at them that no one else had so far: “a chance to take advantage of a worldwide existing infrastructure and repurpose it to be used broadly for identity across a wide variety of digital use cases.”
Because the carriers, he noted, have spent about 30 years doing something without realizing precisely what it was they were doing: creating an absolutely ideal place to start building those digital “from addresses” that the web so sorely needs.
The Identity Network That Everyone Overlooks
When people think of what telecom companies have built over the last few years, Brown noted, the obvious go-to answers are things like “data network” or “the internet without the wires.”
But the mobile carriers are doing a lot more than moving information, Brown told Webster.
“The carriers carry the data, but they are also wireless identity networks – and shockingly robust ones,” he said. “They are ubiquitous, there are billions of people with SIM card-embedded devices in their pockets. And whenever you use the device – to place a call, or text, or use data – the carrier knows who you are because it is a paid system.”
A carrier that bills is a carrier that keeps track of identity end-to-end, according to Brown – and that starts with a KYC process.
“As of 2016, there were about 800 wireless carriers in the world – and collectively, they bill a trillion dollars in total. Almost all of that is reliant on these billing mechanisms that they have spent 30 years developing.”
Billing mechanisms, Brown noted, are by nature identifiers, because “you have to know who someone is before you can send them a bill.”
Which got Brown to thinking: What if you didn’t actually want to send someone a bill? What if instead, a company just wanted to using the identify parts of billing and leverage them against a different set of problems?
A Better Way Than 2FA
Two-factor authentication, he noted, works because it matches something a consumer knows – their password – with something they have – their smartphone. Usually, it does that by texting the consumer a code and asking them to verify it by entering it at checkout, or after entering a digital banking command.
Doing it once, Brown noted, isn’t a big deal – but having to do it lots of times is annoying. “There are days when you might be dealing with 2FA multiple times, and that just becomes a hassle,” he said.
And it’s an unnecessary hassle, because the customer is already doing the transaction on their phone.
Averon’s role is to know that on behalf of the service provider. Through deals and partnerships with the carriers, he noted, Averon sits within the carrier’s data stream on behalf of their financial services or retail partners.
When the customer goes to move some money into their banking app – or pay for their Uber ride – Averon is able to provide that “second authentication factor” on behalf of the customer through their carrier data. It tells the merchant or bank that “yes, the source of this transaction is the phone that is registered to this account.” It’s the same outcome as a 2FA that asks the consumer, but one that sits invisibly in the experience.
“We call it Direct Autonomous Authentication – or DAA - and we think it is a direct drop-in replacement for legacy 2FA systems,” said Brown. “There is no user effort here, no apps to install – and we can verify the same information as 2FA, but way more in the background.”
The customer, for all intents and purposes, never knows Averon exists. The firm contracts with (and is paid by) the firms for which it provides DAA – the consumer gets the same benefit that two-factor had offered, without having to continually send six-digit codes back to their bank or merchant of choice.
And, not only is it quicker and easier for the consumer, Brown said it is also likely more secure.
“The SMS messaging backbone of 2FA wasn’t designed for security – it was designed to move text messages. It is not as secure and it has been hacked in the past. The billed carrier system attached to the SIM card was very much built to be secure and accurate.”
Moreover, Webster noted that it offers the carriers something they’ve long wanted, but have struggled in the past to find: A way to be a relevant and important part of the transactional flow on the mobile web, instead of being a “dumb pipe” for mobile web service.
Brown concurred, noting that as ubiquitous identity networks, the carriers have a real chance to add value to the process, and in a way the web has been lacking for nearly two decades.
Building Better Layers
“Layered solutions” for digital security has been a buzzy term for some years – and for good reason, Brown noted. Layers can make sense, and Averon benefits from that in many regards.
Smartphones, particularly the higher-end models, have gotten much harder for the “wrong user” to actually use. Advances in encryption location and biometrics have made it so that if someone is successfully using a phone, you can trust that it is the right user, because phones are hard to get into. Just ask the FBI.
But layers that add complexity without any real security advancement need to go, and Averon is here to kill them with a more efficient and more easily accessible identity authentication scheme. There are limits to what one can ask customers to do – at some point, baking in a lot of complexity trying to verify that the right user is showing up to make a purchase becomes “obviously counterproductive.”
Averon wants to compress those layers by offering something that mobile technology has been able to provide for a long time: a return address one can believe in.
Today, Brown noted, that foundation can be used to replace 2FA technology. Tomorrow, it will be central to all kinds of other products that the firm plans to roll out later this year.
“We can make a lot of marketplaces run better just by knowing where the data comes from. And, as it turns out, in a lot of cases we do know – we just have to get better about knowing that we know.”