AI + Digital Identity: Why You Still Need Humans

Today’s data-driven world has ushered in an era of constant tracking, monitoring, listening and learning. Customers expect businesses to automate their processes for efficient and positive experiences. Products are created to be tailored to individuals’ needs and interests. In response, companies are leveraging data – and Artificial Intelligence (AI) capabilities in particular – to improve customer experiences and make processes more efficient.

AI has quickly transformed every major industry, bringing automation and speed to tasks that normally require human intelligence. A quick scan of headlines shows its reach – from solving a Rubik’s Cube in 1.2 seconds, to advancements that could control a smartphone or computer with just your thoughts.

The Rise of AI in Identity Verification

With identity theft on the rise, businesses are fighting to prevent and deter online frauds and scams. Machine learning and AI are ushering in a new era where identity authentication delivers a smooth experience that doesn’t require users to trade convenience for security. These technologies are increasingly being leveraged for online identity verification to protect consumers and businesses against fraud and account takeover.

AI creates a more efficient and accurate process than relying on a human to examine and verify an ID. Computer software that is constantly learning and correcting itself can process millions of transactions at a rate unachievable by human experts.

Human Assisted AI: Don’t Extract the Experts

However, IDs are physical documents that endure wear and tear, and may feature manufacturing discrepancies. Many factors, if left unobserved, could test even the strongest algorithms and result in a genuine ID being flagged as fraudulent. For example, the camera might not produce a high-resolution image, or the image on the ID may be too worn to pass automated inspection. The lighting may be too dim or cast shadows, or the image may be too blurry to be properly identified.

The benefits of AI are best realized alongside a trained professional who can step in if the software rejects a legitimate ID, apply their expert eye, determine what error occurred and teach the computer how to spot the issue in the future. This allows the learning model to improve through constant input and refinement of data with the oversight of a trusted identity expert.

Acuant has amassed the world’s largest document library of government issued identity documents from over 190 countries. The company combines its deep industry knowledge of country specific ID characteristics and the application of AI to scale and expedite the verification process. This has created the most comprehensive Identity Platform available.

Companies with high risk can rest assured with Acuant Review, which provides manual inspection of identity documents by human experts in minutes. Forensic experts manually review and determine document authenticity in real time to ensure the legitimacy of documents flagged as suspicious by Acuant AssureID (with the option to review any document or result a company wishes). This marriage of AI and human-assisted machine learning results in passing more good IDs/customers (while catching sophisticated fakes) and providing a seamless, low-friction customer experience.

 



A Worldwide Approach to Global IDs: Why Setting the Standard is No Easy Feat

Organizations and government entities are struggling on a global scale to determine the best methods for approaching identity management. The conversation around national digital IDs is not new. Governments around the world have expressed both interest and concern, in roughly equal amounts, about adopting these in their countries. However, some citizens of more developed countries such as Australia, Canada, New Zealand, the UK and the US are opposed to the idea of biometric based national ID schemes, mainly on the grounds of privacy.

Setting standards for the global ID verification process is no small task. Beyond the obvious – the need to standardize all identity cards or processes – there are differences from country to country in comfort with technology advancements like biometrics and other measures.

The UK government introduced the GOV.UK Verify scheme in 2016 as a way for people to prove their identity for online government services, targeting 25 million users by 2020. As of March 2019, it had acquired 3.6 million users. Oliver Dowden MP, the Minister for Implementation, recently announced the creation of a new Digital Identity Unit, a collaboration between DCMS and the Cabinet Office to ensure the adoption of interoperable standards. The government is also engaging the private sector to establish a commercial framework for businesses to provide digital identity for use with public services. The government hopes to bring this capability online by April 2020.

Singapore has already created a digital ID program with the SingPass Mobile app taking effect in the middle of last year. Malaysia and the Philippines have expressed interest in developing such a program.

Africa is taking a less standardized approach to digital identity; each individual country within Africa has rolled out its own approach. For example, Nigeria is moving towards a single, centralized National Citizens Database, bringing together various databases for SIM card registrations and driving licenses, to be managed by the National Identity Management Commission, which issues the National Identity Numbers. And last month (May 2019), Tanzania kicked off biometric verification of mobile telephone numbers. The ID card issued by the country’s National Identification Authority (NIDA) will be the sole document required for the process. Mobile phone subscribers are expected to use the same NIDA offices that capture biometrics for issuing ID cards to verify their fingerprints to register their SIMs.

One of the key issues Africa faces in general is a lack of identity management systems, or governments that cannot identify citizens because a large part of the population is unregistered or does not necessarily have a means of biometric verification to prove its identity.

The other issue identified is identity on mobile. Traditionally we have had physical identity documents like passports and ID cards, but identity is increasingly moving to mobile phones, as mobile uptake is very high across the continent. There is therefore a need to bring people’s identities onto mobile phones and make it easier for people to access government services and authenticate remotely.

The U.S. is enacting data privacy laws at the state level, but lawmakers in the House and Senate are calling for bills aimed at strengthening individuals’ ability to control their data collected by the biggest technology companies, including Alphabet Inc.’s Google, Facebook Inc. and Apple Inc. The California data privacy law, set to take effect in January 2020, is viewed by most as the strictest consumer privacy legislation in the United States. Similar to Europe’s General Data Protection Regulation, which took effect last year, the California measure also includes more provisions allowing consumers to opt out of data sharing as opposed to forcing them to opt in before continuing to use online sites.

Looking Ahead – Why Trust is the Key to ID Verification

The convenience of being able to quickly and easily verify one’s identity comes with the loss of control over where that data is being stored and how it is shared. At Acuant we believe in creating solutions that put the power back into consumers’ hands. Companies are now recognizing that identity data collection and verification is an organization’s biggest vulnerability, and the protection of identity data is paramount. Acuant helps organizations build trust via an identity platform that allows businesses to address security/privacy concerns, regulations and their appropriate level of risk – while at the same time being customer centric.


Global Challenges with Establishing Identity in Today’s Digital Economy: A Look from a Solutions Provider POV

Acuant CEO Yossi Zekri recently spoke at London’s premier Identity Week Show. Here is a bit of what Yossi had to say from Acuant’s point of view on the global challenges in establishing identity today.

We are all aware that establishing identities today is not foolproof. There is no perfect solution to protect customers and institutions from sophisticated fraudsters, hackers and data breaches. But as identity is increasingly digital and becoming a currency for consumers — the need to defend digital identity against bad actors is imperative.

Establishing a trusted Identity Anchor is the base for the Digital Identity of the future — and this is at the heart of what Acuant does.

Global Factors

Acuant sees millions of global ID transactions — heavily concentrated in North America, but capturing transactions from virtually every country every month. We see mobile use is increasing across the globe, which has its own set of challenges.

With more than 196 countries, there are thousands of identity document templates and types globally, each with unique identifiers/characteristics and security elements. This presents challenges such as:

  • Data Sets – The need for good (and a lot of) data and quality documents to establish a global document library. Systems must utilize human factors as well as machine learning to have continuous updates to libraries or databases.
  • Design – ID card issuers do not always design with authentication in mind, so there are different security features which can present challenges, and most have non-white-light features, making them poor or irrelevant for mobile authentication.
  • Language & Culture – There are cultural differences in language/spelling that add complexities. For example, Mohammad is written 50+ different ways, depending on the country, and Asian names often end up truncated due to the limited character space on forms.

In addition, ordering schemes differ among countries, and the security features on each ID are different, with some easier to forge than others and frequent changes to track. This is a constant battle: fraud capabilities advance incrementally, and the methods providers and institutions use to verify IDs keep changing.

Device & Method Challenges

It is imperative today for businesses to provide an omnichannel verification solution that includes mobile. The rise in mobile adoption evidenced in Forrester’s Mobile Mind Shift Index identifies an evolving preference for mobile use.

Much of this can be attributed to millennials (currently ages 18-34), the generation most likely to own a smartphone (97% market penetration) which they check more than 150 times per day. A paper document is no longer the only method of ID verification to consider. Some reports show millennials are deciding who to do business with based on their mobile capabilities.

But verifying IDs via mobile creates additional challenges:

  • Solutions must be in real time (seconds)
  • ID holder’s appearance may have changed since ID photo was taken
  • Fraudsters are increasingly sophisticated
  • Camera quality affects the image and image quality is key!
  • Harder to run forensic tests

Solution providers need: Strong Algorithm + Big Data Set + Human Oversight = Best Results.

Establishing Genuine Presence

Today, solutions must be able to address increasingly sophisticated fraud and presentation attacks while balancing the user experience. Businesses and organizations must match the level of risk to the use case: how much friction they add will/should depend on the level of assurance required and risk involved.

Factors to consider include:

  • Time – consumers will not stand for a lengthy or invasive process
  • Accuracy – how can this process yield accurate/ best results
  • New verification methods to support mobile/digital identity
  • Using a hardware secure element (SE)/chip authentication to securely store a mobile ID credential on a smartphone

Linking an ID to a person requires multi-factor authentication. First, you must establish that there is a valid ID to serve as a trust anchor. You must have a clear image, which can be captured via any device, and robust authentication tests (strong forensics). Second, you must verify the person is who they claim to be, which can be accomplished with biometric tests such as robust facial match and liveness tests. The ID photo must be matched to a real-time selfie for a score or decision. Challenges here include presentation attacks, image and device spoofing, deep fakes and video replay.

Once you link the ID to the person, additional security features can be layered on:

  • Start building an Identity Score for easy & ongoing verification
  • Watchlist & database crosschecks: OFAC, INTERPOL, AML etc.
  • NIST certified algorithm – ICAO Standards for govt use cases such as border control

 

Software solutions that use AI & Machine Learning in tandem with human researchers are the best method to detect fraud. Automation cuts down processing time and eliminates mistakes. You must start with an automated solution that uses a strong algorithm, have a big enough data set, then add human oversight (mostly to compensate for image quality and variation) to get the best results and pass more good customers.
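The two-step linking described above (valid ID first, then face match and liveness), with human review as the fallback for poor images and borderline scores, sketched as an added example that is not Acuant's code. The score fields, thresholds and the "low"/"high" risk levels are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Decision(IntEnum):
    # Ordered by severity so max() always keeps the strictest outcome.
    PASS = 0
    HUMAN_REVIEW = 1
    REJECT = 2


@dataclass(frozen=True)
class Policy:
    min_image_quality: float  # below this, automated document tests are not trusted
    doc_pass: float           # document score needed to pass automatically
    doc_reject: float         # document score below which the ID is rejected
    face_pass: float          # face-match score needed to pass automatically
    face_reject: float        # face-match score below which the person is rejected


# Assumed thresholds: a higher-risk use case demands more assurance, so more
# attempts fall into the review band (more friction).
POLICIES = {
    "low": Policy(0.40, 0.80, 0.30, 0.75, 0.35),
    "high": Policy(0.60, 0.92, 0.50, 0.88, 0.50),
}


@dataclass(frozen=True)
class Attempt:
    image_quality: float  # 0..1, quality of the captured ID image
    doc_score: float      # 0..1, result of the document authentication tests
    face_score: float     # 0..1, ID photo matched against the real-time selfie
    liveness_ok: bool     # outcome of the liveness test


def _band(score, reject_below, pass_at):
    """Map a score to reject / review / pass using two thresholds."""
    if score < reject_below:
        return Decision.REJECT
    if score < pass_at:
        return Decision.HUMAN_REVIEW
    return Decision.PASS


def decide(attempt, risk):
    """Return (Decision, reasons) for one verification attempt."""
    policy = POLICIES[risk]  # an unknown risk level raises KeyError: fail closed
    for name in ("image_quality", "doc_score", "face_score"):
        value = getattr(attempt, name)
        if not 0.0 <= value <= 1.0:  # also rejects NaN
            raise ValueError(f"{name} out of range: {value!r}")

    reasons = []

    # Step 1: establish the trust anchor (a valid ID).
    if attempt.image_quality < policy.min_image_quality:
        # A worn ID or dim, blurry capture makes the document score unreliable:
        # send it to an expert instead of rejecting a possibly genuine ID.
        doc = Decision.HUMAN_REVIEW
        reasons.append("document image too poor for automated tests")
    else:
        doc = _band(attempt.doc_score, policy.doc_reject, policy.doc_pass)
        if doc is not Decision.PASS:
            reasons.append(f"document authentication: {doc.name}")

    # Step 2: link the person to the ID.
    if not attempt.liveness_ok:
        # A failed liveness test is never outweighed by a high match score;
        # a replayed or spoofed image of the real holder matches perfectly.
        person = Decision.REJECT
        reasons.append("liveness check failed")
    else:
        person = _band(attempt.face_score, policy.face_reject, policy.face_pass)
        if person is not Decision.PASS:
            reasons.append(f"face match: {person.name}")

    return max(doc, person), reasons


# Constructed sample attempts (not real data).
CLEAN = Attempt(image_quality=0.90, doc_score=0.95, face_score=0.93, liveness_ok=True)
WORN_ID = Attempt(image_quality=0.35, doc_score=0.20, face_score=0.90, liveness_ok=True)
REPLAY = Attempt(image_quality=0.90, doc_score=0.95, face_score=0.99, liveness_ok=False)
BORDERLINE = Attempt(image_quality=0.80, doc_score=0.85, face_score=0.80, liveness_ok=True)

if __name__ == "__main__":
    for label, attempt in [("clean", CLEAN), ("worn ID", WORN_ID),
                           ("replay", REPLAY), ("borderline", BORDERLINE)]:
        for risk in ("low", "high"):
            decision, reasons = decide(attempt, risk)
            print(f"{label:10s} risk={risk:4s} -> {decision.name:12s} {reasons}")
```

The borderline attempt passes at the low-risk setting and goes to an expert at the high-risk setting, which is the friction-versus-assurance trade-off the article describes.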

While there are no global standards today in identity verification, there are solutions that offer a level of certainty for every level of risk. It is up to institutions to decide the amount of security they are providing, and up to consumers to decide how much friction they are willing to bear. The burden of proving digital identity is one both must ultimately face.

 

 


Millennials & Mobile Health: How Providers Can Maximize Convenience & Minimize Fraud

As the largest generation in the U.S., wielding growing purchasing power, Millennials have driven change in all industries – from retail to automotive, banking to healthcare, examples of disruption abound. Their preferences are backed by powerful dollars and any company foolish enough to ignore that fact will be faced with irrelevance in short order. It may be hard to imagine that such a highly regulated and decidedly personal industry as healthcare would be able to evolve to address the unique demands of the Millennial generation. But we are seeing the evolution in myriad ways.

Millennials are used to speed and convenience – even when it comes to healthcare. They inhabit a workforce that embraces freelance work as well as telecommuting, which often means little to no downtime. As such, time is valuable and healthcare, and other routine “adulting,” must be quick and efficient. Millennials don’t accept long wait times, manual processes and slow turnaround.

Due to the great value they place on convenience, Millennials demonstrate a strong preference for “fast health” options, eschewing primary care physicians as a first line of inquiry. A PNC Healthcare study found that they are twice as likely as Baby Boomers to prefer retail clinics and acute care facilities for speed and efficient healthcare delivery. This generation’s penchant for faster and more convenient options was likely a key driver for the recent launch of CVS HealthHUBs, an extension of its MinuteClinics.

Often called Digital Natives, Millennials are keen to use technology to manage their lives. Growing up with smartphones, they are not only comfortable with digital technology but expect it at every turn. As such, they are becoming increasingly comfortable with using mobile devices for more sensitive transactions such as banking and healthcare.

There are now well over 300,000 health apps available on the top app stores worldwide, nearly double the number of apps available in 2015 – and more apps are being added each day.

From wearable sensors to mobile health apps, Millennials often look to technology to create efficiencies in their lives. Beyond mobile apps, they are demanding solutions such as online health portals, online appointment scheduling, electronic medical record access and more. Hospitals and physicians are evolving to meet these needs to provide better service to their patients.

As more Millennials become parents, they are using health facilities more frequently as well. Dayton Children’s Hospital in Ohio built a new wing with features to specifically address the technology needs of Millennial parents. From simple things like having electronic chargers available and providing a robust wireless network, to more critical services like electronic signage that lists patient precautions and connecting medical devices, such as vital sign monitors, directly into the EMR, hospital executives focused on how technology would attract and build confidence with Millennials.

While providing improved patient experiences is often the goal for implementing technology solutions, it is important to understand that patient medical data is the most valuable asset on the dark web. The dark web is a massive marketplace for stolen data and personal information that often is a result of a data breach, and notably, the healthcare industry accounts for up to a third of all data breaches.

Why do fraudsters want medical data? It contains a trove of personally identifiable information (PII) that can be used for identity theft or to access medical care in the victim’s name. This information is hard to change and unlike a credit card breach, individuals have few options and little recourse when protected health information (PHI) is leaked.

Experian, an Acuant partner, found that a social security number will fetch about $1 and credit card information will garner from $5-110. Yet data-rich medical records – ideal for identity theft purposes – can rake in up to $1,000. Victims often spend more than 200 hours and an average of $13,500 to remediate the damage of medical ID theft.

Since avoiding technology and ignoring the demands of Millennials isn’t an option for organizations that plan to stay in business into the next decade, healthcare providers must find ways to balance convenience and fraud prevention. Here are a few ways to offer an improved patient experience, while protecting the organization from fraud.

Automated Intake Processes

It is possible to streamline and improve the patient experience by using mobile devices to enable credentialing, automate intake processes and power self-check in. Patients don’t want to be bogged down with administrative processes. Accelerating the registration process minimizes patient wait times, something that Millennials will expect when visiting any healthcare provider.

As healthcare providers embrace mobile technology, front line staff can capture critical health data from insurance cards and patient IDs using a mobile device. Patient data can then be auto-populated into an application or EMR, reducing the chance of errors. This is especially true for credentialing, which should no longer rely on outdated, time-consuming, paper-based approaches that are definitely error prone. This is particularly helpful for reducing insurance claim rejections, which are often the result of incorrect or missing information. With an automated process, collected data is more complete and accurate, resulting in increased efficiency and accuracy while leading to faster claim processing and reduced rejections.

Instant Multi-Factor Smartphone-Enabled Identity Verification

Another benefit of using technology to automate processes is the ability to reduce fraud. It is easier to spot medical fraud using technology as compared to paper-based processes. Medical insurance fraud is a growing issue due to the high rate of identity theft. Mobile phones can scan and instantly authenticate IDs to create a trust anchor. From there, you can layer on facial recognition technology to verify a patient matches their ID by presenting with a simple selfie, all in seconds and in the same workflow. It is an easy and powerful way to combat fraud.

Facial Recognition Over Passwords

Biometric technology can also be used when patients want access to medical test results, to book an appointment, or to pay a bill. Instead of passwords that are often re-used and possibly compromised, patients can use facial recognition technology to verify their identity and access sensitive health information or login to patient portals.

In a world where Millennials can – and do! – look up physician and hospital ratings online, patient satisfaction is a big deal. By embracing technology and putting more power (literally) in the hands of patients, healthcare staff can focus their attention on creating positive experiences around patient care while benefiting from improving overall risk exposure. The result will be significant increases in patient satisfaction, reduced fraud, better data security, more efficient and effective patient visits and improved staff productivity.

 


Federation and Other Trust Models for Cross Vertical Digital Identity Acceptance

Over the past year, digital identity solutions have both matured and newly emerged. Several of the Self Sovereign Identity (SSID) solutions that were first commercially introduced last year have now made it into pilots. Other solutions are using a metered approach to build a solid credential structure to address a specific vertical use case. Still others are blending these concepts to provide support for both government-led digital credential standardization and sector-specific use cases. Each of these capabilities was presented and widely discussed recently at connect:ID 2019 in Washington, DC.

As all of the solution sets have developed support for valuable identity based processes, there are still a number of challenges for use of any of these credentials across verticals or industries. Most of these SSID solutions are commercial efforts that were instantiated as pilots to address requirements specific to an industry – examples include:

  • Self enrollment & electronic health record sharing, derived from a specific health insurer’s customer base
  • Mobile driving license generation & utilization
  • Seamless traveler initiatives leveraging the Digital Travel Credential (DTC) being defined through an ICAO and ISO partnership for use throughout the travel continuum (booking – airport check-in – baggage drop – security screening – airport vendor services – boarding – arrival – customs – hotel check-in – return trip)
  • Concepts extending the DTC concept from the traveler journey to Visa request, work permit, & law enforcement record verification processes
  • Solutions providing a digital identity to the extremely large population of people without paper identity documents
  • Digital consortium solutions for banking

As can be imagined, each of these capabilities has been implemented using varying technologies and security frameworks. All of the programs describe their offerings as being built with extensive security measures in the generation and protection of the digital credential, and just as importantly, with a Privacy By Design approach. Some of the digital credentials are built through the derivation of data from a physical document (after the performance of automated identity document authentication – often in combination with facial recognition matching of the end-user against the authenticated source document), while others use identity repositories as the data source for the digital credential. As the DTC is a token which leverages the Document Security Object from an ePassport, the initial delivery mechanism of this token to the end user is meant to be managed by the document issuer.

Security of the token also varies. The DTC imposes requirements to perform the same level of authentication for the token as for the document itself, meaning that it needs to be cryptographically assessed by the relying party to determine its authenticity. Other solutions leverage blockchain implementations to both protect and distribute the user data to support access decision processes for both physical and logical access capabilities.

The key to the evolution of a broader, frictionless identity ecosystem is going to be the development of an interoperable security framework that will allow the digital credential from one ecosystem to be fully leveraged by another. While brand loyalty drives many of these initial capabilities, use of a single credential for many disparate functions is what will drive consumer adoption globally. While it seems naive to think that a global, federated trust fabric will be deployed to support any and all of these disparate programs, perhaps the answer is an interoperable identity wallet that understands the protocols required to authenticate an end user to all points within the ecosystem using the appropriate digital credential – without any specific user action other than authentication to the device containing the digital credentials.

 


4 Blockchain Business Opportunities

Varun Garg, Acuant’s Director of Cloud and Mobile Products, recently contributed this article to DevPro Journal. You can read his article below.

Blockchain is an immutable decentralized way to securely store data in blocks that are linked to each other using cryptographic principles. In late 2017, bitcoin and other cryptocurrencies became the center of many conversations among millennials and tech experts alike. Just two years later, many believe that cryptocurrencies are dead. But there are numerous emerging groundbreaking blockchain-related business opportunities that will disrupt established businesses and ways of doing things.

Here are four disruptive, blockchain-related opportunities.

Trading

Blockchain can be used to transfer assets from one holder to another globally and instantly. Current financial markets limit trading to a country or a continent. For example, NYSE, Japan Exchange Group, Euronext, etc. Today when we trade stocks, it takes a few days for a trade to settle and for us to withdraw the money. We have yet to see a global decentralized financial market where anyone can trade any asset and trades are settled instantly on the ledger.

Imagine a world where you could trade almost anything from stocks to precious metals to fiat or cryptocurrencies to ETFs, and you could interchange from one asset to another instantly for pennies. Decentralized exchanges (DEX) solve this problem: no institution, country or group of servers has central authority, making it impossible to hack or implode.

Money Transfer and Micropayments

Bitcoin once was promoted as a digital way to transfer money from one person to another locally and globally instantly. As of today, it takes around $0.88 and 10 to 20 minutes to transfer money using bitcoin, making it very inefficient. If you are doing a money transfer from your bank account to someone’s bank account overseas, it may cost you a 1 percent to 5 percent transaction fee and may take two to five days for the transaction to process and settle as funds are routed through many intermediary banks.

Thanks to technologies built using blockchain such as Ripple or Stellar Consensus Protocol, money can be transferred from one bank account to another globally within seconds for just a few cents.

This practice can also be expanded to micropayments. Credit/debit card network fees are not cost effective for micropayments. If you had to pay 2.9 percent + $0.30 on a $0.50 transaction, you’d be paying about 63 percent. Even on a $3.00 transaction at 2.9 percent + $0.30, you are left paying about 13 percent overall. With technologies built using blockchain, network fees can be reduced to a fraction of a cent.

Digital Advertising

Google, Facebook, Twitter, Pinterest, etc. have built an incredible business by showing us digital ads. They store all our data and sell it to advertisers. Have you ever wondered why you don’t pay to use their services? Is there something free on this planet?

Your data is worth hundreds of dollars to these companies. You are the product. Blockchain-based technologies aim at fixing the web by blocking all the ads we see in our web browsing experience and rewarding us for our attention. Today, our screens are full of ads shown to us based on our browsing history. Shouldn’t we be in control of the ads shown to us instead of having them forced on us? And if we see ads, shouldn’t we be rewarded to pay attention to these ads?

The multibillion-dollar digital advertising industry is in crisis. User privacy has become a casualty in an ever-increasing consumer-surveillance ad model that relies on tracking and profiling users. Publishers and content creators are shutting down or retaliating with self-destructive tactics as users enable ad-blockers in response to privacy violations, irrelevant ads and malvertisements. Ad fraud is rampant throughout the system, and advertisers are struggling to find solutions that comply with new GDPR/ePrivacy regulations. This is a fundamentally unsustainable state of affairs.

Contracts

Typically, you would go to a lawyer, spend a lot of money and wait for days for the contract to be drafted and agreed upon by both parties. With Smart Contracts, you can do this same process through blockchain. Suppose you want to rent an apartment from me. You get a receipt which is held in our virtual contract; I give you the digital entry key which comes to you by a specified date. If the key doesn’t come on time, the blockchain releases a refund. If I send the key before the rental date, the function holds it, releasing both the fee and key to you and me respectively when the date arrives. The system works on the If-Then premise and is witnessed by hundreds of people, so you can expect a faultless delivery. If I give you the key, I’m sure to be paid. If you send the amount defined in the contract, you receive the key. The document is automatically canceled after the time, and neither of us can interfere with the code without the other knowing since all participants are simultaneously alerted.

Smart contracts can be used for all sorts of situations that range from financial derivatives to insurance premiums, breach contracts, property law, property sales, automobile sales, credit enforcement, financial services, legal processes and crowdfunding agreements.

What We Learned at the Goode Intelligence Biometric Summit

Acuant attended the Goode Intelligence Biometric Summit in NYC last week, where industry experts and providers met to discuss the state of identity, challenges and trends in biometrics. Our own Steve Maloney, EVP of Business Development and Strategy, spoke on a panel hosted by International Biometrics + Identity Association (IBIA) Executive Director Tovah LaDier to address how biometrics are being leveraged to support digital onboarding while complying with Know Your Customer (KYC and eKYC) and Anti Money Laundering (AML) regulations. Here is a recap of what we learned.

 

Biometrics is hot right now

Biometrics continues to be one of the hottest tech areas with increasing investment activity bringing more providers to a growing market. Financial services, payments, transportation and governments continue to be at the vanguard of adoption, but other vertical sectors are increasingly turning to biometrics to support a range of use cases including healthcare. The majority of uses of biometric authentication are performed on-site, but mobile device usage is a fast growing area as well.

 

The line between convenient and creepy is based on the use case

The topic of the keynote speech by Alan Goode (CEO & Chief Analyst at Goode Intelligence) was “Biometrics, Creepy or Convenient?” This is an important question that directly affects user adoption and government regulation; it is also an ethical and trust debate.

Alan walked through several examples of biometric use cases that exist today, or did exist, to survey the crowd’s reaction as to whether each was in fact convenient or creepy. Examples included your smartphone recording where you parked your car without you instructing it to do so, airport kiosks in China scanning and identifying your face to then display your flight details in a public area, retail stores using behavioral biometrics to determine unusual consumer behavior from a camera to catch and prevent shoplifting, and using cameras for facial recognition to catch jaywalkers in order to message and fine them. Reactions were mixed and likely a bit biased to convenient given the audience.

Results from a larger survey shared included:

  • Gas station plays ads at the pump based on your age/gender/ethnicity that a camera determines – 44% found creepy
  • Weaponized automated drones using facial recognition to identify targets – 70% found creepy
  • Banks detecting your behavior to see how you interact with and use your keyboard to prevent fraud – 30% found creepy

All acknowledged that there are grey areas to consider which include cultural and regional differences, regulations such as GDPR, and consumer opinion – not to mention the ethical and moral questions.

Biometrics will transform digital identity authentication

It was agreed traditional passwords alone are dying a slow and painful death. They simply do not provide enough security in today’s digital world and for our increasingly digital identities. The group was also in agreement that consumers are lazy, therefore convenience is key.

Key market drivers were identified as:

  • The increasing number of services that require logins with different devices
  • The demand for protection of digital identity
  • The demand to replace current solutions requiring pin codes
  • Smart cards being close to commercial launch – especially in EU & Asia with the US following closely and likely to follow contactless biometric payment cards

In an age where it is all about the IoT, there was also a focus on the evolution of UI (device & biometrics), the latest being conversation or voice (Hi Alexa). We talk to TVs, cars, and now Nike even has voice-enabled shoes. There was a notion that, in fact, the best UX is no UX, the idea being that removing it will reduce friction and not rely on consumers who will inevitably get it wrong. However, there was general consensus that usability outweighed friction and that some friction is inevitable.

There was also debate about which standard guidelines should be followed, but here in the United States NIST was the front runner, and recent advances by FIDO were applauded. And while all agreed that the least amount of friction always wins, frictionless may be the wrong mindset. While solutions must be usable, they must also be secure in order to fight sophisticated criminals: not check-the-box compliance solutions, but ones that really deter the high-powered criminals we need to thwart. The majority (90%) of security solutions today are fine to catch the low-end criminals, but not the dangerous ones. Essentially, solutions needed to catch the fraudsters must make the attacks more trouble than they are worth, and at Acuant we believe it’s about creating multiple signals to defeat bad actors.

Conclusions

No matter your moral opinion on the matter, the masses have spoken. Biometrics are being widely adopted and are here to stay. They have a proven convenience factor that will continue to push the borders on privacy and creepiness. Here is where we will expect to see more legislation. The majority agreed this will be largely centered on the use case and the level of risk or security needed in each. For example, we are much more likely to be okay with our biometrics being recorded for travel when terrorist threats abound than in a store while shopping to spot unusual behavior.

What’s more, we cannot rely on one method of authentication. As we at Acuant believe, identity is the new currency, and as such it must be defended. When it comes to biometrics, this includes defending against Presentation Attacks, also known as “spoofing,” which are used to defeat biometric systems and which expose the vulnerability of AI-only recognition systems. All biometrics are vulnerable, and institutions must recognize that solutions have flaws. All agreed that we need to put more factors together for better solutions, including security and privacy (protecting PII/data), versatility, ease of use and maintenance (continuous updates).

Acuant starts with establishing the trust anchor of an authenticated ID, then allows for layering on additional methods of verification based on your use case. Learn more about choosing a solution that is right for you by reading our white paper.

Takeaways from KNOW Identity 2019: Hint, Identity is the New Currency

KNOW Identity 2019 hit Las Vegas last week. The show brings together some of the brightest minds in the international identity community to discuss and debate the best way to manage and protect identity and PII in our increasingly digital world.

Here is a recap of the biggest highlights and our key takeaways below.

 

Self-Sovereign Identity (SSI) Remained a Central Theme

As with last year, Self-Sovereign Identity (SSI) played an important role in many discussions. Today’s brightest minds are grappling with the undertaking of securing digital identity, and many sessions – including Roger Dingledine’s keynote – highlighted the importance of privacy.

Mastercard announced a corporate world-push into digital identity to bring trust into transactions, putting the individual at the heart of every digital interaction. Charlie Walton, the SVP of Digital Identity at Mastercard, walked through this vision (outlined in the paper “Restoring Trust in the Digital World”) during the Tuesday morning keynote.

There are many large players trying to commoditize SSI, but at the same time there is another path being created. TYKN exhibited at the show – the company is bringing digital identity to rural Africa through an open source offering. This is just one example of “out of the box” thinking to help solve the digital identity crisis.

 

Biometrics Adoption Continues Across Border Control/ Travel

Biometrics adoption was another hot topic last week. Colleen Manaher from the US Customs and Border Control led a fascinating session about the use of biometrics, specifically citing the use of biometrics in airports as an opportunity to close the gap between security and customer experience. She argued that active private sector participation is at the core of effective, secure and privacy-preserving identity processes enacted by governments.

When it comes to travel and airports, Americans view verification technology as a positive solution. According to our recent survey, 84% of Americans believe that biometrics will improve travelers’ airport experience, and the majority (59%) say that biometrics will increase safety because of improved identification accuracy.

The adoption of fast and easy identity verification via document authentication that can be tied to biometrics, EIDs and other technologies has the potential to make flying a frictionless and fun experience again.

Diversity is Key: Multiple Techniques Ensure Trust in Your Transactions

Wandering the exhibitor hall shows more platforms offering bundles of identity authentication techniques using data aggregation, email, phone, identity document authentication and biometrics. With another 1,244 breaches last year – and one UK firm alone that had nearly one billion email addresses stolen – it’s important to use multiple techniques to ensure trust in your transactions.

On Wednesday morning, David Birch, Director of Innovation at Consult Hyperion and KNOW 2019’s emcee, gave an impassioned speech suggesting World War 3.0 has already begun. He argued, “…We’re in a cyberwar and our identity infrastructure needs to support mobilization across virtual and mundane realms. World War 3.0 has already started but a lot of people haven’t noticed because it’s in the matrix.”

As we at Acuant have believed and known for a while, Identity has become a currency. Companies are now recognizing that identity is an organization’s biggest vulnerability; as such the verification and protection of identity data or PII (personally identifiable information) is paramount. Acuant helps organizations build trust by providing a full suite of solutions that allow businesses to address their appropriate level of risk.

 


Why Reports Of The Password’s Decline Are Somewhat Exaggerated

Acuant’s EVP of Strategy, Stephen Maloney, was interviewed in this article by PYMNTS.com. You can read the article at its original source here.

The password doesn’t get a lot of love these days, and not for entirely unfair reasons. Consumers in 2019 are well past the point where they have a few digital relationships such that they only have to remember a password or two — they have dozens, if not more, and trying to keep the mix of letters and numbers straight for each site can be a bridge too far for most of us.

It’s all a bit unfair, Stephen Maloney, EVP at Acuant, told Karen Webster in a recent conversation, because truth be told the password, when properly used, can be just fine as a method of authentication. It’s just that the proliferation of passwords means it is almost impossible for any human being to use them right.

Doing it correctly, he noted, entails using strings of nine or more characters, with a mix of symbols and uppercase letters — and then using a different one for every different digital relationship. Hardly anyone can do that. And while Google and Facebook can act as the auto-repositories for all passwords —solving part of the problem — it does create the small issue that if someone should gain access to or control of those master accounts, they have “the keys to the kingdom,” according to Maloney.

Which means the password, despite its persistence, is in decline. There is a life and usefulness for it as an identification method, he said, but it’s a diminishing one.

“Passwords are particularly being diminished in the corporate space,” Maloney said, “where you run the risk that one errant person can leave a door open for potential hackers. We’re going to see multiple kinds of protections in order to protect and safeguard corporate databases.”

The same should be true of securing individual data, he said, but consumers are a little more complicated and have demands far more varied by context. Broadly, he noted, consumers want to eliminate friction while remaining secure — and the future of replacing the password will be in offering the right technological innovations in the right contexts to fulfill both of those needs.

The Consumer in Context

A customer taking an Uber ride or ordering with the help of Alexa, Webster noted, isn’t using a password to authenticate either of those transactions — but feels secure enough because of the underlying security infrastructure to be unworried by that fact.

As a matter of technical fact, Maloney said, that customer probably could worry. If someone makes off with your phone, they will likely be able to fraudulently order up an Uber ride if they can figure out how to bypass whatever biometric authentication is on the device, he pointed out. But it’s a low risk for the consumer, he said, because Uber would reimburse them, and it’s a low risk for Uber because it is very unlikely to lose millions, or even thousands of dollars to that type of circumstance.

So, change the context or type of transaction — and change the customer expectation, he said.

“Therein lies the challenge for all of us. Find that balance between the consumer journey they’re on and how much friction they are willing to tolerate in their lives for it,” he said. “When I’m moving $500 or $5,000 between my bank accounts I might be willing to tolerate a little more friction and time than I am when I am waiting on a latte at Starbucks.”

And those contexts are going to make a difference in what kind of technology or authentication solution is going to come into play — because, he noted, it’s not going to be a single answer that dethrones the password so much as a variety of possible combinations of authentication methods, active and passive. It might be a matter of consumers using the mobile technology in their hands — and requiring a biometric marker like a fingerprint scan or sending a selfie. It might mean using geolocation technology in the background, to make sure the device trying to do the transacting is in the location where one would expect the consumer to be.

“You’re seeing the de-evolution of the password as alternative technologies come to bear and we are going to see different geographies adopt different use cases as needs and cultures vary,” he said. “I think right now we can see document authentication, facial liveness and voice coming up as big opportunities.”

The Evolution of Authentication

While not a perfect metaphor, there are some similarities in how authentication is evolving to how payments have evolved, Webster and Maloney agreed. Starting with cash, payments evolved through checks, credit cards, debit cards and now into a whole host of emerging and growing forms of digital payments — where use is generally dictated by customer need or preference.

“I think you are seeing a path that somewhat resembles that, we are not going to see the password die overnight, but its use and utility are going to diminish over time,” he said.

What he hopes to see arise, Maloney said, is a notion of “self-sovereign identity,” wherein everyone owns their identity and how they use it. The technology to enable that exists today, Maloney noted, but deploying it, finding acceptance for it and fully sketching out the use cases for it hasn’t been solved yet. And in reality, he said, those challenges will likely be on the table for the next five-plus years.

But in that time, there will be progress in a variety of areas, he said. For innovation in authentication, he said, the places to look are where firms stand to lose a lot from failure to authenticate the individual or bot conducting a transaction.

“One axis is high value or high risk,” Maloney noted, “another axis is the need for compliance or highly regulated. The sweet spot there, obviously, is high value and highly regulated.”

These are the places where the greatest assurances are required, and they are key to the innovative path forward because innovation tends to “percolate down” from them.

There will also be the race among players like Google, Amazon, Apple and others to keep innovating on that consumer experience.

“You’re going to see us and other folks working to take friction out of the equation,” Maloney said.

That might be in digitizing credentials, or in pushing more of the work of authentication behind the curtain instead of in the consumer’s face.

None of it will kill the password overnight — any more than the emergence of digital payments has destroyed cash. But it will mean the password will stop being the central authentication player in much the same way cash was ousted from the center of transactions. Because what consumers want, as much as they want to be secure, is for their digital journey to be easy — and they’ll follow the path of least resistance that is provided to them.

RSA 2019 Reflections: Why Trust is Paramount & What the Industry is Doing About It

Last week we, along with tens of thousands of other security professionals, attended RSA Conference 2019. The theme of this year’s event was “Better” – how cybersecurity overall can be better and what organizations can do to better their own security outcomes.

 

But trust – the desire to capture it, the lack of it among customers and its evolving definition – remained a central theme across the many keynotes, exhibitor booths, vendor announcements and chatter among industry professionals.

 

Missed the event but want takeaways from the show floor? We’ve outlined the three biggest themes covered at RSA Conference:

 

Better together: Humans + Machines

Rohit Ghai, president of RSA Security, took the stage during a keynote depicting what life will look like in 2049. His image of this brave new world? “The consumer owns the data and has perfect information on her data and its copies and where it flows…Data is the primary asset flowing through supply and distribution chains, and the provenance and governance of data is an essential competency.”

He believes that humans and machines need to work together to properly enable the future trust landscape. “Stop waiting for humans or machines to get better at things they are terrible at,” he said. “Implement a security program with machines and humans working together. Humans asking questions. Machines hunting answers.”

 

Our take: This same model is used at Acuant to identify the fraud risk of IDs. And while tools like AI and machine learning are extremely efficient for discerning between real and fraudulent documents (processing millions of transactions at a rate unachievable by human experts), a human eye is still needed for accuracy.

 

IDs are physical documents that endure wear and tear or manufacturing discrepancies. Human researchers are needed to train algorithms to identify the fraud risk of an ID and automatically direct those that warrant further scrutiny to human reviewers. This mix of AI and humans cuts processing time from days to minutes and remains the most successful threat prevention model.
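One way to implement the routing described above, as an added example that is not Acuant's code: clear images with a low fraud score are accepted automatically, while poor-quality images and mid-range scores go to human reviewers. Deriving the accept cut-off from past reviewer decisions goes beyond what the text states; the thresholds, field names and sample data are assumptions.

```python
from dataclasses import dataclass

# Assumed values for illustration only.
MIN_SHARPNESS = 0.5    # below this the image is too blurry for the score to be trusted
MIN_BRIGHTNESS = 0.3   # below this the image is too dim
REJECT_AT = 0.95       # fraud score at or above this is rejected without review


@dataclass
class Capture:
    doc_id: str
    fraud_score: float  # model output: 0.0 looks genuine, 1.0 looks fraudulent
    sharpness: float    # 0.0 .. 1.0
    brightness: float   # 0.0 .. 1.0


def calibrate_accept_below(reviewed, max_false_accept_rate):
    """Return the highest cut-off t for which, among human-reviewed samples
    scoring below t, the share labelled fraudulent stays within the budget.
    `reviewed` is a list of (fraud_score, reviewer_said_fraud) pairs."""
    best = 0.0
    for t in sorted({score for score, _ in reviewed}):
        below = [is_fraud for score, is_fraud in reviewed if score < t]
        if below and sum(below) / len(below) <= max_false_accept_rate:
            best = t
    return best


def triage(capture, accept_below):
    """Route one capture to auto_accept, auto_reject or human_review."""
    poor_image = (capture.sharpness < MIN_SHARPNESS
                  or capture.brightness < MIN_BRIGHTNESS)
    if poor_image:
        # A worn, dim or blurry genuine ID can score like a forgery, so a poor
        # image is never decided by the model alone.
        return "human_review"
    if capture.fraud_score < accept_below:
        return "auto_accept"
    if capture.fraud_score >= REJECT_AT:
        return "auto_reject"
    return "human_review"


def route_batch(captures, accept_below):
    """Group document ids by the queue that triage() assigns them to."""
    queues = {"auto_accept": [], "auto_reject": [], "human_review": []}
    for c in captures:
        queues[triage(c, accept_below)].append(c.doc_id)
    return queues


# Constructed reviewer decisions and captures, not real data.
REVIEWED = [(0.05, False), (0.10, False), (0.20, False), (0.30, True),
            (0.40, False), (0.70, True), (0.90, True)]
CAPTURES = [
    Capture("clean-genuine", 0.04, 0.9, 0.8),
    Capture("worn-genuine", 0.97, 0.3, 0.7),   # blurry: high score is unreliable
    Capture("borderline", 0.55, 0.8, 0.8),
    Capture("clear-forgery", 0.98, 0.9, 0.9),
]
```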

 

All signs point to federal privacy legislation

There’s long been talk about a potential U.S. privacy law, but with the advent of GDPR in Europe and the California Consumer Privacy Act of 2018, a bill finally seems inevitable. Experts at IAPP, Google, Microsoft and Twitter noted that the likelihood of a federal privacy law passing in the next year is higher than in years past. During the session, Julie Brill, corporate vice president and deputy general counsel at Microsoft, posited the odds were at 30%. “It’s no longer a question of if there will be a privacy bill, but what that bill would look like,” she said.

There are signs Congress will tackle privacy legislation again this year, and technology companies such as Google have a keen interest in shaping the federal privacy law. While there are several points of disagreement on what the law should cover, interest is high on both sides of the aisle in Congress to do something on the federal level to protect consumers.

 

Our take: The U.S. in particular is currently a hotbed of frustration over the mismanagement of personally identifiable information (PII) and lack of protection for digital identity. As all signs point to federal legislation outlining what is and is not permitted related to digital identity, lawmakers should focus on giving individuals control over their identity and outlining that they should be managing how and where their data gets shared.

 

Complexity creates security gaps

Multiple speakers identified the complexity of security products as an industry shortcoming. Rob Westervelt, research director of security products at IDC, said the growing complexity of security solutions has led to gaps in coverage: “Organizations don’t fully understand the capabilities of the technology they have deployed.” This complexity also leads to misconfiguration and security policies that are not uniformly deployed across an enterprise’s IT footprint.

Complexity has also led to organizations not using 2FA effectively. Researchers L. Jean Camp and Sancharis Das from Indiana University-Bloomington detailed the challenges of 2FA adoption during their session. They posited that simply providing 2FA to users isn’t enough; it’s also critically important to communicate why and how to use the technology. Users need to be aware of the risks, and security vendors need to make it easier for users to understand.

 

Our take: We agree that complexity creates security gaps – especially in an area as multifaceted as identity verification. But we also recognize that establishing identity in the digital world is a fluid process, especially as questions continue to arise about the collection, processing and ownership of data. Identity verification is a balance between risk and friction. But with the creation of a “trust anchor” (such as an authenticated government issued ID) organizations can allow the user to take control of the verification process — deciding what parts of their identity, and data, a company can utilize to establish verification. This eliminates the complexity and friction associated with this process and breeds trust.

Interested in learning more about how to protect your business and establish trust? Read our whitepaper!

 

 
