Experian wants to break the digital ID deadlock by breaking the rules
Transferable dynamic authentication is something almost everyone wants but still seems just out of reach. Experian says there are a couple of places where that problem can be solved, adding that it’s time to realize that even digital-age ID rules no longer work.
It used to be that a password was enough. Then it was a password and some challenge questions. Today it's common for consumers to also use their phones for authentication, but all of these options can be compromised because none of them changes dynamically.
“The subject of identity is more complicated now than it’s ever been,” said Eric Haller, executive vice president and global head of DataLabs for Experian. “The use cases that require a dynamic ID will continue to grow and the data that will fuel those use cases or the opportunity to add new authentication will continue to grow. Any solution has to take that into consideration.”
The goal of digital ID, or vetting without passwords, is so prominent and elusive that it’s drawing the attention of hundreds of government agencies, VC investors, payment companies, technology developers and merchant acquirers around the world.
Digital ID is seen as a solution for everything from financial inclusion to fraud risk, since it can carry authentication from one transaction or relationship to another, removing the requirement to establish new credentials for different purposes. People are already doing this by reusing passwords for different accounts, though without any real connection and in a way that creates a larger risk for theft.
Since digital ID is a likely result of open banking and data protection regulations such as PSD2 and GDPR, it’s attracting lots of different solutions, such as distributed ledgers, the cloud and APIs. Experian is using AI to quickly update the information behind the triggers that go into risk-based identity.
Experian, which has developed ways to embed voice technology in merchant workflows to replace the use of keyboards — and has spent the past two years building biometric behavioral analysis to battle account opening fraud — is updating its strategy to tackle new identity risk.
The company hopes to address what it sees as a couple of basic challenges that are making it hard to move away from static identifiers such as passwords. A key challenge: The points that are most important in proving identity are hard to manage and transport among multiple parties in a digitally dynamic environment.
“One is at the time of enrollment, which is the trickiest and still fraud-prone phase of a consumer relationship,” said Kathleen Peters, executive vice president and head of fraud and identity for Experian. “Are they who they say they are at the beginning? Can you have confidence in getting to a reusable ID elsewhere?”
That’s the second challenge—reusability. Once that initial ID is established, how can the future payment or other transaction digitally link back to the personally identifiable information in a constant, near-real-time manner, in different channels and involving different banks and parties?
These gaps or challenges in vetting ID come in part from the prevailing way in which information is knitted together to determine if the person using the digital card, or shopping on a website, or using a specific mobile device, is the proper person, Haller said.
“Traditionally you have rules that create a sustainable barrier to entry,” he said. “The more expertise you have around these rules, the better solution you have.”
The pace of development for new ways to engage is too fast for the traditional rules to apply. Even an advanced way of changing rules, such as behavioral analysis, or applying visual or fingerprint biometrics in a risk-based manner, doesn’t fit into an environment of omnichannel commerce, cross-border payments and cashless retail.
“The rules can’t keep up with the new data that’s being produced,” Haller said. “There has to be a change in how identity is provisioned to perform the basic function of determining if a person is authentic.”
Machine learning is playing a larger role in this knitting and in setting the parameters for vetting identity and assessing the analytic risk that determines when extra authentication is needed or a transaction is flagged.
Under the hood, that means identifiers such as a state or federal ID, a home address, a biometric trait or other data that can identify a user will be part of an AI-powered ID graph that can be constantly adjusted and applied to open banking standards, digital commerce and other functions where a digital ID is required.
The platform is open and accessible by third parties via an API. When combined with AI, that permits improvements in updates, which can take more elements into consideration much faster. Experian is using this system within its business, with plans to use it as part of upgrades or new products that it brings into the markets, whether payments, banking, or non-financial services.
“There’s a general recognition that the current ID paradigm is broken,” said Julie Conroy, research director at Aite Group. “It’s been broken for a long time and it’s hard to get consumers to move beyond it.”
There is accelerated investment in fraud hubs, in which multiple types of authentication coalesce around a central risk engine, according to Conroy. “That hopes to address a lot of the problems around making authentication more nimble and faster.”