With the identity verification market projected to hit USD 12.8 billion by 2024 and the biometrics market to reach USD 59 billion by 2025, identity management is big business.
And with the current global situation it has never been more crucial to have an efficient and effective ecosystem to fight fraud, help individuals manage their identities, and enable businesses to provide safer and more secure services.
However, the pandemic has highlighted a lot of structural inadequacies, one of which is the societal approach to identity verification as it seeks to combat fraudsters who are more active and innovative than ever, trying to take advantage of the system and people in need.
The Paypers sat down with Carey O’Connor Kolaja, President and Chief Operating Officer of AU10TIX, and David Birch, Advisor to the Board for AU10TIX, to find out how the industry needs to evolve to keep up and overcome some of the challenges impacting identity management.
Nice to meet you, Carey. You have been awarded one of the ‘Most Influential Women in Payments’. Could you tell us more about your professional background and how this ties into becoming an expert in the identity management field?
Carey O’Connor Kolaja (COK) - Spending over 20 years in the financial sector, where identity verification is foundational to moving, lending, borrowing, and saving money, it was hard to not become fascinated by it.
We live a very integrated existence, so my personal background has shaped my outlook as much as my professional. Throughout my life I have been intrigued by the question ‘how do I trust’ and ‘who do I trust’, stemming from a number of personal as well as professional experiences.
Growing up, financial responsibility was paramount in my house. I had to learn the importance of balancing a checkbook, not spending more than you can afford, and how a little savings every day could make a big difference (building financial freedom brick by brick).
When I was at PayPal, I believed that managing and moving money was a right, not a privilege. As my focus expanded beyond payments, I realised that even more fundamental to money are our identities. Having ownership over our identity is a human right, as well as how we validate who we are, what we are entitled to, and what we can access.
Our identities shift, multiply, adapt, and update frequently as we move through modern life. Each identity is a key to a service, an asset, or experience that is equally valuable and vulnerable. Protecting identities is therefore not an option, it is a global imperative as we become more digitally dependent.
As financial institutions and enterprises have shifted their operations online, amid this pandemic, what role does identity management (with all its five pillars - creation, verification, authentication, authorisation, and federation) play into this new setup?
David Birch (DB) - Carey is completely correct - identity is a necessity and a working digital identity infrastructure is the foundation of a working digital economy and digital society. Right now, we don't have either: that is, we don't have working digital identities (we have siloed digitised identities) and we don't have a working digital identity infrastructure.
I think about these issues using the three-domain identity (3DID) model that I developed with my colleagues at Consult Hyperion. This brings together the identification domain where digital identities are connected to things in the real world, the authentication domain where control over those identities is established, and the authorisation domain where credentials attached to those identities are used to enable transactions.
There are essentially three ways we could move forward. First we could construct a wholly centralised identity management system, as has been done in India for example, where the government creates identity for the citizens and organisations have access to this database in order to determine whether people are authorised for transactions or not.
Alternatively, we could opt for a more distributed system where identity is federated across organisations. You can imagine how this might work in banking, for example, rather as payment cards do today. I could present my Barclays Bank identity to Bank of America in order to obtain service from them, just as I present my Barclays Bank debit card to Carrefour to get service from them.
In recent years, though, the new possibility of a federated, decentralised architecture has been explored. I can certainly see some advantages to this in terms of accountability and resilience, but it's not clear to me whether it has practical advantages over a federated solution for the majority of consumers and citizens in the majority of transactions.
When it comes down to it, there is a market failure at the moment which means that products and services ship with poor security and there is no incentive to fix it. Developing a privacy-enhancing digital identity infrastructure and then requiring products and services to plug into it is the only sensible way forward as far as I can see.
The identity management industry’s recommendation (and regulatory bodies if we consider PSD2’s SCA) is to shift from single factor identity verification, to solutions that are multiple, adaptive, passive, and continuous. Could you please elaborate on this idea?
COK - Single factor verification doesn’t account for context, intention, or risk levels. We started with a password, then a biometric - but in both cases if there is a breach, that piece of data is exposed and is at risk.
Verifying who I am in order to access an online account with J. Crew, versus to access my bank, house or car requires different levels of security; and the risk associated with the use case requires strong layers of protection. If I am signing into my bank account, using face and PIN may be sufficient, however, sending USD 10 to a friend versus USD 10 K to a business requires different levels of authorisation. Therefore, how we prove who we are needs to be adaptive.
In a fluid world, no longer is a static identity sufficient to verify each other. We must move to embracing the future of adaptive identities.
What are the benefits of ongoing identity verification vs. one-time verification?
COK - One-time verification assumes that the signals around my behaviour remain the same in perpetuity, not accounting for dynamic lifestyles and behaviour changes, or allowing for the identification of sleeper accounts that perpetuate systems.
Ongoing identity verification offers adjusted risk based on explicit and implied signals about the individual and the world in which we live.
I believe that identity verification and authentication will become a perpetual, passive dynamic set of tasks that are informed by deep machine learning of context, content, historical patterns, and alternative data-sets creating signals that span multiple ecosystems. Something more akin to how credit cards work today, where the consumer uses them and doesn’t get challenged until they make an unusual deviation from their normal purchase patterns. It is continuous, seamless, and adaptive.
No digital identity interview without a focus on data privacy. Has GDPR met its goals?
DB - I cannot say whether GDPR has met its goals or not since I don’t know what those goals are. It has certainly cost a lot of money, but so far seems to have more of an impact on Dutch grandmothers than surveillance capitalists.
How has COVID-19 influenced the digital identity management space? What are top challenges for businesses in the financial sector and what do you recommend FIs do to overcome them?
COK - COVID-19 has helped bolster the discussion on the importance of identity management and, as David has said, it is now fundamentally managing how we become more digitally dependent.
Synthetic identity fraud is the fastest growing type of financial crime in the United States, accounting for 10–15 percent of lender losses and 9–15 percent of credit card losses each year. To date, detecting synthetic identities has been a significant challenge for lenders because there’s not an industry standard or a single definition that can be used to establish the legitimacy of an identity.
That being said, financial institutions are not the ones I most worry about - they have been fighting financial fraud and identity fraud from the beginning. What concerns me are industries that have not had to deal with fraud at the scope or scale that they need to now - healthcare, government, and education, to name a few examples.
Sooner or later the situation created by COVID-19 will pass. Where should ID be heading?
DB - It's an attractive argument that people should be in charge of their own identities. There is certainly some very compelling work going on in the space and I'm very interested in what Microsoft is doing with their identity network, for example.
But the truth is that, as an average person, I am neither capable of managing my digital identity nor inclined to do so. I want my digital identity to be managed by somebody who knows what they're doing, is subject to appropriate regulation, and has a structure in place for recourse in the event of failure.
About Carey O’Connor Kolaja
Carey has over 25 years of diverse experience in financial services, identity management, product management, technology, and consulting. She is currently President and COO of AU10TIX, one of the leaders in automated identity detection and cyber fraud prevention. Carey is responsible for establishing and driving business strategy and day-to-day operations.
About David Birch
David Birch is an author, advisor, and commentator on digital financial services. An internationally recognised thought leader in digital identity and digital money, he was named in the top 15 favourite sources of business information by Wired magazine and awarded ‘Contributor of the Year’ by the Emerging Payments Association. Currently he is Advisor to the Board at AU10TIX.
About AU10TIX
AU10TIX, an identity management company, is headquartered in Israel and provides critical solutions and capabilities that enable companies and their customers to operate efficiently and responsibly in today's digital world. The company's proprietary technology provides results in less than 8 seconds, allowing companies to onboard faster, prevent fraud, meet compliance mandates, and importantly, establish trust with their customers. AU10TIX is a subsidiary of ICTS International N.V. For more information, visit AU10TIX.com.