You wouldn’t want your bank to leave the key to the door under their welcome mat, would you? The ID/password you use to authenticate, to pay your bills or even access the ATM isn’t too far from that in terms of mitigating the risk of someone seeing something private, or taking something you value. And very soon they may not meet legal requirements (more on that later). Identity Proofing is here and it solves the security problem of authentication. Identity Proofing is proving you are who you say you are. Only biometrics – your face, your voice, your fingerprints – prove you are who you say you are.
Most of us are faced with an ID/password authentication screen that looks like this several times a day. We use them for everything from tracking our workouts to viewing health information and updating our financial information.
It’s familiar and we don’t think twice about it. But we should.
That’s because we use that ubiquitous ID/password authentication for things it was never designed to be used for, and as a consequence it is applied every day in ways where the “security” does not match with the risk.
The critical component – which is obvious when you think about it – ID/password authentication doesn’t have anything to do with checking to see if you are who you say you are – it’s simply a matter of whether you know an account name and a password. Like knowing the key is hidden under the mat.
Identity Proofing accomplishes everything ID/password authentication does, and it goes that next step of verifying the person is who they say they are. The value of that is pretty obvious when you say it that way.
ID/password level security is fine for something like your fitness tracking app (not private, but you don’t want someone else updating it), confirming the identity of the person is important any time what is being accessed is private (like health records or financial information) or of value (like money, or the car you are renting).
In person Identity Proofing has existed in some places like airport security for a long time, but only recently has it been possible to identity proof electronically, often faster than ID/password authentication. With a couple of simple steps to capture a government issued photo ID, and then a selfie, your photo can be matched to your ID almost instantly. Once it’s known you are who you say you are, different use cases can be mapped to the desired level of security. Sometimes you might just want the same fingerprint you use to unlock your phone to be used for security and in other cases you may want to do another selfie.
Today there is software that will do Identity Proofing for you, both at the point of enrollment where you need to establish that someone is who they say they are (AuthenticID’s CatfishAIR product is a great example of that) and when the person comes back – you want to do the identity proofing with as little hassle and friction as possible (TrustedKey is a great example of a product for that). These solutions produce transaction signing to authentication events. This signature includes the “when, where, and what device was used” of every transaction, and is stored on a secure server using block chain for compliance audits. This provides legal non-repudiation, which means no one can deny your claims, a critical security function for financial services firms that need to be PSD2 or GDPR compliant.
PSD2 (The Payment Services Directive – aimed at protecting both financial services organizations and their customers) and GPDR (General Data Protection Regulation) are now law in Europe. Because there are two factors of authentication and one is biometric, the transaction holds up in court (no-repudiation). If governments say it’s that strong we can too. The value of that is pretty obvious when you say it that way.
That’s what identity proofing is – the benefits are real, and measurable, and in most cases, obvious. What might be less obvious is where to start with it.
One key benefit, and place to start, is where your customers start with you, when they are getting your app for the first time. Everyone feels busy these days, and we are all getting used to things being fast and simple. So when people get a new app and they have to go from screen-to-screen-to-screen, they get frustrated and lose interest – and abandon the process. When people abandon – that means they don’t become a customer – and you run the risk that they will never come back. Because Identity Proofing is so fast (in addition to being legally compliant) it increases conversion rates and reduces the number of people who abandon the application/enrollment step. Less abandonment means more customers, and more customers means more revenue.
Soon our lists of IDs and “secret” passwords will seem as old fashioned as fax machines.