The views expressed in this article are solely those of the author and should not be attributed to the European Payments Council.
Identity is in crisis. Massive cyberbreaches and identity frauds are daily news. Users experience endless frustration with countless passwords and registration procedures. Governments suffer from poor online acceptance and merchants experience high fraud costs despite massive IT investments.
Maybe we need to rethink the topic of identity.
Today’s discussion around identity largely centres on government- and regulator-led initiatives on the one hand and private initiatives on the other. The online commercial sector in particular is deploying countless individual identity solutions, each allowing the user to sign on to its particular service, with a number of them (notably social media) also offering their identities to third parties. The result of these many approaches is that the user is confused, has an overwhelming number of ways of identifying himself, has severe concerns about his data being shared (and hence about control of his privacy) and has a terrible online experience.
This frenetic activity on identities thus paradoxically results in worse security (not least since users try to conquer the complexity and diversity by reusing passwords across services, writing PIN numbers on the back of their bank cards, or holding credentials in central repositories) which in turn leads to severe issues, both economic (e-commerce rejection) and systemic (cyberbreaches, online trust).
Maybe we need to radically rethink our approach to identity. There must be better ways of organising this topic than in silos that are sometimes more or less connected.
Surely there are now better methods than user identifications (userids), passwords and rigid two-factor authentication procedures to identify someone reliably.
Maybe there is even a fundamentally better way to think about the topic: maybe it is not about identity (‘is it him/her’) at all! Upon consideration, maybe the real personal identity is mostly irrelevant: I just need to prove that I am over 18, that I have the right to access this service, that I may pass through this door. Only some selected attributes of myself are relevant. Who I am, what my name is, what my home address or my bank account details are - is mostly of no concern. Indeed, revealing my full personal identity to services, applications and devices is against the fundamental privacy principle of ‘data minimisation’.
Identity, in the formal/usual sense of identifying the full individual, may thus, in most cases, be a massive overshoot to requirements and quite illegal under and ePrivacy.
Thus, it is suggested that services should perhaps only be allowed to verify attributes, and that instead of talking about identity we should be focusing on rights management.
Looking further, we see that this rights management should not only be applied to natural and legal persons (as, for example, sees the world). Instead we are surely increasingly seeing the need to also verify the rights of applications, programs, robots, apps and devices: does this piece of software have the right to initiate a payment, to see the balance on my account, to gather information on my transaction history? Does this device have the right to communicate with my bank card, to open this door for me, to drive me to work?
We can see that this topic is multi-dimensional and stands at the intersection between many new legislations (, , ) and many new developments (open banking, Robo-artificial intelligence, Internet of Things (IoT)) and may need to be radically rethought in the context of these new regulations, new market developments and the new technological possibilities.
One could argue that a way forward may lie not in more-or-less interconnected silos, but in a true federated system, connecting
- several identity providers (better: attribute verifiers), employing modern authentication technology (not userid/password), who compete to offer their services to verify very specific attributes (not revealing whole personal identities) of an individual/company/application/robo-adviser/device (not just people)
- several consuming industries (online platforms, government services, IoT, etc) who rely on these attributes.
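As an added illustration (not from the article or the EPC), the data-minimising attribute check argued for above together with the verifier/relying-party split of the federated model: a hypothetical attribute verifier attests only that a customer is over 18, under a pseudonym specific to the consuming service, and that service verifies the assertion without ever seeing a name or account details. The keys and the customer record are constructed for the demo, and an HMAC stands in for the scheme-level signatures a real four-corner model would use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo keys. Assumption: a real scheme would distribute asymmetric
# signing keys to verifiers and relying parties rather than shared secrets.
VERIFIER_SIGNING_KEY = b"demo-attribute-verifier-key"
VERIFIER_PSEUDONYM_KEY = b"demo-pseudonym-derivation-key"

# Constructed customer record as held by the attribute verifier (e.g. bank KYC data).
CUSTOMER = {"customer_id": "cust-0001", "name": "A. Example",
            "iban": "XX00 EXAMPLE", "over_18": True}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_attribute_assertion(record: dict, attribute: str, audience: str,
                              now: Optional[int] = None, ttl: int = 300) -> str:
    """Attribute verifier side: attest ONE attribute for ONE relying party.
    Name, IBAN and customer id never leave the verifier; the relying party gets
    the attribute plus an audience-bound pseudonym, so two services cannot link
    the same user across assertions."""
    now = int(time.time()) if now is None else now
    pseudonym = hmac.new(VERIFIER_PSEUDONYM_KEY,
                         f"{record['customer_id']}|{audience}".encode(),
                         hashlib.sha256).hexdigest()[:16]
    claims = {"sub": pseudonym, "aud": audience, "attr": attribute,
              "value": record[attribute], "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(VERIFIER_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_attribute_assertion(token: str, expected_audience: str,
                               now: Optional[int] = None) -> dict:
    """Relying party side: check signature, audience and expiry, return claims only."""
    now = int(time.time()) if now is None else now
    payload, sig = token.split(".")
    expected = hmac.new(VERIFIER_SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims["aud"] != expected_audience:
        raise ValueError("assertion was issued for a different service")
    if now >= claims["exp"]:
        raise ValueError("assertion expired")
    return claims
```

The relying party learns `value: true` for `over_18` and nothing else; replaying the same token to a different service, or after expiry, is rejected.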
This sounds much like a trusted four-corner-model that we know from banking and payments, suggesting that there may be a role here for the financial services industry. There will of course be many industries providing identity services. Very visible are already ‘sign on with Facebook’, ‘sign on with Google’ or finger-prints on mobiles.
But maybe the role of banks in this space (with their extensive Know Your Customer (KYC) assets, their network, their modern security solutions) has so far been undervalued.
Selected forward-thinking banks, not only in the Nordics, are indeed already entering this space in a federated way. They thereby strategically strengthen their positions as trusted parties known to preserve privacy and security. They also see this as a commercial opportunity to generate new revenues and save costs by leveraging existing investments and infrastructures. The business case looks attractive: you log on/identify yourself many more times per day than you pay per day.
Maybe banks and payment-related services can help towards a world with less cybercrime, less identity fraud, better online experience of government and commercial services, to not only make our lives safer and easier but finally to truly enable the efficient and convenient online and offline economy.
For full text see article in JPSS Journal of Payments Strategy & Systems.