Is your digital identity really you? As Philip Andreae, Vice President, Field Marketing North America at Oberthur Technologies, discussed with MPD CEO Karen Webster on a recent podcast, it is you — but only from the perspective of the merchant or other party who needs to authenticate that you are who they think you are. To another party authenticating another digital identity, you have a different persona.
That seems like a complicated situation in a world where the digital realm is increasingly overlapping with the physical world. Andreae and Webster dug deep to find some potential solutions to simplify the matter.
KW: There’s so much to talk about one’s digital identity given all of the things that are happening in cyberspace.
Let’s start out with the basics. When we use the term “digital identity,” I think we assume that everyone understands what it means. I’d like to get your perspective on that, as an expert in the space. What does it mean, and how has that phrase evolved in the last 5 to 10 years?
PA: It’s interesting how when we talk about “digital identity” we must recognize that most of the market doesn’t comprehend that concept. Years ago, when I was beginning to think about this concept, we started by looking at the dictionary to understand what Webster’s and others purported digital identity to be.
What’s clear is that [digital identity] is a way that we, as consumers, employees and citizens, identify ourselves in cyberspace.
I think back to that lovely cartoon in The New Yorker that depicted two dogs sitting at a computer and pondering the subject, “Does anybody know that I’m a dog?” Our digital identity is how we represent ourselves in this anonymous domain called cyberspace.
We actually already have multiple identities in the physical world, as well. Random numbers such as the personal account number (PAN) on our credit card; it’s there in our International Bank Account Number (IBAN) and our Social Security number. All of these were originally simply unique numbers that we used to identify ourselves to a computer which used this digital identity to link to bank accounts, data stored on a database or to rights of access it provides — for example, the ability to use a line of credit or withdraw funds from a bank account.
What’s intriguing is that those things should never have become secrets, but they did, because we allowed them to become something that not only identified us but that was used to authenticate the fact that we were the rightful owner of that identity.
KW: Let’s take off our payments hats and put on our consumer hats. When we think about how we identify ourselves online, we probably think of multiple identities — and perhaps none of them are connected. There’s an identity we use on social networks, another one we use to log in to our bank accounts, yet another for corporate email accounts, and so on.
How can we approach the concept of digital identity when an individual consumer has so many?
PA: That is the challenge. In thinking about this subject, I reflect back to the physical world and then forward into the virtual world, and I think about the identity I use for old-fashioned snail mail. It’s my name, and it’s my address that identifies who I am to somebody who wants to mail me something.
To move that mail analogy into the digital world, we have email addresses that follow a particular structure that is defined by an international standard. I create a moniker to identify myself — maybe I call myself “balloon123” or “PAndreae” or “KWebster” — and I tie it with an “@” to a domain computer that hosts my email account.
On social websites, maybe I’m going to call myself by my first initial-last name; maybe I’m going to use a jumble of letters and digits. It’s some string of data a computer is going to use to recognize me and then offer me an array of services.
Where we get in trouble is when the relying party needs to start putting names to parties in this ecosystem. There is you and I, the individual, there is maybe an identifying party, and there is the relying party. The relying party may be a bank, Facebook, or Google, the government, Instagram or any number of concerns that I as the individual want to connect to for the services they offer.
The challenge occurs when my moniker, say on Twitter (a moniker that service relies on to identify me), becomes stolen by somebody else who maybe also found my password. That person, for all intents and purposes, becomes me. They can do nefarious things; they can start tweeting in my name and that may create interesting challenges. Or maybe they get my credit card PAN, my password, my expiry date, my CVV and other data they can gather about me and go off and use those identifiers to do things that I don’t want them to do.
That is the obstacle we face in the realm of digital identity: How do we authenticate that you are the rightful user of an identity and not some criminal or that dog in The New Yorker cartoon?
KW: Authentication is very much the point where the rubber meets the road, and all of these “relying parties” need to be able to perform it with certainty, and be able to detect when the bad guys have taken my digital identity and are using it improperly.
How are you at Oberthur looking at this and trying to help these relying parties do that better?
PA: On the physical-world side of things, we are helping banks to issue EMV cards, which are a means of providing a digital identity while also assuring the various parties that the instrument, “the card,” is authentic. We’re also working with the U.S. government, providing the PIV cards that provide and verify digital identity in their world.
In the social space, we are, as a board member of the FIDO Alliance, looking at creating an authenticator: a set of standards that can be used by various parties to create mechanisms, “the authenticator,” that can be used to authenticate that the person holding a secure element is the rightful user of it. We look at three things, basically, in doing that: How do I identify myself (username), how do I authenticate myself by employing the device I am in possession of (something physical, such as a token or phone), and how do I verify that I own it? This act of verification is where you get into using a PIN, biometrics, or several passwords.
We’re working on an international scale to define these standards. In the case of the U.S. government, it’s the PIV standard; in the case of payments, it’s the EMV standard; in the case of almost everything else, it could be based on the FIDO standard.
KW: The EMV standard makes sense in the physical world. But the world is becoming more and more digital, and we’re seeing a proliferation of opportunities for digital engagement: things like Amazon Dash Buttons on washing machines becoming points of sale and cars that initiate transactions. Identities can be everywhere.
How do you think about that? And is it possible to imagine an environment where there is one digital identity that we use, that can be secured and protected, and that follows us wherever we happen to go in the digital world?
PA: I’m not sure we can look at digital identity as that one thing. For example, my employer is going to define my digital identity for their purposes and they’re going to call me “PhilAndr.” My email provider is going to define my digital identity in terms of my email address. The government is going to define my digital identity as my Social Security number.
What we need to do is produce something that authenticates me to whatever identifier a relying party wants to use. That’s where the FIDO authenticator comes in.
It’s a device, a thing. It builds on what Apple Pay has done, by putting a secure element inside a device, to which an identity — the PAN, the DAN — can be attached and used to identify what the payment mechanism is. Let’s remember that the PAN was and still is a publicly available number, a random set of digits.
In the physical world we’re using the EMV standard to authenticate the card — and in the virtual world we can combine the EMV standard with 3D Secure as Apple did with what they call “in-app.” The same cryptographic capabilities of a Chip card are embedded into the secure element within the iPhone. Within this secure element the dynamic value, “the cryptogram” that proves that the physical element tied to the payment credentials, the digital identity, is unique. The relying party now can accept the result of the work of the authenticator — the cryptogram — as evidence that I am in possession of that which you gave me: a card, a phone, an ID card.
KW: Is it your position that the EMV standard is the foundation for the enablement of digital identity — specifically with reference to payments and commerce — when transactions across the many channels are made via tokenization?
PA: In the credit card/debit card world — yes. EMV will become the mechanism that defines the cryptographic, dynamic token that will allow the authentication of a unique device or card, be it in the physical world or in the virtual world.
When we move into the world of ACH, the world that the faster payments activity is working to enhance, the foundation won’t be EMV, unless of course they all agree that debit cards achieve the desired result. What is clear [is that] the mechanism used to secure these faster payments will be some form of cryptography.
If we look at government and enterprise, the government has defined the PIV standard — which has a very high level of identity proofing. That same technology that sits inside the PIV card also sits inside a secure element in a mobile phone, and can be used in another format, called “CIV” — Civilian Identity Verification — which has a different “lighter” level of proofing defined by the various relying parties. I can use that same technology and same standard implemented by a different party to identify an individual — an employee, a contractor — to an enterprise or a corporation.
We could take ICAO — the international passport standard — and make the electronic passport an identifier. We could use the international driver’s license standard to create a unique authentication of the driver’s ID and make the license number another digital identifier.
KW: Interesting to note that, in Massachusetts, until recently, you could opt to have your Social Security number be your driver’s license number. Seems crazy to think of that now.
I’m curious to get your thoughts on how consumers process all of this. On the one hand, you can talk to them about a secure element in-phone and how it will store their identity securely, but to a consumer that can sound scary, when they think about possibly losing their phone.
How are you and other players in the ecosystem planning to talk to consumers about this so that, one, they’re aware of the need to keep their digital identity secure and, two, they become convinced that what we’re doing is in their best interests?
PA: I think you’ve hit upon the biggest challenge we’re facing.
We’ve talked about personal account numbers, driver’s license numbers, Social Security numbers…and now you’ve got people saying, “we’ve taken this unique number and we’ve turned it into a secret because we wanted to make it easy for the consumer to understand. Enter your Social Security number and your mother’s maiden name, and we know who you are.”
That’s not a secure story and we need to work with people like yourselves and other media agencies to create simple analogies that the consumer can understand. The fact is that, in the end, security is not inherently convenient. We have to find some way of creating something that is secure and also convenient.
We think what Apple Pay and Samsung have done by using biometrics and the physical device is create something that is inherently understandable. “Dip it” vs. “Tap it” — that is pretty easy; consumers don’t have to understand what’s happening between the card or phone and merchant terminal or website.
What we’ve got to do is make it easy for consumers to appreciate that the technology we’re deploying provides the appropriate level of security, and give them the comfort that we — as technologists, as trusted parties — are looking after their best interests.
KW: I think it’s going to be a bit of a struggle, for the following reason: There is friction when you’re interacting in the mobile banking environment. And you want that friction; you want to be able to have the one-time password PIN texted to you before you transfer a large amount of money because it makes you aware of a layer of protection.
But on the payments side, consumers have been trained to expect things to happen instantly; nothing slows them down or creates a barrier to getting them in and out of the store in a timely fashion. I think it’s going to be different, and I think it will take a while for consumers to adapt.
PA: This is where we start talking about how to make payments frictionless. How do we take that technical process and put it under the covers?
Amazon made a big leap forward when they introduced one-click. Yes, a password was still involved, but consumer payment credentials were securely stored on the Amazon server. That, though, opens up another question: “How secure is the server?” From there arises concern about data breaches.
This is where enterprises have to enter into the conversation. [An] enterprise has to say to an HVAC contractor, “You can’t let them use their mother’s maiden name as their password. You must force them to change it, or use a smart card, or implement something along the lines of CIV.”
We have to look at what we’re trying to secure. If we’re trying to secure enterprise-level systems, then enterprises need to understand the necessity for building things that are better than simple passwords.
KW: I want to talk about what you guys are doing with Samsung Pay, specifically its launch in Europe. Help us to understand Oberthur’s role in enabling that.
PA: Samsung views us as a valuable partner with very strategic relationships with financial institutions throughout Europe. The company also saw that we had built the Trusted Service Manager (TSM) to support solutions like SoftCard in the mobile ecosystem, and successfully deployed it around the globe for organizations like Visa.
What they recognized was that they needed a partner the financial institutions trusted — Oberthur — who could establish the relationship, from a technical perspective, between the secure element — which is an Oberthur product called Pearl, embedded inside the Samsung phone — and the financial institution.
How it works mechanically is, when a consumer decides, “I want to put this card in that phone,” we will receive a request from Samsung. We, then, will request permission from the issuing party to install, on their behalf, credentials based on EMV into that Samsung phone so it can be used at the point of sale through a contactless interface or through an in-app implementation on the Web. We become the enabler; what we’re doing in Europe in that regard stands up to what Visa and MasterCard have similarly done in the United States.
We’re not using tokens; instead, we’re using what Europeans call a companion account number. It’s just another PAN associated with the same account. In Europe, it is common for family members to all have different card numbers attached to the same account number. All we do is assign a PAN to the Samsung phone. Thinking into the future we can also assign another series of Companion Account Numbers to each of your payment-enabled wearables.
KW: This is something that makes provisioning more efficient in Europe. Because of the prevalence of EMV cards, is that what this solves for Samsung Pay?
PA: Yes. And frankly, we will use in the Samsung phone the exact same mechanism that Apple Pay does to enable the credentials. They’re all basically EMV credentials.