Online identity is everything
Online identity, online trust - is one of the most important issues today. Not only in financial services but in almost everything we do. This was probably THE dominant theme last week at FinTechWeek. Whether the topic of discussion was CyberRisk and Fraud, the changing market or the very topical Blockchain - almost every conversation referenced Identity.
Like many of you I have been involved with the internet for a long time - 300bps modems and writing my first bit of 'code' on a VIC-20 is where I started. Over the last 4 or 5 years I have been involved in the identity space, both with miiCard and numerous other projects and initiatives. From Trust in Digital Life through to the US's National Strategy for Cyberspace (NSTIC) and the UK's ID Assurance campaigns to build trust online and identity ecosystems - a lot has been happening over the last 5 years. A relatively short period of time, but one in which I think we have seen huge change in the industry.
The lack of online identity and trust has been a challenge with the internet for over 20 years, from the first time 'on the internet nobody knows you’re a dog' was coined until most recently, when an online dating site was hacked, exposing over 30m user records and 60 gigs of data and now resulting in a 600m dollar lawsuit. This is of course in addition to Sony, Target, Anthem Blue Cross, the list goes on.
The lack of online identity and trust is now a pain that we are all feeling. This is a very personal issue for me, as someone who has grown up with the internet and someone who is very passionate about its effect on our lives.
It is in fact the reason why I started miiCard. Prior to miiCard I was working on a Personal Finance Management tool called Money Dashboard. During my time there, it became apparent that there is a fundamental disconnect between the 'physical you' and the 'virtual you.' This disconnect is very difficult to bridge, and that's what creates so much doubt in our online interactions and transactions. I realized that our online selves would never reach their full potential until we could eliminate this doubt and replace it with trust by verifying the identity of the person on the other end of the browser or email. And that's exactly what miiCard does. We allow individuals and businesses to confirm an online identity to the same level as an offline photo ID check – and you never have to leave the online relationship or transaction to do it. The patented process is infinitely better than usernames and passwords or any other method of ID on the internet today, and it instantly enables an entire host of never-before-possible financial, healthcare, social media, online dating, and other services. It saves businesses and individuals time and money – and makes for a much better overall online experience. It is this convenience that we as consumers really want - a key driver in how we make decisions.
With the recognition that the greatest challenge with the Internet is a lack of trust we knew where we needed to start.
We looked at personal information - but that didn't prove anything. Of the billions in fraud each year, over half of it is online, and the biggest contributor to this is your name, address and date of birth. This is where so much of the fraud we see today comes from. Just because I tell you my name or even some information about me only proves I know that information. Any one of my friends, work colleagues or most of the 3000+ connections on LinkedIn know it or could easily find it out.
Document verification solutions were just starting to develop at the time, but we saw some obvious challenges. While they can verify a document looks real, they can't prove your real identity - that you are that person. Even in person, with fraudulent documents so often used, document checks struggle to deal with the associated risk. I was recently talking to a director of fraud in a bank who was questioning the value of a physical document check. Take away the physical benefit of the check and, while there is still a benefit, it isn't as strong as the industry needs.
We had to look at the problem from a different perspective. With issues building in the market, from data hacks through to increasing fraud, we had to take a different approach. The approach we took was to put the consumer in the middle of the situation. I asked the question while at a roundtable discussion on cyber risk and cyber security last week. With the challenges of data, standardisation, security, insurance, etc - is there any alternative but to put the consumer at the middle of the equation? There was not one suggestion of an alternative. This reflects quite strongly where we are as an industry just now - why Identity 3.0 is now a topic and why Identity is at the top of the agenda.
There were a few immediate choices that we felt we just had to make - choices that seemed obvious at the time but now reflect our very fortunate position.
We felt we had to take a consumer-centric approach - we had to put the consumer in the middle of the equation.
We had to include strong authentication services and make 2FA standard by default, but realised quite quickly that these don't prove identity. Just because I have a mobile phone doesn't mean you really know it's me, especially when so many phones are pay-as-you-go.
We had to give consumers real control - not superficial control, real control - over their data. We had to empower them to choose what they wanted to share with whom, for how long and with a great amount of granularity and control. This included the ability to easily 'disconnect' access to your data. With the upcoming Data Protection Directive in Europe this is being mandated, as we have seen recently with the "right to delete" and "right to forget" issues and Google. We had to support a range of situations - from proving your real identity without sharing any personal information through to sharing all of your information without any verification of your identity.
And one of the most important recognitions was that convenience was key - and this has been an overriding theme over the last 4 years - there's not much that really, truly motivates consumers. Convenience is arguably the highest on the list - hence why we talk about a 'frictionless' user experience and how even milliseconds of delay in loading a webpage can have an immediate impact on conversion and performance.
Finally we needed trust - real trust. We had to find a way to connect the physical person with the digital one - to create the traceability needed from a compliance, risk, fraud and regulatory perspective. We had to find a source of authority. And then it hit us. Banks know you really well. They know you better than anyone else. My bank knows that I live in Musselburgh and work in Edinburgh. My financial profile knows that I was in London last week, where I stayed, where I went for dinner. They have also already done the Know Your Customer and Anti-Money Laundering checks, so why do them again?
If as consumers we can leverage sources like the trust we already have with our banks, the trust embedded in our financial profiles, then we could do more online. Today it's this source of trust that is so hugely exciting. It has the potential to fundamentally change the way we engage online - creating a level of assurance and attestation that just doesn't exist today.
This was our solution to building trust online by empowering consumers. It's only one of many models but is reflective of what is now described as Identity 3.0.
Tonight the topic is cyber security - a pretty broad topic given the digital lives we all live. I was talking to someone the other day who said they had been working on this for the last few years and they finally got it. If you put all of the elements together in a quadrant what you had in the middle was identity.
Authentication is the process of identifying an individual, usually based on a username and password. Authentication merely ensures that the account owner is who he or she claims to be, but says nothing about the access rights of the individual or who that individual is.
Authorisation is the process of giving someone permission to do or have something. In our world an example would be confirming that you're happy for someone to have, or have access to, your personal data.
Verification in Identity ensures that users or customers provide information that is associated with the identity of a real person - that they are who they say they are. This is usually represented as a Level of Assurance (LoA) in that identity.
Validation relates to the data about the individual being correct. These data items are typically referred to as attributes and are either self-asserted by the individual or validated through a verification process with a third party. It is the validation of an individual's data that gives it real value, as a business or other individuals can then rely on that data being true.
When you combine these four aspects together - it's identity that is the connection between them all.
Given identity is all about context - it directly depends on what you're doing at that moment - the levels of each of these services can vary but the identity is still the same. For example, if you transfer money then you may need to know who you're transferring it to, but you don't need to know much about them. For a higher value transaction you may need a stronger level of authentication, such as 2 or 3 factors, to ensure that it is you agreeing to that transfer. For a dating site you may just want to share some basic public information; for a mortgage you may want to share everything to get the best rate. Each situation is different, each unique and each a reflection of how much 'trust' is needed between the two parties, regardless of whether they are individuals or businesses - or both.
It is this trust that is so critical - and trust from both sides - both for the consumer and for the business. The internet needs a layer of trust - it needs the confidence that we get from trusting that you are who you say you are, that the information about you is correct - that you are over 18 when you walk into the bar. But it has to be consumer-centric. As I mentioned, personal information is one of our biggest challenges today - it’s the reason why the information about us is used so often to impersonate us. I should be able to walk into a bar and prove I'm over 18 even without sharing my birth date. I shouldn't even have to share my name if the bar could trust that I am really who I say I am - and that they can rely on the fact that I'm over 18.
Consumers need to be empowered with this control - with the ability to manage their own information and share it when and how they would like.
During my keynote at FinTechWeek I asked the audience of Cyber Security and risk professionals to keep in mind what a different world we would live in if you could control, manage and prove your online identity. How much would consumers' lives change if they could open a bank account in minutes? How, by leveraging your financial data, you could get a loan in a couple of minutes - remortgage your house, transfer money, switch your bank account. Think about how you could get a better rate by proving that you always pay off your credit cards…or you don't, so you need a longer repayment schedule. I asked how much better a world we would be in if we could help empower consumers to help us.
So let me leave you with one thought. Instead of trying to help solve the problem for consumers - how about helping them solve the problem for you. Empower them, give them the control, let them prove they really are who they say they are - and then reward them for it and we will have a faster, easier and safer internet.