It's been more than 20 years since the first e-commerce site appeared, yet today we still use the same username, password and security question combinations to log in online.
Human resources departments are still filled with paper files of photocopied passports and Social Security cards. And, just like more than half a century ago, someone going to a bar still has to show a stranger a driver's license full of personally identifiable information (name, address, date of birth) to prove he's old enough to drink.
In many ways, managing identities in this digital age is antiquated. At best, it's inefficient, as consumers and businesses constantly re-enter the same information to access any number of services. At worst, it's dangerous, as the many high-profile data breaches of the past several years show.
What if that same customer didn't need to show the bartender a document containing his home address, but instead took out a mobile phone and displayed a one-time numerical or QR code? When scanned, this code, known as a cryptographic token, would confirm that the person is over the legal drinking age, perhaps flashing a photo of the person on the bartender's device.
What if a consumer could log on to any website not by giving a username and password or by answering personal questions, but by granting that site limited access to some data? This data could be stored in a personal cloud or with a trusted provider that securely holds the consumer's digital identity.
This vision may seem very far off, but many different parties are working – often together – to solve the tricky problem of identity in a digital world. Some of them are even banks.
"There's a lot more happening in this space than most people realize," said Gary McAlum, chief security officer at USAA in San Antonio. "The world of user IDs, passwords and security answers is a failed model. It's not a matter of if, but when, that changes."
For banks, a single, federated digital identity would bring several benefits. It would be much easier for banks to know who they were dealing with if they could get quick access to a token or digital certificate that established the person's identity. As it stands, regulators are increasingly requiring banks to do greater due diligence on their customers in an effort to screen for money laundering. The pressure of keeping up with these high expectations means increased costs for banks, both in money spent and in internal resources dedicated to the task.
Another benefit would be greater security. If personal information weren't passed around like a casserole plate, criminals would have fewer opportunities to hack into customers' accounts. Banks spend time and money investigating fraud cases, and usually reimburse customers who have been victimized.
USAA is one of several financial institutions worldwide exploring the concept of digital identity. It is partnering with a government agency on a project that would allow USAA's 10.7 million members (mostly military personnel and their families) to authenticate themselves using the same username and password they use for online banking. The $70 billion-asset company said it could not give the agency's name.
In Canada, a broader effort is underway with the SecureKey initiative launched in 2012. In this model, banks manage their customers' digital identities for government websites. Tangerine Bank, Bank of Montreal, TD Bank and Scotiabank are all part of the program. The U.K. government also launched an identity verification platform last year with Barclays as one of the partners.
These are just small steps toward the universal federated identity model that technologists and privacy advocates pine for. But executives at several banks said that such a model is going to be the norm eventually and that banks are well positioned to serve as the trusted digital identity provider.
That's because people generally trust banks to keep their private information secure.
"This has to be a mutual-trust model for it to work," McAlum said. "The consumer has to trust the institution that is managing the digital identity."
Chad Ballard, director of mobility and new digital business technologies at BBVA Compass, agreed.
"There's not really a ubiquitous solution out there today" on managing digital identity, he said. "To get there, you'd have to address consumers' concerns about fraud and security. Outside of perhaps a government agency, consumers are used to banks playing that role of secure, trusted adviser."
Like USAA, BBVA Compass in Birmingham, Ala., has been trying out some new tactics in this area. Last year the U.S. unit of the Spanish banking giant BBVA began offering a service with the startup Dwolla that allows bank customers to send and receive real-time payments. The partnership uses a jointly developed authentication and tokenization process called FiSync that spares BBVA account holders from having to provide sensitive bank account information or credentials to Dwolla or any other party.
The learning curve is short.