Millennials & Mobile Health: How Providers Can Maximize Convenience & Minimize Fraud

As the largest generation in the U.S., wielding growing purchasing power, Millennials have driven change in all industries; from retail to automotive and banking to healthcare, examples of disruption abound. Their preferences are backed by powerful dollars and any company foolish enough to ignore that fact will be faced with irrelevance in short order. It may be hard to imagine that such a highly regulated and decidedly personal industry as healthcare would be able to evolve to address the unique demands of the Millennial generation. But we are seeing the evolution in myriad ways.

Millennials are used to speed and convenience – even when it comes to healthcare. They inhabit a workforce that embraces freelance work as well as telecommuting, which often means little to no downtime. As such, time is valuable and healthcare, and other routine “adulting,” must be quick and efficient. Millennials don’t accept long wait times, manual processes and slow turnaround.

Due to the great value they place on convenience, Millennials demonstrate a strong preference for “fast health” options, eschewing primary care physicians as a first line of inquiry. A PNC Healthcare study found that they are twice as likely as Baby Boomers to prefer retail clinics and acute care facilities for speed and efficient healthcare delivery. This generation’s penchant for faster and more convenient options was likely a key driver for the recent launch of CVS HealthHUBs, an extension of its MinuteClinics.

Often called Digital Natives, Millennials are keen to use technology to manage their lives. Growing up with smartphones, they are not only comfortable with digital technology but expect it at every turn. As such, they are becoming increasingly comfortable with using mobile devices for more sensitive transactions such as banking and healthcare.

There are now well over 300,000 health apps available on the top app stores worldwide, nearly double the number of apps available in 2015 – and more apps are being added each day.

From wearable sensors to mobile health apps, Millennials often look to technology to create efficiencies in their lives. Beyond mobile apps, they are demanding solutions such as online health portals, online appointment scheduling, electronic medical record access and more. Hospitals and physicians are evolving to meet these needs to provide better service to their patients.

As more Millennials become parents, they are using health facilities more frequently as well. Dayton Children’s Hospital in Ohio built a new wing with features to specifically address the technology needs of Millennial parents. From simple things like having electronic chargers available and providing a robust wireless network, to more critical services like electronic signage that lists patient precautions and connecting medical devices, such as vital sign monitors, directly into the EMR, hospital executives focused on how technology would attract and build confidence with Millennials.

While providing improved patient experiences is often the goal for implementing technology solutions, it is important to understand that patient medical data is the most valuable asset on the dark web. The dark web is a massive marketplace for stolen data and personal information that often is a result of a data breach, and notably, the healthcare industry accounts for up to a third of all data breaches.

Why do fraudsters want medical data? It contains a trove of personally identifiable information (PII) that can be used for identity theft or to access medical care in the victim’s name. This information is hard to change, and unlike with a credit card breach, individuals have few options and little recourse when protected health information (PHI) is leaked.

Experian, an Acuant partner, found that a social security number will fetch about $1 and credit card information will garner from $5-110. Yet data-rich medical records – ideal for identity theft purposes – can rake in up to $1,000. Victims often spend more than 200 hours and an average of $13,500 to remediate the damage of medical ID theft.

Since avoiding technology and ignoring the demands of Millennials isn’t an option for organizations that plan to stay in business into the next decade, healthcare providers must find ways to balance convenience and fraud prevention. Here are a few ways to offer an improved patient experience, while protecting the organization from fraud.

Automated Intake Processes

It is possible to streamline and improve the patient experience by using mobile devices to enable credentialing, automate intake processes and power self-check-in. Patients don’t want to be bogged down with administrative processes. Accelerating the registration process minimizes patient wait times, something that Millennials will expect when visiting any healthcare provider.

As healthcare providers embrace mobile technology, front line staff can capture critical health data from insurance cards and patient IDs using a mobile device. Patient data can then be auto-populated into an application or EMR, reducing the chance of errors. This is especially true for credentialing, which should no longer rely on outdated, time-consuming, paper-based approaches that are definitely error prone. This is particularly helpful for reducing insurance claim rejections, which are often the result of incorrect or missing information. With an automated process, collected data is more complete and accurate, resulting in increased efficiency and accuracy while leading to faster claim processing and reduced rejections.

Instant Multi-Factor Smartphone-Enabled Identity Verification

Another benefit of using technology to automate processes is the ability to reduce fraud. It is easier to spot medical fraud using technology as compared to paper-based processes. Medical insurance fraud is a growing issue due to the high rate of identity theft. Mobile phones can scan and instantly authenticate IDs to create a trust anchor. From there, you can layer on facial recognition technology to verify that a patient matches their ID with a simple selfie, all in seconds and in the same workflow. It is an easy and powerful way to combat fraud.

Facial Recognition Over Passwords

Biometric technology can also be used when patients want access to medical test results, to book an appointment, or to pay a bill. Instead of passwords that are often re-used and possibly compromised, patients can use facial recognition technology to verify their identity and access sensitive health information or log in to patient portals.

In a world where Millennials can – and do! – look up physician and hospital ratings online, patient satisfaction is a big deal. By embracing technology and putting more power (literally) in the hands of patients, healthcare staff can focus their attention on creating positive experiences around patient care while benefiting from improved overall risk exposure. The result will be significant increases in patient satisfaction, reduced fraud, better data security, more efficient and effective patient visits and improved staff productivity.

Federation and Other Trust Models for Cross Vertical Digital Identity Acceptance

Over the past year, digital identity solutions have both matured and newly emerged. Several of the Self Sovereign Identity (SSID) solutions that were first commercially introduced last year have now made it into pilots. Other solutions are using a metered approach to build a solid credential structure to address a specific vertical use case. Still others are blending these concepts to provide support for both government-led digital credential standardization as well as sector-specific use cases. Each of these capabilities was presented and widely discussed recently at connect:ID 2019 in Washington, DC.

As all of the solution sets have developed support for valuable identity based processes, there are still a number of challenges for use of any of these credentials across verticals or industries. Most of these SSID solutions are commercial efforts that were instantiated as pilots to address requirements specific to an industry – examples include:

  • Self enrollment & electronic health record sharing, derived from a specific health insurer’s customer base
  • Mobile driving license generation & utilization
  • Seamless traveler initiatives leveraging the Digital Travel Credential (DTC) being defined through an ICAO and ISO partnership for use throughout the travel continuum (booking – airport check-in – baggage drop – security screening – airport vendor services – boarding – arrival – customs – hotel check-in – return trip)
  • Concepts extending the DTC concept from the traveler journey to Visa request, work permit, & law enforcement record verification processes
  • Solutions providing a digital identity to the extremely large population of people without paper identity documents
  • Digital consortium solutions for banking

As can be imagined, each of these capabilities has been implemented using varying technologies and security frameworks. All of the programs describe their offerings as being built with extensive security measures in the generation and protection of the digital credential, and just as importantly, with a Privacy By Design approach. Some of the digital credentials are built through the derivation of data from a physical document (after the performance of automated identity document authentication – often in combination with facial recognition matching of the end-user against the authenticated source document), while others use identity repositories as the data source for the digital credential. As the DTC is a token which leverages the Document Security Object from an ePassport, the initial delivery mechanism of this token to the end user is meant to be managed by the document issuer.

Security of the token also varies. The DTC imposes requirements to perform the same level of authentication for the token as for the document itself, meaning that the relying party needs to cryptographically assess it to determine its authenticity. Other solutions are leveraging blockchain implementations to both protect and distribute the user data to support access decision processes for both physical and logical access capabilities.

The key to the evolution of a broader, frictionless identity ecosystem is going to be the development of an interoperable security framework that will allow the digital credential from one ecosystem to be fully leveraged by another. While brand loyalty drives many of these initial capabilities, use of a single credential for many disparate functions is what will drive consumer adoption globally. While it seems naive to think that a global, federated trust fabric will be deployed to support any and all of these disparate programs, perhaps the answer is an interoperable identity wallet that understands the protocols required to authenticate an end user to all points within the ecosystem using the appropriate digital credential – without any specific user action other than authentication to the device containing the digital credentials.

 

4 Blockchain Business Opportunities

Varun Garg, Acuant’s Director of Cloud and Mobile Products, recently contributed this article to DevPro Journal. You can read his article below.

Blockchain is an immutable, decentralized way to securely store data in blocks that are linked to each other using cryptographic principles. In late 2017, bitcoin and other cryptocurrencies became the center of many conversations among millennials and tech experts alike. Just two years later, many believe that cryptocurrencies are dead. But there are numerous emerging, groundbreaking blockchain-related business opportunities that will disrupt established businesses and ways of doing things.

Here are four disruptive, blockchain-related opportunities.

Trading

Blockchain can be used to transfer assets from one holder to another globally and instantly. Current financial markets, such as NYSE, Japan Exchange Group and Euronext, limit trading to a country or a continent. Today when we trade stocks, it takes a few days for a trade to settle and for us to withdraw the money. We have yet to see a global decentralized financial market where anyone can trade any asset and trades are settled instantly on the ledger.

Imagine a world where you could trade almost anything from stocks to precious metals to fiat or cryptocurrencies to ETFs, and you could interchange from one asset to another instantly for pennies. Decentralized exchanges (DEX) solve this problem: no institution, country or group of servers has central authority, making it impossible to hack or implode.

Money Transfer and Micropayments

Bitcoin once was promoted as a digital way to transfer money from one person to another locally and globally instantly. As of today, it takes around $0.88 and 10 to 20 minutes to transfer money using bitcoin, making it very inefficient. If you are doing a money transfer from your bank account to someone’s bank account overseas, it may cost you a 1 percent to 5 percent transaction fee and may take two to five days for the transaction to process and settle as funds are routed through many intermediary banks.

Thanks to technologies built using blockchain such as Ripple or Stellar Consensus Protocol, money can be transferred from one bank account to another globally within seconds for just a few cents.

This practice can also be expanded to micropayments. Credit/debit card network fees are not cost effective for micropayments. If you had to pay 2.9 percent + $0.30 on a $0.50 transaction, you’d be paying about 63 percent. Even on a $3.00 transaction at 2.9 percent + $0.30, you are left paying about 13 percent overall. With technologies built using blockchain, network fees can be reduced to a fraction of a cent.

Digital Advertising

Google, Facebook, Twitter, Pinterest, etc. have built an incredible business by showing us digital ads. They store all our data and sell it to advertisers. Have you ever wondered why you don’t pay to use their services? Is there something free on this planet?

Your data is worth hundreds of dollars to these companies. You are the product. Blockchain-based technologies aim at fixing the web by blocking all the ads we see in our web browsing experience and rewarding us for our attention. Today, our screens are full of ads shown to us based on our browsing history. Shouldn’t we be in control of the ads shown to us instead of having them forced on us? And if we see ads, shouldn’t we be rewarded for paying attention to these ads?

The multibillion-dollar digital advertising industry is in crisis. User privacy has become a casualty in an ever-increasing consumer-surveillance ad model that relies on tracking and profiling users. Publishers and content creators are shutting down or retaliating with self-destructive tactics as users enable ad-blockers in response to privacy violations, irrelevant ads and malvertisements. Ad fraud is rampant throughout the system, and advertisers are struggling to find solutions that comply with new GDPR/ePrivacy regulations. This is a fundamentally unsustainable state of affairs.

Contracts

Typically, you would go to a lawyer, spend a lot of money and wait for days for the contract to be drafted and agreed upon by both parties. With Smart Contracts, you can do this same process through blockchain. Suppose you want to rent an apartment from me. You get a receipt which is held in our virtual contract; I give you the digital entry key which comes to you by a specified date. If the key doesn’t come on time, the blockchain releases a refund. If I send the key before the rental date, the function holds it, releasing both the fee and key to you and me respectively when the date arrives. The system works on the If-Then premise and is witnessed by hundreds of people, so you can expect a faultless delivery. If I give you the key, I’m sure to be paid. If you send the amount defined in the contract, you receive the key. The document is automatically canceled after the time, and neither of us can interfere with the code without the other knowing since all participants are simultaneously alerted.
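The If-Then rental escrow described above can be modelled as a small state machine. This is an added example, not code from the article or from any blockchain platform; the `RentalEscrow` class, its state names, the integer clock and the hash-chained log (standing in for the shared ledger that all participants watch) are assumptions made for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64  # "previous hash" of the first log entry


def _digest(prev, event, data):
    """Hash one log entry together with the hash of the entry before it."""
    body = json.dumps({"prev": prev, "event": event, "data": data}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def verify_log(log):
    """Any participant can recompute the chain; an edited entry breaks it."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev:
            return False
        if _digest(entry["prev"], entry["event"], entry["data"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


@dataclass
class RentalEscrow:
    fee: int    # agreed rent, in the smallest currency unit
    start: int  # rental date (abstract clock tick); the key is due before it
    end: int    # the contract cancels itself at this tick
    state: str = "AWAITING_FEE"
    held_fee: int = 0
    held_key: Optional[str] = None
    payouts: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _record(self, event, **data):
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"prev": prev, "event": event, "data": data,
                         "hash": _digest(prev, event, data)})

    def tick(self, now):
        """Apply the If-Then rules for the current time; return the state."""
        if self.state == "AWAITING_FEE" and now >= self.start:
            self.state = "EXPIRED"  # nobody paid before the rental date
            self._record("lapsed_unfunded", now=now)
        elif self.state == "AWAITING_KEY" and now >= self.start:
            # The key did not arrive on time: the fee goes back to the tenant.
            self.payouts["tenant_refund"] = self.held_fee
            self.held_fee = 0
            self.state = "REFUNDED"
            self._record("refund", now=now, amount=self.payouts["tenant_refund"])
        elif self.state == "FUNDED" and now >= self.start:
            # Both sides delivered: release fee and key at the same moment.
            self.payouts["landlord_fee"] = self.held_fee
            self.payouts["tenant_key"] = self.held_key
            self.held_fee, self.held_key = 0, None
            self.state = "SETTLED"
            self._record("settled", now=now)
        if self.state == "SETTLED" and now >= self.end:
            self.state = "EXPIRED"  # automatic cancellation after the term
            self._record("expired", now=now)
        return self.state

    def deposit_fee(self, amount, now):
        if self.tick(now) != "AWAITING_FEE":
            raise ValueError(f"fee not accepted in state {self.state}")
        if amount != self.fee:
            raise ValueError("amount does not match the contract")
        self.held_fee = amount
        self.state = "AWAITING_KEY"
        self._record("fee_deposited", now=now, amount=amount)

    def deposit_key(self, key, now):
        if self.tick(now) != "AWAITING_KEY":
            raise ValueError(f"key not accepted in state {self.state}")
        self.held_key = key
        self.state = "FUNDED"
        # The log is visible to everyone, so record a digest, not the key.
        self._record("key_deposited", now=now,
                     key_sha256=hashlib.sha256(key.encode()).hexdigest())


if __name__ == "__main__":
    # Constructed sample values: fee 1000, rental date at tick 10, end at 40.
    escrow = RentalEscrow(fee=1000, start=10, end=40)
    escrow.deposit_fee(1000, now=1)
    escrow.deposit_key("constructed-door-code", now=5)
    print(escrow.tick(7), escrow.payouts)   # early key: both items still held
    print(escrow.tick(10), escrow.payouts)  # rental date: both released
    print("log intact:", verify_log(escrow.log))
```

Neither party can pull value out early: payouts are made only inside `tick`, and a late key deposit is rejected after the refund has already been issued.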

Smart contracts can be used for all sorts of situations that range from financial derivatives to insurance premiums, breach contracts, property law, property sales, automobile sales, credit enforcement, financial services, legal processes and crowdfunding agreements.

What We Learned at the Goode Intelligence Biometric Summit

Acuant attended the Goode Intelligence Biometric Summit in NYC last week, where industry experts and providers met to discuss the state of identity, challenges and trends in biometrics. Our own Steve Maloney, EVP of Business Development and Strategy, spoke on a panel hosted by International Biometrics + Identity Association (IBIA) Executive Director Tovah LaDier to address how biometrics are being leveraged to support digital onboarding while complying with Know Your Customer (KYC and eKYC) and Anti Money Laundering (AML) regulations. Here is a recap of what we learned.

Biometrics is hot right now

Biometrics continues to be one of the hottest tech areas with increasing investment activity bringing more providers to a growing market. Financial services, payments, transportation and governments continue to be at the vanguard of adoption, but other vertical sectors are increasingly turning to biometrics to support a range of use cases including healthcare. The majority of uses of biometric authentication are performed on-site, but mobile device usage is a fast growing area as well.

 

The line between convenient and creepy is based on the use case

The topic of the keynote speech by Alan Goode (CEO & Chief Analyst at Goode Intelligence) was Biometrics, Creepy or Convenient? This is an important question that directly affects user adoption and government regulation; it is also an ethical and trust debate.

Alan walked through several examples of biometric use cases that exist today, or did exist, to survey the crowd’s reaction as to whether each was in fact convenient or creepy. Examples included your smartphone recording where you parked your car without you instructing it to do so, airport kiosks in China scanning and identifying your face to then display your flight details in a public area, retail stores using behavioral biometrics to determine unusual consumer behavior from a camera to catch and prevent shoplifting, and using cameras for facial recognition to catch jaywalkers in order to message and fine them. Reactions were mixed and likely a bit biased to convenient given the audience.

Results from a larger survey shared included:

  • Gas station plays ads at the pump based on your age/gender/ethnicity that a camera determines – 44% found creepy
  • Weaponized automated drones using facial recognition to identify targets – 70% found creepy
  • Banks detecting your behavior to see how you interact with and use your keyboard to prevent fraud – 30% found creepy

All acknowledged that there are grey areas to consider which include cultural and regional differences, regulations such as GDPR, and consumer opinion – not to mention the ethical and moral questions.

Biometrics will transform digital identity authentication

It was agreed traditional passwords alone are dying a slow and painful death. They simply do not provide enough security in today’s digital world and for our increasingly digital identities. The group was also in agreement that consumers are lazy, therefore convenience is key.

Key market drivers were identified as:

  • The increasing number of services that require logins with different devices
  • The demand for protection of digital identity
  • The demand to replace current solutions requiring pin codes
  • Smart cards being close to commercial launch – especially in EU & Asia with the US following closely and likely to follow contactless biometric payment cards

In an age where it is all about the IoT, there was also a focus on the evolution of UI (device & biometrics), the latest being conversation or voice (Hi Alexa). We talk to TVs, cars and now Nike even has voice-enabled shoes. There was a notion that, in fact, the best UX is no UX, the idea being that removing it will reduce friction and not rely on consumers who will inevitably get it wrong. However, there was general consensus that usability outweighed friction and that some friction is inevitable.

There was also debate about which standard guidelines should be followed, but here in the United States NIST was the front runner, and recent advances by FIDO were applauded. And while all agreed that the least amount of friction always wins, frictionless may be the wrong mindset. While solutions must be usable, they must also be secure in order to fight sophisticated criminals: not check-a-box compliance solutions, but ones that really deter the high-powered criminals we need to thwart. The majority (90%) of security solutions today are fine to catch the low-end criminals, but not the dangerous ones. Essentially, solutions needed to catch the fraudsters must make the attacks more trouble than they are worth, and at Acuant we believe it’s about creating multiple signals to defeat bad actors.

Conclusions

No matter your moral opinion on the matter, the masses have spoken. Biometrics are being widely adopted and are here to stay. They have a proven convenience factor that will continue to push the borders on privacy and creepiness. Here is where we will expect to see more legislation. The majority agreed this will be largely centered on the use case and the level of risk or security needed in each; for example, we are much more likely to be okay with our biometrics being recorded for travel when terrorist threats abound, rather than in a store while shopping to spot unusual behavior.

What’s more, we cannot and are not in a position to rely on one method of authentication. As we at Acuant believe, identity is the new currency, and as such it must be defended. When it comes to biometrics, this includes defending against Presentation Attacks, also known as “spoofing,” which aim to defeat biometric systems and expose the vulnerability of AI-only recognition systems. All biometrics are vulnerable, and institutions must recognize that solutions have flaws. All agreed that we need to put more factors together for better solutions including security and privacy (protecting PII/data), versatility, ease of use and maintenance (continuous updates).

Acuant starts with establishing the trust anchor of an authenticated ID, then allows for layering on additional methods of verification based on your use case. Learn more about choosing a solution that is right for you in our white paper.

Takeaways from KNOW Identity 2019: Hint, Identity is the New Currency

KNOW Identity 2019 hit Las Vegas last week. The show brings together some of the brightest minds in the international identity community to discuss and debate the best way to manage and protect identity and PII in our increasingly digital world.

Here is a recap of the biggest highlights and our key takeaways.

Self-Sovereign Identity (SSI) Remained a Central Theme

As with last year, Self-Sovereign Identity (SSI) played an important role in many discussions. Today’s brightest minds are grappling with the undertaking of securing digital identity, and many sessions – including Roger Dingledine’s keynote – highlighted the importance of privacy.

Mastercard announced a corporate world-push into digital identity to bring trust into transactions, putting the individual at the heart of every digital interaction. Charlie Walton, the SVP of Digital Identity at Mastercard, walked through this vision (outlined in the paper “Restoring Trust in the Digital World”) during the Tuesday morning keynote.

There are many large players trying to commoditize SSI, but at the same time there is another path being created. TYKN exhibited at the show – the company is bringing digital identity to rural Africa through an open source offering. This is just one example of “out of the box” thinking to help solve the digital identity crisis.

 

Biometrics Adoption Continues Across Border Control/Travel

Biometrics adoption was another hot topic last week. Colleen Manaher from the US Customs and Border Control led a fascinating session about the use of biometrics, specifically citing the use of biometrics in airports as an opportunity to close the gap between security and customer experience. She argued that active private sector participation is at the core of effective, secure and privacy-preserving identity processes enacted by governments.

When it comes to travel and airports, Americans view verification technology as a positive solution. According to our recent survey, 84% of Americans believe that biometrics will improve travelers’ airport experience, and the majority (59%) say that biometrics will increase safety because of improved identification accuracy.

The adoption of fast and easy identity verification via document authentication that can be tied to biometrics, EIDs and other technologies has the potential to make flying a frictionless and fun experience again.

Diversity is Key: Multiple Techniques Ensure Trust in Your Transactions

Wandering the exhibitor hall shows more platforms offering bundles of identity authentication techniques using data aggregation, email, phone, identity document authentication and biometrics. With another 1,244 breaches last year – and one UK firm alone that had nearly one billion email addresses stolen – it’s important to use multiple techniques to ensure trust in your transactions.

On Wednesday morning, David Birch, Director of Innovation at Consult Hyperion and KNOW 2019’s emcee, gave an impassioned speech suggesting World War 3.0 has already begun. He argued, “…We’re in a cyberwar and our identity infrastructure needs to support mobilization across virtual and mundane realms. World War 3.0 has already started but a lot of people haven’t noticed because it’s in the matrix.”

As we at Acuant have believed and known for a while, Identity has become a currency. Companies are now recognizing that identity is an organization’s biggest vulnerability; as such the verification and protection of identity data or PII (personally identifiable information) is paramount. Acuant helps organizations build trust by providing a full suite of solutions that allow businesses to address their appropriate level of risk.

 

Why Reports Of The Password’s Decline Are Somewhat Exaggerated

Acuant’s EVP of Strategy, Stephen Maloney, was interviewed in this article by PYMNTS.com.

The password doesn’t get a lot of love these days, and not for entirely unfair reasons. Consumers in 2019 are well past the point where they have a few digital relationships such that they only have to remember a password or two — they have dozens, if not more, and trying to keep the mix of letters and numbers straight for each site can be a bridge too far for most of us.

It’s all a bit unfair, Stephen Maloney, EVP at Acuant, told Karen Webster in a recent conversation, because truth be told the password, when properly used, can be just fine as a method of authentication. It’s just that the proliferation of passwords means it is almost impossible for any human being to use them right.

Doing it correctly, he noted, entails using strings of nine or more characters, with a mix of symbols and uppercase letters — and then using a different one for every different digital relationship. Hardly anyone can do that. And while Google and Facebook can act as the auto-repositories for all passwords — solving part of the problem — it does create the small issue that if someone should gain access to or control of those master accounts, they have “the keys to the kingdom,” according to Maloney.

Which means the password, despite its persistence, is in decline. There is a life and usefulness for it as an identification method, he said, but it’s a diminishing one.

“Passwords are particularly being diminished in the corporate space,” Maloney said, “where you run the risk that one errant person can leave a door open for potential hackers. We’re going to see multiple kinds of protections in order to protect and safeguard corporate databases.”

The same should be true of securing individual data, he said, but consumers are a little more complicated and have demands far more varied by context. Broadly, he noted, consumers want to eliminate friction while remaining secure — and the future of replacing the password will be in offering the right technological innovations in the right contexts to fulfill both of those needs.

The Consumer in Context

A customer taking an Uber ride or ordering with the help of Alexa, Webster noted, isn’t using a password to authenticate either of those transactions — but feels secure enough because of the underlying security infrastructure to be unworried by that fact.

As a matter of technical fact, Maloney said, that customer probably could worry. If someone makes off with your phone, they will likely be able to fraudulently order up an Uber ride if they can figure out how to bypass whatever biometric authentication is on the device, he pointed out. But it’s a low risk for the consumer, he said, because Uber would reimburse them, and it’s a low risk for Uber because it is very unlikely to lose millions, or even thousands of dollars to that type of circumstance.

So, change the context or type of transaction — and change the customer expectation, he said.

“Therein lies the challenge for all of us. Find that balance between the consumer journey they’re on and how much friction they are willing to tolerate in their lives for it,” he said. “When I’m moving $500 or $5,000 between my bank accounts I might be willing to tolerate a little more friction and time than I am when I am waiting on a latte at Starbucks.”

And those contexts are going to make a difference in what kind of technology or authentication solution is going to come into play — because, he noted, it’s not going to be a single answer that dethrones the password so much as a variety of possible combinations of authentication methods, active and passive. It might be a matter of consumers using the mobile technology in their hands — and requiring a biometric marker like a fingerprint scan or sending a selfie. It might mean using geolocation technology in the background, to make sure the device trying to do the transacting is in the location where one would expect the consumer to be.

“You’re seeing the de-evolution of the password as alternative technologies come to bear and we are going to see different geographies adopt different use cases as needs and cultures vary,” he said. “I think right now we can see document authentication, facial liveness and voice coming up as big opportunities.”

The Evolution of Authentication

While not a perfect metaphor, there are some similarities in how authentication is evolving to how payments have evolved, Webster and Maloney agreed. Starting with cash, payments evolved through checks, credit cards, debit cards and now into a whole host of emerging and growing forms of digital payments — where use is generally dictated by customer need or preference.

“I think you are seeing a path that somewhat resembles that, we are not going to see the password die overnight, but its use and utility are going to diminish over time,” he said.

What he hopes to see arise, Maloney said, is a notion of “self-sovereign identity,” wherein everyone owns their identity and how they use it. The technology to enable that exists today, Maloney noted, but deploying it, finding acceptance for it and fully sketching out the use cases for it hasn’t been solved yet. And in reality, he said, those challenges will likely be on the table for the next five-plus years.

But in that time, there will be progress in a variety of areas, he said. For innovation in authentication, he said, the places to look are where firms stand to lose a lot from failure to authenticate the individual or bot conducting a transaction.

“One axis is high value or high risk,” Maloney noted, “another axis is the need for compliance or highly regulated. The sweet spot there, obviously, is high value and highly regulated.”

These are the places where the greatest assurances are required, and they are key to the innovative path forward because innovation tends to “percolate down” from them.

There will also be the race among players like Google, Amazon, Apple and others to keep innovating on that consumer experience.

“You’re going to see us and other folks working to take friction out of the equation,” Maloney said.

That might be in digitizing credentials, or in pushing more of the work of authentication behind the curtain instead of in the consumer’s face.

None of it will kill the password overnight — any more than the emergence of digital payments has destroyed cash. But it will mean the password will stop being the central authentication player in much the same way cash was ousted from the center of transactions. Because what consumers want, as much as they want to be secure, is for their digital journey to be easy — and they’ll follow the path of least resistance that is provided to them.

RSA 2019 Reflections: Why Trust is Paramount & What the Industry is Doing About It

Last week we, along with tens of thousands of other security professionals, attended RSA Conference 2019. The theme of this year’s event was “Better” – how cybersecurity overall can be better and what organizations can do to better their own security outcomes.

But trust – the desire to capture it, the lack of it among customers and its evolving definition – remained a central theme across the many keynotes, exhibitor booths, vendor announcements and chatter among industry professionals.

Missed the event but want takeaways from the show floor? We’ve outlined the three biggest themes covered at RSA Conference:

Better together: Humans + Machines

Rohit Ghai, president of RSA Security, took the stage during a keynote depicting what life will look like in 2049. His image of this brave new world? “The consumer owns the data and has perfect information on her data and its copies and where it flows…Data is the primary asset flowing through supply and distribution chains, and the provenance and governance of data is an essential competency.”

He believes that humans and machines need to work together to properly enable the future trust landscape. “Stop waiting for humans or machines to get better at things they are terrible at,” he said. “Implement a security program with machines and humans working together. Humans asking questions. Machines hunting answers.”

Our take: This same model is used at Acuant to identify the fraud risk of IDs. And while tools like AI and machine learning are extremely efficient for discerning between real and fraudulent documents (processing millions of transactions at a rate unachievable by human experts), a human eye is still needed for accuracy.

IDs are physical documents that endure wear and tear or manufacturing discrepancies. Human researchers are needed to train algorithms to identify the fraud risk of an ID and automatically direct those that warrant further scrutiny to human reviewers. This mix of AI and humans cuts processing time from days to minutes and remains the most successful threat prevention model.

All signs point to federal privacy legislation

There’s long been talk about a potential U.S. privacy law, but with the advent of GDPR in Europe and the California Consumer Privacy Act of 2018, a bill finally seems inevitable. Experts at IAPP, Google, Microsoft and Twitter noted that the likelihood of a federal privacy law passing in the next year is higher than in years past. During the session Julie Brill, corporate vice president and deputy general counsel at Microsoft, posited the odds were at 30%. “It’s no longer a question of if there will be a privacy bill, but what that bill would look like,” she said.

There are signs Congress will tackle privacy legislation again this year, and technology companies such as Google have a keen interest in shaping the federal privacy law. While there are several points of disagreement on what the law should cover, interest is high on both sides of the aisle in Congress to do something on the federal level to protect consumers.

Our take: The U.S. in particular is currently a hotbed of frustration over the mismanagement of personally identifiable information (PII) and lack of protection for digital identity. As all signs point to federal legislation outlining what is and is not permitted related to digital identity, lawmakers should focus on giving individuals control over their identity and on establishing that individuals should manage how and where their data gets shared.

Complexity creates security gaps

Multiple speakers identified the complexity of security products as an industry shortcoming. Rob Westervelt, research director of security products at IDC, said the growing complexity of security solutions has led to gaps in coverage: “Organizations don’t fully understand the capabilities of the technology they have deployed.” This complexity also leads to misconfiguration and security policies that are not uniformly deployed across an enterprise’s IT footprint.

Complexity has also led to organizations not using 2FA effectively. Researchers L. Jean Camp and Sanchari Das from Indiana University-Bloomington detailed the challenges of 2FA adoption during their session. They posited that simply providing 2FA to users isn’t enough; it’s also critically important to communicate why and how to use the technology. Users need to be aware of the risks, and security vendors need to make it easier for users to understand.

Our take: We agree that complexity creates security gaps – especially in an area as multifaceted as identity verification. But we also recognize that establishing identity in the digital world is a fluid process, especially as questions continue to arise about the collection, processing and ownership of data. Identity verification is a balance between risk and friction. But with the creation of a “trust anchor” (such as an authenticated government issued ID) organizations can allow the user to take control of the verification process — deciding what parts of their identity, and data, a company can utilize to establish verification. This eliminates the complexity and friction associated with this process and breeds trust.


Why Digital IDs Need A ‘Trust Anchor’

Acuant’s CEO, Yossi Zekri, contributed to this article in PYMNTS.com.

Customer experience is the Holy Grail of commerce — especially for eCommerce.

But the ease and speed that consumers demand when transacting online comes with risk, as merchants need to establish identity — in other words, to be certain that customers are who they say they are — in a world where buyers and sellers may be continents apart. The fallout from a fraudulent transaction hits everyone involved, and, as the data shows, account takeovers are on the rise.

Establishing identity in the digital world is proving to be a fluid process, as questions are multiplying around the collection, processing and ownership of data.

PSD2 is here, of course, changing the way consumers and companies access data. And recently, legal challenges centered on data collection have begun popping up. For example, the Illinois Supreme Court ruled earlier this year that companies can be sued for biometric data collected without users’ consent.

As Karen Webster noted in an interview with Acuant CEO Yossi Zekri, although technology (and even use cases) are still evolving when it comes to digital identity, some basic “best practices” can be identified and embraced.

“If you think about process overall, it’s all revolving around … [a] balance between risk and friction,” he said. Compliance impacts friction — likely increasing it. That’s especially true along the traditional and current methods of authentication, he said.

Nowadays, verification spans many conduits and data points — including something the consumer is (i.e., ascertained through biometrics), something the user knows (such as a password) and, more recently, something new, which is how one behaves.

But, said the executive, the creation of a “trust anchor” can be accomplished by establishing the authenticity of a government-issued identity document. From there, you can layer on biometrics, embracing what works and shunning what doesn’t.

Forget What You Know — Literally

As for what doesn’t work: You can toss the “something you know” aside. Passwords — and their easily forgotten nature — create friction and the irritation of repeated log-ins, on the best of days. As Webster noted, passwords are likely floating around somewhere on the dark web, pilfered as part of one of the innumerable data breaches seen in recent years — possibly up for sale.

Everybody knows what you know, it seems.

Zekri said the “trust anchor” can carry extra weight through a government-issued credential “that has in it, and encompasses, the complete verification process that went into that credential.” Government-issued documents, he continued, are created using forensics proof, may have chips embedded (for extra security) and have the benefit of “an automated element to establish the validity of that credential.”

Introducing Biometrics Into the Mix

Where biometrics comes into play, he said, is through interactions that link a face to a person and facilitate a sense on the part of the merchant that “you can interact with that identity in an easier way in the future.” In other words, the trust anchor is established at the beginning of the relationship or transaction and carries over into the future — reducing (and perhaps even eliminating) friction.

Heavy lifting is required to create a digital identity solution robust and flexible enough to be ubiquitous across consumers’ preferred channels.

“And it will take some time to get there,” said Zekri, because questions still surround “the philosophy of what is that digital identity, where is it going to be, where is it going to reside and how would it work?”

The User in Control

“I think where the future goes to is bringing that trusted identity, including a biometric layer with a digital ID as the delivery mechanism,” Zekri predicted.

But there’s a twist: “The user should be able to choose how and where the data is shared,” he said.

In this case, it’s the user who takes control of the verification process — deciding what parts of their identity, and data, a company can utilize to establish verification.

Consider the use case where a fingerprint is offered up to open one’s email account, but where a more extensive (and individual) combination of credentials must be established to access the sensitive information contained in, say, tax returns.

The flow of credentials is designed not to create friction, but to provide permission.

Zekri noted that once credentials have been established, it’s possible to have a “permission or scoring system” that allows a user to be approved “across different areas [and activities] up to a certain level, but you are also approved for all things below that.”

Then, he said, interactions truly do become frictionless. By sending a command or showing one’s face, an app can conceivably “know” an email or bank account is accessible because the consumer has already gone through the higher level of authorization built into their digital identity.

When asked what use cases are in urgent need of trusted anchors, Zekri said they involve “access management,” where identity is being used, with healthcare and hospitality among as many as 15 markets (beyond financial services) that can benefit from digital identity and more robust credentialing methods. In those verticals, there is a continued and growing need to combat crime and terrorism and satisfy an environment zeroed in on anti-money laundering (AML) and Know Your Customer (KYC) regulations.

“As technologies evolve,” said Zekri, “you can layer all these additional elements to that trusted identity.” He offered a range of scenarios: authenticating a driver’s license at home, verifying geolocation that matches the address on the license, capturing and verifying a passport as a second ID and authenticating the chip in that passport (which matches the face). A user’s voice or iris can be layered on, too.

Regardless of the number of layers, “the core is still the same,” he said. There’s no personally identifiable information (PII) moving back and forth along traditional means, but there may be a token traveling between parties with limited information, accessible with a limited key offered up at a single point in time — “and then it all evaporates,” said Zekri.
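The tiered approval and the short-lived, limited-information token described above can be sketched as follows. This is an added example, not Acuant's code or design: the level numbers, resource names, sample identity, `is_approved` and `DisclosureTokens` are assumptions, and the token here is HMAC-signed rather than encrypted, with the issuer also acting as verifier.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed levels (assumption): a higher number needs stronger proofing.
REQUIRED_LEVEL = {"email": 1, "bank_account": 2, "tax_returns": 3}
# Constructed sample identity, enrolled at level 2.
IDENTITY = {"name": "Alex Example", "date_of_birth": "1990-01-01",
            "address": "1 Sample Street", "assurance_level": 2}


def is_approved(user_level, resource):
    """Approved up to the enrolled level and for everything below it."""
    return user_level >= REQUIRED_LEVEL[resource]


class DisclosureTokens:
    """Issues short-lived, single-use tokens carrying only user-chosen claims."""

    def __init__(self, key, ttl_seconds=60):
        self._key = key
        self._ttl = ttl_seconds
        self._unspent = set()  # nonces of tokens not yet redeemed

    def _sign(self, payload):
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, identity, shared_fields, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        body = {"claims": {f: identity[f] for f in shared_fields},
                "exp": now + self._ttl, "nonce": nonce}
        payload = json.dumps(body, sort_keys=True).encode()
        self._unspent.add(nonce)
        return payload.hex() + "." + self._sign(payload)

    def redeem(self, token, now=None):
        """Return the disclosed claims, or None if forged, expired or reused."""
        now = time.time() if now is None else now
        try:
            payload_hex, tag = token.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        # Constant-time comparison; reject before trusting any field.
        if not hmac.compare_digest(tag.encode(), self._sign(payload).encode()):
            return None
        body = json.loads(payload)
        was_unspent = body["nonce"] in self._unspent
        self._unspent.discard(body["nonce"])  # the token "evaporates"
        if now > body["exp"] or not was_unspent:
            return None
        return body["claims"]
```

The relying party receives only the fields the user chose to share, and a replayed or expired token yields nothing.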

To make it all ubiquitous, Zekri said Acuant is currently focused on the first piece of the puzzle, tied to enrollment, across all manner of devices and locations. In the end, the transaction is a process marked by frictionless behavior and individual control.

“We are working on something that ultimately we believe is a good methodology to both store and communicate that information” — and though different people will do different things across different digital identity constructs, the trend is to “merge into one” solution.

“Who’s going to provide that one thing?” he queried. “Like anything else, it’s an evolution. We are trying to facilitate the process” for providers that may, at the outset, be competing entities, “and create [a] trusted identity for them.”

How Acuant Helps Businesses Meet the Challenge of Implementing Identity Verification Solutions in an Economy where Identity is the New Currency

As more business transactions take place online, customers need not be present to conduct business. Many companies are now recognizing that identity is an organization’s biggest vulnerability and the verification and protection of identity data or PII (personally identifiable information) is paramount. This is creating new challenges for companies to ensure they are doing business with legitimate individuals and to authenticate users appropriately. This task is especially complex for banks or financial institutions as they must meet strict KYC, AML and other such regulations.

PROBLEM

An overwhelming majority of North American companies – eCommerce and financial services organizations in particular – consider identity verification a top priority but don’t believe they do it well or have all the necessary tools for success. According to The State of Identity Verification Maturity in North America report, 93% of respondents stated that while identity verification is a priority, they struggle to overcome obstacles that prevent them from realizing its full benefits, with just 2% believing they are successful.

So, if identity verification is a top priority, why aren’t more companies utilizing solutions?

There are many factors at play:

  • First, while organizations want to protect users and their PII, they are concerned about creating a frustrating or less than stellar user experience.
  • Second, the IT skills and cybersecurity gap is a serious issue plaguing already overwhelmed IT teams who may lack the expertise to identify fake or synthetic IDs, especially given the sophistication of today’s fraudsters.
  • Lastly, modern identity verification solutions leverage the latest technologies – including machine learning and AI – that integrate with various web frameworks. Many organizations either don’t have access to or the familiarity with this type of technology.

SOLUTION

Acuant helps organizations build trust by providing a full suite of solutions that let businesses address their appropriate level of risk through a layered approach: a continuum of document authentication, facial recognition, geo-location, chip inspection and more. Our next-gen Identity Platform is powered by the latest tech (AI with human-assisted machine learning) to boast the highest speed and accuracy rates, and is anchored by establishing the authenticity of an identity document (remotely or on premise). And when it comes to the pain points of integration and implementation that are barriers to many businesses, Acuant Solution Services is there to get you up and running.

Ideal for companies with fewer technical resources or the need for managed services, Acuant Solution Services provides fully customizable identity verification throughout every stage of the product development life cycle, with an easy API for integration into any third-party iOS, Android, Windows, Xamarin or HTML5 application. Experience the mobile app idScan® Go for Android and iPhone to see how the solution conducts real-time ID and biometric verification for secure transactions to instantly prevent fraud.