This is the first of a three-part series introducing the Identity Quadrants Model.
Fighting fraud is not new. Seeking revenue growth is also not new. What is new, and was not possible until very recently, is the ability to do both much more effectively. The mass adoption of smartphone technology, using GPS, selfies, and a massive database of government IDs, has made it possible to quickly verify that a person is who they say they are, both upon registration (so-called “First Mile” authentication) and at return authentication moments. This ushers in a new era of security and trust while removing much of the time and friction.
While there are many categories and segments of fraud and identity crimes, a commonly accepted number is that fraud costs organizations about 5% of top-line revenue, which amounts to $928.5 billion against a US GDP of $18.57 trillion; on a global scale, that’s more than $4 trillion taken from global GDP numbers. While those are enormous numbers, the more surprising statistic is that spending on fraud detection and prevention is around $15 billion in the US, which is about one 66th of the impact. A 66x gap is shocking, and now you can drastically lower the amount of identity-related fraud in your organization with a comparatively minor investment in detection and prevention.
For the last 20 years, on both fraud and revenue growth, most organizations have relied on the ID/password model as a proxy for confidence that the person with whom they are doing business is who they say they are (known as “second mile” authentication, where the first mile is skipped). An ID and a password are nothing more than a lifetime key to everything that a customer, employee, or partner is supposed to have access to, if they are who they say they are. It is a one-size-fits-all model, and flawed.
Not all interactions are created equal in terms of value: the possibility of someone stealing a $3 cup of coffee (a sunk cost) is very different from someone stealing a car, for example. That alone is reason enough to move away from any one-size-fits-all approach, flawed or otherwise. The amount of effort and rigor you go through to trust an individual enough to move forward with a transaction or interaction is closely linked to the value of that interaction. In many cases, the more you interact with someone, the more trust you build in the relationship, so that over time you won’t always have to go through as much effort to trust that they are who they say they are.
It is now easy and obvious to say that one-size-fits-all does not cut it anymore. To help move beyond that, AuthenticID has created a quadrant model (Figure 1), using axes of Value and Trust, to help organizations establish the right level of identity management for them and for their customers. Every company has unique circumstances, and this quadrant approach is a helpful starting point for mapping the types of products and services, and the kinds of interactions and experiences, that go on today, so that a clear roadmap for tomorrow and beyond can be developed. For the remainder of this post we will explore each of the quadrants, with examples and exceptions to make it all clear.
More About AuthenticID – First Mile, Second Mile, and Third Mile of Authentication
With over 15 years of experience in the identity management industry, AuthenticID has been able to make the relevant stages of identity management and verification very clear and simple.
First Mile – confirm the person is who they say they are. The first thing that needs to be done is to verify that the person is who they say they are. The user takes a photo of a government-issued ID, such as a driver’s license, which is checked to ensure it is authentic and has not been tampered with (scanning an exhaustive database of over 350 countries and thousands of ID formats) and that it is in the same location as the user. The user then takes a selfie, which is used to verify that the person in the selfie is the same person in the ID and, using GPS, that they are in the same place. This allows the user to be verified in less than 10 seconds. There are many variants on how this model can be applied to shorten enrollment times and reduce abandonment, but those are the basics of the First Mile, which no one can claim to do as thoroughly, or as fast, as AuthenticID. Of course, in the one-size-fits-all model of ID/password, with some regulation-driven exceptions in banking and healthcare, little or no effort is made to confirm that people are who they say they are: the First Mile is skipped entirely.
Second Mile – verify it is the same person the next time they want to authenticate. Whether or not First Mile authentication is used, the Second Mile is what is used to re-authenticate the user. ID/password has been used for years, and now biometrics (voice, palm, fingerprint, face, etc.) are increasingly common. Only if the First Mile is used can the Second Mile be relied on with confidence that the person is who they say they are (with much less friction than the initial authentication).
Third Mile – optimize your interactions, based on the value of that person to your organization. The third mile is for organizations that want to segment their customers based on value so that they can respond to different types of events in a way that aligns with the value of the customer to the organization.
Quadrant #1 – The Top Right – Highest Trust for The Most Valuable Interactions
While many of the places where users authenticate today use the one-size-fits-all ID/password or card key, it is clear that some relationships and interactions don’t need as much rigor as others. The ones that need it the most are relatively obvious, because there is so much at stake in getting it wrong. Banks, healthcare organizations, and credit agencies are among the kinds of organizations that must have very rigorous models for identity verification and management. In addition, these are some of the only industries that have regulations to ensure the privacy of the individual, such as HIPAA in US healthcare, as well as anti-criminal regulations in financial services, including know-your-customer (KYC) laws and anti-money-laundering (AML) rules. These are the interactions that we put in Quadrant 1 (see Figure 3): the highest-value interactions, which require the highest level of authentication to have the confidence and trust needed to move forward.
Registration – higher trust, higher customer conversion rates
So it’s clear they need to have the most rigorous use of First Mile identity verification when the relationship is established. This requirement is not new, as KYC/AML regulations are not new. What is new is that with AuthenticID, customer onboarding, which used to require a person physically going into a bank branch to fill in forms and show their ID, can now be done anywhere with a smart mobile device in just seconds; people can even do it from the comfort of their own homes. This means that financial services organizations can not only meet or exceed the KYC/AML requirements, which will help prevent fraud and other crimes, but, with such fast enrollment times, will also experience much lower customer abandonment, which means more new customers and more revenue or deposits.
One thing that’s important to be aware of is customer expectations related to security. When anything changes in an experience, especially with technology, customers come to expect a similar experience in other industries. Ten years ago, the notion of a five-star rating was familiar; now it is ubiquitous across many experiences. Security is fast becoming the same way: if there is an absence of security, customers will balk or abandon the experience because they don’t feel their security is a priority for the organization. As Figure 4 shows, Experian reports that 27% of customer abandonment at registration is “due to a lack of visible security”, and with a clear causal relationship between revenue and customer conversions, that 27% is a lot of revenue lost.
Source: Experian, “The 2018 Global Fraud and Identity Report”
Return visits are even easier – that is why the Second Mile is so key
Staying with the banking example (though the same is true in healthcare and other industries where this is a fit): when customers want to pay a bill or use an ATM, strong Second Mile authentication using biometrics means organizations can still trust the identity management tools of AuthenticID to enable a great customer experience. From a cost perspective, this is where it makes sense to view security as a subscription model versus a transactional security model, and those are among the kinds of discussions to have with AuthenticID when it comes to tailoring a model that’s best for an organization. A great experience paired with compliance and security makes long and successful relationships with customers possible.
Where are the Exceptions?
While banks and healthcare organizations are the obvious industries for this particular quadrant, there will always be exceptions within those industries as well as in other industries. It really boils down to how much risk there is to the customer and the organization in getting it wrong when authenticating an identity. When a student creates a new bank account and deposits $10 in the account, that’s a totally different fraud risk than when someone is trying to withdraw $10 million, so organizations will want to make exceptions for different types of authentication. Similarly, in real estate, when someone wants to buy a house valued at $1 million, they may put down 10%, or $100,000, meaning the lender has $900,000 of risk if the customer defaults on their loan. In that case, it makes sense to do full First Mile authentication as well as extensive credit checks on the buyer, first to validate that they are who they say they are and then, with that established, to evaluate the credit and work history of that person. On the other hand, if the person is making an all-cash offer and writes a check for the full $1 million, the value of the transaction is the same but there is no risk to the lender, so the need for them to pay for credit checks and other indicators of buyer risk is not there. AuthenticID supports a range of different use cases, allowing organizations to model the risks and apply the appropriate identity management rigor to each class of use case. The same is true for a telecommunications carrier: while their initial interaction (like selling a $1,000 smart phone) is a higher-value interaction, all subsequent interactions (the monthly bill) are much lower value, with little or no incremental cost.
So the organization needs to trust that the customer is who they say they are in the initial interaction. Once that has been established, they can leverage that trust for the ongoing lower-value interactions. That helps us pivot to Quadrant #2, which we will get to in the follow-up post to this one.
To be continued...