Deep Dive: Securing Digital Identities Without Relying On Passwords

Digital identification continues to make immense strides in implementation and uptake in the world’s economy, but it is not without vulnerabilities. More than 4.5 billion digital records were compromised in the first half of 2018 alone — a staggering figure that could not have been possible if digital IDs were not drawing so much attention. Tighter security and authentication methods for digital IDs are necessary to lessen the magnitude of these breaches, and hopefully stop them entirely. 

A recent PYMNTS study found that passwords are the most common authentication method used by financial services, eCommerce and healthcare companies. Such verification systems are extremely vulnerable to fraudsters, however. Approximately 59 percent of consumers use the same password for multiple accounts, allowing cybercriminals to run amok across several private accounts if one password is successfully cracked. Consumers tend to prefer passwords over more secure authentication methods due to their ease of use and convenience, and any security method looking to replace passwords needs to be seamless for it to see widespread adoption.

Several password alternatives are being used in the digital ID space, though each has its shortcomings. Steps will need to be taken to mitigate these weaknesses if the digital ID industry wants to expand without the looming shadow of fraud.

Selfies in the name of security

Fingerprint scanners have been on the market for years, but newer biometric authentication methods are currently on the rise, such as facial recognition. This tool has seen significant use since Apple added it to its latest generation of iPhones. Some facial recognition offerings allow users to upload selfies, which are then compared to 3D facial maps that are established when users create their accounts.

Fraudsters can still take advantage of such systems by using photos or videos of legitimate users. Developers need to implement liveness certification processes to counter these fakes and ensure that the user is authentic. Such processes could ask users to smile or wink during verification.

Certifying every login attempt is beyond the capabilities of human analysts, due to the incredibly high verification volume each hour. Identity verification company Jumio addressed this gap with an artificial intelligence (AI)-based liveness detection capable of seamlessly certifying a near infinite number of login attempts.

How AI systems can outsmart bad actors

 AI can also be leveraged for a variety of other security purposes, such as anomaly detection. Deep learning algorithms involved in this type of measure define baselines for typical customer behavior and flag transactions it finds unusual. The AI reviews these transactions, determines their likelihood of being fraudulent and sends them to human analysts for further review.

AI systems are also capable of verifying physical identification methods, such as driver’s licenses or passports. This is still a relatively nascent technology, however, and may reject legitimate IDs based on small variations it does not recognize, like wear and tear or manufacturing defects. Entire batches of government-issued IDs could be rejected due to different printing and lamination methods. AI can be taught to accept these changes, resulting in fewer false positives, but loosening standards could also cause more fake IDs to be accepted.

Can blockchain overcome its growing pains? 

Blockchain is also being explored for digital ID security. Blockchain-based systems store data in sequence, making it extremely difficult for bad actors to access information without leaving trails. Consumers also control their own data when it is on a blockchain system, which many privacy advocates see as a boon. 

One company working in the blockchain space is Fujitsu, which recently developed a blockchain-based digital ID exchange that converts individuals’ data into graph structures, and includes trustworthiness scores based on trusted users’ evaluations. Fujitsu states that this data is extremely hard to falsify.

“Even if a user colludes with a third party to improperly raise their evaluation, the graph-structured relationships will reveal information such as the weakness of their relationships with other users, giving the system the potential to identify misrepresentations,” the company said.

Blockchain still has many kinks to work out before it can become widespread. If bad actors successfully infiltrate the blockchain and steal identities, there would be no way to stop them from utilizing such information because verification occurs upstream. Blockchain also requires a high level of trust between all parties involved, with no central overseer to make executive decisions about ID verification.

All methods of digital ID security and authentication comes with benefits and drawbacks. They will all need to be as seamless as possible if they intend to supplant passwords as the general public’s security method of choice.



The How We Shop Report, a PYMNTS collaboration with PayPal, aims to understand how consumers of all ages and incomes are shifting to shopping and paying online in the midst of the COVID-19 pandemic. Our research builds on a series of studies conducted since March, surveying more than 16,000 consumers on how their shopping habits and payments preferences are changing as the crisis continues. This report focuses on our latest survey of 2,163 respondents and examines how their increased appetite for online commerce and digital touchless methods, such as QR codes, contactless cards and digital wallets, is poised to shape the post-pandemic economy.