Identity verification methods in constant evolution
As society changes, security and identity verification methods need to change too, Patrick Harding believes.
Mr. Harding has spent the past 12 years as chief technology officer for Ping Identity, an identity access management vendor. He is a featured speaker at the Cloud Identity Summit, which takes place in Chicago June 19-22. He will join HSBC’s head of digital identity Dan Johnson, Fidelity Investments architect director Carolyn Sorenson, and Capital One lead architect Adam Mingus to discuss how they employ identity to reduce fraud and improve operations, compliance, revenue and user experience.
Financial services companies contend with interesting challenges as they protect consumer identity, Mr. Harding said. With mergers, acquisitions and even company silos to contend with, they often have to work across multiple web properties and a mishmash of different systems to create one consumer identity within a brand. One major player once required 12 different sign-ins on its website, for example.
Consumers demand such facility and expect it across a growing number of devices and environments. And in the perpetually competitive world of financial services, if you can’t provide it and someone else can, you risk losing them. The challenge grows as banks lean toward stronger authentication methods, Mr. Harding added.
Some initial efforts such as the transmission of one-time passwords via SMS proved insecure, Mr. Harding said. While the American financial services industry was working through these early efforts, developments elsewhere will help accelerate the process.
“We’re starting to see increased regulation in Europe, the United Kingdom and Australia,” Mr. Harding said. “With Open Banking in the UK and PSD2 in Europe, banks are exposing and opening up their APIs to third parties to allow for account balances to be shared and payments to be easily shared.”
The sharing of what was often proprietary technology with verified third-party businesses and competitors represented a considerable shift from the traditional protectionist mindset and, not surprisingly, the industry had to be compelled, Mr. Harding said.
“The technology was there to do this but it took regulation to force them to act.”
The move is designed to accelerate innovation and improve the customer experience, and mimics a societal shift towards open source collaboration using the power of the crowd. In the United Kingdom, nine major banks are being regulated, but challenger banks are also following suit as they see it as an opportunity to streamline their ability to get access to customer data, Mr. Harding said.
Expect that collaborative flavor to extend into optimal security methods with behavioral biometrics playing a key role, Mr. Harding explained. Mobile devices are increasingly able to learn how users interact with them and can record the owner’s keyboard motions and speed to develop a recognizable pattern which differentiates the rightful owner from a fraudulent user.
The next level of biometrics includes facial recognition and iris scanning, two instances where banks might be ahead of consumer comfort levels, Mr. Harding suggested. Both techniques are in the early adopter phase and consumers will need time to acclimatize themselves to the practices. That should not take long as most consumers are comfortable with phone cameras and more phones are employing fingerprint technology.
Those solutions will likely play second fiddle to one which Mr. Harding believes will play an increasingly prominent security role in the years ahead.
“Most of the way we interact in the future is coming to voice. With Alexa and Google Home people are growing comfortable talking to their home devices.”
Convenient tools, but ones with authentication challenges, Mr. Harding said. You can ask Alexa for your bank account balance but you cannot give it your password.
The acceptance of EMV technology has increased the incidence of card-not-present fraud, Mr. Harding said. Fraudsters are creating new accounts by stealing personal data and mimicking the user. The industry can combat this by using social media to confirm identities, Mr. Harding said. Our online identities are searchable, trackable, and hard to replicate.
“It is not the social media persona that is a good indicator, it is the network that surrounds me, the reports of 100 friends, who confirm my identity,” he explained.
As effective as it may be, social media data is only one signal, Mr. Harding cautioned. The more signals you can incorporate from different places, the stronger your protection will be.
“It must be transparent to the user, and the user experience must be seamless,” Mr. Harding advised.