May 2, 2019
Matt Collicoat, FIS VP Global Payments Innovation and Strategy
Identity and verification are interlinked concepts which have a critical role in the continued digital evolution of payments and banking. From showing photographic ID to completing a transaction in person, to demonstrating proof of address when applying for a financial product, confidently identifying the customer is central to the smooth running of the economy.
But traditional methods of identification and verification still largely rely on the presentation of a physical document or at least a long hard-to-remember password, practices which defy the nature of digital commerce, and conflicts with its main benefits like convenience, speed, frictionless transacting and remote access.
As consumers continue to abandon the branch and main-street store in favor of mobile apps, banks and stores are redefining how they identify customers. Consumers enjoy the ease of use of an online economy, with banks and retailers literally at their fingertips through mobile apps. In parallel, the banks and retailers have embraced the cost-benefits of a smaller physical presence achieving a broader online presence.
However, this has had a significant impact on customer identification, raising questions and demanding solutions. The fundamental question is that without direct interaction with bank or store staff, how can customers accurately and securely demonstrate that they are who they say they are?
The dominant form of identification currently used in digital commerce, the password, is no longer strong enough to provide strong user authentication. Passwords can be cumbersome for consumers, hard to remember, and are rarely modified once created. Because passwords are difficult to remember, consumers tend to use the same password for multiple sites increasing the impact of fraud if any one site is hacked. The weakness of passwords and the dangers of having multiple organizations storing customer passwords on their servers (along with email addresses and credit card details) are well documented. For many years, sites needing more security have employed crypto calculators and special keypads, but while more secure, they are somewhat cumbersome for everyday use.
In response, true electronic or digital identification is seen as the response. However, a digital ID is not simply an electronic file that acts as an online passport that gives access to all areas. It is a suite of potential security mechanisms that scale depending on the risk level; low-level transactions may require only minor security whereas a high-risk, high-value interaction may require multiple levels of security. Digital identity is not about what you know, it is more about what you are.
Secure identification works best when it is a mixture of factors. Something you know (a passcode), something you have (a mobile device, dongle or one-time password), something you are (a biometric characteristic or behavior pattern) working together ensure the greatest protection. This multi-factor identification is also critical in the battle against data breaches. If biometric information is compromised, for example, without the addition of password or PIN it would be useless to criminals.
Using a digital ID is about combining the multiple factors appropriately for the threat level. For example, simply logging onto a banking site with a password will happily return the account balance, but to transfer ten thousand dollars across borders will require a biometric or behavioral confirmation. Fingerprints and facial recognition certainly provide good confidence in confirming clients, but behavioral analysis is increasingly being used to confirm identity. Such analysis includes checking data on the customer’s device; the geolocation is normal, the phone’s software is expected, the login channel is regular, the typing style is consistent, the accelerator information matches normal use – several layered and interlaced checks that all impact the confidence that service providers can have that the end customer is who they purport to be.
Implementing sophisticated multi-layered authentication is unfeasible for every bank and retailer, but the good news is that they do not have to do it. Instead, they can sign-up to services that offer digital identification on demand in real time while they focus on their core business of providing services to their consumers. When a customer logs in and a transaction is made, a dedicated digital ID service will return a yes or no decision, or a confidence rating, based on multi-factor checks that match the risk of the transaction and what they want to do. These services also provide early warning on fraudulent activity by flagging potentially suspicious behavior. As soon as fraud is suspected in one channel, that digital ID can be instantly blocked for other services; a community of security.
To operate, customers must sign-up to the digital ID service that can make real-world and virtual checks on an individual’s identity for complete KYC; driving license, passport, credit history, facial-reconciliation software matching a selfie to photo ID, iris and fingerprint scans, etc. Once the digital ID is setup, behavioral learning can then step in to improve customer recognition based on their normal digital online behavior. The digital ID just gets better, smarter and more secure as it is used.
Many vendors operate nationally, regionally and globally to provide these services. It is important to combine the initial setup checks with the background service to maintain and grow the digital identity scheme with ongoing checks, approvals, and learning every time customers log on. When evaluating digital ID services, start with a trusted party that holds all the information, is compliant with national and international compliance standards (PCI, ISO 27001, etc.), and that operates across multiple sectors.
Digital IDs give banks and retailers the opportunity to get the balance right. Simple, low-friction security for low-risk transactions, higher and more diligent security for higher risks. It’s a tradeoff and customers fully understand and appreciate more friction for something big, they just hate unwarranted hassle for a 20-dollar P2P transaction. The humble password is not dead in the same way that electronic transactions have not totally removed cash from the economy. It is a slow process and passwords still have an important role to play.
Digital identity is truly established as one of the most significant technology trends on the planet. Indeed, for a growing number of public stakeholders and citizens, it’s already a day-to-day reality. As a result, a revolution in the way that individuals interact with private and public institutions is underway, one in which millennials and Gen-Z are completely onboard with and welcome.
FIS VP Global Payments Innovation and Strategy
Responsible for identifying and developing strategic business relationships for FIS Payments Globally (outside of North America) as well as for the market planning for developing long-term strategic objectives for the FIS GFS Payments Group.