We live in what is increasingly a harrowing digital world, replete with ever-mounting cyberbreaches at seemingly every corner of commerce. For financial institutions, there’s reason to be concerned over digital identities. The challenge is authenticating a consumer across a landscape where that individual is actively opening accounts and performing transactions.
Who is really in the best position to issue, and authenticate, the digital identity assigned to a consumer?
In the latest installment of PYMNTS Topic TBD, Karen Webster spoke with Socure CEO Sunil Madhu to get a sense of just how and why firms should verify (and verify again) the online personae of users.
There have been a number of schools of thought over just who should take the lead in digital identity. As Madhu said, some think the government should lead the effort; other industry observers say the private sector should do it.
“Previous attempts to do these types of things have not really worked well,” he said. “The notion of one ID to buy into [all places] is a misnomer. Every private enterprise has their own sense of identification for employees,” he said, “and for their customers.” And a single identity is not really necessary, he said.
There have been some industry-wide initiatives and widespread technologies that draw from disparate sources to ascertain consumer identities. Security Assertion Markup Language was developed to share information and identities between parties and enterprises. More recently, he said, blockchain has been developed as a mechanism to share trust between parties involved in a transaction.
Webster noted that the digital identity debate became even deeper with the advent of APIs and the ability for third parties to call into banks and get customer information for their purposes. That is the case with some mandates, such as PSD2 in the U.K., and other certifications that need to be in place that focus on validating that consumers are who they say they are.
Madhu offered up the fact that, as long as 15 years ago, he was able to use his Bank of America account to pay his bills across vendors and “consolidate my entire financial portfolio through the bank.”
“The fact that you can aggregate different types of information from different sources … we’ve been doing that already,” he continued. “One can argue about the level of security and the older versus newer technologies. In the older technologies, people weren’t sharing databases, and the technologies often required you to enter your credentials of financial institutions, which you wanted to integrate into a common entity, which in itself is risky … Now, with blockchain, it is possible to have a shared replicated database that is far more secure because it can encrypt the data any one entity creates in the blockchain, as well as transactions between entities … As to whether [this system] will work long term is yet to be determined.”
He noted that, in Europe, there have been platforms tied to “transitive trust,” where identities must be authenticated by at least one financial institution, with meetings in-person and documents checked. “Only when that one bank accepts, can you open up an account at any other financial institutions taking part in ‘transitive trust.’”
Webster noted that there are so many different approaches to digital identity and authentication, perhaps dimming the clarity of the framework for banks to consider.
To get some sense of clarity, Madhu said that banks know their industry is changing, and “most of us carry our banks around in our pockets through our mobile phones.”
Millennials do not necessarily want to go into branches and do want feedback on the way they spend money. “This is a natural lead into mobile … and most banks are focusing on digital.” And with the movement toward mobile banking, the process has to be frictionless, and in terms of verification, mobile network data, mobile numbers and other information get factored in.
The form factor emergence will tilt toward wearables, said the executive. The market is catching up, realizing that online and social platforms are also worthy of being added to the mix of information for digital identity as “natural extensions of one’s offline presence in the world.”
There’s also the evolution of how “we re-verify the individual on an ongoing basis” to make sure that accounts have not been compromised, added Madhu. Multi-factor identification protocols on their own are not really as secure as they once were, said Madhu, and at Socure, biometrics come into play, too.
With other complex technologies, one standout is blockchain, which helps verify that the users are real and onboarded onto the networks and a network key is given to the individual. Then, “you can assume that all the transactions that are encrypted into that database in an immutable way are bound to that key.” A token that verified transactions entered in conjunction with that key would make complex and adjacent technologies unnecessary in terms of re-verification. “The blockchain exists for multi-party public transactions,” where knowledge is also shared globally.
As for the intersection between digital identity and biometrics, “biometrics is 20 years old and is still maturing rapidly,” said Mahdu, “and digital identity verification is absolutely important even in a biometric scenario. It is possible to bind a stolen identity to someone else’s biometric.” Therefore, biometrics must also deploy a system of enrollment. He noted that Apple Pay has had 6 percent fraud rates, despite touch pay being in existence — indicating that biometrics alone is not enough to ensure digital identities.