What’s left to say about digital identity that hasn’t already been said?
That’s how Friday’s Topic TBD, with Karl Kilb, CEO of Boloro, began.
Kilb told Topic TBD host Karen Webster that a little more than 20 years into the great digital transformation, consumers have every reason to feel both awed and scared by what the internet has brought into their lives through the magic of worldwide interconnectivity made possible by the mobile device.
“A mobile is no longer just a device that’s mainly about enabling communication,” Kilb said, noting that this newly emerging reality is most evident in the developing world, where phones are ushering in a never before seen set of capabilities for consumers: to pay bills, to transact commercially, to move money across borders and – most importantly – to develop a visible, traceable payment history that allows consumers to tap into credit markets for the first time.
That is a major step forward, particularly in heretofore cash-dominated economies where that kind of financial transparency hasn’t been possible in the past. These things, Kilb noted, are all very much to the good.
But consumers also have reason to feel terrified – because where there is an opportunity for consumers, there is also an opportunity for those who wish to enrich themselves by harming consumers. For the last several years, the constant drumbeat of hacks and data breaches has given line to that worry.
“It is so easy for hackers to find your information,” Kilb noted, because so often all they have to do is find and exploit a single point of failure to come away with vast troves of information. Some of which is easy to change – like, say, a card number – but lots of it can’t be changed, such as Social Security numbers.
Solving for that, Kilb noted – so that consumers can comfortably tap into the potential that the digitally connected future has on offer – comes back to building a trusted digital identity framework that can answer those most basic of questions: “Who are you?” and “how do I know it’s actually you?”
The Beauty – And Trouble – With Biometrics
The use of biometrics, Kilb noted, can be particularly useful in building out the answers to that first question: Who are you? This is the most “personal, private, and individual” information about the consumers: their face, their voice, their eyes, their fingerprint.
This data is important, and certainly has its uses. One good example is India’s Aadhaar system: The government has created a unique identity for citizens, even those who live in the most rural part of the country and for whom basic identifying documents, like birth certificates, might not even exist.
“Every government needs to find a way to identify people, because so much of their function depends on understanding who their citizens actually are: think services, benefits and taxes.” Biometrics, he noted, are an excellent tool by which to build the answer to “who are you?”
The problem, said Kilb, is that they are not a great tool for answering the second question – though they are becoming an increasingly common way to try. By using biometrics to establish consumer identity for every transaction, day in and day out, one is creating a new motive for cybercriminals to attack.
“That type of data is so personal, that we don’t think consumers should actually be using it for every time of commerce activity,” Kilb pointed out. “Once it is compromised, you can never use it again – and that can be actually catastrophic.”
Instead, for things like transactions, one needs to find a different way to answer that second question: How do I know it’s actually you?
A Little Healthy Friction
Instead of using a customer’s most personal data, Kilb told Webster, Boloro built its authentication system on a slightly different premise – which was to eliminate the “single point of failure” issue that makes most breaches possible. Once a hacker has the password, or has managed to clone a fingerprint, the system fails and the hacker gets it – they just have to get one “right door” open.
But when authentication is a multi-channel event where the transaction and authentication happen “along two separate lines,” Kilb said that it gets exponentially more difficult for the hacker to gain access.
So, he noted, for a simple eCommerce transaction, that can mean when the customer clicks “Buy Now,” they get a text asking them to enter their PIN. Once they send it back, the message self-destructs so the PIN doesn’t remain on the phone – and the transaction processes on the internet.
It’s a friction point, Kilb admitted – but one that a consumer will accept because it gives them greater control of their identity along the digital commerce highway. People are happy to endure a speed bump, he noted, if the net effect is that it prevents them from driving off the road entirely because they were going too fast.
And in this case, “driving off the road” is comparable to a cybercriminal lifting one’s data and taking it out for a ride. The process of fixing that – and undoing all the damage data can do when it’s in the wrong hands – is a lot more time-consuming than texting back a PIN.
What’s Next
What is becoming clear to governments all over the developed and developing world, Kilb told Webster, is that at a high level, it is good for everyone to see more digital payments – as opposed to cash payments – and to come up with frameworks that functionally make inclusion easier while locking out fraud.
“And it can be challenging to know what constitutes “a truly unique identifier that answers that first ‘who are you?’ question,” noted Kilb.
The next challenge is finding a way for customers to answer that second question – “how do I know it’s you?” – without forcing them to expose their most personal data. Mobile phone numbers – which consumers all over the world have in some form – have the potential to be the easy identifier, a means to reach out and ping the consumer to ensure that the person attempting the transaction is actually who they say they are.
That will mean a very different relationship with mobile carriers – particularly in the developing world – who will increasingly find themselves in the position of not just being the issuers of communication devices, but also the identity for customers.
“That’s really where we see it going,” said Kilb.
It will be a lot of work – and lot of cooperation and collaboration between public and private entities.
But, he noted, today there is a tremendous need – and one that will likely only get bigger as more consumers go online and hacking becomes an increasingly lucrative career choice.