Identity 3.0 - An Industry Update for FinTechWeek 2015
Online identity is one of the most important issues in today’s global economy. This was the dominant theme at FinTechWeek this month where I gave an update to the industy on what is now being described as Identity 3.0. Whether the discussion was around cyber risk, fraud or blockchain, almost every conversation referenced identity.
Having been involved with the internet for a long time (300bps modems and writing my first bit of 'code' on a vic 20's is where I started) and with a focus over the last five years on identity through miiCard and initiatives such as Trust in Digital Life, the National Strategy for Cyberspace (NSTIC) and UK ID Assurance Program, we are at a pivotal point in the industry.
The Need for New Sources of Trust Online
The lack of trust has been a challenge with the Internet for over 20 years, from the time the saying 'On the Internet nobody knows you’re a dog' was coined until most recently when affairs site Ashley Madison was hacked resulting in over 30 million user records compromised, 60 gigs of data revealed and a 600 million dollar lawsuit. This is of course in addition to Sony, Target, Anthem Blue Cross etc, the list goes on.
Having grown up with the Internet and as someone who is very passionate about its effect on our lives, this is very important to me and the reason I started miiCard. Prior to miiCard I was working on the Personal Finance Management tool Money Dashboard. During my time there it became apparent that there was a fundamental disconnect between the 'physical you' and the 'virtual you.' I realised we would never realise the full potential of the Internet until we could really trust the identity of the person on the other end of the browser or email in our online transactions.
It was finding a source of trust that was the biggest challenge. I looked at personal information, but that didn't prove anything. Of the billions of dollars in fraud each year over half is online and the biggest proponent of this is your name, address and data of birth. Just because I tell you my name or even some information about me only proves I know that information. Any one of my friends, work colleagues or any of the 3000+ connections in my LinkedIn network could tell you this.
Document verification solutions were just starting to develop at the same time but came with their own challenges. While they can verify a document looks real they can't prove your identity - that you are that person presenting the document. With the rise of fraudulent documents these cannot always be relied on even with an in-person check. I was talking to a director of fraud in a bank the other day who was questioning the value of a physical document check. Take away the physical benefit of the check and it isn't as strong as the industry needs.
How the miiCard Digital Passport anticipated Identity 3.0
With the building issues in the market a different approach was needed. The solution was to build trust online by empowering consumers - the miiCard Digital Passport. Through miiCard we allow individuals and businesses to confirm an online identity to the same level as an offline photo ID check, without ever having to leave the digital relationship or transaction. The patented process is infinitely stronger than username and passwords, authentication or any other method of ID on the Internet today, and instantly enables an entire host of high value transactions across a range of services like consumer finance, healthcare, social media and online dating. It saves time and money and provides a better overall online experience for consumers.
There were a few immediate choices that we had to make in building miiCard. While they seemed obvious at the time, today they are reflected in the principles of Identity 3.0.
A consumer centric approach was key to miiCard, the consumer had to be in the middle of the equation, always.
It had to include strong authentication services. While miiCard has 2 factor authentication standard by default it must be made clear that this does not prove identity. Just because I have a mobile phone doesn't mean you really know it's me, especially when so many phones are pay as you go. Authentication does play a valuable role however in protecting accounts and when used in a layered security model, strong assurance on the assertion of a digital identity.
Consumers had to have real control over their data. Empowering them to choose what personal information they wanted to share with who, for how long and with a great amount of granularity and control was key. This included the ability to 'disconnect' easily access to your data. With the upcoming Data Protection Directive in Europe this is now being mandated and has been seen in the "right to delete" and "right to forget" cases with Google. It was also important to support a range of situations - from proving your real identity without sharing any personal information through to sharing all of your information without any verification in your identity.
One of the most important factors was convenience. This has an overriding theme in our products and the evolving market over the last four years. There is not much that really motivates consumers more than convenience. It's why the industry talks about a 'frictionless' user experience and how even milliseconds of delay in loading a webpage can have an immediate impact on conversions and performance.
A Source of Trust
Finally there needed to be trust, a way to connect the physical person with the digital one, to create the trust and traceability needed from a compliance, risk, fraud and regulatory perspective. A source of authority was needed and that's when the penny dropped. Banks know you really well. They know you better than anyone else. My bank knows that I live in Musselburgh, work in Edinburgh. From my financial transactions my banks knows that I was in London last week, where I stayed and where I went for dinner. They have also already done the Know your Customer and Anti-Money Laundering checks. All this trust, traceability and rich transaction data is wrapped up in our online bank accounts. As consumers all we needed was a way to use this to do more online. Today it is this source of trust - bank verified identities - that is so exciting. It has the potential to fundamentally change the way we engage online, creating a level of assurance and attestation that just doesn't exist today.
I asked this question while at a roundtable discussion on cyber risk and security the other week. "With the challenges of data, standardisation, security and insurance, is there any alternative but to put the consumer at the middle of the equation?" There was not one suggestion of an alternative. For me this reflects quite strongly where we are as an industry just now and why Identity 3.0 is such a hot topic.
"Having a Digital Passport will let us travel the Internet with the trust, confidence and convenience that we need today. In many ways, it's the last frontier in Cyberspace."