“Who are you?”
It’s a philosophical question with a million different answers depending on who’s asking. In payments, it is a practical question with just as many answers depending on the use case. Identity verification and user authentication are hot spaces right now, and only getting hotter as merchants, financial institutions (FIs) and consumers demand more foolproof protection against fraudsters.
Biometrics, device fingerprinting, single-use codes: These are just a few of the myriad ways players in the payments world are trying to ensure that the person conducting a transaction is truly who he or she is claiming to be — and not a fraudster using someone else’s identity.
The players offering these identity services are proliferating as well. Five years ago, it was enough to know who a customer was online. Today, though, visit any industry trade show and the halls are packed with identity verification products. It seems every company wants to get in on the action.
Why now? The public has become very aware of security incidents that have compromised their data and that of others, and it’s making them ask the tough questions: What does identity mean to them? Who are they, who has their documents and data and how are those things being stored and secured?
The industry has responded by spawning countless solutions, and there is eventually going to have to be regulation covering all these different products. Moreover, there must be some sort of gold standard for identity truth and how to confirm it.
The Social Security number won’t help. Too many have been compromised, and many people are saying this old-fashioned static identifier isn’t enough anymore. While it’s too soon to say what will replace it, there does seem to be a growing consensus that Social Security numbers have got to go — and experts say that one day, inevitably, they will.
Jumio vice president of products Philipp Pointner is among those experts. Better yet, he has a few suggestions, many of which he shared in a recent discussion with PYMNTS’ Karen Webster.
Can I See Some ID?
Perhaps counterintuitively, the key to the future may lie in the past, Pointner said. Customers are comfortable being asked to present their government-issued IDs in brick-and-mortar settings. Why not have them do the same with online businesses?
“That takes it back to the root of identity,” Pointner said. “It’s something that has authority because the government is behind it, so it can tell us for sure who the person is.”
But wait — don’t people make fake IDs all the time?
Sure, said Pointner, and some can be convincing. Many, however, are low-energy spoof jobs — someone trying to get into his brother’s gaming account and such. These would not hold up to heavy scrutiny.
Pointner said that others admittedly do an impressive job using official-looking holograms and other security features that make them seem more legitimate. In those cases, it takes expert eyes like the ones at Jumio to pick out the real IDs from the fakes.
Jumio can recognize various types of ID from 250 different countries, Pointner explained, including multiple generations of IDs from all 50 U.S. states. The company knows exactly what these government-issued identity documents should look like, from security characteristics to items encoded in the document to how the photo should be held in place.
So, if a Romanian guest tried to stay at an American hotel, it wouldn’t have to be up to the receptionist to know how the foreign ID should be laid out and which security features are supposed to be present — there would be a tool on hand to help.
Where Device Verification Falls Short
The static username and password combination is hardly worth mentioning when there are so many newer, stronger forms of security available.
But, even the new forms have their limits, said Pointner. In some cases, it’s important to verify the identity of the person using a device to conduct a transaction, in addition to the identity of the device itself, and that’s where device fingerprinting and location services fall short.
Device fingerprinting determines whether the device making a transaction is the same one that the user was on when he created the account, but it cannot account for a device that has been stolen or for fraudsters who are able to make remote web traffic appear to come from a local point of origin.
Similarly, location services can be used to show whether a purchase is being made from within a reasonable radius of the customer’s usual activity, but they run into the same roadblock if fraudsters are spoofing IP addresses.
Biometrics have made huge leaps forward in recent years, Pointner noted, and they can confirm that a certain human characteristic — such as a fingerprint, eye print, voice print or other identifier — is present, thus verifying that the same person is conducting the activity.
However, he argues that biometrics fall short at the point of origin: Who is enrolling the fingerprint? Is this person who he or she is claiming to be? Whether it’s the same fingerprint this time and next time becomes irrelevant if the person who enrolled it in the first place is a fraudster. In that case, Pointner said, a real-world identity check does offer some advantage because a merchant or bank teller can hold up a photo ID next to a customer’s face and compare the two.
“The photo is what ties it to the real-world person,” Pointner said. “Jumio does the same thing online, making it a ‘person-present’ transaction.”
Another downside of the above methods, he added, is that customer information must be stored for them to be effective — and storing information makes it vulnerable.
Conversely, comparing a photo ID to a face captured by an on-device camera can be done during the brief moment of the transaction, and no data need be stored for next time. If there’s nothing to steal, Pointner said, then there’s no risk, because what would fraudsters take?
From Plastic to Digital Identity
The big question is whether customers would willingly use a method like this, especially since security researchers have cast doubt on the integrity of Apple’s new Face ID authentication method by fooling it with masks. Pointner still thinks the answer is yes — if not today, then tomorrow.
People have grown used to recording videos of themselves, he said, especially younger generations that are taking a hundred selfies a day. Why not leverage what they’re already doing on Snapchat, Instagram, Facebook and elsewhere to keep their data safer?
Pointner believes physical ID cards will one day give way to digital IDs. Many governments are already experimenting with this approach, he explained, and others are using distributed ledger and blockchain technology to create identity systems, an application that makes sense if innovators can make it work.
As digital natives grow up, it seems likely these methods will also make a lot of sense to them — certainly more sense than the paper, plastic and static identifiers that their parents once used.
But, don’t trash that nice leather wallet just yet.
“Digital identities are definitely going to come,” Pointner said, “but the plastic will stay in our wallets for a while longer.”