The problem of knowing who to trust on an insecure, anonymous network has concerned me since I founded an ISP in 1995. With thousands of subscribers, it was the first time I confronted bad online behavior.
As a payments geek, I’ve seen plenty of these online bad behaviors emerge across channels and systems. Among the latest is the category of push-based fraud schemes that have taken off as fast payment systems gain traction across the globe. As Glenbrook’s Bryan Derman puts it, “what could be better for fraudsters than a new system that pushes money in real time?” Synthetic identities compound the problem.
This rapid emergence of push-payment fraud underscores the need for strong counterparty identification, and the difficulty of achieving it. Addressing this concern is the Identity Industry, the subject of this post.
The Internet’s Founding Tragedy
The founding tragedy of the Internet is its lack of a security layer. Designed with the naive assumption of good behavior by all, we now confront the result in the form of malware, spam, scams, and more because it’s still true that on the Internet no one knows if you’re a legitimate user, a fraudster or a dog.
The lack of a security layer makes answering simple risk assessment questions difficult:
- Who are the counterparties?
- What is the relationship between those parties? Long term? First time?
- What is the risk appetite of each party?
- What payment system is being used?
- What is being paid for?
- What channel is being used? In person, online, BNPL, P2P?
- What device is being used? What is known about the device?
These questions, and more, tend to be rolled up under the catch-all of “identity”. (A label that, in another blog, I’ll take to task as misleading and ultimately inaccurate.)
Addressing “identity” we have tech giants like Google, Meta, Apple, and Microsoft managing our individual online “identities” as we use their services. While convenient, these firms also know a lot about each of us. Some individuals are fine with this, and some are not. That results in confusing and difficult-to-implement regulations that, honestly, most people don’t understand. (Just try to figure out what the “I agree” button means from one site to the next.)
We also have the Identity Industry, composed of vendors and service providers selling to anyone concerned with online security. Many of the tools on offer are focused on security procedures such as access control, logon, account provisioning, account lifecycle management, “identity proofing”, password vaults, multi-factor authentication, and so forth. These are all about giving the right access to legitimate users and keeping bad actors out.
Another set of industry capabilities has to do with data collection, aggregation, and resale. Anomaly detection, for example, is only possible with historical data as the feedstock to rules engines and machine learning algorithms. While this data may be powerfully predictive to prevent bad online behavior, it also helps to serve up those ads of vaguely familiar products that appear in our browsers based on our search activity. As Glenbrook’s Yvette Bohanan puts it, there’s a fine line between cool and creepy.
Fraud management vendors use the combination of tooling and data to secure ecommerce sales, strengthen bank authentication, and protect other transaction contexts. If you are an enterprise or a payments business, essentially any entity that needs to manage online risk, this industry is ready to stock you with tools and techniques.
The Industry We Have
If you want to “run fast and break things” – the Silicon Valley ethos of the last decade – the Identity Industry is not for you. Regulation is an enormous influencer. Standards and standards development are required to securely connect counterparties and supply chains. There are legitimate constraints on what is possible. These add cost and time. This is not the Wild West.
To better understand the Identity Industry’s structure and composition, I attended Identiverse, an Identity Industry conference. Typical of all conferences, there were scores of vendors demonstrating their wares, designed to serve today’s problems through a combination of legacy and innovative approaches, but nothing so radical as to upset the incumbent economic model.
The economics of the Identity Industry are modest by comparison to the payments industry. It’s been said that “identity is the new money” but there’s no evidence of that given the difference in business models and perceived value between the two industries. To be blunt, there’s bigger money to be made in actually moving money. Securing those transactions is a cost.
Signs of Progress
I view securing online transactions as a data problem. We need trusted data and the right data for each transaction context delivered at the right time. What I saw at Identiverse suggests that this industry is coming to a similar conclusion. Positive developments of note include:
FIDO and Passwordless Authentication
User authentication has long relied on passwords. Between data breaches, social engineering, and brute force attacks, their weakness and inconvenience are obvious.
The FIDO Alliance and the World Wide Web Consortium have brought together tech providers and enterprises around a set of standards that leverage mobile devices and biometrics. Users can now present a credential, known as a passkey, that is resistant to replay and hacking. It is a robust solution that prevents man-in-the-middle attacks.
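To make the replay and man-in-the-middle resistance concrete, here is an added illustration (written for this post, not code from the FIDO Alliance or any library) of the checks a relying party performs on a passkey assertion: the challenge is single-use, and the origin is fixed by the browser and covered by the authenticator’s signature. The relying-party name `bank.example` and the `RelyingParty` class are constructed; the final signature check over `signed_message()` is assumed to be done by a cryptographic library and is not shown.

```python
"""Relying-party side of a WebAuthn/passkey assertion, simplified: the single-use
challenge defeats replay, the signed origin defeats phishing proxies. Constructed."""
import base64, hashlib, json, os

RP_ID = "bank.example"                    # constructed relying-party identifier
EXPECTED_ORIGIN = "https://bank.example"  # the only origin allowed to assert

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def client_data(challenge: str, origin: str, typ: str = "webauthn.get") -> bytes:
    """clientDataJSON as the browser builds it; the browser, not the page, sets origin."""
    return json.dumps({"type": typ, "challenge": challenge, "origin": origin}).encode()

def make_auth_data(sign_count: int) -> bytes:
    """authenticatorData prefix: rpIdHash(32) | flags(1, UP set) | signCount(4)."""
    return hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + sign_count.to_bytes(4, "big")

def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator's private key signs; altering origin or challenge breaks it."""
    return auth_data + hashlib.sha256(client_data_json).digest()

class RelyingParty:
    def __init__(self):
        self.pending = set()   # challenges issued but not yet consumed
        self.counters = {}     # credential id -> last accepted signCount
    def new_challenge(self) -> str:
        challenge = b64url(os.urandom(32))
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, cred_id: str, client_data_json: bytes, auth_data: bytes):
        """Return (ok, reason). The signature check over signed_message() would follow
        these structural checks; it is assumed to be done by a crypto library here."""
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or already-used challenge"   # defeats replay
        if cd.get("origin") != EXPECTED_ORIGIN:
            return False, "origin mismatch"                      # defeats phishing proxy
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False, "rpIdHash mismatch"
        count = int.from_bytes(auth_data[33:37], "big")
        if count and count <= self.counters.get(cred_id, 0):
            return False, "signCount did not increase"           # cloned authenticator?
        self.pending.discard(cd["challenge"])   # consume: this assertion cannot be reused
        self.counters[cred_id] = count
        return True, "ok"
```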
Adoption of FIDO has been steady but slow. The great news, affirmed and applauded at Identiverse, is that tech giants Apple, Google, and Microsoft have all agreed to employ FIDO authentication within their online services. Hopefully that will spur systemic adoption.
FIDO’s success as a standard and a force is due to its history of getting “everyone in the room.” Not just tech providers. Not just a limited community of interest. Everybody. Kudos.
Mobile Driver’s Licenses (mDLs) State-by-State
For mobile wallet users, the driver’s license is the last piece of plastic we need to carry when we leave our homes. U.S. states are showing varying levels of interest in putting driver’s license credentials into the mobile wallets of iOS and Android devices.
This intriguing development puts data from a verified issuer, the state motor vehicle department, into our mobile devices. Strong data of this kind could be very useful beyond traffic law enforcement. Relying parties, those entities taking the risk on a transaction, may be attracted to the KYC work and convenience mDLs may provide.
Important questions going forward include:
- The speed of adoption across all 50 states. Many haven’t gotten started.
- What’s being issued? Are the credentials issued by the state for the sole purpose of demonstrating a valid license to operate a vehicle? Or, as the state of Florida intends, are these credentials to be used for multiple use cases with the state as the source of truth?
- What’s being shared? A law enforcement officer may need access to all of the data but a bartender only needs to know if the holder is over 21 and nothing more. There is opportunity, and obligation, for data minimization here.
This is About Good Data – Verified Credentials
In real life, when I say who I am, you might take that declaration at face value, but self-asserted data isn’t useful to a risk-taking relying party online. That entity wants access to the data assigned to you, or certified about you, by a party it trusts.
For example, a driver’s license is issued based on credentials such as a birth certificate (issued by the city of birth) and a home address (verified by a copy of a utility’s monthly bill). These, and other, credentials are issued by known entities trusted by the Department of Motor Vehicles. Other desirable verified credentials may include vaccination records, social security numbers, Medicare numbers, professional accreditations, education degrees, and more.
Verified, these credentials offer high quality data for identification purposes. To ensure privacy and individual control over the release of personal data, services such as India’s Data Empowerment and Protection Architecture are necessary. The result is stronger identification, harder impersonation, and fewer openings for synthetic identity creation.
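The bartender-versus-officer data-minimization point in the mDL section and the issuer-verified, holder-released credentials described here rest on the same mechanism, so one added example serves both (written for this post, not the post’s own code nor any standard’s reference implementation): the issuer signs only salted digests of each data element, the holder discloses just the elements a verifier asks for, and the verifier checks those against the signed digest list. This is a simplified model of the ISO/IEC 18013-5 approach; the issuer signature is stood in by an HMAC with a constructed key (assumption) in place of COSE_Sign1, and element names stand in for digest IDs.

```python
"""Selective disclosure in the style of ISO/IEC 18013-5 mDLs, simplified: the
issuer signs salted digests, the holder reveals only the requested elements."""
import hashlib, hmac, json, os

ISSUER_KEY = b"constructed-dmv-issuer-key"  # stand-in for the issuer's signing key (assumption)

def element_digest(salt: bytes, name: str, value) -> str:
    """Digest of one data element; the random salt stops guessing of undisclosed values."""
    return hashlib.sha256(salt + json.dumps([name, value]).encode()).hexdigest()

def issue_mdl(elements: dict):
    """Issuer (DMV) side: salt every element, sign only the digest list (the 'MSO')."""
    items = {n: {"salt": os.urandom(16), "value": v} for n, v in elements.items()}
    digests = {n: element_digest(i["salt"], n, i["value"]) for n, i in items.items()}
    mso = json.dumps(digests, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, mso, "sha256").hexdigest()   # COSE_Sign1 in the real format
    return items, (mso, sig)

def present(items: dict, signed_mso, requested):
    """Holder side: hand over salt+value for the requested elements only, plus the signed MSO."""
    return {n: items[n] for n in requested if n in items}, signed_mso

def verify_presentation(disclosed: dict, signed_mso, required):
    """Verifier side: check the issuer signature, then that each disclosed element
    matches its signed digest. Returns the verified values, or None on any failure."""
    mso, sig = signed_mso
    if not hmac.compare_digest(sig, hmac.new(ISSUER_KEY, mso, "sha256").hexdigest()):
        return None
    digests = json.loads(mso)
    verified = {}
    for name in required:
        item = disclosed.get(name)
        if item is None or element_digest(item["salt"], name, item["value"]) != digests.get(name):
            return None
        verified[name] = item["value"]
    return verified
```

The bartender asks for `age_over_21` only and never sees the birth date or address, while the undisclosed digests in the signed list reveal nothing because of their salts.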
The Identity Industry is coming to realize that the work ahead is the delivery of verified data at the right time for the specific transaction context. This will require coordination among regulators, tech companies, standards groups, and the Identity Industry itself.
It’s going to take a lot of time.
For Payments, It’s Partnerships
Financial institutions and payment providers are both enterprises that need to know their customers as well as stakeholders in increasingly complex payment value chains. These entities need tools tuned to their specific business need, be it first- and third-party fraud detection, new customer onboarding, or employee authentication. Some develop in-house technology. All generate data for input to third-party tools.
Beyond demonstrable performance and cost metrics, payments companies should evaluate other supplier characteristics. The ownership and handling of money is regulated by multiple government agencies. The ownership and handling of personally identifiable information is catnip for other regulators. Understanding exposure to regulation is another factor in vendor selection.
- Regulatory compliance and exposure. Regulatory changes move markets. The EU’s Digital Markets Act (DMA) will go into effect early in 2023. It explicitly disallows secondary uses of previously gathered consumer data. How will that affect data suppliers in use or under consideration?
- Data governance. Machine learning and AI are powerful tools but their effectiveness and fairness require crisp understanding of the specific use case and the technology’s limitations as well as careful data curation. Regulators take a dim view of an AI’s “black box” inability to explain its decisioning. Security requirements, fairness, and privacy are all concerns.
The Role of the Payments Industry
The payments industry is a critical consumer of the data that identifies us. Therefore, it is in the industry’s interest to influence if not steer the development of a data sharing ecosystem. Phixius, FDX and Financial Grade API (FAPI) are a start but other initiatives are in the offing that will need intellectual and financial contributions. Partnering with data providers, those proposing open wallet standards, and schemes built to access and share verified credentials should be on the payment industry’s agenda.
It’s clear to me that it is time to think of the Identity Industry as the key partner in the search for better data, rather than a set of services that continue to muddle about with some abstract notion of “identity”.
About the Author. As an advisor to Glenbrook, George brings over 15 years in payments technology and 30 years in IT-based entrepreneurship and product management to help clients with payments strategy and market development. He consults across a range of business and technology areas with emphasis on mobile and POS payments acceptance, online and offline data security, and digital identity. George is also the founder and co-host of Glenbrook’s podcast series, Payments on Fire®.