As driver licenses, passports and bank cards enable the virtual, is secure identity within reach?
Combining strands with layered identity
Systems like those from MorphTrust and SecureKey are taking early steps to bridge physical credentials with virtual users, but these are just two of the efforts underway to assure an identity online. There are other technologies and approaches that can be used in the background to validate an identity and move beyond self-asserted credentials and standalone KBA.
Setting up an identity for an individual online should be a process rather than a single action at a single point in time, says CA’s Vaidhyanathan. “Collect basic information from people at the start – for example a small amount of knowledge-based authentication to on-board a user – but don’t start them off with the high level of authentication,” he explains.
Using KBA as one ingredient of an identity recipe is what Idology recommends, says John Dancu, president and CEO at the company. Idology’s products work in the background to help figure out whether or not an identity is legitimate. “We have to assume that data has a high probability of being breached and the idea of taking data and matching it to public records isn’t sufficient,” he explains.
Idology looks at the data someone is presenting, examines the devices and looks for malware, geo-location and other attributes, Dancu says. A lot can be determined by looking at location and activity-based attributes. “If the same customers are all coming in from the same location within a matter of minutes it raises fraud flags,” he says.
All of these attributes can be checked in the background and as long as no flags are raised the transaction can take place with a high level of assurance, Dancu says. If some of the flags are raised you add additional layers, such as KBA, to raise the bar. “When you pull together all the other attributes you can validate a legitimate customer pretty quickly,” he explains. “You have to look at the other factors and then only go to KBA when you have to.”
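The layered check described above, sketched as an added example (not Idology's code or any vendor's product logic): background signals are evaluated on each login, and KBA is requested only when a flag is raised. The five-minute window, the threshold of three customers, the event field names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed reading of "a matter of minutes"
MAX_CUSTOMERS = 3              # assumed: more distinct customers per location is a flag

def decide(events, window=WINDOW, max_customers=MAX_CUSTOMERS):
    """Return [(customer, action, flags)] for time-ordered login events."""
    recent = defaultdict(deque)  # location -> deque of (time, customer)
    decisions = []
    for ev in events:
        q = recent[ev["location"]]
        q.append((ev["time"], ev["customer"]))
        while ev["time"] - q[0][0] > window:
            q.popleft()          # forget logins older than the window
        flags = []
        if len({customer for _, customer in q}) > max_customers:
            flags.append("location_velocity")
        if ev["new_device"]:
            flags.append("new_device")
        if ev["malware"]:
            flags.append("malware")
        # Background checks pass silently; any flag adds the KBA layer.
        action = "step_up_kba" if flags else "allow"
        decisions.append((ev["customer"], action, flags))
    return decisions

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time

def login(sec, customer, location, new_device=False, malware=False):
    """Build one constructed sample event; location is a coarse geo key."""
    return {"time": T0 + timedelta(seconds=sec), "customer": customer,
            "location": location, "new_device": new_device, "malware": malware}

SAMPLE = [  # constructed sample data, not real traffic
    login(0, "alice", "loc-A"),
    login(30, "bob", "loc-B", new_device=True),
    login(60, "c1", "loc-C"),
    login(90, "c2", "loc-C"),
    login(120, "c3", "loc-C"),
    login(150, "c4", "loc-C"),    # fourth distinct customer inside the window
    login(900, "alice", "loc-C"), # window has expired by now
]

if __name__ == "__main__":
    for customer, action, flags in decide(SAMPLE):
        print(f"{customer:6} {action:12} {','.join(flags) or '-'}")
```

The first three logins from loc-C are allowed because the velocity flag trips only on the fourth; a deployment would typically also re-review the earlier logins in the burst once the flag fires.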
Idology works with retail, financial services and health care companies. One of its latest focuses involves the mobile device and being able to identify people even if they switch handsets or carriers. “More fraud is coming from mobile and we want to establish persistence on these devices,” Dancu adds.
This is an area that Payfone focuses on as well. Payfone works with all four of the major mobile networks to identify device owners, regardless of whether they switched handsets or carriers, says Mike Bijelich, director of strategic deployments at the company.
For example, if a customer is using a financial institution’s app on a new mobile device, the institution sees an IP address, cookie and some other details. With Payfone the institution will also see what mobile operator the phone is on, whether it’s a new device and if there have been any changes with the customer. “We tie the mobile network identity to the login event and then tokenize it and add it to our intelligence,” Bijelich explains. “With our technology in the background, fewer authentication challenges are required.”
As the mobile device number is increasingly becoming one of the more valued identity attributes, it’s important to know something about who owns that device, Bijelich says. In essence, the mobile, its device ID and the individual’s phone number are comparable to a modern day driver license.
But mobile has the added benefit of already crossing the physical and virtual realms. Companies like Idology and Payfone are breaking new ground, exploring how the mobile and the vetting done by carriers can be leveraged for identity purposes.
Mapping the wallet’s DNA
Mobile phones, passports, driver licenses and bank cards hold the DNA to link the physical world with the digital. Enabling attributes from these documents and devices to be used for digital identification can solve two of the biggest problems out there: getting new credentials into the hands of consumers and making sure they have been thoroughly vetted prior to issuance.