In Canada, a digital ID for payments gets a bigger job

Register now

Blockchain and the 'Internet of Things' are enabling a lot of new payments innovation. In Canada, they're part of a huge project that could radically change ID security for not just payments, but a whole host of activities that rely on privacy and data integrity.

"In a click you can open an account, and in the future payments will fall into that," said Greg Wolfond, CEO of SecureKey, a Toronto-based security company that provides device security for government and corporate clients. It also offers SecureKey Concierge, a program that authenticates computing devices for mobile commerce and payments.

That technology is the launching point for an initiative that will use blockchain to power the exchange of data among people and institutions. This data can authenticate a payment, help a renter obtain approval for an apartment, or vet access to a government building. Users will largely control the system—consumers will load it onto their smartphones; and banks, telcos and other enterprises will participate.

"The consumer knows what he or she is sharing, but the recipient cannot know or obtain other data or information that can compromise the user's privacy in a way that the user does not know," Wolfond said.

The data to secure a payment is not usable outside that context, but the system that curates the data is usable in a broad range of venues, Wolfond said. "It's like taking your driver's license to a bar to prove you're of age. The bartender does not know where else you have used your license. But that license can be used in all sorts of places. And the bartender doesn't have access to other information on the license beyond your date of birth."

Canada's largest banks — BMO Bank of Montreal, Bank of Nova Scotia, CIBC, Desjardins, Royal Bank of Canada and TD — are financially backing the project, which is expected to launch in 2017. It's a chance to put the country's banks at the center of national identity management, a key role get in front of the curve as Web connected devices become payments enablers.

Other big companies such as telcos are expected to participate, though SecureKey did not release details on participants beyond the banks. It's a potential revenue source for both SecureKey and the banks, which will share fees from participants, acting as identity brokers.

Federated identity has long been a goal for information security, though most early initiatives did not last because of interoperability problems, competitiveness among participants, or the inability of the actual technology to properly secure computing devices and consumers in multiple venues.

But the decentralized nature of blockchain, which is a type of distributed ledger commonly associated with bitcoin, is seen as giving federated or digital identity a new chance to succeed. Since the blockchain is decentralized, different parties rely on the same shared source of information and also vouch for the security and integrity of that information.

"Blockchain technologies could lead toward a shift towards individuals controlling their own data and releasing data based on their own preferences," said Ben Knieff, a senior research analyst at Aite Group. "This leads to an environment where each of us exposes different aspects of our identity in different contexts."

Ultimately this develops into a federated identity capability that the user owns and controls, Knieff said. "In the future everyday consumers will manage private keys much like they do bank accounts."

In the Canadian project, a starting user base of about 7 million people will access Concierge to manage ID through their online banking account, which is used to authenticate payments and other financial services. This single sign on will allow access more than six dozen government services, as well as other merchant or retail services that rely on information that is typically paired with payments.

"If a [telco] wants to know your name, address and credit score as part of an application, you answer yes and that information is released," Wolfond said. "And we also don't have the data, but we do orchestrate its release."

The Canadian project is also considered a new form of digital identity, which can help protect users as they transact in different channels, and can fill gaps that physical protections such as EMV chip cards cannot.

The challenge for the participants is to ensure the integrity of the actual data, said Al Pascual, Javelin Strategy & Research's research director and head of fraud and security.

"Whatever party is the custodian of the identity…they must be sure that when a digital identity is created that it belongs to the true individual," Pascual said. "This is done to varying degrees of certainty depending on the industry, which is why many banks are loath to allow 'login with Facebook' to be used with their digital banking properties."

For reprint and licensing requests for this article, click here.
Device security Data security Mobile payments Mobile banking Canada