Social Security numbers just aren’t enough. When it comes to security, digital identities are shaping up to be among the best lines of defense against fraud — and for making sure someone is who she says she is. The question is: Who owns, and should help regulate, digital identities? Socure CEO and President Sunil Madhu weighed in with PYMNTS’ Karen Webster on the way forward for digital IDs.
In your wallet is a driver’s license and possibly a Social Security card. Maybe a credit card or two. Perhaps you keep a passport in a side pocket. All told, bits of paper and plastic that help definitively state that you are who you say you are. Those tangible items can also be gateways to fraud.
In an age where bits and bytes are continually encroaching on the things we carry, the question becomes: How are our digital identities shaped, and just who (or what) should hold the key to managing those identities?
In an interview with PYMNTS’ Karen Webster, Sunil Madhu, CEO and president of digital identity firm Socure, jumped into the murky waters of digital ID governance.
There are issuing authorities stretching from the Social Security Administration to the DMV, which, as Webster noted, may offer an analogue for the issuance of such attributes.
Madhu agreed that there is a trend towards a centralized overseer of digital identities. In China, he proffered by way of example, there is a multi-purpose score calculated for things like credit decisions and risk management, derived from data from Tencent networks and through conduits such as Alibaba, Alipay and Ant Financial. And in the U.S., amid compliance initiatives, he continued, there is usually collaboration across the U.S. government and firms that are being regulated. So, he said, “there are government-level initiatives in trying to define various levels of categories, of attributes” for different concepts of risk.
But the advent of technologies such as blockchain may help streamline things. As Madhu stated, though banks want to, and can, share transaction data across multiple levels, “the challenge is that liability concerns are not well-demarcated,” as they extend across consumers and across the globe.
But if blockchain does indeed make inroads into the financial system, with transactions and inter-parties identified and contained within a closed loop, identified via keys, that model could be extended to other use cases. There could potentially be issuance of a wallet, said Madhu, with multiple keys, as citizens sign up with relevant authorities (and not necessarily a central one) for a fishing license, for example, or as they apply to the DMV for a driver’s license or interact with the IRS during tax season. The lure of blockchain, said Madhu, is that disparate types of information can be tracked and can be stored in an immutable way.
One overarching question, as posed by Webster: Will consumers think handing over the management of digital identities would be a good idea? “In Europe, more so,” posited Madhu, where government oversight is relatively more active and where such oversight is accepted by citizenry. But in the U.S., he said, there are differing views about privacy, and those views can be further divided between older and younger individuals.
All of this raises the question: Just what purpose do we want the digital identity to serve? “It’s the universality,” said Madhu, who noted that Social Security numbers are limited as populations grow. As the numbers are no longer randomized, there is the possibility of repeating former number combinations. And, he added, there are no guarantees that Social Security numbers have been issued (or are retained) by all individuals.
For optimal management of digital identity, Madhu said, the process “begins at the business endpoint, which represents the edge that the consumer interacts with. That could be a private or public business.”
A consumer could be challenged for credentials at one business and, across transactions, might not have to be challenged at subsequent interactions with other firms, as they intrinsically trust the credentials already presented and “accept you and can personalize content knowing who you are.” That has been established by XAML. But there are no hard and fast guidelines in the U.S. governing the attributes that a business should check for risk beyond typically confirming one’s name, date of birth or Social Security number.
Other avenues of technology tied to digital identity, said Webster, include biometrics. But, said Madhu, biometrics exist primarily to avoid using passwords, although there is nothing wrong with passwords per se in establishing identity. He noted that “humans are lazy … and we often use non-complex passwords,” adding that “if everybody used 20-character-long passwords with upper and lowercase and all punctuation … you wouldn’t be having a debate” over digital security. No biometric system is 100 percent accurate yet. Using the phone as a conduit to identity verification, said the executive, is easier than spending time typing in a username and password.
Ultimately, there are ways to establish digital presence that go beyond, or do not even need, concrete issuance of a single identity. Attributes that already exist online can be gathered together for authentication, for anything from entering a building to opening an app to sending money across mobile banking. It all happens, theoretically and magically, behind the scenes.
“That’s what [large banks] are building,” said Madhu, as they turn towards becoming service providers. “We’re moving into a world where [authentication and digital identity takes place] with a bunch of attribute authorities,” and referring to Socure, he stated that “we are trying to distill multiple attributes from multiple places,” spanning from emails to images to mobile networks, “bringing them together and then figuring out how to answer a specific question” for acceptance and for fraud management efforts.