Mobile devices, biometrics and identity tokenization are helping to make passwordless identity authentication a reality, Rodger Desai, chief executive officer of Prove Identity, told PYMNTS’ Karen Webster.
The payoffs are huge for consumers, Desai pointed out, since they won’t have to rack their brains to remember passwords or write them down only to lose the Post-it. Companies that leverage passwordless authentication technology won’t have their call centers and support staff besieged by frustrated customers having trouble logging in. Security teams will find it easier to guard against hackers. And for merchants and banks, consumer loyalty increases as they’re able to personalize transactions and interactions with consumer-permissioned data.
Consumer behavior is indeed changing. Desai explained that individuals navigating the digital shift have found it easy and appealing to apply for a credit card or deposit account with just their phone number (Prove, he said, has been a key part of that innovation). No doubt you’ve been sent a one-time password (OTP) SMS to get the go-ahead with a transaction or to log into a site. But that’s just the beginning, said Desai. Forward-looking companies are already taking advantage of more advanced identity authentication tech that solves for some of the security vulnerabilities, cost and experience issues of OTPs.
“I just don’t think that banks or merchants can take their over-reliance on SMS OTP for much longer,” Desai told Webster.
Among its other business lines, Prove secures a significant amount of OTPs for big banks and even bought a company, Authentify, from Early Warning, that provides layered digital multi-factor authentication.
“We secure them,” he said of the OTPs, “but they’re very expensive.”
They can also be socially engineered with ease, which leaves the entities and individuals who use them vulnerable. And the traditional risk-based authentication models at banks and merchants tend to be hit and miss since they use transaction history and large swaths of data to try to determine customer identities.
On the consumer side of the equation, Webster noted that there’s a continuing comfort with using thumbprints/face IDs to unlock devices to transact in an increasingly contactless world.
That confluence of factors, of using technology to prove the person showing up at a site is authorized to use that site, has underpinned Prove’s newest effort to essentially embed authentication passively into digital experiences via the cryptographic key in every mobile device.
“The key here is to get to something more deterministic, because that’s the most accurate way,” he said of authentication — and it’s an improvement over “guessing” based on patterns of behavior.
Prove Identity last month announced the debut of Prove Auth, which leverages something that pretty much everyone has: the phone and, more specifically, the phone’s cryptographic key (that’s the SIM card). Prove’s Phone Identity Network creates and issues consumer-level identity tokens that are tied to those SIM cards.
These encrypted identity tokens, he said, are already being used for KYC purposes or to pre-fill an application (with explicit consent from the user). Desai predicted that this year the company would complete more than 60 million pre-fills in the U.S. The tokens themselves can be issued in real time as consumers get new phones or change numbers, which ensures a continuum of data protection and privacy. A consumer can use their phone to create an account with just a couple of clicks and then be prompted to decide whether they’d like to go passwordless.
File Cabinet of Financial Information Moves With Consumers
According to Desai, merchants and financial institutions are going to get on board with cryptographic, mobile-device-centered authentication in a big way.
The day is not far off when one’s face launches an account and gives the (literal) nod for permissioned data to be used across a broad range of use cases. In that case, if a user’s phone alerted the consumer that, hypothetically, Carvana wanted the would-be car buyer’s identity, income, credit score (all without friction), and that permission were granted, the best, personalized deal could be offered on the spot.
“It’s like a privacy-enhanced file cabinet of your financial information,” Desai said. That filing cabinet moves with the individual across daily life with their permission, in ways that can generate “real value for everyone — for the merchant, for the bank and for the consumer.”
The passwordless future may have been a long time coming. But, as Desai said, now’s the time.