By Patrick Kleuters, Senior Vice President Europe, Gemalto
Today’s companies are increasingly recognising that if they don’t have a strong online presence, they will fall behind. They need a digital offering to stay competitive. And, now, there’s a boom in online services that require ID authentication—from signing up to a new mobile service to renting a holiday home.
However, the issue is that in the absence of a properly designed, ubiquitous identification framework, many services have evolved independently, leading to inconsistencies in customer authentication. Thus, the quality of the customer experience has fallen, creating distrust and apathy towards identity schemes.
Fortunately, banks are well placed to fix this internet identity crisis. In particular, Payment Services Directive 2 (PSD2) requires banks to support Strong Customer Authentication (SCA) for all of their customers, which means radically revisiting their approaches to fraud prevention and how they identify customers. In fact, the regulation gives banks the perfect excuse to work together to fix the usability and convenience problems posed by current online authentication schemes. By controlling the identity-verification process and becoming identity- and data-protection providers, banks could deploy the solutions that become the de facto standard for securing the internet.
But first, banks must make sure that they are taking the correct approach to be successful. Below are some key considerations to ensure successful deployment.
Show customers you’re worthy of their trust
First and foremost, banks must address issues of trust. The modern digital world has made society distrustful of third parties and the handling of data. It is the confidence the customer has in the controller of his or her data that will determine the uptake and success of any digital identity scheme. Currently, banks have two primary models from which to choose, and they must decide which is right for them and their customer base.
A federated-identity approach would see the customer relinquish primary control of his or her data to a trusted provider, normally the bank. For banks, this streamlines the entire process, allowing them to validate the authenticity of the individual’s identity when they enrol for a new service and then become the focal point of trust for other services and providers. Under this approach, customers can reuse credentials for multiple services. They simply log into one website and then access others without having to create another profile or type another username and password each time. It works because the other sites trust that the identity provider (in this case, the bank) has authenticated the user to a certain standard, and so they permit access.
More recently, however, another type of model has emerged, which is more decentralised and based on evolving technology such as blockchain. This model places the end user fully in control and allows different service providers to share identity verifications. This is called the Self-Sovereign Identities (SSI) model. With this approach, service providers can simplify customer-identity management and streamline the due-diligence process while enabling end users to be in total control of their identities. Users share only what they must and can prevent third parties from registering their data. The best-known example of a successful SSI scheme is Sovrin in the United States, which is working with IBM and T-Lab to provide a decentralised global identity scheme.
Keep privacy front of mind
Privacy remains a key driver of the user experience and will be crucial in onboarding customers. In any identity model, clear boundaries to limit the visibility of personal data to each participant will be important. To work with this, banks can temper the “blinding” to limit the degree to which each participant is aware of the user’s actions and data.
Adopting a non-blinded model would mean that the user’s information is exchanged between the identity provider and the third party, with or without the customer’s knowledge. It’s commonly used to enable individuals to access websites using their Google or Facebook logins. In this situation, the customer is redirected to log into his or her account before he or she can access the service.
A blinded model, on the other hand, would ensure that no personal data is exchanged directly between the two parties. To achieve this, all claims are sent through a central, independent hub that acts as a buffer between the identity provider and the third party. While this boosts the user’s privacy, it does not encrypt any data, instead relying on the trusted hub to securely handle and process it before passing it on to either party.
Banks must decide which aligns more closely with the needs of their customer base.
Collaborate to succeed
Over the last year, we have seen several bank-driven initiatives in the digital identity space. In Canada, for example, Bank of Montreal, Canadian Imperial Bank of Commerce, Desjardins Group, Royal Bank of Canada, Scotiabank and Toronto-Dominion Bank have made significant strides in implementing identity solutions through blockchain. These have been designed to allow customers to use an app to verify their identities and show the service provider only what it needs to see, with all other personal information remaining private.
Similarly, in the United Kingdom, customers registered for Barclays’ online banking can now use this login as part of the UK Government’s GOV.UK Verify registration process, which helps customers by pre-filling forms and negating the need to repeat ID-authentication processes.
Such collaboration is vital for the success of digital identity schemes in the future. Not only will these models fail if most banks refuse to get involved, but collaboration—whether it’s government or banking led—vastly improves the possible use cases and services, bringing greater customer satisfaction and engagement. Collaboration will also help lead to standardisation, and a single model, rather than several different ones, is more likely to reach a critical mass for other services and industries. Take BankID in Sweden, for example, which was the result of several banks collaborating on one identity scheme. It now reaches 6.5 million internet customers who have the option to use it with more than 300 different service applications.
Fulfil the potential
For a ubiquitous digital identity scheme to be successful, banks must have the vision and strategy in place to drive change. Developments in Europe show that it can be done, if banks take an active and engaged role. With the likes of card payments, faster payments and SEPA, banks have a long history of collaboration to create an ecosystem that delivers value to all participants. Now is the time for banks to come together and realise the opportunity that is in front of them. If they collaborate and align their digital ID schemes with the needs of their customers, their approaches could very quickly become pan-European or set the precedent for how people verify their identities across the entire internet.