Episode 265 – Solving the Authentication Conundrum, with Rocky Scales, IDgo

Yvette Bohanan

June 4, 2025

POF Podcast

Here’s a payments conundrum for you: We now have more ways to authenticate access to an online account or app than ever before. And yet, account takeover (ATO) – basically unauthorized access to an account – is at record levels.

In this episode, Glenbrook’s Yvette Bohanan and Chris Uriarte are joined by Rocky Scales, CEO of IDgo, to explore this multifaceted problem.

Tune in as they discuss the vulnerabilities in authentication techniques, the need for better consumer education, and how financial institutions and businesses can implement more secure and user-friendly authentication systems to counteract evolving threats from sophisticated fraud methods.

 

Yvette Bohanan: Hello, I’m Yvette Bohanan, a partner at Glenbrook, and your host for this episode of Payments on Fire. Here’s a payments conundrum for you. We now have more ways to authenticate access to an online account or app than ever before, and yet account takeover, basically unauthorized access to an account, is at record levels.

Consider this. According to a Sift 2024 Digital Trust Index, ATO attack rates rose 24% year over year in 2024, fueled by a relentless wave of data breaches and increasingly sophisticated attack methods. The scope of the problem is broad. Abnormal Security’s 2024 State of Cloud Account Takeovers stated that 83% of organizations experienced at least one ATO incident in the past year, making it one of the top four cyber threats globally.

The financial impact is staggering. A Javelin 2024 identity fraud study calculated global losses from account takeover fraud at $13 billion in 2023, up from 11 billion the previous year. Unsurprisingly, bank accounts saw the most significant surge in fraud activity.

The payment sector with its high transaction volumes and valuable stored credentials remains a prime target. Fraudsters are leveraging stolen credentials from massive breaches, such as the 2.9 billion records compromised in a single incident in 2024, and exploiting widespread password reuse. That’s right. Password reuse. 74% of the people exposed in multiple breaches were reusing the same password. And attackers are increasingly adept at using technology and social engineering to bypass traditional security checks like texting a basic one-time passcode to someone’s phone.

According to CyberSource’s most recent fraud report, nearly all major e-commerce and payments merchants experienced ATO or related fraud in 2024. For merchants and their payment providers, the stakes are high. Four out of five consumers say they would stop shopping on a site where they’ve been a victim of ATO. It’s more than immediate financial losses. It’s the reputational risk with its long tail of revenue erosion as well.

The payments industry is responding with increased investment in prevention. A recent Arizton report states that the global market for ATO prevention in banking alone was valued at nearly $954 million in 2024. The need for real-time transaction monitoring, advanced authentication, and new technologies to counteract evolving threats is driving major providers to take action.

So today’s topic is a discussion on how the industry is working to solve this conundrum. Joining me for this episode is our Glenbrook partner, Chris Uriarte. Chris, thank you for joining me for this conversation. It’s not going to be an easy one today, but it’s an important one.

Chris Uriarte: Good to be back. It’s definitely an important one, and it’s one that we like to talk about a lot at Glenbrook Partners, and also we’ve hit on it a few times on the podcast here, so I’m really excited to dig a little deeper.

Yvette Bohanan: Well, you and I are kind of living and breathing this on different project work. You’re doing a lot of speaking about this. I’m doing a lot of speaking about this. And our guest today, like other guests that we’ve had on, on this topic is living and breathing it even more. We are delighted to welcome our guest, Rocky Scales, CEO of IDgo.

Rocky, it is wonderful to have you on Payments on Fire.

Rocky Scales: Absolutely Yvette, thanks so much for having me on the program. It’s great to be here. It is great to be here with both you and Chris. We’ve known each other a long time and I’m looking forward to this discussion.

Yvette Bohanan: Yeah, we’ve been hammering on this topic together for a while at different angles, but it is interesting to see where we are. But I always like to make sure our audience, our listeners, knows a little bit about the guests that we’re bringing on. So, you know the drill.

We like to ask you how you landed as CEO of IDgo. What’s your journey? What’s your story?

Rocky Scales: I tend to want to keep it more focused on something other than me, but just briefly, I’ve got about 20 years experience in fintech. As you know, we worked in payment fraud mitigation together. I worked for a company called Ondot Systems, which had the first generation of card controls, which is now table stakes for payment devices.

Also SheerID, identity proofing, and that was all a very good fit for the role I started about two years ago. The founder of the business wanted to move on to something else and he and some of the investors reached out to me about the role. And since being here, we’ve changed the name of the company. We elevated the product name to the company name. That’s IDgo, it’s done really well. We made some changes to the product and the capability to focus very specifically on that authentication lane. There’s identity proofing and then there’s user or member authentication and they’re very different.

By focusing on that authentication lane, we’ve been able to make some really encouraging progress.

Yvette Bohanan: Yeah. And people don’t graduate, clearly, or roll out of bed one day and just say, Oh, I’m going to go fight fraud. What gets you up in the morning? What drives you for doing this? Why did you say yes to that offer to come in and be CEO?

Rocky Scales: Yeah, I mean, it’s difficult to describe what ambition is. But there’s an element of just being driven, being competitive, being interested in solving problems, that are kind of the components of getting out of bed and wanting to go into battle each day. Right.

Yvette Bohanan: Yeah. And it is a battle. We’re going to dive in right now on the state of fraud, and these first few things that I want to talk about harken back to the data in the intro for this podcast. But it really goes back to the state of fraud and we’ve had a lot of folks on these podcasts over the last year or so, really trying to articulate clearly what we’re up against.

One of the things we talk about, just to kick us off, an experience that we’re all as consumers pretty familiar with, and even it’s getting into business applications now too for B2B, but this sort of OTP, one-time passcode, token kind of thing that has worked in the past, but now it’s fundamentally broken.

You’re out there talking with people all the time. What does the conversation sound like when you’re talking with prospective customers or customers about OTP? What’s happening to them?

Rocky Scales: What’s happening is fraud. It’s account takeover, one-time passcodes. They’re vulnerable. Security questions, the answer to KBA, knowledge based authentication questions, they’re vulnerable to fraudsters. And part of this kind of backs up into, which I think you mentioned in some of the opening dialogue, is that there are no more secrets anymore.

Our personal information is out there on the dark web, sadly, and you can’t get it back. And just last year in 2024, there were more than 10,000 data breaches in the US. That’s just one year. So you’re naive to think that your personal information is not available to the fraudsters. It is. Right. And the social engineering that occurs around a one-time passcode, the simple description is, I go on the dark web. I’m a fraudster. I buy your username and password. I know where you do your online banking, so I start logging into your account, but the fraudster knows this. I’m on a new device, right?

I know that a one time passcode’s going to be sent to the holder of that account. So instead of hitting return and sending that one time passcode, I also have your phone number, so I call you, right? And maybe I disguise the call so it looks like it’s coming in from the bank that I do banking with, or the credit union.

And I pick up the phone and I’m talking to the fraudster and they simply convey, Hey, this is Rocky from the fraud department over here at ABC credit union. We’ve seen suspicious activity on your account. I need to send you a one-time passcode. I’ll need you to share that with me so I can lock down your account and protect you.

That’s like a 15 second description of what is a 10 to 15 minute conversation where there’s trust and there’s rapport that’s built, and the customer, the member is sitting back saying, Ugh, this is somebody from the credit union I love, I trust, sounds knowledgeable. He’s reached out to me to help me.

So I give him the one time passcode, and then they log in, they lock you out. They transfer money, lift the information on your payment devices. They go shopping. That’s classic kind of account takeover activity.

Yvette Bohanan: And then sell all the information about your everything out on the web and it takes a few months for that to happen. David Maimon has data on that piece of it that we talked with him about. He’s at SentiLink, but he is also a professor in Georgia.

When we talk about all of this, it is so thoughtful on the social engineering side and you see banks, you see companies saying, This is a scam. We will never ask you for this code. If you’re about to tell somebody this code, stop. They’re texting it to you. They’re emailing alerts to you about the scam. But the social engineering is so-

Rocky Scales: Good.

Yvette Bohanan: High quality, and they’re getting through to people, right? Yeah. You saw the caller ID, you can call me back at this number, big tip off and red flag. Right? Or I’ll give you a number to call even worse, right? Instead of people looking it up on something they know is truthful. And they’re getting around it.

The thing that makes me crazy is people said, Oh well, a four digit is getting compromised.

Rocky Scales: Yeah.

Chris Uriarte: Let’s make it a six.

Yvette Bohanan: You’re not understanding what they’re doing. Right. You’re just not getting it. Taking the technology that’s broken and making it artificially…

Rocky Scales: Attempting to make it better. Yeah.

Chris Uriarte: I think a couple things here that are really interesting is, first of all, Rocky, you’re describing something that Yvette and I have heard from our banking customers many, many times is this concept of bank impersonation fraud is just out of control. It’s really, really out of control these days, and it’s sort of a number one concern. I remember, Yvette, we were talking to a credit union maybe four or five months ago, this was a number one concern to them. It’s just rampant in how targeted their customers are. So this is a real, real problem in the industry.

The other thing, and maybe this is just a little bit foundational for our conversation moving forward today, is I think what we see is consumers have just become so complacent with OTP and doing it every day, so many different times that they generally do not scrutinize it probably to the level that they should. Right? Where if you get a weird email or a text message from somebody that’s not an OTP related thing, you’ve been educated enough to really look at it. Each type of messaging is unique. Everything that everybody’s trying to ask you for is maybe a little unique, so you might scrutinize that a little bit more.

But I feel like consumers are almost on autopilot where they get a text. It’s an OTP. They know they’re supposed to take that number and do something with it, and they’ve just been overwhelmed by this barrage of SMS OTPs over the course of the years that there’s often not a lot of thought put into what their actions actually are.

Rocky Scales: And the lack of thought is they’re not reading the copy that’s in the text message. They’re just grabbing the OTP, right? They’re bypassing the warning and they’ve already digested the warning for the other 100 OTPs that they get. It’s interesting coming out of tax time, right? As we get our tax materials ready, we’re doing four or five OTPs a day.

Yvette Bohanan: Exactly. Yeah. And I was going to bring that up. It is banks, right? The credit union that we were briefing, the head of risk management like jumped out of their chair and said, This is what I’ve been trying to tell you is going on. It was really fascinating to see like her emotion, visceral reaction to validating what she knew was happening.

But apparently the rest of the leadership team wasn’t really taking it seriously. I think we see that a lot too, which is interesting. We’ll talk about that later maybe. But the other piece too is the customer is asleep at the wheel.

Rocky Scales: Yes. That’s a good way to say it. Yeah.

Yvette Bohanan: And all of the wake up call investments that some folks are doing is kind of falling. I think it’s really interesting that you say we don’t even read the message. It’s like muscle memory. You don’t even think about it before we hand it over and all of a sudden they’re in.

And it’s not just banks. I think that’s really important to call out. We see this with merchant sites, we see this, you said government tax, right? We see a lot of tax fraud, fraudulent tax returns hitting people right now, doing all kinds of stuff with accounts, online accounts for tax payments and everything to get into that.

Rocky Scales: It’s utilized as well with healthcare providers. It’s utilized with utility providers. Our friends in the wireless world use it, right? And you could look at healthcare, you could look at utility and go, Well, the instance of fraud is not as great. I think what the fraudsters are trying to do is just get access to the data.

In the wireless world, however, if somebody took over my account and shipped five iPhones on my account to a different location, that’s certainly possible, right?

Yvette Bohanan: Yep. So that’s broke. Now we go to KBA and you mentioned 10,000 breaches last year. That was just US, right?

Rocky Scales: Yeah, that was just US. 10,000. Yeah.

Yvette Bohanan: There is just massive data out there, right? So, KBA, knowledge-based authentication, is usually what people consider a step up authentication practice like when they talk about risk-based management and tiered KYC and all of these, people are often using data to step it up and validate you, which puts friction into the process. All the data’s out there, so it’s pretty ineffective. What’s the state? Does KBA still have a place? I’d really like both your opinions on this. Should people just be giving up on KBA because all the data’s out there and it’s kind of useless at this point, or is there a place for it?

Rocky Scales: There has to be the continuation of KBA and security questions. From our perspective, and this gets back to your point about the three different descriptions of authentication, right? Something I know, something I am, something I have. The something I am could be something like voice authentication, which has challenges with deep fakes in AI.

Something I have is my device. I can do a device based authentication approach. All three need to coexist. Part of what we tell our customers is you wouldn’t buy a car that didn’t have both a seatbelt and an airbag. Having more secure authentication solutions is a good thing.

The KBA piece is likely to be a backup because there could be resistance to members or customers wanting to do voice authentication. I don’t want my voice print out there. There could be resistance to device-based, right? People don’t trust big tech and/or I’m not using a mobile device. I’m using a landline or I’m using an age old flip phone.

So we look at KBA as kind of the fallback position. And you’re right, Yvette. There’s just so much data out there, whether it’s full social security number that you need to put in, or the last four, and date of birth and mother’s maiden name. That’s readily available to the fraudsters.

Some out of wallet questions can be a little bit more complicated. What was the address that you lived at between these two years and just pick the street name. Thankfully you don’t have to pick the number on the street.

But even that, the friction that we hear is that members, customers forget the information, right? And the live agent and the member or the customer don’t have a good experience together. It’s a poor consumer experience.

And the other thing that we tell our customers is you did not hire your live agents to be fraud specialists. You didn’t hire them to try to detect what goes on in that conversation and make a conclusion, Alright, this person failed three of the out of wallet questions, but got one right. Let them in. No. That’s a big burden to put on somebody.

Yvette Bohanan: Customer service folks tend to have a lot of empathy. You even see fraudsters going through customer service protocols, hop, skip, jump to get through stuff too. Right?

They’re sort of preying on the empathy that customer service has or is trained to have for the situation the customer might be in, like save the customer, try to help them, right? All of that kind of stuff.

And maybe they’re even graded on it. Or worse, they’re graded on their handle time and they’re like, Oh, okay, I’m not going to keep going with this. They got one right. I’m just going to get it through because I have to get to the next call.

Rocky Scales: Yeah. And we see authentication KBA security questions, it can take a minute and a half, it can take two minutes. We’ve heard stories where it takes five to seven minutes. And it can be very time consuming. So your point about handle time is real. And that’s real money.

Yvette Bohanan: It’s definitely real money. That’s why they measure it. So, Chris, what do you think?

Chris Uriarte: I think the thing to keep in mind is that the call center environment, contact center environment introduces a tremendous amount of variables, some of which you guys have talked about, right? You have instances where there’s SLAs, you have instances where individuals are being graded on or bonused in some cases even for their performance.

And then on top of that, once you get into a voice to voice scenario versus someone being purely online, this essentially opens the window, right? This is the best scenario for a fraudster who wants to execute some type of social engineering.

You can’t really social engineer a checkout page. It’s difficult to do that. You can exploit vulnerabilities, no doubt, in the processes or the data, but it’s tough to social engineer a web browser. Very different, of course, when you have somebody on the other end that you’re speaking to that you could develop a rapport with. You can listen and feel and hear the type of individual that you’re speaking to on the other end.

That just opens things up for opportunity. So, the challenge has always been is, how do you take the types of authentication or other types of fraud prevention, validation opportunities that we have available to us in the pure online world and transplant that into this scenario here. And that has proven to be a problem for decades really.

Rocky Scales: Mm-hmm.

Yvette Bohanan: The question too is if there’s all of this data out there and it’s being married up, there’s sort of this fraud as a service and they’re taking different data sets and they’re combining them and using all the tech that you would use to rationalize data sets for AI or ML or whatever.

Rocky Scales: Mm-hmm.

Yvette Bohanan: Is there also a pattern that you’ve picked up on where people are, they’re not social engineering it, but they’re just testing and trying different answers to these KBA questions in the online environment? I don’t want anyone to think that the online environment is just the way to go here for KBA if it’s not.

Rocky Scales: Yeah, I don’t think it is. And obviously the one time passcode comes into play too. But when you think about fraudsters, it’s kind of like a sales team that has a list of opportunities. At any given time, a fraudster might have 100 different avenues that they’re pursuing. And if they close five, that’s great.

The other thing on the other 95, they take away learnings and they make adjustments to their approach and their strategy. And, you got to believe with the availability of the different AI tools that are out there, that they’re utilizing them, they’re trying to make their sales process, their close process, more efficient, more effective, and they’re going to use readily available tools to help them along the way.

Yvette Bohanan: That’s a great lead in. I was going to ask, one of the things that we keep telling folks is Gen AI has fundamentally changed the landscape here. If you’re thinking that things that worked even six, twelve months ago in your organization are going to work, are working today, or are going to work in the future, you don’t understand the impact of Gen AI and its use by the fraud groups.

Even lone wolves, this stuff is so readily available. If someone can come up with an app that does something incredible in two, three weeks and have it out there that’s a Gen AI whatever enabled thing to disrupt whatever’s been going on, you got to believe all the fraudsters are using this too.

And we see that all the time if you’re watching this. How is multifactor authentication, something you know, something you have, something you are, I like to add where you are to the mix.

Rocky Scales: Yeah, that’s a good point. Mm-hmm.

Yvette Bohanan: But how’s it holding up with the Gen AI tools that the fraudsters are creating. Is it still the right framework to be considering?

Rocky Scales: Yeah, for me, it kind of starts at when you get a phone call and you don’t know the number that’s calling you, it’s danger, right? When you pick that phone up and you say Hi, hello, maybe add a couple of other comments like, is anybody there? That’s it. That’s all they needed, right? Three seconds of your voice. And then they can use Gen AI to create a voice clone, and a fully conversational voice clone. And Joanna Stern from the Wall Street Journal did this article literally two years ago where she created a voice clone of herself and it got into her Chase account. That was two years ago, right? It’s only gotten better.

I think there’s things like that, the deep fakes that we’re seeing coming out, is scary, no doubt about it. And then I think utilization of the tool of AI to more efficiently get better results on their own data sets. I mean, let’s not kid ourselves. They download so much information off the dark web about consumers that they want to attack. AI helps, it helps the attack in a variety of different ways.

Chris Uriarte: Yvette, I’ll go back to a lot of the research that we’ve published in the last year, some of the white papers, some of the other podcasts we’ve done with Generative AI driven fraud. The two key points that we always stress on it is, there’s two things that are really different.

Number one, the level of scale that is often able to achieve by these fraudsters through Generative AI, it’s scale at a level we haven’t seen before. And two, really speaking to Rocky’s point, is the efficiency and the effectiveness of these attacks, right? They tend to be significantly more effective than historical methods that we’ve seen.

So, this certainly tracks to a lot of behaviors that we’ve been tracking out there in the market over the past year or so.

Yvette Bohanan: Okay. Where should people be directing their thoughts? Imagine you’re the Chief Risk Officer, the CEO of a company, or you’re at a bank and you’re an executive at a bank, and you’re trying to figure out, Okay, I’ve probably invested hundreds of thousands, if not millions at this point in trying to stop this stuff. What am I supposed to do? I’ve done all the things I was told to do, and now you’re telling me they’re broke. What do I do next?

Rocky Scales: Well, like any project like that, you got to start with a set of objectives. What’s the purpose, what’s the goal you’re trying to achieve? I think part of that description is we need to move away from one-time passcodes. We need to move away from KBA security questions. Maybe not entirely, but largely.

Yvette Bohanan: Let’s just make sure people understand, and passwords.

Rocky Scales: And passwords. Yeah, passwords. Again, there are no more secrets. I think that’s where they got to start is to say, Okay, we need something else other than these proven vulnerable solutions that we’ve been using. So what are the alternatives that are out there? That’s the place to start.

Certainly, when you go back to the three different pillars, or four, because you mentioned location, of authentication, that’s the journey I think they need to go on. Okay, so, one time passcodes, answers to security questions clearly fall into something I know, right? What about something I am, what are the solutions there? What about something I have, device-based solutions. And device-based solutions can kind of combine the location attributes that you mentioned as well.

That’s what I would advise the leaders of those risk departments to do, is to start down that journey and have a process of discovery about the different technologies and the different vendors that can deliver solutions that can help.

Yvette Bohanan: Yeah. Chris, from your point of view, you talk a lot about the stuff with the networks, the card networks. Are they doing anything interesting to try to help their customers?

Chris Uriarte: So the networks have caught onto this, but it is a challenge, of course, implementing anything at scale, right? So the networks we have seen introduce some frameworks, both Mastercard and Visa, that are meant to help enable sort of wide scale implementation of biometric authentication at checkout and doing it in a way that is meant to be a little less, or I’ll say it a different way, a little bit more friction free for customers. What I mean by that is, they’re trying to do it in such a way whereby a customer can enroll and authenticate once within the network and then all other merchants who are participating in these services, which are mostly passkey driven, FIDO based, passkey driven, through these services that have just recently been introduced in the last year. The consumer would only have to enroll once, and then you can reutilize that biometric authentication again and again and again.

But again, adoption of this sort of at scale has been challenging mostly because merchants themselves have not necessarily been convinced of the value proposition here when they look at things around customer support and challenges at checkout, potential drop off and abandonment during the checkout process, et cetera. So that’s kind of challenge number one.

And challenge number two, which we’ve touched on and we’ll speak a little bit more I think in a second, is there’s still a big issue in educating consumers as to how to use these technologies. So, you can put the rails in place, you could put the foundation in place there, but it’s much, much more than that. Much, much more than just having the technology to get these types of new authentication methods adopted at scale.

Yvette Bohanan: It’s more than just checkout and merchants and commerce. This is, as Rocky was bringing up tax payments, this is B2B, it’s authenticating to get into your treasury management system for your business or to dual authenticate a wire initiation, or, we could go on and on with all the examples. And timing is everything in this, and when you time the interaction to try to move someone from what they’ve been doing to something new matters a lot here. What do you advise customers?

Rocky Scales: Kind of expanding a little bit on what Chris mentioned, and you mentioned it too, there’s well established enterprise authentication solutions that require a third party app and those do have biometrics or passkey FIDO solutions built into them.

The problem is the consumer doesn’t want that. And frankly, the banks and the credit unions don’t require another app for my customer or my member to complete that authentication. That’s too much friction. Right? And we know that from experience, we started with an app based authentication and certainly as the FIDO specs improved, we were able to deliver it in an alternative manner.

The other thing about biometrics, and it’s really important that people understand this, when I open up an app and I do a biometric to complete opening that application on my phone, the biometrics, the real purpose of that was for convenience. It’s an alternative to not entering your username and password. So if I’m a fraudster, once I get your one time passcode, I can set up biometrics and it’ll work for me. It’s almost like a false sense of security.

It really needs, for effective authentication to happen with the utilization of something I have, it needs to be built into the contact center, the operational software of the bank or credit union. It needs to be built into the online banking capability. And it needs to be delivered to the consumer where it doesn’t require a third party app. Those are some of the recipes for success, right?

Yvette Bohanan: I think that’s great advice and things to think about. We haven’t had that communicated quite that way, but I think it’s a good point.

Rocky Scales: Yeah.

Yvette Bohanan: So you have things built in and then you have to get the customer kind of on board.

Rocky Scales: Yeah. For sure.

Yvette Bohanan: What does education look like here as you move people away from what they’re familiar with to a new place?

Rocky Scales: And there needs to be an enrollment process and that’s kind of what you’re talking about is, how do I encourage customers to try this new authentication process that provides me, the bank, the credit union, the benefits in terms of average handle time and security and great user experience.

And the good news is that the current authentication methods are lousy enough that the presentation of an alternative itself is usually warmly received. That, for our customers happens when typically a live agent completes the existing authentication process, which could be a one-time passcode or it could be security questions. And then they inform the member, Hey, we’ve got this new authentication solution. It utilizes your device to complete the authentication.

It’s very simple, it’s very secure. Can I send you a text message to have you enrolling? And here’s the kicker, they can say, I’ll never have to ask you these questions again. People are like, please. Right? And then they go through the enrollment process, which is about three clicks, and then they’re in. And then the next time they come back they can authenticate with IDgo, which could be a passkey or it could be a registered device approach.

Effectively, the registered device approach is an authentication cookie on the device. And the reason we put that there, I’m giving you a lot, but I just want you to understand the backdrop. The reason we built an authentication cookie is people do fumble around with passkeys.

Here’s what we tell our customers. You’re going to have people that still use a landline. You’re going to have people that use a flip phone. You’re definitely going to have customers, members that don’t trust big tech, are using a smartphone, but they’re not using Face ID on it. They’re not even having a screen passcode. And trying to enroll that customer in a passkey is really difficult. To do an auth cookie response, a registered device is very simple.

So that’s the good news is that it’s not just the banks and the credit unions that want to have a difference. Consumers want to have a difference. This is a time consuming quiz show process that they don’t have time. They called their bank, they called their credit union to get one or two questions asked and to quickly, not spend two or three minutes trying to get into my account.

We certainly have had credit unions that take a gentler approach, kind of like what I described. We’ve had other credit unions that have taken a bit more of a, This is our new authentication process. I just sent you a notice so that you can enroll in it. And so it really depends on the credit union and how they want to manage their team. We’ve seen both be very effective.

Yvette Bohanan: Now, the trick is that engagement, that interaction has to be controlled by the customer in order for this to be valid or it’s going to get compromised again. So we have to make sure people understand, this has to happen when you are in control. And I think that’s what the key message is to educate people is, you have to be in control. You have to know what you’re doing.

Rocky Scales: And some of the good news about that is with IDgo, the authentication happens within the context of your engagement with the banker, the credit union. Nothing shows up randomly at 11 o’clock at night. And because the authentication experience is really driven by the financial institution, that’s the only place it can start.

The fraudster is not going to get a hold of the bank-initiated IDgo solution. That’s just not going to happen. That’s one of the things that we say is, absolutely, control comes in the form of, the bank, the credit union, they need to be careful about the enrollment process. They need to make sure they understand who they’re enrolling and then they need to convey to the consumer, this is only going to show up when you reach out to us.

Yvette Bohanan: Yeah, so there’s definitely education points here. Anything to add there around education? And because passkeys, they’ve been out there now in the wild for quite some time, and they’re not getting the uptake, you know?

Chris Uriarte: I do feel like that the FIDO Alliance and everybody that is involved, and the FIDO Alliance is sort of an umbrella that manages these standards, but underneath the FIDO Alliance is many, many, many major tech companies and banking companies, et cetera, that are members of that alliance.

I feel like everybody needs to get together and hire a good PR firm for passkeys because I think there’s a bit of a branding issue there. There’s just an industry education issue in general, and while the Alliance has taken really superb steps in creating an amazing technical standard, these are great technologies that have been implemented at scale. I think people don’t necessarily realize how many FIDO compliant devices are out there, and the ones that you interact with every day are probably FIDO compliant these days here in 2025.

But they haven’t really taken it to the next step in regards to figuring out, to use a very sort of sales and marketing term, what’s the go-to-market strategy of this? Right? What’s the go-to-market strategy of this? So we are struggling a little bit from the everyday consumer perspective to get adoption. And it’s mostly the folks who are more of the tech nerds, if you will, that have to go out and almost seek out these types of authentication technologies and want to do it.

And that’s not how you’re going to get success at wide scale with technologies like this, right? It’s got to work in the other direction where you have to get the stakeholders in the ecosystem to be able to just implement this in another way, similar to how it’s done with one-time passwords or just with passwords, usernames, and passwords in general, where there’s a lot more control there, right?

If you’re waiting for the consumer to opt in and take an extra step to enroll and to manage this, and to learn about it as the first step, that’s going to be challenging.

Yvette Bohanan: You know what I like about what Rocky was saying is this sort of embedding it into the operations of the bank or whoever, right? The company, the bank, the credit union. Yeah. And that creates a level of trust. It also creates some simplicity. And I’m going back to when you said checkout design and stuff earlier. One of the cardinal rules of checkout design was you want the person to complete the purchase, right? So you don’t give them too many choices.

One of the things that I hear people saying, consumers, not our customers, but consumers, is that, Well, I have a password manager and it’s asking me if I want to create a passkey, and then I go online and I log into this company and they’re telling me to create a passkey. And then when I’m on my iPad, it pops up and says, do I want to save this password? I don’t know if I should save a password or create a passkey with the company or create a passkey through the password manager. What should I do?

Chris Uriarte: There does need to be a level of enhanced messaging around either how this works or what the benefit is to the consumer versus, just a merchant or somebody online that says, Oh, would you like to enroll in passkeys? It’s like, well, what does that mean? I don’t know what that means.

Yvette Bohanan: Maybe part of this go-to-market strategy is how do we get more elegant about what, when, and how we’re offering these things to people, right? Because they’re getting overwhelmed almost with something they don’t understand. Maybe we need public service announcements.

Rocky Scales: You’re right. I’ve got kids that are at university and they show up and they get an auth app for everything for their university. And because they’re my kids, they have a password manager, right. I ingrained that in them. Effectively all you have to do is remember one password and, yeah, you can use a passkey.

But, Chris, back to the point that you mentioned, I don’t know if there’s analogies here, but it took Bluetooth, an industry standard, a bit of time to really catch on and a lot of adoption. A five-year overnight success kind of thing. Right. And maybe that’s not an excuse, but an explanation on why we haven’t really got there yet. We need more and more merchants, financial institutions, healthcare providers, utility providers, to embrace it broadly, so that it’s commonplace, right?

Chris Uriarte: Agreed.

Yvette Bohanan: All right. Well it’s that special time where we have to wrap up. I think we could keep going here for another few hours, but we’re going to close and say, food for thought for everyone out there. Listen, spread the word, think harder about what’s going on and examining. I really like the framework you gave, Rocky, of think about this multifactor authentication, the four dimensions, and think about it from your customer journey experience and your ops perspective and-

Rocky Scales: Absolutely.

Yvette Bohanan: Think about what’s right for you and then explore. Few good morsels here, hopefully, that people can chew on and figure this out. So thank you both for joining me.

Rocky Scales: Great to see you both again.

Chris Uriarte: Great to see you, Rocky. Take care.

Yvette Bohanan: To all of you listening, thank you for joining us and until next time, keep up the good work. Bye for now.
