When you go through security at the airport, you prove your identity by showing a document such as a driver’s license or passport, along with your face, to the security agent. This is known as two-factor authentication — something you have (the document), and something you are (your face). But online, you are more often asked to produce one factor, something you know — your username and password.
But something else we know is how careless the large technology companies are with storing these credentials, unencrypted, accessible to thousands or millions of people. As a consequence, it’s becoming common to opt into two-factor authentication online, which typically involves use of the mobile phone. But two-factor authentication is not universally used, and is an imperfect solution.
The problem of proving that we are who we say we are online is as old as the Mosaic browser, and indeed, anonymity is often a virtue of online behavior, for good and bad reasons. A great deal of software has been developed to allow users to privately view content and avoid surveillance, but users also face friction in authenticating themselves in order to use needed services, from their bank’s website to the online portal of their health insurance provider. Flashing a driver’s license doesn’t cut it. Nor do biometrics, which are siloed on various devices and not universally accessible.
Users end up with fragmented identities, and the means of authenticating proliferate confusingly. The average smartphone user has 80 apps installed on his phone, and each may have a unique username and password, at least according to best practices, and each holds a store of data about that user that is being shared or sold to other services. User data is leaking all over the internet, and the originators of that data, the consumers themselves, have ceded control of their personal information to a large number of self-interested organizations.
Two financial services companies, Mastercard and PayPal, have taken steps forward to help consumers get a handle on the situation. PayPal joined a Series A investment round in Cambridge Blockchain, a company whose stated mission is to help users control their online identities:
“As part of the investment, PayPal’s first in blockchain, the company is exploring how it might use Cambridge Blockchain’s platform to let its users prove who they are while still preventing personal information from being unnecessarily shared. Think Facebook login, but where the users have control over who gets to see the information used to prove who they are.”
Cambridge Blockchain is beginning its work with the 600,000 citizens of Luxembourg. The company recently completed a course in an accelerator sponsored by PayPal in Luxembourg, and PayPal maintains an office there.
Vinny Lingham, CEO of the identity management firm Civic, elaborated on how blockchain can be used to protect user data:
“Blockchain technology introduces new ways to manage and simplify that personal data. A consumer’s verified identity can live on their mobile device. That verified identity could be used to anonymously authenticate consumers, meaning no username or password is needed to create or log into an account. That verified identity could also be shared on-demand to prove identity at a bar or gain access to an office building. It is unlikely you leave the house without your smartphone, and blockchain lets us turn your device into a secure access mechanism, both in-person and online….
“The first step in creating mobile identity solutions is making who you are about ownership, not information. If you apply for a credit card online, you do not have the opportunity to actually prove who you are. You enter your name, address, social security number and with that information, the company runs a credit check to assess your creditworthiness. Yet, you never have to prove ownership over the information you shared. Ownership is assumed. Combining biometrics and identity introduces the idea of ownership. You cannot share data if your biometrics do not show ownership of that data.”
Mastercard has partnered with Microsoft to provide something similar, also using blockchain or distributed ledger technology, and sees banks as trusted gatekeepers:
“Mastercard envisions a platform in which consumers have control of their identity information and it is stored locally on their devices, rather than in a centralized system that Mastercard would need to defend. The ID would be set up through a bank or other participating institution that already holds identity information about the individual. And people would manage their enrollment and interact with their universal ID through that institution’s secure mobile app.
“‘It’s a consumer-centric model for digital identity that gives consumers control,’ says Ajay Bhalla, president of cyber and intelligence solutions at Mastercard. ‘It will securely bind a person’s identity to their smartphone or any other device, and the idea is that this will unlock new and enhanced experiences for people as they interact with businesses and service providers.’”
Europe is leading the way in data protection with GDPR, but the U.S. may not be far behind. California has enacted a data privacy law that experts believe will provide a minimum standard for other jurisdictions, notably New York, to follow and expand upon.
But the regulatory landscape so far lacks coherence on this issue. Courtney Stout, chief privacy officer for S&P Global, said yesterday at the Empire Startups Fintech Conference in New York, “Every regulator is involved in privacy. There is no cohesive message.” This means consumers and the institutions serving them are likely to be presented with a patchwork of guidance from multiple regulatory bodies rather than a simple standard.
Financial institutions need to be alert to the advances being made in their own space, particularly when Mastercard has said explicitly it expects banks to take part in such a system. And following the technological advances, as always, will come the regulation. Rules already in place in Europe and parts of the U.S. are likely to be replicated, affecting bank customers everywhere.
Reliance on the security of edge devices, and therefore on smartphone manufacturers and carriers, is an additional risk that will need to be confronted. Phone number porting is a disturbingly common attack that the telecommunication companies have done an inadequate job of addressing. Until a better solution appears, consumers need to be vigilant in controlling their mobile phones and the other factors commonly used in authentication, such as email addresses.