DNA for future identity is in your wallet
As driver licenses, passports and bank cards enable the virtual, is secure identity within reach?
01 February, 2016
category: Biometrics, Corporate, Digital ID, Financial, Government
Combining strands with layered identity
Systems like those from MorphTrust and SecureKey are taking early steps to bridge physical credentials with virtual users, but these are just two of the efforts underway to assure an identity online. There are other technologies and approaches that can be used in the background to validate an identity and move beyond self-asserted credentials and standalone KBA.
Setting up an identity for an individual online should be a process rather than a single action at a single point in time, says CA’s Vaidhyanathan. “Collect basic information from people at the start – for example a small amount of knowledge-based authentication to on-board a user – but don’t start them off with the high level of authentication,” he explains.
Using KBA as one ingredient of an identity recipe is what Idology recommends, says John Dancu, president and CEO at the company. Idology’s products work in the background to help figure out whether or not an identity is legitimate. “We have to assume that data has a high probability of being breached and the idea of taking data and matching it to public records isn’t sufficient,” he explains.
Idology looks at the data someone is presenting, examines the devices and looks for malware, geo-location and other attributes, Dancu says. A lot can be determined by looking at location and activity-based attributes. “If the same customers are all coming in from the same location within a matter of minutes it raises fraud flags,” he says.
All of these attributes can be checked in the background and as long as no flags are raised the transaction can take place with a high level of assurance, Dancu says. If some of the flags are raised you add additional layers, such as KBA, to raise the bar. “When you pull together all the other attributes you can validate a legitimate customer pretty quickly,” he explains. “You have to look at the other factors and then only go to KBA when you have to.”
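The layered flow described above, as an added sketch that is not Idology's code: background signals are checked first, and KBA is requested only when a flag is raised. The time window, customer threshold, field layout and sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events: (customer, coarse location, time, malware seen on device)
EVENTS = [
    ("c1", "geo-A", "2016-02-01T10:00:00", False),
    ("c2", "geo-A", "2016-02-01T10:01:30", False),
    ("c3", "geo-A", "2016-02-01T10:03:00", False),
    ("c4", "geo-B", "2016-02-01T10:02:00", False),
    ("c5", "geo-B", "2016-02-01T11:30:00", True),
    ("c1", "geo-A", "2016-02-01T14:00:00", False),  # same customer, hours later
]

WINDOW = timedelta(minutes=5)  # assumed meaning of "a matter of minutes"
MIN_CUSTOMERS = 3              # assumed number of distinct customers in a burst


def velocity_flagged(events, window=WINDOW, min_customers=MIN_CUSTOMERS):
    """Return indexes of events in a burst: at least `min_customers`
    distinct customers from one location inside `window`."""
    by_location = {}
    for idx, (customer, location, ts, _malware) in enumerate(events):
        by_location.setdefault(location, []).append(
            (datetime.fromisoformat(ts), customer, idx))
    flagged = set()
    for rows in by_location.values():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the sliding window until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            burst = rows[start:end + 1]
            if len({customer for _, customer, _ in burst}) >= min_customers:
                flagged.update(idx for _, _, idx in burst)
    return flagged


def assess(events):
    """Allow silently when no flag is raised; otherwise step up to KBA."""
    burst = velocity_flagged(events)
    decisions = []
    for idx, (customer, _location, _ts, malware) in enumerate(events):
        flags = []
        if idx in burst:
            flags.append("location_velocity")
        if malware:
            flags.append("malware")
        decisions.append((customer, "step_up_kba" if flags else "allow", flags))
    return decisions
```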
Idology works with retail, financial services and health care companies. One of its latest focuses involves the mobile device and being able to identify people even if they switch handsets or carriers. “More fraud is coming from mobile and we want to establish persistence on these devices,” Dancu adds.
This is an area that Payfone focuses on as well. Payfone works with all four of the major mobile networks to identify device owners, regardless of whether they switched handsets or carriers, says Mike Bijelich, director of strategic deployments at the company.
For example, if a customer is using a financial institution’s app on a new mobile device, the institution sees an IP address, cookie and some other details. With Payfone the institution will also see what mobile operator the phone is on, whether it’s a new device and if there have been any changes with the customer. “We tie the mobile network identity to the login event and then tokenize it and add it to our intelligence,” Bijelich explains. “With our technology in the background, fewer authentication challenges are required.”
Porn drives online ID
The adult entertainment industry is credited with bringing many technology advancements, but now it may also be responsible for bringing validated online identities to the masses in the UK.
It’s not that users will have to have a completely vetted identity, but they will have to go through age verification before accessing adult content, says Emma Lindley, founder of Innovate Identity, a UK-based consultancy. “All adult sites will be regulated and have to confirm age,” she adds. “A lot of personal ID providers are playing in this space and are looking to federate age verification.”
There are several initiatives to bring such a system online but it’s also possible that Verify, the UK’s online identity initiative, may be used. Verify could provide the attribute that the individual is old enough to access content without divulging other personal information not required for the transactions.
As the mobile device number is increasingly becoming one of the more valued identity attributes, it’s important to know something about who owns that device, Bijelich says. In essence, the mobile, its device ID and the individual’s phone number are comparable to a modern-day driver license.
But mobile has the added benefit of already crossing the physical and virtual realms. Companies like Idology and Payfone are breaking new ground, exploring how the mobile and the vetting done by carriers can be leveraged for identity purposes.
Mapping the wallet’s DNA
Mobile phones, passports, driver licenses and bank cards hold the DNA to link the physical world with the digital. Enabling attributes from these documents and devices to be used for digital identification can solve two of the biggest problems out there: getting new credentials into the hands of consumers and making sure they have been thoroughly vetted prior to issuance.