WHAT CAN YOU DO WITH DIGITAL IDENTITY

What can you do with digital identity is a fundamental, probably critical, question for the industry to answer. It probably should be top of pack for any company thinking of standing up a digital identity solution, as without it you will have created a boat without paddles or a sail. It may look good and be technically sound, but it won’t get you too far. Metaphor aside, if a digital identity solution does not solve an immediate problem and lacks a scalable business plan, then it will quickly lose momentum and become obsolete. This is, of course, true of any technology or business, but is acutely relevant to the digital identity industry.

This is one of the important findings from a report that I have authored, the second edition of the Goode Intelligence Digital Identity report which was recently published and covers the market for verified citizen and commercial digital identity.

In the four years since the first edition of the report was published in 2019, there has been a growing realisation that you cannot stand up a digital identity scheme or solution without successfully answering these three questions:
1. Does it solve a real-world problem?
2. Will people use it?
3. How can I make money out of it?

The third question is critical to privately run identity systems/schemes.

A failure to answer these questions has effectively ended Self-Sovereign Identity (SSI). The theory that people would choose to download a wallet or generate their own digital identity and then use this identity with a variety of relying parties, including governments, has not been successful. There are of course other reasons, but fundamentally in building solutions without a direct link to benefit (both user and business) there is little appetite for them.

So, what can you do with digital identity, and where are we seeing success and growth? With the emergence of digital identity wallets and verifiable credentials, there are three new categories that are added to our list from 2019: Employee ID, Healthcare ID, and Digital Qualifications.

Our top eight use cases and applications for Digital Identity in the six-year period that the report covers, 2024-2029 are:
1. Identity Verification: Supporting remote customer onboarding.
2. Access to eGovernment services: Providing a single digital identity to access cross-department digital government services including eVoting.
3. Assured Authentication: When the digital identity is highly assured and issued after strong identity and document verification then it can be used for assured authentication.
4. Digital Travel: Including mobile driving licenses (mDL) and Kerb (couch)-to-Gate for airport, rail, and boats.
5. Age Verification: Including Offline – used in bars and clubs instead of a paper document, and Online – used to ensure access to adult (age restricted) digital content and services is upheld.
6. Digital Signature: Supporting smart contracts.
7. Employee ID: Digitising employee records and career history by exploring the capabilities of verifiable credentials.
8. Healthcare ID: Including healthcare professionals (with their qualifications and experience), Patient ID, and Healthpass (COVID-19).

The second edition of The Digital Identity Report, published October 17, 2023, is a comprehensive 272-page study that includes a review of current global adoption, market analysis including key drivers and barriers for adoption, interviews with leading stakeholders, technology analysis with review of key technologies and profiles of companies supplying solutions across key verticals, plus forecasts (regional and global) for digital identity users, key technologies, and revenue within the six-year period 2024 to 2029.

More information can be found on the report page.

Beyond compliance: comply and thrive in a PSD2 world

Goode Intelligence recently published a white paper aimed at fraud and security professionals that are responsible for the roll-out and management of PSD SCA solutions.

The white paper, “Beyond Compliance: Comply and Thrive in a PSD2 World”, investigates how behavioural biometrics can enhance Strong Customer Authentication (SCA) deployments and resolve issues that have become apparent now that SCA is mandatory across the UK and the EU.

It is aimed at banks and Payment Service Providers (PSPs) that are now SCA compliant and want to discover what comes next.

SCA adoption is high

The payments industry is at the start of its journey with implementing SCA and has rightly focused on being compliant with local SCA regulation. The percentage of transactions processed through SCA-compliant authentication rails is high in Europe with 92 percent of authentication requests being SCA compliant.

SCA has reduced payment fraud

SCA was introduced to reduce payment fraud within Europe and there are indications that this has been the case. Fraud rates are declining in regions that have implemented SCA. The EBA has confirmed that the average value of fraudulent card transactions across the EU has fallen by 50 percent for issuers between June 2020 and April 2021 (0.12 percent to 0.06 percent).

Fraud rates down – at what cost?

This is incredibly positive news but there have been documented issues with the deployment of SCA technologies that include an increase in transaction failure rates (payment attrition), rejected transactions and abandonment in the payment process because of increased friction for consumers. Figures from Microsoft paint a picture of low SCA success rates, and high challenge and abandonment rates.

Beyond compliance: comply and thrive in a PSD2 world

With good levels of SCA compliance and falling payment fraud levels, it is time for the payment industry to concentrate their efforts onto the problem areas that SCA is causing. These include measures that can:

  • Increase acceptance rates
  • Reduce declines and failures
  • Reduce levels of friction
  • Make it easier for consumers to make payments online
  • Detect previously undetected fraud

Benefits of behavioural biometrics for SCA

A technology that can meet these requirements, and one that is being increasingly adopted, is behavioural biometrics. Banks and payment services providers are increasingly turning to biometrics for payment security, with many issuers already adopting biometric authentication in their mobile apps. A leading UK bank that has turned to BioCatch’s leading behavioural biometric technology to enhance its SCA solution has a projected fraud saving of £1 million annually. The BioCatch behavioural biometric solution deployed by this UK bank was able to detect 42 percent of the fraud that was being missed prior to the deployment of BioCatch’s technology.

Behavioural biometrics has many benefits for payment security including:

  1. Meets SCA ‘inherence’ factor requirements
    • Including providing ‘inherence’ for ‘what you have’ SCA factor, e.g., mobile phone evidenced by OTP
  2. Improves user experience
  3. Reduces friction leading to reduced abandonments
  4. Reduces false positives for 3DS and risk-based-authentication (RBA) transactions
  5. Reduces fraud, including previously undetected fraud

Download the full report

You can download the full report here.

Alan’s View – 18th August 2021

Alan Goode, CEO and Chief Analyst, shares his views on the latest developments for Digital Trust, featuring the latest updates on behavioral biometrics, including the acquisition of Revelock by Feedzai, and the latest round-up on investment and M&A for the industry.

 

Alan’s View – 29 July 2021

Alan Goode, CEO and Chief Analyst, shares his views on the latest developments for Digital Trust, featuring the latest updates on Covid-19 health pass, quantum encryption and SSI, updates on RSA Outseer and Transmit Security, and the latest round-up on investment and M&A for the industry.

 

 

Alan’s View – 22 July 2021

Alan Goode, CEO and Chief Analyst, shares his views on the latest developments for Digital Trust featuring UK and France government’s plans for Covid-19 health pass, UK government asks for consultation on digital identity plans, New York City introduces biometric privacy law and latest round-up on investment and M&A for the industry.

Digital Trust World 2021 – The matter of trust in a digital world

From the company that brought you the annual Biometric, Identify and Identity Summits, join us in shaping the digital trust landscape of the future.

Trust is at the heart of fruitful relationships, both personal and business.  This is true for both the physical and digital worlds.

In the physical world we create trust through security, effective process, and reputation. These pillars guide us through our decision making when establishing trust and inform us when asking questions such as, Do I trust this person to honour an obligation? Can I trust a business with my money?  Do I trust that my healthcare provider will keep my records secured under lock and key, and that the key can only be accessed by authorised people?

Trust is also very much a two-way process – a mutual relationship based on reputation. Can an entity trust that I am a real person and not an imposter, that I will abide by the rules of the relationship, and that I do not have previous history of reneging on a contract, either on purpose or by misfortune?

In the physical world we issue documents and create records that prove who we are, when we were born, where we live, what we can do and what we have done. These make us eligible to receive healthcare or social care, to permit us to travel internationally, to permit us to drive a vehicle (and what types of vehicles), to prove that we have been fined for speeding. The list goes on…

In the digital world we need to match the levels of trust that thousands of years of human civilisation have created to maintain a safe and prosperous society.

We are in the fourth industrial revolution and, due to the COVID-19 pandemic, digital transformation is accelerating at an incredible rate. How we recreate the trust of the physical world, and even improve on it, is one of the fundamental questions of our time.

Digital Trust World 2021, a major new event from Goode Intelligence, will provide a platform for the world’s leading authorities in Digital Trust to drive the conversations around how we can effectively develop trust in the digital world, alongside our thought leadership expertise in the digital trust economy.

Goode Intelligence has been active in covering the latest developments shaping Digital Trust since 2007 when it published its ground-breaking market analyst report on the mobile phone as an authentication device. Since then, Goode Intelligence has been instrumental in shaping the narrative around trust in the digital world, predicting the:

  • Importance of biometric technology for frictionless mobile authentication in 2010 – three years before the arrival of Apple Touch ID
  • Critical role of mobile in remote identity verification
  • Opportunity for decentralised identity, central to the passwordless authentication movement
  • Arrival of multi-purpose biometric technology for cars
  • Future of touch-free biometric payments to support new retail opportunities
  • Importance of quantum cryptography in withstanding the threat from quantum computing.

Topics and Themes

Digital Trust World 2021 covers the following topics and themes segmented into the following technologies:

  • Authentication
  • Biometrics
  • Digital Identity
  • Fraud and Security

The event will also cover aspects such as Privacy & Ethics, Skills and Professional Training, Legal Requirements, Attracting Investment and Powerful Communication for Business Success.

Authentication

  • Pick a date – when will we see the end of passwords?
  • We expected the passwordless revolution to be with us by now, so why am I still using passwords?
  • FIDO Alliance update
  • Biometric authentication – offering the right mixture of security and convenience
  • Continuous authentication – a privacy nightmare?
  • Why we need risk-based authentication more than ever – delivering frictionless authentication

Biometrics

  • The importance of liveness detection in combatting identity fraud
  • How biometrics is being leveraged for secure touchless physical access control
  • The role of voice biometrics in supporting frictionless user authentication
  • Biometrics is not just about identity and authentication – how biometric technology is being used to monitor our wellness and wellbeing

Digital Identity

  • All you need to know about the digital identity wallet wars
  • Who should issue digital identity – government, banks, tech companies or telcos?
  • Case studies
    • What we can learn from the Nordic BankID model
    • Latest developments with digital identity in Canada
  • Is SSI the right choice for your business?
  • Digital Identity in:
    • Government
    • Financial Services
    • Healthcare
    • Travel
  • Identity Verification
  • The security of digital identity – what makes a digital identity system secure?

Fraud & Security

  • New models for fraud management
  • The importance of behavioural analysis in fraud prevention
  • What you need to know about the risk to encryption from quantum computing and how to solve it
  • Encryption as a service – models and benefits
  • The risk of synthetic identity fraud
  • What account takeover (ATO) looks like and how to mitigate risk?
  • Regulatory roundup with updates on
    • GDPR and worldwide data protection regulation
    • PSD2 SCA
    • EU AI regulation

Privacy & Ethics

  • Bias in AI – why it is such an important issue
  • What privacy by design is and how you ensure it is baked into digital trust solutions?
  • Diversity and inclusion in digital identity
  • Important considerations when designing and deploying a biometric system
  • Live AFR – is it such a bad idea?

Join me in October as we shape trust for the digital world by registering for your place now.

Alan’s View – The Healthpass Explosion

Despite confusion with UK Government’s policy on COVID-19 immunity and vaccination passports (some weeks it is a ‘no’, some weeks a ‘maybe’, other weeks a ‘yes’), it appears there is growing evidence that some sort of digital record to indicate a citizen’s health status will materialise. This is not just a UK trend. Around the world, a consortium of airlines, airports, travel associations, transport groups, technology vendors and governments are joining forces to design and deploy systems to verify the health status of citizens eager to get out and about again.

These initiatives are known by a number of names including immunity passports, test records or vaccination passports but are now being commonly called a healthpass. Biometrics is fundamental to the success of these schemes and biometric providers are recognising that they offer a great opportunity in an economic age where other sectors are stalling on new projects. Biometrics enable these schemes accurately to verify identity and then to authenticate citizens into the healthpass to allow verifiers to access their Covid-19 health data – have I been vaccinated? When was I last tested? Can I safely enter a country?

The UK is piloting a system jointly developed by iProov and Mvine, and British Airways is testing VeriFLY, a biometric health app developed by Daon. There is a need for common standards and interoperability with these schemes and it is encouraging that a global initiative called the Good Health Pass Collaborative has very recently been launched. This initiative includes iProov and Daon joining forces with the Airport Council International (ACI), ID2020, MasterCard and SITA. I am sure that this is something we will hotly debate during the coming weeks and months.

My thoughts for the shape of 2021

It has been a challenging year for us all and one cannot underestimate the impact of the pandemic on so many people around the world.  However, there is significant hope that 2021 will be a much better year for many of us.

2020 has been a year of the acceleration of digital transformation.

More people are working from home – At its highest figure during the Covid lockdown, 38 percent of the UK’s workforce was classified as exclusively working from home. [Source 1: UK ONS]

More people are banking remotely – More people are turning to digital banking, mobile and online, and many people are new entrants in using this technology. A study by McKinsey discovered a 20 percent rise in digital banking during the COVID-19 crisis – that’s two years’ growth in just a couple of months. [Source 2: McKinsey]

More payments are moving online – A study from McKinsey says that in the first six months of 2020, consumers spent US$347 billion online with US retailers, up 30 percent from the same period in 2019.

Once it is safe to do so, and the COVID-19 vaccinations have reached the majority of the world’s population, then we shall undoubtedly see the pendulum swing quite dramatically back to physical interaction. We are social beings and a pent-up demand for physical interaction means we will embrace physical shopping, face-to-face business meetings and events and international travel.  However, a new normal will emerge as normal life resumes and we again experience the inconvenience of long queues for parking at the shopping mall or travelling three hours for a 30 minute business meeting. The pendulum will again move towards the virtual world resulting in a balance of physical and virtual interactions with the distinction between the two narrowing. Much of the change in behaviour that has been a result of this pandemic will stick.

The improved digital infrastructure and a change in work culture will go hand-in-hand to support a much more virtual lifestyle. Businesses will support increased working from home and will benefit from improved productivity, reduced costs from smaller office space and improvements in employee mental health – getting that work-life balance is so important.

In the world of digital trust and security, in particular with authentication, biometrics, fraud and security, and identity, I believe that the following will happen in 2021.

Authentication: Despite the many predictions that 2020 will see the ‘death of the password’ it still dominates the authentication landscape.  The need for secure and frictionless authentication mechanisms that work across all channels and devices has never been so pressing but the fact remains that the password is still king. PSD2 Strong Customer Authentication (SCA) has increased the use of 2FA and MFA but banks and payment service providers are largely turning to SMS delivered OTPs despite many reservations from security experts and groups such as NIST. Standards such as FIDO and other passwordless initiatives provide organisations with alternatives to passwords that eliminate many of the security weaknesses, but adoption levels remain muted. There have been positive moves from some of the large tech networks including Microsoft and Google with their authentication apps but in many cases, it is still not mandatory for users to adopt them. I believe regulatory pressure will be the biggest driver to move away from passwords in 2021.

Biometrics: Expect another stellar year for biometric adoption across a wide range of verticals. I predict that behavioral biometrics will be more widely used in partnership with anti-fraud and authentication solutions, especially in heavily regulated industries including financial services (the EU’s SCA and 3-D Secure 2.0 are driving forces in payments).

Will 2021 be the year that biometric payment cards finally arrive for consumers? Expect an uptick in pilots around the world and increasing commercial rollouts to enable secure, safe, frictionless and no-limit payments in physical locations. Surveys from 2020, including our own yet to be published UK survey, indicate that there is strong demand for these cards and a willingness to pay a nominal sum per month for the privilege of owning one. With the rise of contactless cards in many regions of the world, the addition of biometric authentication will make them the top of wallet choice for millions of consumers.

Biometric accuracy and the ability to withstand presentation attacks (liveness or genuine presence assurance) will continue to improve in 2021 making biometrics a reliable method to identify and authenticate people across a wide range of devices and channels.

Biometrics will be vital for a wide range of applications across many different verticals; to support a safe (often touchless) and seamless travel experience, as a pivotal component in remote digital onboarding, to secure the next generation of connected cars, to link the physical and digital worlds for government-issued digital identity and to both actively and passively authenticate people.

Fraud and Security: There is enormous pressure on fraud and security systems to withstand increasing levels of attack on core systems. Covid-19 has led to increasing levels of fraud attempts against digital services. The UK’s Action Fraud reported a 400 percent increase in COVID-19 related fraud during March 2020 with the majority of reports related to online incidents. As remote onboarding increases there will be attacks on the tools that are being used to support this process, including using AI-powered attack tools to fool face biometric systems and the collection of personal information for use in synthetic identity attacks. Attacks on remote account opening have increased during the COVID-19 period and it has become one of the favoured attack points for criminals. In terms of a response from fraud teams, I predict increasing levels of cooperation between fraud and security teams to withstand the assault. This will include increasing adoption of layered tools that protect all levels of digital interaction with customers from discovery, onboarding, authentication and transaction processing.

Throughout 2021, more states will enact privacy and data protection legislation akin to the GDPR and California’s CCPA legislation.

Identity: A portable government-issued digital identity is proving to be a fundamental requirement in supporting digital transformation. It has the ability to provide an anchor for a wide range of linked digital identity credentials. This may be issued in a centralised or decentralised (self-sovereign) model – there are merits for both. Governments manage a rich depository of verified identity data across a number of different agencies. I predict that during 2021 governments will wake up to the opportunity that this data provides by enabling third parties to access this data in the same manner that government-issued documents are used in the physical world.

Age verification will be a popular application for next-generation digital identity solutions. I predict that blockchain technology is a realistic platform for age verification services as it can be supported by a zero-knowledge proof protocol that only supplies a cryptographic representation to the answer – am I legally permitted to access/purchase/consume age restricted products and services, including digital adult content and the consumption of alcohol? For instance, I am a student (this for me was some years back) and I am legally permitted to drink alcohol, but I am at an age where I need to verify my age when entering a venue that serves alcohol. Instead of using a physical government-issued document that proves that I am legally allowed to consume alcohol, along with a long list of other personal attributes that are irrelevant to the consumption of alcohol, I (the prover) give permission to the venue management (the verifier) to access my digital identity app (wallet) to verify my age. The verifier does not need to know my date of birth; they only need to know the answer to the question – am I legally permitted to consume alcohol, to which the answer can only be ‘yes’ or ‘no’.
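The prover/verifier exchange described above can be sketched so that the verifier receives only a yes/no answer and never the date of birth. This is an added example, not code from the original post or from any product it mentions: it uses a hash-chain threshold proof rather than a full zero-knowledge protocol or a blockchain, and the function names, the demo key and the HMAC standing in for the issuer's signature are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed demo key. HMAC stands in for the issuer's public-key signature
# so the sketch runs on the standard library alone; with HMAC the verifier
# would have to hold the issuer's secret, which a real scheme must avoid.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _chain(value: bytes, steps: int) -> bytes:
    """Apply SHA-256 `steps` times: easy forwards, infeasible backwards."""
    for _ in range(steps):
        value = hashlib.sha256(value).digest()
    return value


def _age_in_years(dob: date, today: date) -> int:
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def issue_credential(dob: date, today: date) -> dict:
    """Issuer: after verifying the date of birth, commit to the age in years.

    The age only grows, so "at least N" stays true after issuance; a holder
    who later crosses a threshold needs a fresh credential.
    """
    age = _age_in_years(dob, today)
    seed = secrets.token_bytes(32)           # secret, stays in the wallet
    commitment = _chain(seed, age)           # H^age(seed)
    tag = hmac.new(ISSUER_KEY, commitment, hashlib.sha256).digest()
    return {"seed": seed, "age": age, "commitment": commitment, "tag": tag}


def prove_age_at_least(credential: dict, threshold: int):
    """Holder (prover): build a proof, or return None if the claim is false."""
    if credential["age"] < threshold:
        return None                          # cannot walk the chain backwards
    link = _chain(credential["seed"], credential["age"] - threshold)
    # Only the chain link and the issuer-authenticated commitment leave the
    # wallet. A real presentation would add a verifier nonce and proof of
    # possession of a wallet key to stop replay and linking across venues.
    return {"link": link,
            "commitment": credential["commitment"],
            "tag": credential["tag"]}


def verify_age_at_least(proof: dict, threshold: int) -> bool:
    """Verifier: learns only whether age >= threshold."""
    expected = hmac.new(ISSUER_KEY, proof["commitment"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, proof["tag"]):
        return False                         # commitment not from the issuer
    # H^threshold(link) equals H^age(seed) only if link = H^(age-threshold)(seed).
    return hmac.compare_digest(_chain(proof["link"], threshold),
                               proof["commitment"])


if __name__ == "__main__":
    # Constructed sample holder, aged 20 on the constructed check date.
    cred = issue_credential(date(2000, 5, 17), date(2021, 1, 4))
    proof = prove_age_at_least(cred, 18)
    print("over 18:", verify_age_at_least(proof, 18))
    print("over 21 proof available:", prove_age_at_least(cred, 21) is not None)
```
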

2020 saw Goode Intelligence work with a wide range of digital identity bodies and providers and we’ll be continuing this collaboration in 2021.

I would like to wish all of you a happy and safe holiday season and I look forward to connecting with you during 2021 – a hopefully less stressful year than 2020.

Alan

[1] https://www.ons.gov.uk/peoplepopulationandcommunity/healthandsocialcare/conditionsanddiseases/bulletins/coronavirustheukeconomyandsocietyfasterindicators/1october2020

[2] https://www.mckinsey.com/industries/financial-services/our-insights/no-going-back-new-imperatives-for-european-banking

 

The Passwordless Customer Journey – Is It On Your Roadmap?

Most of us agree that passwords are a huge headache. They are easy to forget, vulnerable to hacking, and inconvenient. But can we really live without them? The answer is yes we can! While it won’t be a transition that happens overnight, businesses need to start thinking about the future now. The ability to provide stronger security with less friction will have substantial implications on the customer experience and brand perception.

More than a change in behavior, the evolution requires a shift in mindset by consumers and businesses who have relied on passwords to protect their information and accounts for so long. The passwordless journey needs to be substantially more secure and easier than the existing journey. Trading in one set of pain points for a different set of pain points won’t suffice. As such, biometrics are emerging as the “password killer.”

Although consumer-grade applications such as iPhone’s Face ID are bringing biometrics into the mainstream today, education is needed to create more trust in the technology.

For example, on the consumer side, a common concern is:

“If my password is compromised, I can change it. I can’t change my biometrics.”

This concern is rooted in the perception that your biometrics can be “stolen.” Unlike a password, which is “something you know,” your voice or face biometrics are “something you are.” Sure, someone can obtain a photo or video of you from Facebook or record your voice and use it to trick a biometric system into thinking it sees or hears you. However, this is where liveness detection plays a critical role. It distinguishes between the real you and a spoof.

This concern may be followed by:

“But, what if my biometric “template” is stolen?”

A biometric template is a digital (binary) representation of the unique characteristics found in a person’s biometric sample. These templates are encrypted and stored for future matching. They are virtually meaningless if obtained.

Like any disruptive technology, there is a chasm to traverse. Increased user acceptance of the technology combined with the need for stronger security will continue to drive businesses to embark on the journey towards a passwordless future. What exactly that future looks like and how to get there offers much to discuss!

In the Identity Futures 2020 panel session, The Passwordless Odyssey, Powered by Biometrics, we discussed topics relevant to companies on the road to, or considering, a passwordless future. A panel of diverse experts spoke about how biometrics fit into that journey, how the technology addresses some of the challenges faced today and we discussed the best points in the journey to get started on your path.

View the recording to hear more.

INTERVIEW: The DID Alliance’s Ramesh Kesanupalli talks to us about GADI, the exciting new initiative for Digital Identity…

Last month we were delighted to host a webinar introduction to the Global Architecture for Digital Identity (GADI) in partnership with the DID Alliance*. Ramesh Kesanupalli, co-founder of the DID Alliance, founder of the FIDO Alliance and CEO, Digital Trust, shares his insight on this very exciting initiative and why we need a new method to add trust and accountability into Digital Identity.

After your success with the FIDO Alliance, what made you turn your attention to identity?

Ramesh Kesanupalli: “There were a couple of reasons: firstly, digital identity is one of the hot topics that is emerging in the industry – after adding up all the attacks that have happened to major entities, and considering the misinformation and untraceable information that is rampant on the internet – Identity is a problem that needs to be fixed.  After the successful standardisation of FIDO and its inclusion in all major operating systems and browsers, it’s only natural to look into identity binding as the next step.  At the same time, the CEO of RaonSecure, Soon Hyung Lee, who has been developing the OmniOne Identity DLT, asked me to take a look at what they were doing which got me started looking into this space.”

Tell us about the basic premise of GADI

Ramesh: “The basic premise of GADI is to define a trustable identity framework that will work at a global scale and bring different identity systems to establish trust and accountability. While security and privacy are the fundamental rights of everyone, for a functioning business or society, trust and accountability are basic necessities.”

What is a digital address and how is it used?

Ramesh: “A Digital Address is a human-readable access point, which is bound to a unique trust anchor for the user that is generated by a trusted issuer in the GADI ecosystem when the user is being on-boarded into the GADI ecosystem.  Once the initial trust anchor of the user is created, and a Digital Address is created for the user with a Digital Address Provider, the issuers can issue the user credentials using the verifiable credential formats, and publish the DIDs (Decentralised Identifiers) of those credentials to the Digital Address that the user is associated with.  The user can then go to any other issuer who would issue credentials to the user and provide their Digital Address so that the other issuer can start issuing their credentials to that user.  The user will then be able to provide verifiable credential presentations to a service provider to prove identity claims as needed based on the service provider’s context.”

Can GADI work with existing identity ecosystems?

Ramesh: “Yes.  Existing identity systems can turn themselves into a Digital Address Provider by embracing the GADI methods of on-boarding users and issuers.  The creation of the initial trust anchor is the key first step which involves identity verification of the user against a government-issued identity document by a high-trust entity.   This could be a Department of Motor Vehicles (DMV), Passport Agency, Employer, Financial Institution or Medical Centre.   Digital Address providers will have to go through a certification process and must follow the governance and policies of the GADI ecosystem.”

Finally, how can people find out more and get involved?

Ramesh: “We welcome organisations, both public and private to come and join the DID Alliance to contribute to the specification, governance, and direction of the ecosystem.  There are different work streams that need help, support and participation.  We have a Technical Working Group, Governance Working Group, Messaging Working Group, Certification Working Group and so on.

“People can get involved at the board membership level, sponsor membership level or associate membership level.  Please visit the DID Alliance web site didalliance.org for more information and to reach out to us.”

*The DID Alliance is an open industry association created to drive the development of a standardised, interoperable framework for decentralised identity services to ensure the authenticity of an established trust in digital identities.