
The Future of Digital Identity Is Up to Banks

It's been more than 20 years since the first e-commerce site appeared, yet today we still use the same username, password and security question combinations to log in online.

Human resources departments are still filled with paper files of photocopied passports and Social Security cards. And, just like more than half a century ago, someone going to a bar still has to show a stranger a driver's license full of personally identifiable information (name, address, date of birth) to prove he's old enough to drink.

In many ways, managing identities in this digital age is antiquated. At best, it's inefficient, as consumers and businesses constantly re-enter the same information to access any number of services. At worst, it's dangerous, as the many high-profile data breaches of the past several years show.

What if that same customer didn't need to show the bartender a document containing his home address, but instead took out a mobile phone and displayed a one-time numerical or QR code? When scanned, the code would carry a cryptographic token that confirms only that the person is over the legal drinking age, revealing neither name, address nor date of birth, and perhaps flashing a photo of the person on the bartender's device so the token can be matched to the bearer.

What if a consumer could log on to any website not by giving a username and password or by answering personal questions, but by granting that site limited access to some data? This data could be stored in a personal cloud or with a trusted provider that securely holds the consumer's digital identity.
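As an added illustration of the minimal-disclosure token sketched above (this is example code, not anything from the article or from the banks it names), the following Go program has an identity provider sign an "over the legal age" claim that the bartender's device can check offline with nothing but the provider's public key. Ed25519, the JSON claim layout, the 21-year threshold, the one-minute validity window, the photo-hash binding and all sample data are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeClaim is everything the bartender's scanner receives: a yes/no answer,
// a hash binding the claim to the photo shown on the phone, an expiry so a
// screenshot is useless later, and a nonce so one code is accepted once.
// Name, address and date of birth are deliberately absent.
type AgeClaim struct {
	OverLegalAge bool      `json:"over_legal_age"`
	PhotoSHA256  []byte    `json:"photo_sha256"`
	NotAfter     time.Time `json:"not_after"`
	Nonce        []byte    `json:"nonce"`
}

// Token is what the QR code would encode: the exact claim bytes that were
// signed plus the provider's signature over them (sign what you transmit).
type Token struct {
	ClaimJSON []byte `json:"claim"`
	Signature []byte `json:"sig"`
}

const legalAge = 21 // assumption: U.S. drinking age

// Issue runs at the identity provider (a bank, in the article's vision). It
// holds the full record but releases only the derived over/under answer.
func Issue(priv ed25519.PrivateKey, dob time.Time, photo []byte, now time.Time, ttl time.Duration) (Token, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Token{}, err
	}
	sum := sha256.Sum256(photo)
	claim := AgeClaim{
		OverLegalAge: !dob.AddDate(legalAge, 0, 0).After(now), // birthday reached
		PhotoSHA256:  sum[:],
		NotAfter:     now.Add(ttl),
		Nonce:        nonce,
	}
	msg, err := json.Marshal(claim)
	if err != nil {
		return Token{}, err
	}
	return Token{ClaimJSON: msg, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verifier runs on the bartender's device with only the provider's public
// key. It never contacts the provider and never learns who the customer is;
// all it remembers is which nonces it has already accepted.
type Verifier struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}

func NewVerifier(pub ed25519.PublicKey) *Verifier {
	return &Verifier{pub: pub, seen: map[string]bool{}}
}

// Verify checks the signature before trusting anything inside the claim,
// then expiry, replay, photo binding, and finally the answer itself.
func (v *Verifier) Verify(t Token, photoShown []byte, now time.Time) error {
	if !ed25519.Verify(v.pub, t.ClaimJSON, t.Signature) {
		return errors.New("signature invalid: claim altered or not from this provider")
	}
	var c AgeClaim
	if err := json.Unmarshal(t.ClaimJSON, &c); err != nil {
		return err
	}
	if now.After(c.NotAfter) {
		return errors.New("token expired")
	}
	if v.seen[string(c.Nonce)] {
		return errors.New("token already used")
	}
	if sum := sha256.Sum256(photoShown); !bytes.Equal(sum[:], c.PhotoSHA256) {
		return errors.New("photo does not match the one bound to this claim")
	}
	if !c.OverLegalAge {
		return errors.New("customer is under the legal age")
	}
	v.seen[string(c.Nonce)] = true // accept this code exactly once
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // provider's long-term key
	photo := []byte("constructed photo bytes")         // stands in for the stored photo
	now := time.Date(2016, time.March, 31, 20, 0, 0, 0, time.UTC)
	dob := time.Date(1990, time.January, 1, 0, 0, 0, 0, time.UTC)

	tok, _ := Issue(priv, dob, photo, now, time.Minute)
	fmt.Printf("scanner sees: %s\n", tok.ClaimJSON) // no name, address or DOB
	bar := NewVerifier(pub)
	fmt.Println("first scan:", bar.Verify(tok, photo, now.Add(5*time.Second)))
	fmt.Println("replayed screenshot:", bar.Verify(tok, photo, now.Add(10*time.Second)))
	fmt.Println("next day:", NewVerifier(pub).Verify(tok, photo, now.AddDate(0, 0, 1)))
}
```

The point to notice is what the verifier never sees: the claim carries a boolean and a photo hash, so a compromised bar scanner leaks nothing a driver's license would. The signature is checked before the JSON is parsed, the nonce is recorded only after every check passes, and the short expiry is what makes the code "one-time" even for a verifier that keeps no state.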

This vision may seem very far off, but many different parties are working – often together – to solve the tricky problem of identity in a digital world. Some of them are even banks.

"There's a lot more happening in this space than most people realize," said Gary McAlum, chief security officer at USAA in San Antonio. "The world of user IDs, passwords and security answers is a failed model. It's not a matter of if, but when, that changes."

For banks, a single, federated digital identity would bring several benefits. It would be much easier for banks to know who they were dealing with if they could get quick access to a token or digital certificate that established the person's identity. As it stands, regulators are increasingly requiring banks to do greater due diligence on their customers in an effort to screen for money laundering. The pressure of keeping up with these expectations means increased cost to banks, both in money spent and in internal resources dedicated to the task.

Another benefit would be greater security. If personal information weren't passed around like a casserole plate, criminals would have fewer opportunities to hack into customers' accounts. Banks spend time and money investigating fraud cases, and usually reimburse customers who have been victimized.

USAA is one of several financial institutions worldwide exploring the concept of digital identity. It is partnering with a government agency on a project that would involve allowing USAA's 10.7 million members (mostly military personnel and their families) to authenticate themselves using the same username and password as for online banking. The $70 billion-asset company said it could not give the agency's name.

In Canada, a broader effort is underway with the SecureKey initiative launched in 2012. In this model, banks manage their customers' digital identities for government websites. Tangerine Bank, Bank of Montreal, TD Bank and Scotiabank are all part of the program. The U.K. government also launched an identity verification platform last year with Barclays as one of the partners.

These are just small steps toward the universal federated identity model that technologists and privacy advocates pine for. But executives at several banks said that such a model is going to be the norm eventually and that banks are well positioned to serve as the trusted digital identity provider.

That's because people generally trust banks to keep their private information secure.

"This has to be a mutual-trust model for it to work," McAlum said. "The consumer has to trust the institution that is managing the digital identity."

Chad Ballard, director of mobility and new digital business technologies at BBVA Compass, agreed.

"There's not really a ubiquitous solution out there today" on managing digital identity, he said. "To get there, you'd have to address consumers' concerns about fraud and security. Outside of perhaps a government agency, consumers are used to banks playing that role of secure, trusted adviser."

Like USAA, BBVA Compass in Birmingham, Ala., has been trying out some new tactics in this area. Last year the U.S. unit of the Spanish banking giant BBVA began offering a service with the startup Dwolla that allows bank customers to send and receive real-time payments. The partnership uses a jointly developed authentication and tokenization process called FiSync that spares BBVA account holders from having to provide sensitive bank account information or credentials to Dwolla or any other party.

The learning curve is short.

Comments (3)
Thanks Marc.
The proof of existence process creates a digital signature of the document (hash then encrypt with user's private key) and lodges the cryptogram in the blockchain. A time stamp is also injected into the transaction, which is nice - it is essentially impossible to corrupt blockchain's timestamps.
Yet as a storage mechanism, the blockchain is not the only way to keep a record of the digital signature. You can copy any digital signature cryptogram as many times as you like and lodge the copies anywhere you like. They remain verifiable essentially for all time (through root public keys, using the same public key cryptography as blockchain does). I don't see that blockchain provides any infrastructure breakthrough to enable proof of existence that is lacking today. In particular, the integrity of the blockchain entries still rests on the integrity of the private keys that sign them, so end user key management is still the weakest link in the security chain. Blockchain doesn't do anything to help with end user key management (except for indirectly reminding people how important it is in all cryptosystems).

You mention as an aside that blockchain's proof will last as long as people are still mining Bitcoin. There is a good argument that a great deal of mining might in fact stop next time the BTC reward is halved. BTC experts will argue back and forth about whether that will really happen; I don't profess to know for sure, but I do recognise the systemic risk of blockchain grinding to a halt some time. So I would have to advise any enterprise to keep their own backups of anything really important that they have recorded in the blockchain. Yet, if you have to keep a backup of the "proof of existence", then that becomes the proof of existence, and the blockchain is redundant.
Posted by Stephen Wilson Lockstep | Thursday, March 31 2016 at 10:13PM ET
Stephen: Thanks for your comment. One thing that blockchain can do is prove that a piece of data existed at a certain time. You can hash a document, and record the hash in the blockchain (e.g. there's a service called Proof of Existence, which will create a special bitcoin transaction where the output is unspendable and has the hash inserted) and now it's there forever, or at least as long as people keep mining bitcoins.
So say a child is born in the U.S. today and in 40 years runs for president. Her opponents claim she wasn't born here and isn't eligible for the office. So she produces a birth certificate. The birthers claim it's forged. But if her parents recorded the certificate in the blockchain when it was issued, she can at the very least prove that the certificate existed on a specific day at a specific time in 2016, since a hash of the certificate she produced will match the hash that was recorded back then. Not perfect, but it's something.
Posted by Marc Hochstein, Editor in Chief, American Banker | Thursday, March 31 2016 at 12:36PM ET
Chad Ballard says "It's possible the blockchain could end up being the single, secure token element to certify the authenticity of everything".
No, it can't. It just can't, not on its own, for that's not how blockchain works.
Understand this: there is nothing ON the blockchain. No thing at all. All the blockchain has on it is Bitcoin transactions. If you want to record other things using blockchain, they must be registered somehow; there must be a binding between each thing and a blockchain token (namely BTC related data). That binding requires trust in a process occurring OFF the blockchain (like a shopkeeper saying Steve bought this TV, or a diamond dealer saying stone no. 123456 goes with this owner and her token). But blockchain was expressly designed to not use trust; the blockchain accepts inputs from ANYONE. That is not a reality that sits nicely with registration of important physical items.
Once you add permissions and registration, you need external authorities, and the whole blockchain edifice becomes madly over-engineered.
And let's be clear about what sort of verification blockchain actually provides. It hardly 'certifies' authenticity. ALL IT DOES is reach consensus on the order of Bitcoin movements. Blockchain cannot tell if (a) the right person was actually in charge of the wallet (private key) at the time an entry was made, nor (b) if the ledger entry itself is legitimate (i.e. did Steve really sell the diamond that is represented by the data in the token he just lodged?).
There is no magic in the blockchain. It simply doesn't do many of the things that people think it does.
Posted by Stephen Wilson Lockstep | Wednesday, March 30 2016 at 8:51PM ET
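The proof-of-existence exchange in the comments above, as an added example that is not part of the original page or of any commenter's code: Marc Hochstein's "hash the certificate, record the hash, compare forty years later" flow, modelled with an in-memory append-only ledger standing in for the chain, next to Stephen Wilson's alternative of a signature over the hash that any copy can verify with the signer's public key and no ledger at all. The `Ledger` type, Ed25519, the sample certificate text and the issue time are all assumptions of the example; nothing here talks to Bitcoin.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Entry stands in for the unspendable output Marc describes: it carries only
// the document hash, plus the block time the chain attaches to it. This is a
// constructed model, not Bitcoin transaction data.
type Entry struct {
	Hash      [32]byte  // SHA-256 of the document; the document itself is never stored
	Timestamp time.Time // supplied by the ledger, not by the submitter
}

// Ledger is an append-only list used as a stand-in for the blockchain.
type Ledger struct {
	entries []Entry
}

// Commit records SHA-256(doc) with the ledger's clock. Only the hash leaves
// the submitter's hands, so the certificate's contents stay private.
func (l *Ledger) Commit(doc []byte, now time.Time) Entry {
	e := Entry{Hash: sha256.Sum256(doc), Timestamp: now}
	l.entries = append(l.entries, e)
	return e
}

// Verify recomputes the hash of a document presented later and looks it up.
// A match proves only that this exact byte sequence existed by the returned
// time: the ledger cannot say who submitted it or whether it was genuine.
func (l *Ledger) Verify(doc []byte) (time.Time, bool) {
	h := sha256.Sum256(doc)
	for _, e := range l.entries {
		if e.Hash == h {
			return e.Timestamp, true
		}
	}
	return time.Time{}, false
}

// SignedProof is Stephen's alternative: a signature over the document hash
// that any copy, stored anywhere, can be checked against with just the
// signer's public key.
type SignedProof struct {
	Hash      [32]byte
	Signature []byte
	Signer    ed25519.PublicKey
}

// SignDocument hashes doc and signs the digest with priv.
func SignDocument(doc []byte, priv ed25519.PrivateKey) SignedProof {
	h := sha256.Sum256(doc)
	return SignedProof{
		Hash:      h,
		Signature: ed25519.Sign(priv, h[:]),
		Signer:    priv.Public().(ed25519.PublicKey),
	}
}

// VerifySigned checks that doc hashes to the signed digest and that the
// signature came from the key the proof names. It cannot tell whether the
// right person held that private key, which is the key-management caveat.
func VerifySigned(doc []byte, p SignedProof) bool {
	h := sha256.Sum256(doc)
	if h != p.Hash {
		return false
	}
	return ed25519.Verify(p.Signer, h[:], p.Signature)
}

func main() {
	// Constructed sample document; the forgery differs by one trailing space.
	cert := []byte("CERTIFICATE OF LIVE BIRTH\nName: Jane Q. Public\nDOB: 2016-03-31")
	forged := []byte("CERTIFICATE OF LIVE BIRTH\nName: Jane Q. Public\nDOB: 2016-03-31 ")

	ledger := &Ledger{}
	issued := time.Date(2016, time.March, 31, 12, 0, 0, 0, time.UTC)
	e := ledger.Commit(cert, issued)
	fmt.Println("recorded hash:", hex.EncodeToString(e.Hash[:]))

	when, ok := ledger.Verify(cert) // decades later: same bytes, same hash
	fmt.Println("original existed by", when.Format(time.RFC3339), "->", ok)
	_, ok = ledger.Verify(forged)
	fmt.Println("forged copy matches a recorded hash ->", ok)

	// Same guarantee minus the chain: sign the hash and keep copies anywhere.
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	proof := SignDocument(cert, priv)
	fmt.Println("signed proof verifies original ->", VerifySigned(cert, proof))
	fmt.Println("signed proof verifies forgery  ->", VerifySigned(forged, proof))
}
```

Two things the code makes concrete. A matching hash answers "did these exact bytes exist by this time" and nothing else, which is why the ledger entry cannot settle whether the certificate was genuine or who lodged it. And the signed variant needs no ledger to stay verifiable, but its trust moves entirely onto the signing key: anyone holding that private key can produce an equally valid proof, and a timestamp the signer writes into the proof is only as trustworthy as the signer, where the ledger's timestamp is assigned by the ledger itself.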