Ralph Waldo Emerson never made the famous statement attributed to him that if you build a better mousetrap, the world will beat a path to your door. He did say, "If a man... can make better chairs or knives, crucibles or church organs, than anybody else, you will find a broad hard-beaten road to his house, though it be in the woods."
The same is true of whoever can solve the riddle of digital identity. The company that comes up with a foolproof, easy to use, yet super-secure way of verifying customers' identities as they try to log into apps and websites on mobile devices and PCs a method that businesses and consumers can all rally around will find the business world beating a path to its door.
For one thing, most of the security breaches that occur in banking today use compromised credentials. More than 900 million consumer records have been stolen this year alone, according to Risk Based Security; 66.3% included passwords and 56.9% included usernames. According to Verizon's latest Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76% of the breaches analyzed.
A new identity management service being launched Tuesday by an oddly named company called Payfone offers banks a service that would authenticate their mobile banking customers without requiring anything besides a username and password. Behind the scenes, Payfone would check the customer's identity against a digital signature based on the user's SIM card and mobile device account activity. Payfone's key strength is its relationships with all the major telecom operations, which lets it track users' device "events," such as phones being lost, stolen or upgraded.
The service debuts at a time when large players like Google, Verizon and PayPal have been striving for years to be the gatekeepers (and toll collectors) for customers' digital identities, and banks have begun piloting biometric solutions to authentication, such as voice recognition and fingerprint reading. All have shown promise, but none have achieved critical mass.
Verizon, which already manages the mobile phone accounts of more than 100 million people, came out over a year ago with an ambitious plan to become the world's largest identity provider and the gateway to every website a consumer accesses.
In Canada, banks manage their customers' digital identities for government websites. Tangerine Bank, Bank of Montreal, TD Bank and ScotiaBank are all part of the SecureKey Concierge program, which handles more than a million logins per month.
In a similar vein, the U.S. is setting up Connect.gov (formerly known as the Federal Cloud Credential Exchange), through which partners Google, ID.me, PayPal and Verizon will manage credentials for visitors to government sites. Several federal organizations including the U.S. Department of State, Department of Veterans Affairs, Department of Agriculture, General Services Administration and National Institute of Standards and Technology have committed to integrate with Connect.Gov to accept commercially issued credentials, and others are expected to join.
Connect.Gov is intended as the government side of a larger public/private single sign-on ecosystem, according to Rick Parrish, senior analyst at Forrester Research.
"If federal agencies can all get on the same page with their security requirements for personally identifiable information and agree to a Connect.Gov framework that satisfies tough requirements, then all major federal agencies will eventually become part of the Connect.Gov ecosystem," he said. "That would provide a huge impetus for more and more companies to also join, which could lead to a snowball effect that leaves the Connect.Gov ecosystem as the biggest kid on the block. Government is such a powerhouse in the economy that if the entire government goes in one direction, the private sector will follow."
However, that's a big "if." Some agencies are concerned that security isn't strong enough for transactions that use personally identifiable information, Parrish observes. "Federal agencies are rightfully obsessed with the security of people's PII, so they are hesitant to get involved with new technologies that could compromise it," he said. "The second issue is the self-fulfilling prophecy problem. Few agencies want to be early adopters because the whole thing might not pan out, and these agencies will have wasted resources on it. So they don't adopt it, so it doesn't pan out."
Another broad initiative is the FIDO Alliance, which Tuesday published the final specifications of a universal standard for accessing sites and online services more securely, using public key cryptography protocols. FIDO is led by current and former executives from Google, PayPal and eBay. It supports an array of authentication methods, including fingerprint, voice and facial recognition. Google offers a hardware security dongle and Samsung offers a fingerprint reader that both use the FIDO standard. The iPhone's TouchID sensor will also work with the new spec.
And many tech vendors and software startups, including Anchor ID, Nymi and Nuance, have their own answers to the problem of authentication. Anchor ID has a registry for consumers' digital identities and is working to expand the list of websites that work with its service. Nuance offers voice recognition technology that several banks, including U.S. Bank, are piloting. Nymi offers authentication using a unique identifier the user's heartbeat.
Payfone's new identity service is called Identity Certainty. Payfone has relationships with all four major U.S. telecom providers and already maintains records on 300 million mobile device owners in the U.S. And it monitors 400 event types, such as phones being upgraded, lost or stolen. This gives it a decent window into mobile phone users' account information, which at least in theory gives it the authority to corroborate that a user is who he says he is. Verizon uses Payfone's technology in its User Identity Services. (Verizon also offers authentication for PC users; Payfone secures only mobile users.)
"If you look at our experience as consumers on the Web, it's a friction-filled process," said Rodger Desai, Payfone's CEO, in a recent interview. "We always have to register for things. Even then, the counterparty, the merchant or the bank, doesn't always trust that we are who we say we are, so there's always additional friction."
Desai says banks began telling Payfone two years ago that they wanted to move their branches to the phone and that traditional methods of authenticating online banking users would not work on mobile devices.
"On a PC, we look at someone's IP address and we make sure it's the same home router they normally log in from," Desai said. "On a phone you can't do that; the telecom provider changes the IP address every time you log in." And, of course, phones are frequently lost or stolen, requiring owners to get new hardware and IP addresses.
Using Identity Certainty, a bank customer logs in normally from her phone or tablet. Behind the scenes, Payfone tracks the user's IP address to her Payfone "signature," which is a combination of information about the user's activity related to that SIM card.
One of the 400 "event types" Payfone monitors is the kill switch. "If you look at the fine print of a lot of mobile apps, they ask the customer to call when they lose their phone, so the bank can disable that phone," Desai noted. "Less than 10% of people call the bank." But every time someone loses their phone, they get a new phone. To protect the customer, the phone company will kill the SIM of the old phone. Payfone can detect that, Desai said, and let the bank know to blacklist the old device.
"What's magical about Payfone's approach is we're leveraging something [telecom] operators already do today," Desai said. "Identity Certainty doesn't require the human to do anything. It happens behind the scenes. There are no knowledge-based questions to answer or [text messages] to respond to."
Payfone calls this a "silent second factor."
Payfone is partnering with Early Warning, a fraud mitigation service provider, to offer its service. Three tier-one banks are already using Identity Certainty through Early Warning, Desai said.
"Ultimately we think if we don't get this right as an industry, consumer confidence will be questioned," Desai said.