1 October 2018
Banks can save us from the online identity meltdown
This article was originally published on The Paypers.
We are increasingly going digital, yet the way we manage our online identity nowadays is largely based on old technology: passwords, rigid authentication procedures, security questions such as stating your mother’s maiden name or sending an image of your passport via e-mail.
It is no surprise that hackers are having the time of their lives, as these outdated safety measures are no challenge for them to breach. Besides that, users are frustrated with endless lists of PINs and passwords, and merchants see full carts being abandoned because of ghastly checkout procedures.
This creates serious problems, both economically and systemically. That is why we urgently need to change the way we secure our online lives: managing our online identities must become safer and more convenient.
Rethink the existing online identification methods
Therefore, we need to rethink the existing online identification methods. If we want to move to a pervasive, modern, secure and useful digital world, we need to reliably identify not only people – which has always been the norm – but also things: software (robots), services (PSD2’s new Third Party Providers (TPPs), who have access to your bank account), and connected devices (Internet of Things). And we should not verify the entire person, because that is actually against legislation such as the GDPR and ePrivacy, but only the needed attribute(s) (only the age, for example, when you have to be over 18 years old to enter a website legally).
It is now the case that with modern technology (mobile, intelligent dynamic use of data, risk-dependent authentication, context-sensitive interactions, sensor fusion technology, biometrics) we can combine security and convenience.
Not only a matter of technology
But it is not only a matter of technology. We must also organise the topic better. Instead of creating yet more and more separate solutions to verify the identity of a user – nowadays every organisation or website has its own identity methods – a federated system is surely better. This means that electronic identity and its attributes are compiled across multiple identity management systems, which can then be linked together to verify certain aspects of both people and things.
So how do we, as mentioned before, identify people and things? By switching from a focus on identity to a focus on rights management. This means that in the future we verify the rights of not only people, but also the rights of things: does a certain piece of software have the right to initiate a payment, see the balance on my account, collect information about my transaction history? Does this device have the right to communicate with my bank card, open this door for me, to drive me to work? Does this individual have the right to enter this website to order that alcohol?
Banks have excellent assets against hackers
There might be a role here for the financial services industry. Banks currently see the erosion of their traditional business models: low interest rates reduce income, and reduced transaction fees and increased competition hit balance sheets. This means it is surely time to develop new business models and managing online identity could be one of them. After all, banks have excellent assets against hackers in the field of online identity: provably the most robust and preferred of any industry (see figure below).
The assets of banks comprise a global network connecting all users and companies, in which key attributes are identified, verified and controlled through the regulated and private KYC principle. This means that banks verify whether customers are who they claim to be and assess their risk factors.
Banks are currently using these assets largely for their own purposes but could now unbundle these services for the benefit of other industries. This may sound rather revolutionary, but in Scandinavia, for example, banks are already showing the way: BankID allows merchants, governments and others to rely on the authentication provided by Nordic banks – subject to user consent, of course. This means that other industries get reliable identity and banks have a new source of income.
Strategic and commercial reasons
For banks to focus on this new revenue model makes sense for commercial and strategic reasons. First of all, strategically it helps preserve the bank as the centre of trust for users, also in the online world. It would be wise for banks to take a piece of the pie at the start of this online identity revolution, as it will be harder to compete against American and Chinese tech giants once they have established themselves in the online market with features like ‘Sign-on with Facebook’ or ‘Identify yourself with Alipay’.
Commercially, it is clear that identity is bigger than payments. People identify themselves many more times a day than they pay. And it is not only the number of transactions: the value of each identity transaction (is a person really 18 years old, is that really her bank-verified shipping address) is also much bigger than the price of a payment transaction, which is tending towards zero. Think about it: if a merchant can drastically reduce the risk of fines for selling alcohol to minors (through a bank-verified ‘is-over-18’ attribute), or if a merchant can reduce fraud and returns of goods through bank-verified shipping addresses, they are clearly willing to pay for this value-added service provided by banks.
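The attribute-based verification described above (verify only the needed attribute, not the whole person) and the bank-verified ‘is-over-18’ and shipping-address attributes of this paragraph can be sketched as a small issuer/relying-party exchange. The following is an added example, not code from the article or from any bank or BankID implementation: the bank derives only the requested attributes from its KYC record, signs them for one named merchant with a short lifetime and a per-merchant pseudonym, and the merchant verifies signature, issuer, audience and expiry before trusting the claims. The KYC records, key, issuer and merchant names are all constructed for the example; an HMAC key stands in for the bank's signing key so the example runs on the standard library alone, whereas a real federated scheme would use an asymmetric signature so that relying parties only ever hold a public key.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, date, timedelta, timezone

# Constructed sample KYC records held by the bank; these never leave the bank.
BANK_KYC_RECORDS = {
    "cust-001": {"name": "A. Example", "date_of_birth": "2000-05-17",
                 "shipping_address": "1 Example Street, Example City"},
    "cust-002": {"name": "B. Example", "date_of_birth": "2008-01-02",
                 "shipping_address": "2 Example Street, Example City"},
}

ISSUER = "bank-example"                      # constructed issuer name
ISSUER_KEY = b"constructed-demo-signing-key"  # assumption: HMAC key in place of a real signing key
ASSERTION_TTL = timedelta(minutes=5)         # short lifetime limits replay
DEMO_NOW = datetime(2018, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo


class InvalidAssertion(Exception):
    """Raised by the relying party when an assertion must not be trusted."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_over(dob_iso: str, years: int, today: date) -> bool:
    """True once the customer's `years`-th birthday has passed (29 Feb treated as 28 Feb)."""
    dob = date.fromisoformat(dob_iso)
    try:
        birthday = dob.replace(year=dob.year + years)
    except ValueError:
        birthday = dob.replace(year=dob.year + years, day=28)
    return today >= birthday


def _pairwise_pseudonym(customer_id: str, audience: str) -> str:
    """Stable per-merchant subject id, so merchants cannot correlate a customer with each other."""
    return hmac.new(ISSUER_KEY, f"{customer_id}|{audience}".encode(), hashlib.sha256).hexdigest()[:16]


def issue_assertion(customer_id: str, requested: list, audience: str, now: datetime = None) -> str:
    """Bank side: derive only the requested attributes from the KYC record and sign them."""
    now = now or datetime.now(timezone.utc)
    record = BANK_KYC_RECORDS[customer_id]
    claims = {}
    for attr in requested:
        if attr == "is-over-18":
            # The merchant receives a derived boolean, never the date of birth.
            claims[attr] = _is_over(record["date_of_birth"], 18, now.date())
        elif attr == "shipping-address":
            claims[attr] = record["shipping_address"]
        else:
            raise ValueError(f"unsupported attribute: {attr}")
    payload = {
        "iss": ISSUER,
        "aud": audience,
        "sub": _pairwise_pseudonym(customer_id, audience),
        "iat": int(now.timestamp()),
        "exp": int((now + ASSERTION_TTL).timestamp()),
        "claims": claims,
    }
    body = _b64url(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_assertion(token: str, expected_audience: str, now: datetime = None) -> dict:
    """Relying-party side: check signature, issuer, audience and expiry before using any claim."""
    now = now or datetime.now(timezone.utc)
    try:
        body, sig = token.split(".")
    except ValueError:
        raise InvalidAssertion("malformed token")
    expected_sig = _b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):   # constant-time comparison
        raise InvalidAssertion("bad signature")
    payload = json.loads(_unb64url(body))
    if payload.get("iss") != ISSUER:
        raise InvalidAssertion("unknown issuer")
    if payload.get("aud") != expected_audience:
        raise InvalidAssertion("assertion issued for a different relying party")
    if payload.get("exp", 0) <= int(now.timestamp()):
        raise InvalidAssertion("assertion expired")
    return payload


if __name__ == "__main__":
    token = issue_assertion("cust-001", ["is-over-18"], "merchant-example", now=DEMO_NOW)
    print(verify_assertion(token, "merchant-example", now=DEMO_NOW)["claims"])
```

The point of the exchange is data minimisation: the merchant learns `is-over-18: true` and a pseudonym that is stable for that merchant only, not the name, date of birth or account, which stay inside the bank's KYC record; an assertion issued for one merchant is rejected by another, and an expired or altered one is rejected by all.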
So, since banks are already holding great assets in identity and since there is such a need in the online space for a reliable trusted player, it sounds like the time is ripe to embrace a new business opportunity.