Rohan is the co-founder of 1Kosmos. He is a go-to security and identity management expert and the founder of several businesses that have made considerable advancements in blockchain and identity management. In a conversation with CXO Outlook, Rohan Pinto talks about the role of verified digital identities in the open banking ecosystem and much more.
How has COVID-19 accelerated the need for businesses and governments worldwide to rethink their approach to enabling remote identity verification over digital channels to facilitate day-to-day interactions?
COVID-19 has brought remote identification from a corner case in the back office to the forefront of worker, customer and citizen onboarding. What was an occasional need for an impaired or disadvantaged individual to send identity credentials via email, fax or SMS has become the primary mechanism by which identity is established, but without individuals being physically present to verify likeness and submit documents in person, antiquated manual processes are showing signs of stress and outright failure.
Documents containing highly personal information often don’t transmit well and need to be sent multiple times, but they are being sent unencrypted via insecure channels, exposing them to compromise at multiple points throughout the process.
The workload for manual verification of a person’s physical likeness to their credentials, data entry and management of documents is also increasing rapidly and contributing to data errors introduced along the way. Onboarding is slow — a tell-tale sign of inefficiency and waste, and is not privacy preserving in the long run.
It seems clear that the security, privacy and administration challenges related to remote identity verification are here to stay so it makes sense to evaluate them for business process improvement.
What are the benefits for customers with digital identities in the open banking ecosystem?
In light of the numerous data breaches around the globe, organizations need to take a new approach. Institutions need to establish a strong digital identity that will function as a digital wallet for the customer. The digital wallet will store all pertinent personal information in a readily accessible and sharable digital format, so customers can easily take advantage of new services and access existing services with no friction.
A properly architected digital identity should give individuals sole access and control over their information and minimize the risks associated with unauthorized access from data breach.
Blockchain technology allows private key access without oversight by a central authority, so user data cannot be hacked or accessed via data breach. At the same time, the user has control over which services can access their information without manual rekeying. A digital identity developed to standards such as NIST 800-63-3 supports portability and interoperability, or the sharing of information with any third-party service via API with user permission. Business applications coded to other standards such as FIDO2 allow that digital identity to be combined with a biometric for convenient and secure biometric authentication.
How does digital identity fit into the digital transformation picture?
When implemented via a certified NIST 800-63-3 solution/process, a digital identity can set a high standard for trust on enrollment. This enables a high level of security and interoperability for personally identifiable information. But when combined with FIDO2 certified biometric authentication, the implications for digital transformation are profound, because the digital identity and the device used to authenticate serve as a next-generation multi-factor authenticator and help move organizations toward a zero trust architecture by re-asserting identity at every user login. This virtually eliminates user account takeover and substantially increases the trust with any given user on the network.
What are the current market needs and use cases for digital identity? Where do you see opportunities for the identity verification industry in the next few years?
Currently, passwords are considered by many to be one of the weakest links in cybersecurity. That level of trust can be used to inform a “know your customer” requirement for verifying identity during new account creation. It can also be used to re-establish trust during user login to online services. This avoids account takeover. Finally, a digital identity can be used as a modern and sophisticated form of multi-factor authentication to fight transaction fraud.
As industries move forward with digital identity we should see passwords and associated two-factor codes used for user authentication become obsolete on a broad scale. Digital identity also plays a role in simplifying the user experience and improving the efficacy of step up authentication as an anti-fraud mechanism.
Do you agree that there is a race currently happening between payment leaders to find and offer the perfect digital identity solution and if so, why?
There is rapid innovation happening in multiple areas of digital identity and payments. For payment fraud prevention we’ve seen passive authentication use a predictive, AI-based approach refined through the years. These are based on transaction history, behavioral biometrics and all sorts of data and device level relationships that can be abstracted and used to provide progressively stronger trust signals. These “big data” solutions have their place and will no doubt continue to deliver value especially in protecting low-to-medium value, frictionless and high speed transactions.
These are now being augmented by “deterministic” digital identity solutions where identity is verified to credentials at varying levels such as government issued driver’s licence and passport, or via the use of banking, or telco records. This gives organisations flexibility in establishing the level of identity assurance they need or want to protect their business and their users from identity fraud.
The right level of assurance will likely depend on the specific use case and blend of solutions to address the needs, which is very hard to forecast or predict, but which is why interoperability and certification to open standards are so important for all payment and identity providers. To avoid vendor lock and enable interoperability, payment and security systems providers need to certify their solutions to the rigors of industry standards and they need to develop APIs that avoid custom integrations which again represent vulnerabilities.
As to the “why”, the cybercrime networks continue to organize worldwide, gaining expertise and sophistication in their attacks on legitimate businesses, driving up losses and costs we all need to absorb. So it’s good to race, but it’s not a winner takes all race and vendors need to race for the purpose of winning the battle against cybercrime not for placing short term profits first.
How will it help in creating a robust digital identity that can cater to cross-sector and cross-border requirements?
We all face an unknown future and live in an environment where payment and security solutions are somewhat fragmented. Innovation doesn’t happen at a steady pace, so we will see asymmetric advancements in ways that are difficult to predict.
Collaboration around interoperability and open standards is essential to accommodate the business and regulatory change that is bound to happen so that consumers and businesses are best served and criminal enterprises are most effectively contained.
This makes organizations such as NIST, FIDO2, and W3C and working groups within those organizations of critical importance to payment and security solution providers to ensure the various voices across sectors and regions of the world are represented and heard as technologies and standards evolve.
How to enable trust and digital identification in Open Banking?
The current NIST 800-63-3 specification provides a robust framework for matching a user biometric to validated credentials in a way that provides end-to-end encryption. Pairing this technology with advancements in AI-based facial recognition can defeat facial spoofing and ensure that a live biometric is captured. This can establish a high level of trust up to Identity Assertion Level 2 (IAL 2) if the underlying platform is certified to comply with the NIST specification via the Kantara Initiative certification body.
Going a step further to combine this capability with a FIDO2 certified authentication capability provides the ability to reassert trust up to Authentication Assertion Level 2 (AAL 2) at every login. This defeats the vast majority of identity-based fraud attacks and eliminates the use of passwords and cumbersome two-factor authentication codes. The NIST standard also enables a high degree of interoperability so it facilitates integration via an open API layer, eliminating the need for custom integrations and avoiding vendor lock.