DNA for future identity is in your wallet
As driver licenses, passports and bank cards enable the virtual, is secure identity within reach?
01 February, 2016
category: Biometrics, Corporate, Digital ID, Financial, Government
Could banks be key to online ID?
While the driver license may be the standard identity document in the U.S., there are also payment cards. While individuals aren’t normally asked to present a payment card as proof of identification, financial institutions must perform “know your customer” verification before enabling a customer to open a bank account.
Onboarding: What not to do
When enabling a customer to create a new identity, it’s important that there are checks involved from the start, says Doc Vaidhyanathan, vice president of product management for CA Advanced Authentication.
In some cases it’s fine to enable a self-asserted identity for browsing or simple tasks, but when it comes to payments or a high-assurance identity there are steps required before granting privileges or access. A financial institution’s fraud alert system can check that addresses and other data elements match up. What’s trickier is when someone steals a payment card and starts using it in the real world.
When Apple rolled out Apple Pay on its iPhone 6 and 6 Plus, it was touted as a secure, biometric payment tool. Enrolling a new card was easy too: just use the camera to snap a picture and you were ready to go.
This proved to be too easy as fraudsters were taking cards, enrolling them on phones and making purchases. At one point it was estimated that 6% of Apple Pay transactions were fraudulent. “The minute I put that card on my phone it’s as legitimate as anything else,” Vaidhyanathan explains.
When enrolling a new card on a device an important step was left out, says Vaidhyanathan. A second factor should have been put in place before that card could be used. Something as simple as an email with a link would have prevented much of that early fraud.
Apple was trying to make enrollment as simple as possible with the new system, Vaidhyanathan says. “If you had to take another step some people would have abandoned it,” he adds. “It’s the age-old problem that happens with security, we don’t want friction in our experiences.”
In Canada, banks have been enabling customers to use their bank login for access to government sites. This gives the government a high assurance of whom they are dealing with without having to vet and issue identities.
The system has been running for three years with three separate financial institutions, says Charles Walton, CEO at SecureKey. One of the main applications is enabling citizens to use the bank login for access to the Canadian IRS, but other applications are rolling out in the provinces. “In the first six months of the year – peak times – we generally see about 2 million transactions per month,” Walton explains.
This basically takes the idea of a social login, which normally relies on a self-asserted Google, Facebook or LinkedIn user name and password combination, and adds a high level of assurance thanks to the vetting the bank has previously performed.
“This is social login with privacy and trust,” says Stuart Vaeth, senior vice president of business development at SecureKey.
The company is extending the service beyond Canada, launching SecureKey Concierge with US Bank in the U.S. This will enable US Bank customers to use the login information for their financial accounts to access other services in a secure and privacy-enhancing way, Vaeth says. “It solves two issues: password proliferation and how a service provider verifies who the user is online,” he adds.
SecureKey is in talks with other financial institutions about using the system in the U.S. and the company is focusing on health care for initial use cases, Vaeth says. Instead of relying on knowledge-based authentication for access to a health care provider or insurer, the Concierge service would use the bank credential to verify identity.
When accessing the site the user would be given the option of using a banking credential for access, Vaeth says. Instead of answering the knowledge-based quiz or undergoing another verification step, the user would enter the banking credential, consent to share the information and then US Bank would pass along an anonymous identifier. “This leverages the identity proofing that the banks have already done,” he explains.