Tue, 09 Apr 2019
As a media partner, The Banking Scene attended the KNOW conference in Las Vegas, hosted by One World Identity. The central theme of these couple of days was identity in all its aspects, and how to deal with it in a digital world. Not being an expert in the field myself, I try to formulate my takeaways and lessons from the sessions I attended and share them with you.
“On the internet, no one knows you’re a dog”
Identity is something each and every one of us has, and it is unique to each of us. Recent trends are accelerating the need for a digital identity. As a result, the lack of a digital identity causes commercial issues, but is also a societal problem, for instance in the case of human trafficking.
To govern individuals and their identity, and businesses and their legal identity, self-sovereign identity (SSI) is put forward as the ideal set-up for managing identity. It makes it possible to disclose only what is needed in order to be served; when you need to prove that you’re over 18 years old, showing a driver’s licence does the trick, but reveals a lot of other information as well. SSI is related to context: the right information at the right time in the right place. But why would an organization care to invest in this technology if, up till now, the existing tools still work?
First of all, SSI allows cross-silo identification while eliminating friction. Fraud can be controlled as well, and GDPR can be respected. The most important consequence, however, is that a business can create an entirely new relationship with its customers; e.g. when a credit union issues credentials to a person, it’s a new digital relationship. It is a new form of authentication for both parties: mutual authentication can be the end of phishing, can replace e-mails, …
However, you can’t boil the ocean at once.
The mission is to organize, redefine and map digital identity. One thing is the integration with SSI APIs, the other is the business process challenge.
Getting to that SSI state requires quite a lot of investment and prerequisites. One important prerequisite is the question of who should own that data, and where it should be registered, verified and stored. Especially for regions such as the Anglo-Saxon countries, where an ID card per individual does not exist, this is extremely difficult for two reasons:
· There is no central administration holding all IDs, so simply starting to digitize that data is not an option. That is what Belgium has done with Belgium mobile ID (itsme).
· On the other hand, the notion of liberty is considered key in society and is deeply anchored in the culture. Unfortunately, the management of identity, and the fact that a central administration should register identification data, collides with this and is difficult to reconcile.
In short, an identification infrastructure is not in place globally, at all.
“Kill all the passwords!”
To authenticate yourself online, an ID is not absolutely necessary; we’ve been authenticating online without one for years and have been using passwords instead. One could say that passwords rule the process of authentication. But as you can all agree, there are a couple of issues with passwords: for one, you need so many of them! They are hard to remember and easy to steal: hackers exploit passwords, and more than 551 000 000 passwords are for sale on the dark web.
Facebook takes this friction away with Facebook Connect, knowing that in return you give all your data to Facebook for them to monetize it.
Another answer to these password weaknesses could be Multi-Factor Authentication, where you combine something you are, something you have and something you know, which provides more trust in who the user is. Something you know can be replaced easily, something you are is natural to use, and something you have cannot be stolen remotely, but again, this is a heavy process. To lower the threshold for the user while staying at least as secure, biometrics could be added as a differentiating factor. The goal is, in any case, to delegate the risk and to have stronger proofing.
“Building better trust scores without becoming black mirror”
Identity and authentication are very much about trust. The notion of trust in a world of digital identity and SSI is split across different parties. When an identity provider issues an identity, it is up to the relying party to trust this provider and the issued identity or not.
Trust in digital identity is built by individuals validating each other’s identity, and on the amount of data that one can prove, and this is not only related to identification data but to social data as well. Trust comes from people you know — and there are people you don’t know but who are like the people you know, whom you don’t necessarily trust. Therefore, trust is not built on big data; big data only creates affiliation. It’s only small data that creates mutual trust.
“To friction or not to friction”
A digital identity simplifies digital interaction and who you are online. Unfortunately, in a lot of cases it’s a frictional and painful process.
However, some might state that some friction is needed in order to make the user aware of the fact that he is sharing personal data and giving consent. For instance, the European cookie policy makes sure that the user knows what cookies are kept, but accepting cookies every time you visit a site also causes a lot of friction. The answer lies somewhere in between: the user should be made aware of the consent, but this should then be done in the most user-friendly way. Just above what the user expects and just enough to make him secure — the appropriate level of friction given the level of risk.
Compliance is a big driver when it comes to friction: big banks have a large legacy and heavy systems that are hard to change, a problem that fintechs do not have. Fintechs are looking to gain market share and they look at compliance differently. You can look at it this way: do you prefer to log in to your bank with your Google ID, or to log in to Google with your bank ID? We have to be careful what we ask for — a frictionless digital identity is also a frictionless fraud.
“Saner onboarding means safer onboarding?”
Fraud will not disappear when we reach an ideal state of digital identity. Fraudsters will find another way and this needs to be anticipated; a “wait-and-see” approach is not an option here. Together with regulators, the field needs to shape that thinking.
“Digital identity empowers excluded societies”
Digital identity is an opportunity for financial inclusion, but it’s bigger than that: when a society has a large percentage of financial inclusiveness, revenues increase for SMEs, and the GDP increases.
Many people are not able to prove things about themselves, and so miss out on education, support or opening a bank account. Furthermore, digital identity is a means of transparency, anti-corruption and respecting human rights.
Challenges of implementing digital ID in an underdeveloped country are, for instance, mobile connectivity and the kind of technology that merchants are equipped with. Using biometrics as a means of identification and authentication is not the right way to go in a world where fingerprints are worn out from hard labor, and merchants are not equipped with state-of-the-art POS.
What is deployed in such societies should be interoperable. Wide-scale adoption will only happen when day-to-day problems (e.g. getting food) are actually solved. I feel another responsibility for the UN coming up …
To conclude …
The discussions held at KNOW were very much about the prerequisites for an identity infrastructure rather than concrete target solutions to get to a world where all individuals have a digitized ID. Therefore the topics touched more on the ethical core than they would have if the conference had been held in Europe. The upside of this is that it gives insight into the reasoning behind and the build-up of the existing digitized and digital identity, which is way more mature in the EU. In the EU, the consumer is much more protected, having consumer unions and a government that looks after your identity and you.
The idea that a government or a central institution would touch on something personal and “know” you is a hard nut to crack for an American. In the U.S., there is freedom to speak your mind and spend money without revealing who you are, except on the web …