Customer experience is the Holy Grail of commerce — especially for eCommerce.
But the ease and speed that consumers demand when transacting online comes with risk, as merchants need to establish identity — in other words, being certain that customers are who they say they are — in a world where buyers and sellers may be continents apart. The fallout hits everyone involved via a fraudulent transaction, and, as the data shows, account takeovers are on the rise.
Establishing identity in the digital world is proving to be a fluid process, as questions are multiplying around the collection, processing and ownership of data.
PSD2 is here, of course, changing the way consumers and companies access data. And recently, legal challenges centered on data collection have begun popping up. For example, the Illinois Supreme Court ruled earlier this year that companies can be sued for biometric data collected without users’ consent.
As Karen Webster noted in an interview with Acuant CEO Yossi Zekri, although technology (and even use cases) are still evolving when it comes to digital identity, some basic “best practices” can be identified and embraced.
“If you think about process overall, it’s all revolving around … [a] balance between risk and friction,” he said. Compliance impacts friction — likely increasing it. That’s especially true along the traditional and current methods of authentication, he said.
Nowadays, verification spans many conduits and data points — including something the consumer is (i.e., ascertained through biometrics), something the user knows (such as a password) and, more recently, something new, which is how one behaves.
But, said the executive, the creation of a “trust anchor” can be accomplished by establishing the authenticity of a government-issued identity document. From there, you can layer on biometrics, embracing what works and shunning what doesn’t.
Forget What You Know — Literally
As for what doesn’t work: You can toss the “something you know” aside. Passwords — and their easily forgotten nature — create friction and the irritation of repeated log-ins, on the best of days. As Webster noted, passwords are likely floating around somewhere on the dark web, pilfered as part of one of the innumerable data breaches seen in recent years — possibly up for sale.
Everybody knows what you know, it seems.
Zekri said the “trust anchor” can carry extra weight through a government-issued credential “that has in it, and encompasses, the complete verification process that went into that credential.” Government-issued documents, he continued, are created using forensics proof, may have chips embedded (for extra security) and have the benefit of “an automated element to establish the validity of that credential.”
Introducing Biometrics Into the Mix
Where biometrics comes into play, he said, is through interactions that link a face to a person and facilitate a sense on the part of the merchant that “you can interact with that identity in an easier way in the future.” In other words, the trust anchor is established at the beginning of the relationship or transaction and carries over into the future — reducing (and perhaps even eliminating) friction.
Heavy lifting is required to create a digital identity solution robust and flexible enough to be ubiquitous across consumers’ preferred channels.
“And it will take some time to get there,” said Zekri, because questions still surround “the philosophy of what is that digital identity, where is it going to be, where is it going to reside and how would it work?”
The User in Control
“I think where the future goes to is bringing that trusted identity, including a biometric layer with a digital ID as the delivery mechanism,” Zekri predicted.
But there’s a twist: “The user should be able to choose how and where the data is shared,” he said.
In this case, it’s the user who takes control of the verification process — deciding what parts of their identity, and data, a company can utilize to establish verification.
Consider the use case where a fingerprint is offered up to open one’s email account, but where a more extensive (and individual) combination of credentials must be established to access the sensitive information contained in, say, tax returns.
The flow of credentials is designed not to create friction, but to provide permission.
Zekri noted that once credentials have been established, it’s possible to have a “permission or scoring system” that allows a user to be approved “across different areas [and activities] up to a certain level, but you are also approved for all things below that.”
Then, he said, interactions truly do become frictionless. By sending a command or showing one’s face, an app can conceivably “know” an email or bank account is accessible because the consumer has already gone through the higher level of authorization built into their digital identity.
When asked what use cases are in urgent need of trusted anchors, Zekri said this: Involve “access management,” where identity is being used with healthcare and hospitality among as many as 15 markets (beyond financial services) that can benefit from digital identity and more robust credentialing methods. In those verticals, there is a continued and growing need to combat crime and terrorism and satisfy an environment zeroed in on anti-money laundering (AML) and Know Your Customer (KYC) regulations.
“As technologies evolve,” said Zekri, “you can layer all these additional elements to that trusted identity.” He offered a range of scenarios: authenticating a driver’s license at home, verifying geolocation that matches the address on the license, capturing and verifying a passport as a second ID and authenticating the chip in that passport (which matches the face). A user’s voice or iris can be layered on, too.
Regardless of the number of layers, “the core is still the same,” he said. There’s no personally identifiable information (PII) moving back and forth along traditional means, but there may be a token traveling between parties with limited information, accessible with a limited key offered up at a single point in time — “and then it all evaporates,” said Zekri.
To make it all ubiquitous, Zekri said Acuant is currently focused on the first piece of the puzzle, tied to enrollment, across all manner of devices and locations. In the end, the transaction is a process marked by frictionless behavior and individual control.
“We are working on something that ultimately we believe is a good methodology to both store and communicate that information” — and though different people will do different things across different digital identity constructs, the trend is to “merge into one” solution.
“Who’s going to provide that one thing?” he queried. “Like anything else, it’s an evolution. We are trying to facilitate the process” for providers that may, at the outset, be competing entities, “and create [a] trusted identity for them.”