Are you really sure I am not a dog? Maybe I am a really smart dog with an AI implant pretending to be a human. Disclosure, Daily Fintech is written by a stealth mode AI venture as a proof of concept.
Seriously folks, you cannot know my Identity. To read a free post you don’t care. If you are going to send me money, you do care. You do not want to send money to my dog.
This week on Daily Fintech is all about Digital Identity (KYC as seen by the bank). This is part of a series where we look at the impact of different disruptive technologies on Finance. In the past we have covered Blockchain, Artificial Intelligence, Regtech, Chatbots, XBRL, Wearables and Open API.
Digital Identity touches on almost everything Fintech. It is the foundation of trust and trust is the foundation of value exchange. In it’s KYC guise, it is core to RegTech.
Do you hate the trade-off between security and productivity involved in passwords? You can do it properly (long complex passwords that are different for each service and that you change regularly). which gives you security but is too much of a time suck for most humans. Or you can leave your digital door wide open to hackers.
Do CAPTCHAs annoy you? Ever wonder how secure they really are?
Do you find the easy way out of entrusting your identity to some big social media service that becomes your gateway to the Internet and knows your most intimate secrets a bit disturbing?
If so, you are not alone. Welcome to the world of Digital Identity, which is trying to find a solution for you.
Today is the briefing about Digital Identity. Then we resume normal programming by focusing each day on use cases within different customer segments:
Tuesday = Wealth Management and Capital Markets
Wednesday = Small Business Finance
Thursday = Insurance
Friday = Consumer Banking & Finance.
Government Issued Identity Artefacts
In the West we are used to proving our identity with simple artifacts such as driver’s license, passport or social security number. In the Rest (Of the World), verifiable identity is the on ramp to financial inclusion. This was brought vividly home to me when waiting in line at a Post Office in NYC and witnessing the desperation of a homeless person being refused a PO Box because she had no physical address. Without that PO Box she would be refused the job she had applied for. She would be an unperson without any official identity.
What if you are a refugee or live in a failed state? What if a Government Issued Identity Artefact is simply not an option?
In India they are tackling this through the Unique Identification Authority of India also known as Aadhaar. This an example of “first the Rest then the West” (leapfrogging old technology). The Indian Aadhaar system does two key things:
- first, enrolls people by taking 13 biometrics (10 fingers, 2 iris scans and a photo).
- then, issues a unique 12-digit random identifier (11 random numbers and one check digit to be precise)
When a person uses their Ardhaar Number (for example to access a bank account), they present their 12-digit number and then the entity they are interacting with does an authentication step (to prove they are indeed the person the number they are presenting points to). This authentication step then replies back yes/ no (the presented biometric either matches the one on file or it doesn’t).
This is far more secure than something like a Social Security Number in America which is easily hacked by identity thieves.
Biometrics – “what part of your anatomy does Sir/Madam wish to use?”
Biometric security, which aims to replace passwords and CAPTCHA, comes down to a simple question. Which body part do you want to use to identify you?
– Finger. This one scares me. It is hackable, by simply recording somebody’s fingerprint and putting that on thin film. I can change my password if I am hacked, but I cannot change my finger.
– Voice. This has a nice old-fashioned ring to it. Voice recognition is like the banker who recognized your voice. The tech has been brewing for a while and seems ready for prime time. VoiceVault and Nuance are the two leading contenders. Voice is probably better for high value transactions than getting a coffee or paying for a subscription. Talking to my phone in the line for my coffee seems too much like the movie Her.
– Typing rhythm. I never understood why BioPassword did not do better, it seemed so simple and elegant. Maybe mobile changed typing rhythm and created new rhythms around swipe.
There may be something new that emerges out of smart watches, such as pulse recognition, but that hits the universality problem ie not many people have smart watches.
That is why the Indian Ardhaar system takes 13 biometrics. It also uses low cost, robust/proven technology. This is not a laboratory experiment. It is a mass market deployment where every fraction of a penny counts.
FIDO – authentication with low friction
No, this is not your faithful dog.
The FIDO Alliance is an Identity Management consortium with 250+ members that are famous names in banking, insurance, e-commerce, authentication technology, payments, cellphone SIM suppliers and consumer electronics. The FIDO Alliance develops protocols and standards to authenticate users via their personal devices, so that users can get rid of passwords.
FIDO uses a hardware cryptographic device called Universal Second Factor (U2F), which generates a new key pair for every service that you connect to.
U2F does not rely only on biometrics. That is why it can claim the title Universal.
FIDO is designed to get the balance right between security and friction/ease of use. So FIDO allows for any of the factors of authentication to be used, such as:
– cryptographic tokens (think of this as something your device does for you to help authenticate you)
– somewhere you are (based on a geo-location service)
– something you know – a one-time password that is cryptographically created (and as any cold war espionage buff will tell you, one time passwords work very well).
The U2F protocol does not identify a user, it merely proves that someone has the device with control over a registered key.
Device based authentication from the past has major issues:
- Magnetic strip card. This is your conventional credit card. These are fading out because they is so open to fraud. It only costs about $50 to buy a mag strip writer, and it’s easy to get your hands on cards to copy them.
- Proximity card or RFID. These cards transmit stored information via RF (Radio Frequency). It is used more for identifying products (for example in a supply chain) than for people. For people there are privacy issues. For example, a Passport with RFID tags could be used by governments to remotely identify citizens of a given country by physical location (and in the wrong authoritarian hands that is dangerous).
- Chip Cards. These are sometimes called Smart Cards or more technically Challenge/Response cards and Cryptographic Calculators. They perform a cryptographic calculation. Sometimes the card will have memory, and sometimes it will have an associated PIN (“Chip & PIN”) and sometimes not (“CHIP and Signature”). They are not fully secure on their own – being vulnerable to power-analysis attacks. The mobile money revolution can be seen as chip cards moving from plastic to just another service on your phone (which of course has a chip).
Authentication is not the same as Identification. You still need to identify yourself – for example, key in a 12-digit number if you are Indian. That is a pain point for new services that want to entice you in. You won’t key in a long identifier for a service you don’t know much about. That is why we need Identity Portability.
OpenID Connect – Identity Portability
OpenID Connect is about being able to use a common identifier across multiple sites (identity portability). As Open ID originated pre FIDO, they also did some authentication, but it now we can see FIDO as the solution to authentication and the two should be seen as complementary.
You have come across the idea of identifier portability when you log into a website using a service such as Facebook, LinkedIn, Twitter or Google (referred to as an Identity Provider service in this context). This approach lets users leverage one account across a multitude of sites across the web and gives people control over which attributes of their identity are asserted and to whom in a secure and privacy-controlled fashion.
OIDC doesn’t authenticate the user but rather conveys that authentication across the network. This is where FIDO plus OIDC is so powerful. The user can protect their primary identity using FIDO and use it all over the web using OIDC.
Something You Are and the privacy challenge
Digital Identity is such a thorny problem, fraught with technical, legal, societal and political issues, because your Personally Identifiable Information (PII) aka your digital exhaust (the trails you leave on the Internet) will define how you live your life (whether you get financing, get a job, get citizenship and so on).
This is what can change society and business at a fundamental level. There is a reason why Microsoft worked so hard to get Passport established – the upside is massive. There is also a reason why any company that gets close to this prize – whether it is Facebook or Apple or Microsoft – eventually gets consumer pushback.
“10 years from now it may be harder to change identity providers than it is to change countries”
PII is so critical because this data determines your access to:
- capital (how credit-worthy you are).
- a job or customers (what you have done)
- friends (who you know)
- Your access to healthcare (your medical records).
The problem with your PII stored in centralized data centers is that data can be hacked and your identity can be discovered through data science technology. For example, one service provider may store your medical records and another your financial records and in both cases your identity may be masked from the service provider, but it is technically possible to identify an individual person from this data.
Maybe that data should be stored somewhere safer such as the Blockchain.
Sovereign Woman on the Blockchain
Blockchain technology can meet two fundamental needs:
- Trustless and decentralized. Your Identity is not under the control of any institution (either Government or commercial).
- Immutable. Nobody can change a record; they can only append a new record.
In this vision of the future, the human is sovereign and is in charge.
Consumer control over Identity enables granularity – you can have my driver’s license but not my passport or medical records and you can only have it for this one transaction. This could enable the Doc Searls vision of Vendor Relationship Management (VRM). I have been fascinated by VRM since I wrote about it for ReadWrite back in 2007. Some tech disruptions have to wait for a trigger to turn inevitable into imminent. The blockchain based identity systems may be that trigger. A similar vision is articulated in the book called Pull by David Siegel. This is a fundamental reordering of commerce. For all the talk of “customer first” a world where customers are really in charge will be a wrenching transformation for most companies.
This will challenge all the business models driven by big data. Translation of big data:
“We will assemble data about you so that we (or our customers) can sell to you in a way that suits us and maximizes our profit”.
The reordering of commerce enabled by consumer control over PII changes that to:
“I will buy from you when and how it suits me”.
It is also a fundamental change in our relationship with government. We are used to a world where our identity is granted to us by government. If humans control their own ID our relationship with government also changes.
This fundamental reordering could be made possible by Blockchain technology.
Finally, my thanks to Kaliya Hamlin aka Identity Woman, who helped me come up the learning curve on this subject (but any mistakes and misconception are entirely mine). If you want to really learn about Digital Identity, her site is a gold mine of intelligence.