By David Poole
Two closely linked concepts like identity and verification (ID&V) have taken on an increasingly critical role in consumers’ day-to-day lives. Identification systems use a trusted ledger, process or token to identify a person or entity; whereas verification aims to answer the question “is this person who they say they are?”
Both are familiar to all of us in our personal lives. From showing our passports when entering a country to showing proof of address and identity when applying for a financial product, it’s something we all do.
All of these methods of identification and verification rely on the presentation of a physical document. And, of course, up until the digital commerce revolution, when the vast majority of transactions were carried out face to face, it was a tried and tested method that worked.
The challenge within the digital economy
The internet has transformed the way we shop in ways we couldn’t have foreseen 15 years ago and it is bound to continue changing in years to come.
With an estimated 1.61 billion online shoppers globally, and £52.25 billion spent via e-commerce in the UK in 2015, the last decade and a half has seen e-commerce grow into a well-established, dominant method for business and commerce.
Mobile (i.e. unsecured touchscreen devices such as smartphones and tablets) is rapidly winning the race to become the dominant platform. The ability to shop and carry out transactions on the go is now something we almost take for granted. Yet, all this convenience has come at a cost, and that cost is the challenge of security and managing ID&V online.
Digital transactions all require ID&V to a greater or lesser extent. Online shopping often requires a password and email address; while financial products, bound by a need to comply with know-your-customer and anti-money laundering legislation, require much greater levels of ID&V. The problem is that ID&V is more challenging for remote transactions due to a lack of face-to-face interaction.
ID&V in the digital age
It is true that remote ID&V is nothing new. Consumers have carried out transactions by mail or telephone (MOTO) for decades; however, these all relied on forms of ID&V such as address and date of birth. As such information is now readily available online, they can no longer be considered sufficiently robust to keep personal data (and money) safe. This has driven a need to develop and accept new methods of ID&V with both customers and businesses having to adapt to the new business realities.
The most obvious of these is the password, which comes with its own drawbacks. Having to come up with a secure, eight-character password which includes a capital, a symbol and a number can be a challenge, especially if you can’t use the last five variations.
This can contribute to fundamental problem with digital ID&V—if it is time consuming and challenging then it significantly detracts from the very convenience digital commerce is supposed to bring.
Looking into the future
There are a number of possibilities for future ID&V, all being currently trialled in some form or other. One of the biggest talking points is biometrics.
Biometrics are, quite simply, using one or more human characteristics for ID&V. They are nothing really new in principle. After all, for over 100 years, police forces have been using fingerprint ID to solve crimes. DNA profiling for crime fighting and other purposes is around 30 years old.
Yet, biometrics are increasingly entering into the world of ID&V for everyday life. Anyone who owns an iPhone, for example, will be used to using a fingerprint to unlock it. And visitors to the U.S. will be familiar with providing fingerprint ID before being allowed to enter the country.
A variety of methods of biometric-based authentication are currently being developed and tested although each has its own drawbacks as well as benefits:
Voice recognition: Voice recognition can verify someone in around 15 seconds, quicker than passwords. Yet questions remain about the accuracy of this method. What if someone is in a crowded room or restaurant? Could the technology cancel out the background noise?
Facial recognition: Also known as “selfie” authentication. For this to work, the lighting of the photograph will need to be of sufficient quality which isn’t always guaranteed.
Fingerprint recognition: It’s widely used, it’s trusted, it’s easy but it is not perfect. Fingerprints can be copied by fraudsters using easily obtained chemicals. If a fraudster has your phone and wants access to it, they can.
One of the principal barriers to biometric adoption is trust. From dystopian science fiction to contemporary privacy concerns, willingly handing over biometric information to a company or government is not something that individuals will do lightly.
There was positive news around this recently, though, when a survey showed that far more UK consumers (60 per cent) would trust a bank with their biometric data than the government (33 per cent). So, perhaps, this obstacle can be overcome.
This still leaves the critical issue that biometrics are not, alone, enough for a completely secure ID&V process. Even returning to the experiences of travellers at U.S. Immigration—they still have to produce their passport along with their fingerprints.
Machine learning is a branch of artificial intelligence study that concentrates on induction algorithms and on other algorithms that can be said to “learn.”
As a discipline with a wide variety of applications in the digital world, it has considerable possibilities in the world of authentication.
Taking the use of mobile as an example, each of us have our own individual quirks in how we use a mobile device. We will hold it in a certain way, we will enter key strokes in a particular way, we will have certain and unique ways in which we interact with specific apps. All of these can be “learned” by a mobile device which can then tell if the person using the device is the same person who should be using it.
Of course, machine learning, like biometrics, is not enough on its own. A password or PIN code still has to be entered for the device to know if it has been entered in the way it has come to recognize.
Passwords and PIN—a collaborative strategy
Security works best when it is a combination of something you are (e.g. biometrics or machine learning), something you know (e.g. PIN or password) and something you have (e.g. your mobile device).
Despite the undoubted progress being made with machine learning and biometrics they are still insufficient on their own and are unlikely to be in the foreseeable future.
This means that there is still a critical role to be played by the password or PIN.
The future won’t cease to amaze us. It will undoubtedly bring further possibilities and new developments that will shake the landscape for years to come. Nonetheless, fundamentally, the entry of something that only the user knows will remain at the heart of ID&V until a huge leap forward is seen, either in biometrics, machine learning or new technologies.
David Poole is head of growth at MYPINPAD, a technology provider of multi-factor authentication solutions for unsecured touchscreen devices such as mobile phones and tablets. Visit MYPINPAD.com to learn more. This article first appeared in Financial Operations magazine, which is now part of Canadian Treasurer.