Verizon on Tuesday announced upgrades to its Universal Identity Services and expansion of the service to Europe. It's a step toward an ambitious goal: Verizon would like to be the steward of consumers' online identity, the gateway to every site with which a consumer engages.
"We want to be the world's largest identity provider," says Tracy Hulver, chief identity strategist at Verizon Enterprise Solutions. "We want to credential as much of the world's population as we can. That information associated with you needs to stay with you at all times."
The telecom company hopes to sell this idea first to large consumer-serving organizations, then begin approaching consumers to make them direct identity service customers.
The challenge of protecting consumers' online data and identities as they share a growing body of personal information on a plethora of websites and social media networks is being hotly debated lately as new revelations continue to emerge about the NSA's access to consumer phone calls, emails and internet activity. The Pew Research Center recently asked consumers if they think it is possible for someone to use the internet completely anonymously, so that none of their online activities can be easily traced back to them. A mere 37% said they thought this was possible; 59% said it was not possible.
At the same time, the user names and passwords people use to access websites and applications have become too hard for legitimate users to remember and too easy for fraudsters to game.
"Of the 621 data breaches we analyzed in our latest Verizon Data Breach Investigations Report, 76% were the result of weakened or stolen credentials, through malware, a keylogger, social engineering techniques or simply guessing a password," says Hulver. Multi-factor authentication was not used in any of the 621 cases, he says, implying that the breached sites were secured only with user names and passwords.
"User names and passwords are not only difficult to remember (you have to maintain 40 to 50 different passwords in your life), they're also easy to get around," he says.
Verizon's identity service, which was originally launched last fall, makes the task of authenticating users of an application or website (proving that they are who they say they are) Verizon's responsibility. The telecom company uses device ID (the knowledge that a particular smartphone or tablet is registered to a certain user) to verify a user.
In one scenario, before giving a customer access to an account, a Verizon corporate customer (a retailer or bank, for instance) renders a quick response code on its website. The customer scans the QR code from the mobile device he's already registered with that service to gain access to the site. (Android, iOS, Windows Phone and BlackBerry are all supported by the service.)
Instead of a QR code, a company could opt to send a one-time password to the user's mobile device. Either way, behind the scenes, Verizon verifies that the user opened his device using a password. The user never has to enter a password, yet according to Verizon the authentication is stronger than a password.
"The chances of [a thief] stealing your phone, you not detecting that it's been stolen, and [the fraudster] figuring out your bank site and figuring out what your PIN is for the phone, are very low," Hulver says.
If a user doesn't lock his phone, Verizon would detect that there was no PIN or password, and would require that person to enter a password.
The service is already hosted in two U.S. Terremark data centers in Culpeper, Va., and Miami. In July, Verizon added a third data center in Amsterdam to the service, to support European clients.
Verizon says its identity service is being used by healthcare companies to secure applications and VPNs.
In addition to user authentication, Verizon can provide transaction-level authentication for higher-risk transactions. A bank might not want to force a user to use multi-factor authentication just to see his account balance. But if the user wants to transfer a large percentage of funds from one account to another, the bank might want that transaction authenticated. In that case, the user would get an alert on his phone from his bank saying that activity is happening on his account; the user could then reject or accept the transaction.
Who handles customer support depends on the level of service a customer buys. If the bank chooses to maintain control over its own user names and passwords, then it would need to handle all changes and problems with them. If Verizon is managing credentials, the company could provide a profile manager that lets users change and update their own passwords. If a user has forgotten a password, Verizon can present a list of security questions to challenge that user before accepting changes. "The way to keep costs down is to make it as self-serving as possible," Hulver says. The company can also provide varying levels of help-desk support.
The cost of the service ranges from around $3 to $10 per user per year, depending on the NIST level of identity assurance and the service level agreement. (NIST happens to be one of the government agencies currently shut down due to lack of funding.)
No U.S. banks are using this service to date, but Verizon is in discussions with several large financial institutions, Hulver says. A few have expressed interest in using the service to secure the high-value transactions of wealth management clients, he says.
"If you've got 20 million customers, they're probably not all going to need second-factor authentication," Hulver observes, realistically. "If they do, banks aren't going to pay $100 million a year to manage that."
The competition for this service is on-premise (or, in the en vogue phrase, "on prem") software for managing authentication. Software companies including Digital Persona, Authentify and Bionym offer technology a bank can use in-house to authenticate employees and customers.
Many banks are experimenting with various forms of stronger authentication. Barclays Wealth & Investment Management is using voice biometric technology from Nuance Communications to authenticate customers through voice recognition.
ING Direct is piloting voice and facial recognition software from CSC.