Can digital ID work without AI, blockchain and consumer ownership?
Getting rid of passwords is easier in concept than practice, with hundreds of initiatives designed to build something more digital, flexible and transportable. But none have taken hold, causing one developer to try an approach that rejects most of the prevailing methods.
Digital ID projects typically rely on blockchains or other types of distributed ledgers, or use artificial intelligence to improve the behavioral analysis that’s used to spot a risky user or activity. The selling point of using blockchain, cloud or ID as a service is that these options put the user in charge of his or her ID. The ID works like a digital driver’s license that’s transportable.
Uri Arad thinks this approach won’t gain enough traction and isn’t using the right technology. Arad worked for PayPal for about eight years, developing risk analysis and managing a team of data experts. He left the payment company in 2018 to create Identiq, concluding that companies cannot fully understand new users at the time of onboarding without the help of other companies.
Identiq’s been working on its model and building a nascent network that is rolling out this month. It’s coincidentally launching as use of mobile apps spikes during the coronavirus pandemic, pressuring companies to safely onboard an unexpected wave of new users. The startup has drawn about two dozen companies thus far, including PayU, Plastiq and Blackhawk Network. Other users span retail, gaming, social networking and sharing apps.
The Tel Aviv-based Identiq uses cryptography and algorithms to compare a new user’s data against existing identities deemed trustworthy by other members on the network. This vetting is designed to take place without sharing the user’s personal data.
Instead, the company uses multiparty computation, or a system in which different members work together without divulging their own work. Identiq takes a portion of the fees the participants pay to use the network to vet users. The model is an older one, using programming techniques that already exist and don’t rely on disparate use of new AI-driven models that are often still in pilot testing. The result, Arad argues, is an ID network in which firms can benefit from the data that other companies possess without accessing that data.
“We’re trying to look at this problem differently. There’s a gap between what one company knows and what the whole ecosystem knows,” Arad said. “If there’s a way to ask the ‘internet’ to vouch for someone, we should be able to do that.”
Identiq’s decentralization is more targeted than a distributed ledger such as a blockchain.
“Blockchain is good for managing transaction information,” Arad said, adding a blockchain is immutable and thus prone to holding information for too long. “Technically, Identiq is not transactional because nothing is moving from one party to another. And with a blockchain, all of that information is there forever.”
Both Identiq’s concept and the decentralized blockchain user-owned data management concept rely on a network effect. The more participants, the larger and stronger the network. But a model that leans on individual users to control and transport their own ID, generally referred to as self-sovereign ID, relies too much on buy in, Arad contends.
“In many cases the users have either a lack of understanding or a lack of motivation. They have very little skin in the game. If I know my card issuer is going to pay my money back if it gets stolen, I may not be as careful about using my card,” Arad said. “A self-managed solution is not going to be helpful.”
Identiq’s solution is quite different from the way payment data and identity are usually handled, said David Mattei, a senior analyst at Aite Group, adding a prime benefit could be the reduction of friction at account openings.
The firm is operating like a “traffic cop” by routing requests among participants. “What’s interesting about this approach is no one knows who is asking the question and no one knows who is answering the question,” Mattei said, adding parties don’t have to identify themselves or risk sharing sensitive data, making it GDPR compliant. “It’s full anonymity among those who participate in the network, which has distinct advantages.”
The challenge to the model is the data that’s validated tends to be numerical, such as a card number, CVV or phone number, Mattei said, adding it’s harder to vet based on shipping addresses or names. And different merchants will have different types of information, requiring the network to normalize the data. “While it can handle some text data, the results are stronger on numerical data.”
Digital identity verification is increasingly important and difficult in an era where digital fraud is escalating, said Krista Tedder, head of payments for Javelin Strategy & Research, adding identity fraud in the U.S. increased 15% in 2019, with one of the top risks being new account fraud.
“Building a trusted consortium between companies could potentially fill the gap of knowing consumers and preventing fraud,” Tedder said. “The hurdle will be the proliferation of synthetic identities and what happens when a synthetic identity is validated by the consortium. Once a synthetic identity would be seen as valid, the criminal would be able to pass verification at other companies that participate in the consortium.”