Digital ID devs can't kill passwords on their own
Digital ID platform developers are competing to sign up partners to deploy their technologies to replace vulnerable usernames and passwords with a single sign-in. The challenge is to sign up a sufficient volume of partners to make these platforms attractive for consumers and businesses.
One of the latest newcomers is Madrid-based Biocryptology, whose biometrics-based platform competes with other fintechs in the ID-as-a-service space such as the U.K.'s Nuggets and Canada’s SecureKey, as well as with open standards bodies such as the FIDO (Fast IDentity Online) Alliance.
September 2019 will see the introduction of Secure Customer Authentication (SCA) in the EU as part of PSD2. This will increase the number of online transactions for which two-factor authentication is required — and, in turn, it will likely increase demand for biometric ID technology.
Currently just one to two percent of European online transactions require cardholder authentication (most likely using passwords), but this is set to rise to up to 25 percent of payments due to SCA, according to Mastercard U.K.
The key to success in the emerging ID-as-a-service field lies in signing up a sufficient volume of major industry partners.
Significantly, Nuggets announced a partnership in June 2018 with Chinese payments processor QFPay, which handles payments for AliPay and WeChat Pay, to use its platform in Asia. But other coalition-based digital ID developers such as SecureKey and Australia Post have found it takes a long time to sign up partners to facilitate their commercial rollout.
In October 2016, SecureKey secured C$27 million from Canada’s top banks to fund the commercial rollout of a nationwide federated digital ID network, which will enable Canadian consumers to use a single digital ID for new bank accounts, credit cards, driving licences, telephone services or other utilities. It said in an October 2016 news release that its blockchain-based network would be launched in 2017.
Canada has a small number of major banks and telcos, making it easier to sign up partners for SecureKey. The firm’s platform is built with IBM Blockchain technology based on the Linux Foundation’s open-source Hyperledger Fabric, and is designed to enable a scalable number of consumers and institutions to quickly join its Verified.Me network.
But as of August 2018, SecureKey’s Verified.Me network still hasn’t rolled out, although Canadian FIs such as BMO, CIBC, Desjardins, RBC, Scotiabank, TD and Sun Life Financial are members. SecureKey spokesperson Sarah Douglas says the FI partners are still in the implementation phase and plan to roll out later this year.
EnStream, an ID verification and authentication business owned by Canada’s three largest telcos (Telus, Rogers Communications and Bell Mobility), is a SecureKey partner. A version of SecureKey’s technology is already used by the Canadian government to provide citizens with secure access to e-government services such as tax-filing and social security by logging in to government sites using their bank credentials.
“The idea with SecureKey is that a consumer has their own ID profile based on the ID data held by their bank, which is stored in a safe on the blockchain,” said Ed Price, director of compliance at Devbridge Group. Price was previously a senior solutions architect at BMO Harris Bank, a subsidiary of Bank of Montreal, where he worked on the development of SecureKey’s federated ID network. “As a consumer, you own this ID data and you decide which companies or organizations get to access that data for the purpose of ID validation.”
Last year, Australia Post launched Digital iD, a smartphone-based national digital ID scheme, with foreign exchange provider Travelex Australia, job outsourcing site Airtasker, Australia’s largest credit union CUA, and the Queensland Police Service.
So far, just 10 organizations in total have signed up for Digital iD to verify an individual’s identity, including a number of cryptocurrency exchanges and the Western Australia Police Service as part of the National Police Certificates process, said Jared Lynch, national media and communications manager for corporate affairs at Australia Post. “We expect to top 1 million ID verifications, on an annualized basis, in the coming months,” he said.
Biocryptology is partnering with companies such as ID document capture firm Mitek Systems, blogging site WordPress, digital business platform Magnolia, and Euronet Worldwide-owned Ria Money Transfer in a bid to replace usernames and passwords with a biometric-based universal ID platform.
The fintech wants to make its digital ID security platform a global standard for online ID by 2025 through a global coalition of partners, said Ted Oorbals, Biocryptology's CEO.
A major vulnerability with existing authentication processes is that banks and other service providers store the user’s credentials, including any registered biometric data, for validating ID credentials input at login.
“This creates a risk that your data could be stolen from one of these service providers,” Oorbals said. “Our solution is designed to remove this risk. Once we’ve validated your ID data, you need never supply it to any other service provider which participates in our platform.”
This means that the ID provided to a bank can be used to identify the same consumer to another company such as an insurance provider, Oorbals said.
“Our strategy is to develop a coalition of ID partners who accept our ID solution,” Oorbals said. “We offer a single digital ID for all online and real-world access, authorization and authentication applications through our partners. While FIDO is based on open source technology, our platform is a closed solution.”
Unlike Nuggets and SecureKey, Biocryptology uses a proprietary technology which isn’t based on the blockchain. In the payments industry, Biocryptology is targeting its solution at P2P money transfer companies, as well as at banks and e-commerce sites.
New users of Biocryptology’s app undergo a one-time on-boarding process, which involves scanning a biometric identifier (fingerprint or face) via their smartphone, and entering their email address and phone number into the app. Their ID is then verified by Biocryptology against a central matching database. After completing this process, the user can access both online and physical environments using the app and their biometric data.
Biocryptology has developed a product called the UP device with electronics manufacturer Foxconn. The UP device scans biometric traits such as fingerprints and can be used as an alternative to smartphone-based biometric identification, particularly for security-sensitive applications such as banking and government services. The drawback of the UP device is that it requires a user to have their ID validated by a notary.
Oorbals said Biocryptology offers hardware authentication devices because smartphones have security limitations. “The problem is that a fraudster can enroll you on their own mobile phone, and your mobile phone can be hacked,” he said.
The company has established four levels of validating the identity of users of its platform, depending on their needs.
Level 1 is physical access authenticated by the user, such as to a home or car, or access to personal online services such as email. Level 2 covers access to closed physical environments or online platforms which are controlled by a company. Level 3 covers access to online banking and payments services, verified by a third party. And Level 4 covers access to official/government services or premises and procedures for legal purposes; identity validation is performed by an official body such as the police using the Foxconn device.
Biocryptology is also partnering with Mitek to electronically verify a user’s ID from their passport, driving licence or selfie.
Oorbals said that the only user data Biocryptology stores is the user’s email address and phone number, which is data that consumers are generally happy to share with other people. “I give my name, email address and phone number to people every day, and these can’t be used to commit fraud on their own,” he noted.
Biocryptology is in the process of implementing its platform with global remittance firm Ria.
“We will provide Ria with a plug-in for their digital app and website that links to our platform,” said Oorbals. “We will identify all transactions that go through Ria’s platform, and they will pay us €1 a month per person to authenticate them via Biocryptology.”
For a business to use Biocryptology, there is no up-front fee, and companies pay €1 per month per user of the platform, Oorbals noted.