With estimates of the sales over the Black Friday weekend in excess of £7bn in the UK and $90bn in the USA, retailers are currently focused on getting shoppers into their stores and through their checkouts as seamlessly as possible. As was apparent at last week’s US Payments Forum, the last part of that process, payment, is probably the one area that the retailer believes it has the least control over. Online the problem is even greater; consumers have a variety of ways to authenticate themselves to their bank and to their retailer, many of which leave something to be desired.
75% of sales on Black Friday are online and Cyber Monday is set to be the biggest yet. Many of these online sales depend on consumers having to manually enter card details, or log-in using dimly remembered passwords. Those who are not blessed with the memory of an elephant may have to undergo password reset processes that can involve checking rarely used email addresses or having to remember the incorrect spelling of their answers to a wide variety of questions about their past history. Having apparently completed the process, the percentage of remote transactions that are then declined by the Issuer is around 10 times greater than those completed in the store. Not all these declines will be valid, with legitimate customers being turned away in the name of fraud prevention. Even so millions of pounds of the approved transactions in the UK alone will still turn out to be fraudulent, further undermining the trust of the merchant and consumer alike.
Isn’t it strange that we live in a world where there is significant growth in online sales, but the mechanisms used to pay for those purchases are more cumbersome, less secure and less reliable than those used to buy on the high street? The good news is that the Payment Brands think that this is strange too and have a plan to fix it!
Earlier this month they published a draft version of their Secure Remote Commerce specification, which outlines an approach to promote security and interoperability within the card payment experience in a remote payment environment. The specification is currently out for public consultation. The Payment Brands are looking for feedback from those organizations which will deliver, interact with or use such solutions. (I know a few people who have read them and can help you to shape your reply if you are interested.) We may not see commercial solutions deployed in time for next year’s Black Friday event – these things take time. However they do offer the potential for interoperable payment solutions, with common authentication processes and levels of data security similar to those currently experienced on the high street.
In the short term, I really need to update the TV. So, in preparation for a flurry of holiday season internet shopping, I have cleared funds on my payment cards, cleaned the fingerprint readers on my tablets, found my long paper list of passwords and a similar list of answers to security questions. However, I can’t remember; was my first dog called Fido or Fenton?
Now that the US has (finally) migrated from magnetic stripe to chip payments, and signature will soon be going too, the time has come to think about where the fraud will go next. This was the topic of a great discussion at Money 20/20 involving amongst others EMVCo, Capital One and USAA.
Obviously the first place fraud will jump to will be card-not-present transactions such as e-commerce. This is well understood by those of us who went through the EMV chip migration over a decade ago. Brian Byrne outlined the various initiatives in EMVCo to secure these transactions – Tokenisation, 3DS 2.0 (with live solutions being imminent) and SRC (which is open for public comment).
Increasingly though it’s an identity problem. Identity theft and synthetic identities are being used to attack payments in a number of ways.
Because EMV chip cards are much harder to counterfeit than magnetic stripe cards, fraudsters instead will try to get their hands on genuine cards. This could be through opening a fraudulent account or by taking over an account and ordering a replacement card.
Identity fraud will be a big issue in faster payments too, with a need for good authentication on both ends of the transaction.
Synthetic identities are a particular challenge. Detecting them is tough, spotting the subtle clues that indicate that an identity record which looks legitimate has actually be cultivated over time by a fraudster. And this is big business, with criminals using the latest machine learning and ready access to data (thanks to all of those breaches) to launch well organised attacks at scale.
In the following session, Professor Pedro Domingos (author of “The Master Algorithm”) gave the great quote “if you try to fight machine learning with code you are doomed”. But it is not simply a case of implementing machine learning. As the Prof explained, the characteristics of fraud are constantly changing so any machine learning system will need to be constantly tuned and re-trained to keep up.
Where better to spend a day talking about digital identity than the Venetian in Vegas with its rather synthetic identity.
In giving the topic a full day track, the Money 20/20 organisers have recognised the increasing importance of the topic. However it is a topic that is not straightforward. Andrew Nash from Capital One was right when he said everyone has a different definition of identity. It’s a bit ironic – identity doesn’t have an identity. Here are three questions to summarise what we heard:
Is digital identity just about KYC or the broader sharing of personal data?
There is clearly still a lot of pain with KYC. Idemia explained how in the US, with its fragmented environment, doing basic things creating digital drivers licences that can be used across the country is hard.
But there is shift of focus from the narrow KYC problem towards the broader issue helping people to make their personal data portable in a way that removes friction – the “F” word of Identity, as Neil Chapman from Forgerock put it.
Filip Verley from Airbnb made a useful bridge between these two aspects. It is no surprise that reputation is fundamental to the Airbnb platform. Reputation is the where the value is – Airbnb users don’t care what the name of a renter is but they do want to know they are reputable. But for that to work well that reputation needs to be anchored to the real identity that Airbnb has checked – i.e. their KYC.
Who is digital identity for – the person or the organisation?
Quite rightly there is now widespread acceptance that digital identity needs to be person centric. As well as the privacy point, there are practical reasons why it makes sense to put the person at the centre. For example, the person is in the best place to say which of the residential addresses associated with them is the one where they are actually living.
This is not the same as saying people own their identity. The organisations that provide services to people also have a stake in digital identity too. That’s why in Canada, as Joni Brennan explained, stakeholders across the economy are collaborating through the DIACC to address a need that is bigger than any one of them.
(Bianca Lopes, Joni Brennan and I talking about Digital Identity in Canada)
What will enable interoperable digital identities?
Unsurprisingly there was good representation from the DLT / blockchain crowd including Civic and Shyft. Heather Vescent gave a great overview of the standardisation work around Decentralised Identifiers (DIDs) and the desire of that community to create a new identity layer on the internet – perhaps an 8th “user” layer on top of the OSI 7-layered model of old. Whilst this work is being done through W3C it is still early days.
In contrast, FIDO2 is now a candidate recommendation in W3C and is already supported by Chrome 70 for Android (released last week) meaning that ubiquitous strong device based authentication (which includes biometrics) should not be far off. It’s great to see an initiative that, after a lot of hard work, looks like its about to become mainstream providing a real step forwards towards a more secure digital world.
According to research just published by the Digital ID & Authentication Council of Canada (DIACC) with Consult Hyperion’s support, the potential value of trusted digital identity to the Canadian economy is at least 1% of Canada’s GDP, or CAD $15 billion.
Those of us who have recently been asked to provide copies of our passport and gas bill when opening a new bank account or taking out a new mobile phone contract, understand the lengths that organizations go through to incorporate old world identity processes into their new digital services. DIACC’s research paper highlights how the savings delivered by a robust digital identity ecosystem arises through reducing friction and increasing trust for governments, businesses and citizens alike.
One of the DIACC’s objectives is to drive the development of a digital identification and authentication trust framework to enable Canada’s full and secure participation in the global digital economy. When published, this framework will provide a common lexicon and guidelines for all the stakeholders within the digital identity community in Canada. It will allow each party to understand the roles and responsibilities of all parties in the ecosystem, while also allowing buyers of those systems to understand where a vendor’s solution competes with or complements, another.
In a market as dynamic and collaborative as Canada this is important.
Once a robust digital identity ecosystem is enabled and new solutions are introduced to the market by service providers, how will that impact the economy? DIACC’s research indicates, it will drive the adoption and use of digital services as it will make it easier for consumers to sign up for and access online services, provide the ability to obtain informed consent, and streamline the processes across a variety of industries such as government, healthcare, financial services, and eCommerce.
The research Consult Hyperion undertook with DIACC has shown the direct correlation between robust digital identity and economic benefit. Delivering a nation-wide solution will require both creativity and stamina. Lead applications must prove the benefits of digital identity. Service providers need to identify and root out inefficiencies in existing services. New digital business models will need digital identity to create fully digital user journeys. Everyone needs to work together to accelerate adoption and drive critical mass.
There will also be cost of doing nothing – marginalised parts of society continue to struggle to access important services, small businesses will face continued bureaucracy in an increasing digital world and criminals will continue to exploit the systemic gaps that exist in many digital services today.
Working with the Canadian community to explore the benefits of digital identity in numerous places across the economy has been fascinating. As payments and identity technology people, we know that tools and technology already exist to deliver wide scale digital identity.
The collaboration already evident in Canada is striking and something Consult Hyperion, are excited to be part of. Chat with us further at the IdentityNorth event taking place June 19-20, in Toronto.
The publication by NIST of an updated version of its digital identity guidelines marks a significant change in its approach to identity management. It highlights the importance of implementing digital identity in context, with three different elements replacing the previously monolithic Level of Assurance. These Levels are the Identity Assurance Level for identity proofing, the Authenticator Assurance Level for authentication and the Federation Assurance Level for use in a federated environment. Criteria for each Assurance type run from Level 1 to Level 3. This is intended to provide greater flexibility in implementation, for example combining pseudonymity with strong authentication for privacy purposes. Although optional, federation is positively encouraged for reasons of user experience, cost and privacy.
Risk management features prominently in the guidelines, with risk assessments used to determine appropriate identity choices according to system requirements. Although the requirements are technology agnostic, they are prescriptive regarding the assurance levels required for particular purposes. One area in which the guidelines are particularly refreshing is in their approach to passwords. Drawing on research into passwords exposed during data breaches, the use of unwieldy complexity rules is discouraged. Instead, it is suggested that users should be allowed to make passwords as long as they wish, encouraging the use of pass phrases and excluding very short passwords.
Faced with restrictive rules, many users will select predictable passwords which just meet the system requirements but are easily guessed. It is suggested that passwords should be checked against a blacklist of obvious choices and known compromised passwords, to filter these out. Randomly-generated secrets are therefore preferred to user-generated secrets.
The guidelines also highlight the importance of usability, supporting the use of password managers and only requiring passwords to be changed when there is evidence of compromise. There is some flexibility regarding displaying passwords on screen, depending on the context. In order to maintain an adequate level of security, a mechanism for limiting the number of possible failed authentication attempts is required.
This new, more person-centric approach from NIST follows on from UK government guidance published by GCHQ in 2016, advising ‘dramatic simplification’ of password management policies. This guidance also focused on achieving security by implementing processes which are easier for people to follow and therefore less susceptible to being undermined by users attempting to take short cuts through the system.
CHYP’s involvement in research has highlighted for us the difference between the way people say they behave and how they actually behave online. This kind of performativity may take the form of people describing how careful they are online (perhaps repeating recent official advice), while doing something conflicting on screen even as they are speaking. A similar effect can be seen when comparing figures produced from a user survey by the Gambling Commission, to usage statistics reported by gambling companies. The companies are able to draw statistics directly from their systems, while the survey figures are composed of gamblers’ reporting of their own behaviour. These discrepancies highlight the importance of observation when developing policies based on user behaviour.
It is encouraging to see a more effective approach to combination of privacy, security and usability in Identity Management being promoted at the highest levels. Even in local hospitals, it is now common to see screens showing simply ‘tap your pass or enter your passphrase’, where previously unpredictable processes were in place. Organisations such as FIDO have done a great deal to promote standardisation.
For a standalone organisation to adopt the new NIST rules would seem both positive and achieveable. They are in any case intended to be used within the US government. However, where organisations are already working in partnership and have existing legacy agreements regarding security requirements, it may be necessary to revisit these and agree a new set of password rules to replace existing, outdated approaches. Standardisation and education can go a long way towards supporting this process, although for larger organisations and those with multiple partners, it may take longer.
Publications such as ‘Why Johnny can’t encrypt’ and ‘Users are not the enemy’ have long been recognised for highlighting enduring issues with implementing security software. While education is important, attempts to fundamentally change people will inevitably fail, resulting in escalating support costs and unpredictable security risks. People are simply not equipped to adjust that quickly. In comparison, machines are generally designed by people and comparatively easily modified. Even with the advent of AI, machines are likely to remain reasonably malleable.
Where most user interaction involves people and machines, security tends also to involve mathematics. The NIST guidelines prescribe the use of appropriate cryptography at every stage. This is essential to securing the system but does not of itself guarantee that the system will remain secure. Appropriate system design and implementation are crucial to ensuring secure operations. This is exemplified by the recent flaw discovered in the WPA2 WiFi protocol. A mathematical proof is available for the security of the protocol but there is a vulnerability in the key management, which is not covered by the proof.
As in any system, a mathematical proof has to be ‘situated’ to be useful. Effective risk modelling will take into account the wider context of the system, focusing in on the most critical areas for greater attention. This process may have to be revisited over time, as the surrounding environment evolves. The increasing interconnectedness of the Internet of Things will require greater attention to disconnection technologies to preserve system integrity over time.
Identity, authentication and authorisation are amongst the hottest of hot topics in our world right now. Even if we put Apple and it’s new face recognition technology to one side, there’s no shortage of excitement at the intersection of biometrics and electronic transactions. Remember this from earlier in the year?
A UK supermarket has become the first in the world to let shoppers pay for groceries using just the veins in their fingertips.
As I wrote at the time, this came only a few weeks after people forwarded me a link from to Time Out, calling attention to a new payment mechanism using a new biometric identification technology to effect retail payments in a new way. The system, called Fingopay, uses a scanner at POS to recognise customers in pubs and bars by the pattern of veins in their finger and then charges a linked payment account. I did remark on the overuse of “new”, as the first time that Consult Hyperion blogged about this technology was more than a decade ago, talking about mass market uses of biometrics and looking in the particular case study of Japanese banking, and it wasn’t new then! The technology has reappeared as a “new” solution to these same problems a great many times since then. It seems like every couple of years or so some stories about this new technology and new way to pay reappear. For example…
The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications.
The truth is that the idea of using fingers instead of cards goes back a long way (I can remember Piggly Wiggly exploring it in 2004) and reappears with regularity. So what’s different this time? Well, for one thing, we now have open banking. With strong customer authentication (SCA), risk-based authentication at POS and standard APIs for third-party access to accounts, retailers and other will soon be able to process payments themselves by obtaining payment institution (PI) licences and obtaining consumer consent for access to their bank accounts. Thus, putting your finger on a reader in store and having the retailer instruct an immediate instant payment transfer from your account to the retailer account looks like a more promising model this time around.
It’s the combination of technology (convenient biometric authentication), business (non-bank third party services) and regulation (open access) that means that the payments world is going to see more change in this space in the next year than in the previous ten. Almost every payment conference in that decade has highlighted the “identity problem” yet no-one was going anything about it. Now we have mass market solutions just around the corner.
Anyway, all of this is a roundabout way of saying how excited I am to be chairing the Money2020 workshop “Identity is Fundamental” in Las Vegas next week. We’re going to be talking about the latest trends in identification technology, authentication in the mass market and much more. And we have a detailed case study from Canada, as we have Toronto Dominion and SecureKey talking about the Canadian banks’ ambitious project to fix the identity problem with, amongst other things, the blockchain. You’d be mad to miss it, so look forward to seeing you in the Titian Room on Level 2 of the Venetian next Wednesday at 8.30am. Oh, and if you want to say hi to me or any of the Consult Hyperion team in Las Vegas next week, just email, tweet or message me on LinkedIn.
Over the last few weeks, I have been working with the team inside Consult Hyperion trying to understand the potential impact of the European Union’s PSD2 regulation on our clients’ business. One thing is for certain: it has generated a large number of not-quite-three letter acronyms that will ensure high scores in any game of Acronym Bingo running during a presentation on the subject.
It is clear that the Account Service Payment Service Provider’s (ASPSP or bank to you and me) mobile application will play an important role in any PSD2 compliant transaction. Every time I want to make a bank to bank payment to a new payee, a message will appear in my mobile banking application asking me to verify the transaction and authenticate myself. Will this be the reason I need to keep the mobile banking application on my phone?
Personally, I sit down once a month in front of a computer to do my expenses and pay my bills. I have sufficient standing orders to maximise the return on my Santander 123 account. The rest are settled using Faster Payments, when there are sufficient funds in my account. Being a payment geek, over the years I have loaded several banking applications and PingIt onto my phone. None of these survived the transfer to my next phone as I was not using them. The alternative (my PC and contactless Amex card) are more convenient or deliver the customer experience I need. But perhaps that is changing.
At Consult Hyperion’s excellent Tomorrows Transactions Forum in London earlier this year, Greg Wolfond, CEO of SecureKey, outlined the customer experience to be delivered by the blockchain-based digital identity and attribute sharing service they are building in Canada, with the support of local banks. At the centre of this service was a push notification from the bank, via their mobile banking application, that a third party wanted confirmation of my age or address and a request for permission for the bank to share those details with the third party. To me the bank is the logical place to keep valuable personal information. Most have been doing it for over 100 years usually in the form of paper documents – birth, marriage certificates and Land Registry Property Deeds. However, in a connected world third parties need to be able to access this information when I give them permission. This process must be instantaneous, as I am likely to be on the third party’s website or in their store signing up for a service when the request comes through. I will be in a similar place when I want to make a PSD2 compliant payment.
Earlier this summer, I sold the last of my larger toys, a Laser 1 dinghy. Kids have left home, wife prefers to ramble with the dog, sailing club just too far away, water too cold …. The list of reasons why I should keep it was getting too long.
I posted the boat on Apollo Duck, (think eBay for the sailing community) assuming people would come to view it, we would agree a price, they would give me a cheque, I would bank it and they come back a week later to pick up the boat, when the funds were in my account. Everything was going to plan, until it came to payment. Rather than pull out a pad of paper, he opened his Barclays’ mobile banking application, asked for my bank details and transferred the funds using Faster Payments. Five minutes later the funds were in my account and we were packing the boat up for him to take away. The whole process, from viewing to take away was reduced from 7 days to just over 90 minutes. We did not move from my front lawn, except to access my PC to check that the funds had gone into my account.
This appears to have been the vision of those very clever people in the European Union when they drew up the PSD2 regulations. However, is the mobile banking application the right channel for such services?
In the UK smartphone penetration rates are around 81% of all mobile phone users. However, this figure varies according to the subscribers age, from 90% of subscribers aged between 16 and 24 to 18% of those over 64 . The older generation are likely to have more savings spread across multiple products from multiple providers. If they prefer not to load the mobile banking application onto their phone are there alternative solutions which they can use to authenticate themselves to multiple ASPSP?
Barclays UK does a very good job verifying me using my payment card and their PinSentry device or mobile application across all the channels that I access their services. I can also use the PinSentry device with cards from other banks which support the CAP User Interface Specification, but don’t tell Barclays. There are other solutions from organisations such as FiTeq which remove the need for the separate CAP reader and the payment schemes who are promoting the use of their 3D Secure service for use with other payment solutions.
One of the drivers behind PSD2 was to drive innovation and competition. Is SCA the first place we will see this?
I had wrongly assumed that the majority of new bank accounts openings in the UK would be from students just about to go off to University, like my son, and that migration whilst high (as the media keeps telling us) would still be a minority. But based on some back-of-the-envelope calculations it appears that the 50% number is about right.
As the OIX report above points out, these new arrivals in the UK are very difficult to perform KYC (“Know Your Customer”) on due to the lack of data. They have no history in the UK. This is exactly where eIDAS should be able to step in. For example, a person arriving from France should be able to use their French government-issued eID as one piece of evidence to help meet KYC requirements. The proposed new AML legislation – the amendment to the fourth AML directive – which I have seen referred to as AMLD4.1, AMLD5 and 5AMLD, explicits call out to eIDAS as a potential solution.
There are however some issues with this:
Firstly, to become part of the eIDAS scheme, governments have to “notify” their eIDs into the scheme. To date only Germany has done so.
Secondly, eIDAS provides a switching infrastructure that makes all eIDs interoperable but initially this will only available to the public sector. If a private sector organisation, such as a bank, wishes to leverage an eID it will need to find another way to access or read it.
Thirdly, the mobile channel is becoming increasingly important with banks needing to be able to onboard customers directly in that channel, as well as performing identification and verification of existing customers when provisioning a mobile app. Several of the existing eIDs are smart-card based. These will only be readable by phones if the cards themselves are contactless (which many of them are). They will not however be readable on iPhones, even with the limited opening up of the NFC interface expected in iOS11.
There is clearly therefore a need for some alternative mobile based technology. Fortunately such technology exists in the form of mobile document and selfie capture and verification. One of the vendors in this space, Mitek, kindly commissioned Consult Hyperion to write a paper on this very topic which I had the privilege of presenting at Money2020 last week. You can download the paper here:
A decade ago I remember writing that one of the problems with QR codes is that there is no security. Some years later I wrote an article pointing out that NFC ought to be safer than QR codes because NFC included a standard for digitally-signing tags (although I did also note that no-one used it) whereas anyone could easily create bogus QR codes.
Well, I might not go so far as to call [QR codes] evil, but they certainly have the potential to enable person or persons unknown to act with evil intent.
I suggested, in connection with a couple of projects we were working on at the time, that the mobile operators do something about this by creating a digital signature standard for QR codes so that phones could be set by default to ignore unsigned codes. None of this happened, as I’m sure you are aware and QR codes became popular precisely because any app could read any code anywhere.
The security problem never went away though. I notice in the South China Morning Post that in March 2017 some 90m Yuan was stolen via QR code scams in Guangdong alone (a suspect in the case replaced merchants’ legitimate bar codes with fake ones that embedded a virus to steal personal information) and that in China as a whole, a quarter of viruses and trojans come in via QR. Despite the incredible success of QR there, we need to do better.
Even the man who invented QR codes says that they are an interim technology.
Now, also back in the day, I had originally assumed that Apple would add NFC to the iPhone. I was wrong about this for years, so eventually I assumed that they were going to bypass the technology and go to Bluetooth. Yet what I said at the time still holds: NFC is undeniably convenient.
NFC is a convenience technology, and Apple loves convenience
I wasn’t just guessing about this, I was drawing on Consult Hyperion’s early experiences with NFC (remember the Nokia 6131?) of tag reading and writing, including not only the usual payments and ticketing stuff but also such fun applications as getting information about clothes at London Fashion Week. I also noted surveys at the time that showed that NFC generated better results for merchants, but only once consumers could get it working. As my good friend Osama Bedier, then head of Google Wallet, pointed out, this is was some barrier because of the amount of “futz” it took to get NFC working.
But there was another reason that I was so interested in NFC as QR alternative back in this days. To go back to the security point, I was interested in thestandard for adding digital signatures to NDEFs (the “NFC Signature RTD Technical Specification”) to build a safe tag infrastructure. After hawking this around a few different projects, to general disinterest, I figured that the telcos weren’t interested in using it to deliver secure infrastructure, so I said…
“Someone else will build this business (Apple? They seem to be getting all sorts of NFC-related patents at the moment) and then the operators will once again complain about being pipes. Is Tom Noyes right to say that “…Apple and Google will be further ahead in coordinating value in new networks”
So now, more than a decade after our first NFC experiments, both IOS and Android can read standard tags and action them. I want to make a couple of quick points about this before I head off down to our Hyperlab and see what our developers make of the new toolkit.
First of all, this technology will inevitable be used for triggering in-app payments that work in a very convenient way for consumers. Instead of having to open your Tesco Payqwiq app and then scan a code from the POS, the POS will function as a tag (and remember it can potentially rewrite a dynamic tag on the fly): you can just tap the phone on the POS and the operating system will automatically open the Payqwiq app and route the data to it.
Secondly, since tags are inexpensive, they will be used for a variety of different applications. Tickets for pop concerts, information about products, name badges, all sorts of things that can be read by a phone rather than by a specialist reader, Therefore I expect new standards for NDEF content to spring up. One of my favourite apps, back in the day, was a phone number tag that men could put in their back pocket at a nightclub: admirers could wave their phone in an appropriate area to get the number and send a text message. Here we are trying experiments with different types of clothing (which turned out to have very different NFC-friendly characteristics!) a decade ago.
Lastly, note that NFC tags can be read through packaging. Unlike QR codes that need to be printed on the outside of a box, tags can be inside. Where would this matter? Well, take a current UK example. Cigarettes now have to be in plain packaging. Tobacco companies don’t like this – for obvious brand reasons – but they do have a point: plain packaging makes like easier for counterfeiters. So suppose packs had a cheap tag inside: then your phone could tell you whether you’ve got real Marlboro or a knock off. You download the Marlboro app, then from then on when you tap a pack if the app doesn’t pop up with a big green tick you know you’ve been done. I’ve written about this sort of thing before ( for example, wine and whiskey) so it’s hardly a new idea.
Note, however, that IOS11 also includes ARKit to add augmented reality. So, when you look at your pack of plain cigarettes through your app (after you’ve tapped, so the phone reads the tag and knows that they are real Marlboro) you don’t see plain packaging any more you see… well whatever.
All in all, Apple’s announcement – whether the culmination of a clever plan or a response to Android market share – is a big deal. I found a whole bunch of blank NFC tags in my desk drawer so I’m off to start programming them now.
I have often seen payments (especially the card networks) used as an analogy for digital identity. In fact, I brought up the analogy myself at the fun OIX meeting in Amsterdam last Thursday. Certainly when you look at something like GOV.UK Verify there are some striking comparisons:
A central scheme with a brand, rule book, governance body and switching infrastructure (i.e. Verify itself),
Issuers (i.e. the private sector identity providers), and
Merchant acquirers (well merchants anyway, in the form of government relying parties).
We have to keep reminding ourselves that these card networks did not appear overnight. What we have today is a result of 60 or more years of evolution. Admittedly the pace of change has increased significantly but we need to recognise it often takes time to build scale and gain adoption. There are special cases of course. PayPal, for example, grew out of a significant pain point within eBay – which gave it immediate scale.
There is however one key difference between payments and identity. You cannot sell stuff online without a means to receive payment and normally that means integrating with a payments scheme that works for your customers. You can however sell stuff without leveraging an external identity scheme – you just give the user an ID and password specific to the service. This is however bad news for users – resulting in the fragmented personal data and password mess we find ourselves in today. There needs to be an incentive for merchants to do something different to this. Perhaps merchants need a big stick? Like GDPR for example. Merchants are going to have to be a lot more careful with personally identifiable information in the future. One thing they could do is use an identity provider to hold that data and in the process reduce their risk.
Individuals also need to realise that their personal data is valuable, just like their money. That is going to require some education because so far they’ve been taught to share data without considering the consequences.
In the UK, arguably the most significant digital identity initiative over the past 5 years has been the GOV.UK Verify programme. They are at the stage where they need to grow. The scheme is up and running and so they are now busily signing up citizens and services. It is a critical point in its development. We are very pleased that David Rennie who leads industry engagement on the programme will be taking time out of his busy schedule to join us at Tomorrow’s Transactions. Come along and find out how it is going.